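The 30-second response delay configured on this target machine is truly soul-crushing. Seriously, after every single action you can go play on your phone for ages.
Reconnaissance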
nmap
nmap -sS -p 1-65535 10.10.10.11
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 15:31 CST
Nmap scan report for 10.10.10.11
Host is up (0.28s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
8500/tcp open fmtp
49154/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 589.45 seconds
Port 8500 is open,
so we can try connecting to it with nc:
nc 10.10.10.11 8500
After waiting thirty seconds, a response comes back:
HTTP/1.0 200 OK
Date: Thu, 14 May 2020 18:48:18 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Server: JRun Web Server
<html>
<head>
<title>Index of /</title></head><body bgcolor="#ffffff">
<h1>Index of /</h1><br><hr><pre><a href="CFIDE/">CFIDE/</a> <i>dir</i> 03/22/17 08:52 μμ
<a href="cfdocs/">cfdocs/</a> <i>dir</i> 03/22/17 08:55 μμ
</pre><hr></html>
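The same signals read from the defender's side: this is an added example, not part of the original post, that audits a captured response from your own server for the banner, the directory listing and the listed ColdFusion directories seen above. The names audit_response, ListingParser and SENSITIVE_DIRS are assumptions of this example, and the sample response is constructed from the output above.

```python
from html.parser import HTMLParser

# Constructed sample: the response shown above, trimmed to the relevant parts.
SAMPLE = (
    "HTTP/1.0 200 OK\r\nConnection: close\r\nServer: JRun Web Server\r\n\r\n"
    '<html><head><title>Index of /</title></head><body><h1>Index of /</h1>'
    '<pre><a href="CFIDE/">CFIDE/</a> <i>dir</i>\n'
    '<a href="cfdocs/">cfdocs/</a> <i>dir</i>\n</pre></html>'
)
# Assumption: names this check treats as ColdFusion content that should not be listed.
SENSITIVE_DIRS = {"cfide", "cfdocs"}

class ListingParser(HTMLParser):
    """Collects the <title> text and every <a href> of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        self._in_title = tag == "title"
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_response(raw):
    """Return (finding, detail) pairs for one raw HTTP response."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    if headers.get("server"):
        findings.append(("server-banner", headers["server"]))
    parser = ListingParser()
    parser.feed(body)
    if parser.title.strip().lower().startswith("index of"):
        findings.append(("directory-listing", parser.title.strip()))
        for href in parser.links:
            if href.strip("/").lower() in SENSITIVE_DIRS:
                findings.append(("exposed-dir", href))
    return findings
```

An empty result means none of the three signals is present; each finding maps to one hardening step (suppress the Server header, disable directory browsing, restrict access to the listed directories).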
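Opening the same port in a web browser shows that the directories can be browsed. The CFIDE and cfdocs folders confirm that this is Adobe's ColdFusion, and browsing into /CFIDE/administrator shows it is version 8 (cfm8), so let's search for known vulnerabilities: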
searchsploit coldfusion 8
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit) | multiple/remote/16985.rb
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbit