Notes Site.
post @ 2024-07-20

Cap (Linux · Easy)

Enumeration

nmap

nmap -A -v -T4 -Pn 10.10.10.245

Nmap scan report for 10.10.10.245
Host is up (1.1s latency).
Not shown: 655 closed tcp ports (conn-refused), 342 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Mon, 19 Aug 2024 06:33:40 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| GetRequest:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 19 Aug 2024 06:33:14 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 19386
| <!DOCTYPE html>
| <html class="no-js" lang="en">
| <head>
| <meta charset="utf-8">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Security Dashboard</title>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <link rel="shortcut icon" type="image/png" href="/static/images/icon/favicon.ico">
| <link rel="stylesheet" href="/static/css/bootstrap.min.css">
| <link rel="stylesheet" href="/static/css/font-awesome.min.css">
| <link rel="stylesheet" href="/static/css/themify-icons.css">
| <link rel="stylesheet" href="/static/css/metisMenu.css">
| <link rel="stylesheet" href="/static/css/owl.carousel.min.css">
| <link rel="stylesheet" href="/static/css/slicknav.min.css">
| <!-- amchar
| HTTPOptions:
| HTTP/1.0 200 OK
| Server: gunicorn
| Date: Mon, 19 Aug 2024 06:33:20 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Allow: GET, HEAD, OPTIONS
| Content-Length: 0
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Connection: close
| Content-Type: text/html
| Content-Length: 196
| <html>
| <head>
| <title>Bad Request</title>
| </head>
| <body>
| <h1><p>Bad Request</p></h1>
| Invalid HTTP Version &#x27;Invalid HTTP Version: &#x27;RTSP/1.0&#x27;&#x27;
| </body>
|_ </html>
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

ftp

ftp 10.10.10.245
anonymous
# anonymous login is rejected

http


/data/7: a pcap file can be downloaded from this page.

post @ 2024-06-20

2024 CISCN Preliminary Round

ezjava

JDBC attack: SQLite loading a malicious .so file


Start with JdbcController: com.example.jdbctest.controller.JdbcController#connect

@RequestMapping({"/connect"})
@ResponseBody
public ResultBean connect(@RequestBody JdbcBean jdbcBean) {
    try {
        return new ResultBean(1, String.join(",", this.datasourceServiceImpl.testDatasourceConnectionAble(jdbcBean)));
    } catch (Exception var3) {
        return new ResultBean(0, "连接失败");
    }
}

The controller runs a connection test on the submitted bean; follow it into com.example.jdbctest.services.datasourceServiceImpl#testDatasourceConnectionAble

public String[] testDatasourceConnectionAble(JdbcBean jdbcBean) throws ClassNotFoundException, SQLException {
    DatasourceLoadConfig var10000 = this.datasourceLoadConfig;
    Map<String, String> config = DatasourceLoadConfig.getConfig();
    // jdbcBean comes straight from the request body: type, url and tableName are caller-controlled
    switch (jdbcBean.getType()) {
        case 1:
            Class.forName((String)config.get("JDBC-MYSQL"));
            MysqlDatasourceConnector mysqlDatasourceConnector = new MysqlDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));
            if (jdbcBean.getTableName() != null) {
                return mysqlDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }

            return mysqlDatasourceConnector.getTables();
        case 2:
            Class.forName((String)config.get("JDBC-POSTGRES"));
            PostgresDatasourceConnector postgresDatasourceConnector = new PostgresDatasourceConnector(DriverManager.getConnection(jdbcBean.getUrl()));
            if (jdbcBean.getTableName() != null) {
                return postgresDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }

            return postgresDatasourceConnector.getTables();
        case 3:
            // SQLite branch: the URL is passed to the connector as supplied
            SqliteDatasourceConnector sqliteDatasourceConnector = new SqliteDatasourceConnector(jdbcBean.getUrl());
            if (jdbcBean.getTableName() != null) {
                return sqliteDatasourceConnector.getTableContent(jdbcBean.getTableName());
            }

            return sqliteDatasourceConnector.getTables();
        case 4:
            Class.forName((String)config.get("JDBC-SQLITE"));
            return new String[]{""};
        default:
            return new String[]{""};
    }
}

From sqliteDatasourceConnector.getTableContent, follow the call into com.example.jdbctest.services.DatasourceServiceImpl#getTableContent

public String[] getTableContent(String tableName) {
    // tableName is concatenated into the statement without validation
    String sql = "select * from " + tableName;

    try {
        // Creates a Statement object; Statement is the JDBC API class used to execute SQL statements and query the database
        Statement statement = this.connection.createStatement();
        Throwable var4 = null;

        try {
            // Execute the SQL query
            ResultSet resultSet = statement.executeQuery(sql);
            Throwable var6 = null;

            // ...
        } // catch
        // ...
    } // catch

    return new String[0];
}
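
The two inputs traced above, `jdbcBean.getUrl()` and `tableName`, both reach the driver without any check. The following is an added example, not code from the challenge or from the original post, of validating them with the JDK only; the class name `JdbcInputGuard`, the host `db.internal.example` and the allowed driver list are assumptions.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example: hypothetical guard class, not part of the challenge source.
public class JdbcInputGuard {
    // Assumption: the databases this service may reach are known in advance.
    static final Set<String> ALLOWED_SCHEMES = Set.of("mysql", "postgresql");
    static final Set<String> ALLOWED_HOSTS = Set.of("db.internal.example");
    // Plain identifiers only: no quotes, spaces, semicolons or parentheses.
    static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    // Accepts only jdbc:<scheme>://<allowed host>[:port]/<db>, without driver options.
    static String checkUrl(String url) {
        if (url == null || !url.startsWith("jdbc:")) throw new IllegalArgumentException("not a JDBC URL");
        URI u = URI.create(url.substring("jdbc:".length()));
        String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
        String host = u.getHost() == null ? "" : u.getHost().toLowerCase(Locale.ROOT);
        if (!ALLOWED_SCHEMES.contains(scheme)) throw new IllegalArgumentException("driver not allowed");
        if (!ALLOWED_HOSTS.contains(host)) throw new IllegalArgumentException("host not allowed");
        if (u.getRawQuery() != null || u.getRawFragment() != null || u.getRawUserInfo() != null)
            throw new IllegalArgumentException("driver options not allowed");
        return url;
    }

    // Builds the query only for a name the server itself listed (e.g. via getTables()).
    static String selectAll(String tableName, Set<String> knownTables) {
        if (tableName == null || !IDENT.matcher(tableName).matches() || !knownTables.contains(tableName))
            throw new IllegalArgumentException("unknown table");
        return "select * from " + tableName;
    }

    public static void main(String[] args) {
        Set<String> tables = Set.of("users", "orders"); // constructed sample data
        String[] urls = {                                // constructed sample inputs
            "jdbc:postgresql://db.internal.example:5432/app",
            "jdbc:sqlite:/tmp/upload.db",
            "jdbc:mysql://db.internal.example/app?someDriverOption=1" };
        for (String url : urls) {
            try { System.out.println("accepted " + checkUrl(url)); }
            catch (IllegalArgumentException e) { System.out.println("rejected " + url + ": " + e.getMessage()); }
        }
        System.out.println(selectAll("users", tables));
        try { selectAll("users where 1=1", tables); }
        catch (IllegalArgumentException e) { System.out.println("rejected table name: " + e.getMessage()); }
    }
}
```

Rejecting the `sqlite` scheme outright is a policy choice made for this sketch; a service that must open SQLite files would instead restrict the path to a server-chosen directory and keep extension loading disabled in the driver configuration.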
