信息收集
| IP Address | Opening Ports |
|---|---|
| 10.10.11.28 | TCP:22,80 |
$ nmap -p- 10.10.11.28 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Wonder-CMS && XSS-RCE
$ feroxbuster --url http://10.10.11.28/
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图1](https://img.4awl.net/img/5b/eea8c2c966267c12a752d72229eed6.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图1")
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图2](https://img.4awl.net/img/ad/9e9525df35eda250477dccc5893d12.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图2")
https://github.com/prodigiousMind/CVE-2023-41425
http://10.10.11.28/contact.php
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图3](https://img.4awl.net/img/1a/e3270d20bb56479c4e5e4d904ff2a8.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图3")
复制xss载荷到字段website发送
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图4](https://img.4awl.net/img/f9/7c18f9a0c2f46216337fd5289f5b41.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图4")
获取反向shell后在/var/www/sea/data/database.js 存在hash
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图5](https://img.4awl.net/img/a1/6f87d0cadf460d1a31d6e5b56fbf38.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图5")
$ john –wordlist=/usr/share/wordlists/rockyou.txt hash
john破解后密码是:mychemicalromance
User.txt
5b1f824a93b0ea7e012b0a84fdbac2cc
权限提升 - System Monitor 命令注入
amay@sea:~$ netstat -lnput
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图6](https://img.4awl.net/img/bb/ef4719a2a3cca64e735ac1c4e3dab2.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图6")
$ ssh -L 8888:127.0.0.1:8080 [email protected]
http://127.0.0.1:8888
输入amay账户密码后进入
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图7](https://img.4awl.net/img/10/ea7afa6232db4efcdca80659dc3cb9.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图7")
把命令chmod u+s /bin/bash进行url编码并且对字段log_file命令注入
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图8](https://img.4awl.net/img/b7/8e2600ac1e6cb1804c417c718cde1b.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图8")
amay@sea:~$ /bin/bash -p
提升至root权限特权模式
![[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图9](https://img.4awl.net/img/8e/94931c60b24ef99f4ec3cab6db2c86.jpg "[Meachines] [Easy] Sea WonderCMS-XSS-RCE+System Mo…插图9")
Root.txt
4c0c7c21e39e202983ecab6d8c15f493
4A评测 - 免责申明
本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。
不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。
本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。
如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!
程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。
侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)
