2026-04-01

6Days Lab: 1.1

项目地址：https://download.vulnhub.com/6daylab/6Days_Lab-v1.0.1.ova

是一个打包好的镜像文件

注意：导入 vmx 时一定要选择我已移动，否则没网

使用 Nmap 扫描出开放服务及操作系统版本

任意文件读取

src

开局一个输入框，测了半天啥也没有

查看网页源代码发现可以的图像地址

解码发现居然是走的 HTTP 协议请求外部地址

抓包修改参数发现存在任意文件读取

读取到两个用户

1 2	user:x:1000:1000:,,,:/home/user:/bin/bash andrea:x:1001:1001:,,,:/home/andrea:/bin/andrea

前面 NMap 扫描出 80 是 Apache 服务，读取 Apache 的默认配置文件，以便发现其他 Web 服务或配置信息

从配置文件中发现，该服务器在 8080 端口还运行着另一个网站服务，但该端口在防火墙层面被 filtered（由 nmap 扫描结果可知），无法从外部直接访问

<VirtualHost *:8080>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

读取网站源码 /var/www/index.php

<html>
<head>
<title>Rashomon IPS - Main Page</title>
</head>
<body>
<h2>Rashomon Intrusion Prevention System</h2>
<h3>Become immune to every attack!</h3>
Today we're announcing our brand new product, Rashomon IPS! <br />
It's capable of blocking any <b>sophisticated cyber attack</b> which <u>can harm your precious customers.</u> (you don't want THAT to happen, do you?) <br />
<img src="http://<? echo passthru("/sbin/ifconfig | /bin/grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | /bin/grep -Eo '([0-9]*\.){3}[0-9]*' | /bin/grep -v '127.0.0.1' | /usr/bin/tr -d '\n'"); ?>/image.php?src=https%3A%2f%2f4.bp.blogspot.com%2f-u8Jo4CEKQLk%2fV4OpiaoMJ7I%2fAAAAAAAAAiw%2f8kuCpTOpRWUAdp2p4GpegWdnOwxjwHNYQCLcB%2fs1600%2fphoto.jpg" /> <br />
(This guy is coming after your website!) <br />
<br />
Don't waste your time and money by hiring <font color="#ff00cc">pentesters</font> and doing real security audits. <br />
This is the best way to secure your organization and you can completely rely on it, and only it! <br />
<br />
IT'S SO SECURE WE EVEN USE IT ON OUR WEBSITE. <br />
<br />
So be quick and get a <u>%15 discount</u> on our newest product using the promocode <b>NONEEDFORPENTEST</b>. (discount will be available until yesterday)<br />
<br />
<form name="promo" method="GET" action="checkpromo.php">
Apply your promo code here: <input type="text" name="promocode">
<input type="submit" value="Apply Promo">
</form>
</body>
</html>
<?php

?>

从上面发现有个 checkpromo.php 文件，继续读取

一眼存在 SQL 注入漏洞

<?php
include 'config.php';

$conn = mysql_connect($servername, $username, $password);

if (!$conn) {
	die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT discount, status FROM promocodes WHERE promocode='".$_GET['promocode']."';";

mysql_select_db($dbname);
$result = mysql_query($sql, $conn);

if (!$result) {
	echo "Promocode not valid!";
} else {
	while($row = mysql_fetch_array($result, MYSQL_ASSOC))
	{
		if($row['status'] == 0)
			echo "Code expired!";
		else
			echo "You have %".$row['discount']." discount!";
	}
}

mysql_close($conn);
?>