PWNOS: 2.0 (PRE-RELEASE)

https://www.vulnhub.com/entry/pwnos-20-pre-release,34/

Host discovery

# yunki @ yunki in ~ [9:45:32]
$ nmap -sn 192.168.54.0/24
Nmap scan report for 192.168.54.7
Host is up (0.00029s latency).

Port scan

# yunki @ yunki in ~ [9:48:40]
$ sudo nmap --min-rate 10000 -p- 192.168.54.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 09:49 CST
Nmap scan report for 192.168.54.7
Host is up (0.00099s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.97 seconds

TCP scan

# yunki @ yunki in ~ [9:49:35]
$ sudo nmap -sT -sV -p22,80 192.168.54.7
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.2.17 ((Ubuntu))
MAC Address: 00:0C:29:65:84:D7 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

UDP scan

# yunki @ yunki in ~ [9:50:22]
$ sudo nmap -sU -O -p22,80 192.168.54.7
PORT   STATE  SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Script scan

# yunki @ yunki in ~ [9:50:22]
$ sudo nmap -sU -O -p22,80 192.168.54.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-14 09:51 CST
Nmap scan report for 192.168.54.7
Host is up (0.00076s latency).
PORT   STATE  SERVICE
22/udp closed ssh
80/udp closed http
MAC Address: 00:0C:29:65:84:D7 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds

# yunki @ yunki in ~ [9:51:14]
$ sudo nmap --script=vuln -p22,80 192.168.54.7
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       httponly flag not set
|   /login.php:
|     PHPSESSID:
|       httponly flag not set
|   /login/:
|     PHPSESSID:
|       httponly flag not set
|   /index/:
|     PHPSESSID:
|       httponly flag not set
|   /register/:
|     PHPSESSID:
|_      httponly flag not set
| http-enum:
|   /blog/: Blog
|   /login.php: Possible admin folder
|   /login/: Login page
|   /info.php: Possible information file
|   /icons/: Potentially interesting folder w/ directory listing
|   /includes/: Potentially interesting directory w/ listing on 'apache/2.2.17 (ubuntu)'
|   /index/: Potentially interesting folder
|   /info/: Potentially interesting folder
|_  /register/: Potentially interesting folder
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.54.7
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://192.168.54.7:80/login.php
|     Form id:
|     Form action: login.php
|
|     Path: http://192.168.54.7:80/register.php
|     Form id:
|_    Form action: register.php
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
MAC Address: 00:0C:29:65:84:D7 (VMware)
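The two findings the vuln scripts report above (PHPSESSID set without the HttpOnly flag, and login/register forms with no anti-CSRF token) are the kind of thing a defender wants to verify before and after a fix. The following audit script is an added example and is not part of the original writeup; it reproduces the checks that Nmap's http-cookie-flags and http-csrf scripts perform, over a constructed HTTP response (SAMPLE_RESPONSE, modelled on the scan output, not captured from the target), and also checks the Secure and SameSite attributes, which the scan did not report on.

```python
"""Audit an HTTP response for session cookies missing hardening flags and for
HTML forms that carry no hidden anti-CSRF token.  Added example, not code from
the original writeup; the response below is constructed, not captured."""
import re

# Constructed sample response modelled on what the scan reported for /login.php.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.17 (Ubuntu)
Set-Cookie: PHPSESSID=abc123; path=/
Set-Cookie: theme=dark; path=/; HttpOnly; Secure; SameSite=Lax
Content-Type: text/html

<html><body>
<form id="" action="login.php" method="post">
  <input name="email"><input name="pass" type="password">
</form>
<form action="logout.php" method="post">
  <input type="hidden" name="csrf_token" value="deadbeef">
</form>
</body></html>
"""

# Attributes every session cookie should carry.
COOKIE_FLAGS = ("httponly", "secure", "samesite")
# Hidden-input names that we accept as an anti-CSRF token (heuristic, like the Nmap script).
TOKEN_NAME_RE = re.compile(r"(csrf|xsrf|token|nonce)", re.I)

FORM_RE = re.compile(r"<form\b[^>]*>(.*?)</form>", re.I | re.S)
ACTION_RE = re.compile(r'action\s*=\s*["\']([^"\']*)["\']', re.I)
HIDDEN_RE = re.compile(r'<input\b[^>]*type\s*=\s*["\']hidden["\'][^>]*>', re.I)
NAME_RE = re.compile(r'name\s*=\s*["\']([^"\']*)["\']', re.I)


def split_response(raw):
    """Split a raw response into (status line, header text, body)."""
    head, _, body = raw.partition("\n\n")
    status_line, _, header_text = head.partition("\n")
    return status_line, header_text, body


def parse_headers(header_text):
    """Return a list of (name, value) tuples; repeated names (Set-Cookie) are kept."""
    headers = []
    for line in header_text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def check_cookie_flags(headers):
    """Map each cookie name to the list of hardening attributes it lacks."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in COOKIE_FLAGS if flag not in attrs]
        if missing:
            findings[cookie_name] = missing
    return findings


def check_forms_for_csrf_token(body):
    """Return the action of every form that has no hidden token-like input."""
    unprotected = []
    for match in FORM_RE.finditer(body):
        open_tag = body[match.start():match.start(1)]
        action_m = ACTION_RE.search(open_tag)
        action = action_m.group(1) if action_m else "(none)"
        has_token = any(
            (nm := NAME_RE.search(hidden.group(0))) and TOKEN_NAME_RE.search(nm.group(1))
            for hidden in HIDDEN_RE.finditer(match.group(1))
        )
        if not has_token:
            unprotected.append(action)
    return unprotected


def audit(raw):
    """Run both checks over one raw HTTP response."""
    _, header_text, body = split_response(raw)
    return {
        "cookies": check_cookie_flags(parse_headers(header_text)),
        "forms": check_forms_for_csrf_token(body),
    }


if __name__ == "__main__":
    for kind, result in audit(SAMPLE_RESPONSE).items():
        print(f"{kind}: {result}")
```

On the sample response the audit reports PHPSESSID as missing all three attributes and login.php as the one form without a token, matching the scan's findings. For a PHP application, the cookie side of this is fixed centrally in php.ini (`session.cookie_httponly = 1`, `session.cookie_secure = 1`, and on PHP 7.3 or later `session.cookie_samesite`), after which re-running the audit against a fresh response should return an empty cookie map.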

Web penetration


Try SQL injection on the login form


It was blocked.

# yunki @ yunki in ~ [9:56:57]
$ dirb http://192.168.54.7

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Mar 14 09:57:06 2023
URL_BASE: http://192.168.54.7/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.54.7/ ----
+ http://192.168.54.7/activate (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/
+ http://192.168.54.7/cgi-bin/ (CODE:403|SIZE:288)
==> DIRECTORY: http://192.168.54.7/includes/
+ http://192.168.54.7/index (CODE:200|SIZE:854)
+ http://192.168.54.7/index.php (CODE:200|SIZE:854)
+ http://192.168.54.7/info (CODE:200|SIZE:50179)
+ http://192.168.54.7/info.php (CODE:200|SIZE:50048)
+ http://192.168.54.7/login (CODE:200|SIZE:1174)
+ http://192.168.54.7/register (CODE:200|SIZE:1562)
+ http://192.168.54.7/server-status (CODE:403|SIZE:293)

---- Entering directory: http://192.168.54.7/blog/ ----
+ http://192.168.54.7/blog/add (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/atom (CODE:200|SIZE:1062)
+ http://192.168.54.7/blog/categories (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/comments (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/config/
+ http://192.168.54.7/blog/contact (CODE:200|SIZE:5922)
==> DIRECTORY: http://192.168.54.7/blog/content/
+ http://192.168.54.7/blog/delete (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/docs/
==> DIRECTORY: http://192.168.54.7/blog/flash/
==> DIRECTORY: http://192.168.54.7/blog/images/
+ http://192.168.54.7/blog/index (CODE:200|SIZE:8094)
+ http://192.168.54.7/blog/index.php (CODE:200|SIZE:8094)
+ http://192.168.54.7/blog/info (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/info.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.54.7/blog/interface/
==> DIRECTORY: http://192.168.54.7/blog/languages/
+ http://192.168.54.7/blog/login (CODE:200|SIZE:5671)
+ http://192.168.54.7/blog/logout (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/options (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/rdf (CODE:200|SIZE:1411)
+ http://192.168.54.7/blog/rss (CODE:200|SIZE:1237)
==> DIRECTORY: http://192.168.54.7/blog/scripts/
+ http://192.168.54.7/blog/search (CODE:200|SIZE:4955)
+ http://192.168.54.7/blog/setup (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/static (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/stats (CODE:200|SIZE:5313)
==> DIRECTORY: http://192.168.54.7/blog/themes/
+ http://192.168.54.7/blog/trackback (CODE:302|SIZE:0)
+ http://192.168.54.7/blog/upgrade (CODE:302|SIZE:0)

The scan found a blog directory, so take a look at http://192.168.54.7/blog.
Whenever you see a blog or similar interface, the first thought is to identify the CMS, so view the page source and find:
Search for it with searchsploit:

# yunki @ yunki in ~ [10:04:02]
$ searchsploit simple php blog 0.4.0
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                       |  Path
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Simple PHP Blog 0.4.0 - Multiple Remote s                                                                            | php/webapps/1191.pl
Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)                                                        | php/webapps/16883.rb
--------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

# yunki @ yunki in ~/vulnhub [10:05:46]
$ searchsploit -m 1191
  Exploit: Simple PHP Blog 0.4.0 - Multiple Remote s
      URL: https://www.exploit-db.com/exploits/1191
     Path: /usr/share/exploitdb/exploits/php/webapps/1191.pl
File Type: Perl script text executable

After reading the 1191 script, give it a try: create a new user.

┌──(root
