渗透测试靶机实战---系统篇07 （中危漏洞）

（续）渗透测试靶机实战---系统篇06

---

上篇最后一个是中危漏洞，从这篇开始主要是针对中危漏洞的一些渗透：

1. awiki Multiple Local File Include Vulnerabilities

 

---

2.Check if Mailserver answer to VRFY and EXPN requests

msf5 auxiliary(scanner/http/ssl_version) > search VRFY

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum                   normal  Yes    SMTP User Enumeration Utility


msf5 auxiliary(scanner/http/ssl_version) >  use auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS                                                                    yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port (TCP)
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf5 auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.10.149
RHOSTS => 192.168.10.149
msf5 auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS     192.168.10.149                                                 yes       The target address range or CIDR identifier
   RPORT      25                                                             yes       The target port (TCP)
   THREADS    1                                                              yes       The number of concurrent threads
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf5 auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.10.149:25     - 192.168.10.149:25 Banner: 220 metasploitable.localdomain ESMTP Postfix (Ubuntu)
[+] 192.168.10.149:25     - 192.168.10.149:25 Users found: , backup, bin, daemon, distccd, ftp, games, gnats, irc, libuuid, list, lp, mail, man, news, nobody, postgres, postmaster, proxy, service, sshd, sync, sys, syslog, user, uucp, www-data
[*] 192.168.10.149:25     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

上面UserFound可以看到系统里面有哪些用户。