Target site: www.wlyz.net
0x01 Visit the target site and collect basic information
Site footer: Wulian County No. 1 Middle School | Address: 18 Yucai Road, Wulian County, Shandong Province | Tel: 0633-5213084 Fax: 0633-5213084 鲁ICP备05037787号 鲁ICP备09015440号 Tuesday, July 4, 19117 (sic, the site's own date widget) Copyright Wulian No. 1 Middle School website ©WY 2009
0x02 Website fingerprinting ---> whatweb www.wlyz.net
WhatWeb is a website fingerprinting tool that answers the question "what technology is this website built with?". It reports the software a site runs on, including the CMS, blogging platform, JavaScript libraries, web server and embedded devices. WhatWeb has over 900 plugins and can also pick out version numbers, email addresses, account IDs, web frameworks, SQL error messages and more.
http://www.wlyz.net [200 OK] Apache[1.3.28], Country[CHINA][CN], HTTPServer[Windows (32 bit)][Apache/1.3.28 (Win32) PHP/4.3.3], IP[218.56.158.77], PHP[4.3.3], Script[text/javascript], X-Powered-By[PHP/4.3.3]
Everything in that line comes from two response headers: Server: Apache/1.3.28 (Win32) PHP/4.3.3 and X-Powered-By: PHP/4.3.3. Both are 2003 releases and long end-of-life. The X-Powered-By header is an avoidable disclosure (expose_php = Off in php.ini removes it), and ServerTokens Prod trims the Server header to just "Apache".
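To show how a header-based fingerprinter arrives at a line like the one above, here is an added Python example (my own code, not WhatWeb's): a small table of regexes is matched against the Server and X-Powered-By headers and the body, and group 1 of each regex is taken as the version. The HTTP response is constructed inline to mirror the headers reported above; the PLUGINS table and the function names are hypothetical.

```python
from __future__ import annotations
import re

# Constructed raw HTTP response mirroring the headers WhatWeb reported above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 04 Jul 2017 14:22:00 GMT\r\n"
    "Server: Apache/1.3.28 (Win32) PHP/4.3.3\r\n"
    "X-Powered-By: PHP/4.3.3\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><script type="text/javascript" src="/cms/app/js/tree.js"></script>'
    "</head><body>index</body></html>"
)

# Hypothetical plugin table: (technology, header to inspect or None for the body, regex).
# Group 1 of the regex, when it matches, is recorded as the version or marker.
PLUGINS = [
    ("Apache", "server", r"Apache(?:/([\d.]+))?"),
    ("PHP", "server", r"PHP/([\d.]+)"),
    ("PHP", "x-powered-by", r"PHP/([\d.]+)"),
    ("Windows", "server", r"\((Win32|Win64)\)"),
    ("Script", None, r"<script[^>]*type=[\"'](text/javascript)[\"']"),
]


def parse_response(raw: str) -> tuple[int, dict[str, str], str]:
    """Split a raw HTTP response into (status code, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(raw: str) -> dict[str, set[str]]:
    """Return {technology: {versions or markers}} for every plugin that matches."""
    _, headers, body = parse_response(raw)
    found: dict[str, set[str]] = {}
    for name, header, pattern in PLUGINS:
        target = body if header is None else headers.get(header, "")
        m = re.search(pattern, target, re.IGNORECASE)
        if m:
            # Two plugins may report the same product (PHP here); a set dedups the versions.
            found.setdefault(name, set()).add(m.group(1) or "")
    return found


def summary(raw: str) -> str:
    """One-line WhatWeb-style summary: [status] Name[version], Name[version], ..."""
    status, _, _ = parse_response(raw)
    parts = []
    for name, versions in sorted(fingerprint(raw).items()):
        for v in sorted(versions):
            parts.append(f"{name}[{v}]" if v else name)
    return f"[{status}] " + ", ".join(parts)


if __name__ == "__main__":
    print(summary(SAMPLE_RESPONSE))
```

The whole result rests on two headers the server volunteers; with expose_php = Off and ServerTokens Prod the same code would only report "Apache" with no version, which is the point of the hardening.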
0x03 Google hacking
--> site:*.wlyz.net
--> site:*.wlyz.net login
Found: http://www.wlyz.net/phpinfo.php
Absolute path (DOCUMENT_ROOT): e:/k12product/htdocs
Possibly sits on an internal network: SERVER_ADDR 192.168.70.2 (a private address, so the public IP 218.56.158.77 is NATed or proxied to this host)
OS: Windows 2003
Admin backend: http://www.wlyz.net/platform/app/login.php?url=http%3A//www.wlyz.net/platform/
Sensitive: http://www.wlyz.net/derup/page/comment.php/3141
A reachable phpinfo() page hands out the document root, the server's own address, the OS and the full PHP configuration; it has no business on a production host and should be deleted rather than left for search engines to index.
0x04 WHOIS lookup --> whois wlyz.net
WHOIS is a query protocol for looking up the registrant, contact details and name servers of a domain (or the owner of an IP block).
Registrant: dou shuiwei
Organization: wulian middle school of rizhao
Street: yucai road,wulian,rizhao
City: rizhao
Province: Shandong
Phone: +86.6335213084
Email: msf@rz-public.sd.cninfo.net
Name Server: ns19.xincache.com
Name Server: ns20.xincache.com
0x05 nslookup --> nslookup wlyz.net
nslookup wlyz.net
Server:         10.10.10.2
Address:        10.10.10.2#53

Non-authoritative answer:
Name:   wlyz.net
Address: 218.56.158.77

IP geolocation: 218.56.158.77 Rizhao, Shandong, China Unicom // look up the server IP to see whether it matches the information already gathered about the site (here it matches the Rizhao address in the WHOIS record) or whether the site is hosted on a cloud provider.
Check whether the IP can be accessed directly: http://218.56.158.77/cms/index.htm
0x06 nmap --> nmap 218.56.158.77
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-04 22:22 CST
Nmap scan report for 218.56.158.77
Host is up (1.1s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1027/tcp open     IIS
1434/tcp filtered ms-sql-m
3306/tcp open     mysql
3389/tcp open     ms-wbt-server
4444/tcp filtered krb524
4662/tcp filtered edonkey
4899/tcp filtered radmin
6129/tcp filtered unknown
9898/tcp filtered monkeycom

Nmap done: 1 IP address (1 host up) scanned in 61.84 seconds
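Turning the scan above into a decision is the part that matters: of the sixteen listed ports only four are open, and two of those (MySQL and RDP) should never face the internet. The following added Python example (my code, not part of the original write-up) parses nmap's normal output, checks that the "Not shown" count plus the listed ports adds up to the scanned total, and flags open ports against a hypothetical exposure policy. The scan text is a constructed copy of the listing above; the POLICY table is an assumption.

```python
import re

# Constructed input: a copy of the default-port scan shown above.
SCAN = """\
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-04 22:22 CST
Nmap scan report for 218.56.158.77
Host is up (1.1s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1027/tcp open     IIS
1434/tcp filtered ms-sql-m
3306/tcp open     mysql
3389/tcp open     ms-wbt-server
4444/tcp filtered krb524
4662/tcp filtered edonkey
4899/tcp filtered radmin
6129/tcp filtered unknown
9898/tcp filtered monkeycom
Nmap done: 1 IP address (1 host up) scanned in 61.84 seconds
"""

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered|closed\|filtered)\s+(\S+)"
)
NOT_SHOWN = re.compile(r"^Not shown: (\d+) ")

# Hypothetical exposure policy: ports that should never be reachable from the internet
# and the follow-up to ask for. Only 'open' ports count; 'filtered' means a firewall
# dropped the probe, which is the state we want these services in.
POLICY = {
    445:  "SMB reachable; block at the edge",
    1434: "MSSQL browser reachable; block at the edge",
    3306: "MySQL bound to the public interface; bind to 127.0.0.1 or firewall it",
    3389: "RDP reachable from the internet; move behind a VPN, enforce NLA and lockout",
    4899: "Radmin reachable; block at the edge",
}


def parse_ports(text):
    """Return [(port, proto, state, service)] from nmap's normal (non-greppable) output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def scanned_total(text):
    """Sanity check: 'Not shown' plus the listed ports should equal the scanned count (1000 by default)."""
    not_shown = 0
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = int(m.group(1))
    return not_shown + len(parse_ports(text))


def triage(text):
    """Return (open_ports, findings); findings are the open ports that violate POLICY."""
    open_ports = [p for p in parse_ports(text) if p[2] == "open"]
    findings = [(port, service, POLICY[port])
                for port, _, _, service in open_ports if port in POLICY]
    return open_ports, findings


if __name__ == "__main__":
    open_ports, findings = triage(SCAN)
    print("open:", [p[0] for p in open_ports], "scanned:", scanned_total(SCAN))
    for port, service, note in findings:
        print(f"{port}/{service}: {note}")
```

The scanned_total check is worth keeping: if a copied listing has lost lines, the sum no longer hits 1000 and the triage is running on incomplete data.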
rdesktop 218.56.158.77 // connect once and see which operating system the login screen shows
nmap 218.56.158.77 --script=vuln
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-04 22:26 CST
Nmap scan report for 218.56.158.77
Host is up (1.1s latency).
Not shown: 984 closed ports
PORT     STATE    SERVICE
80/tcp   open     http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /phpinfo.php: Possible information file
|   /icons/: Potentially interesting directory w/ listing on 'apache/1.3.28'
|_  /index/: Potentially interesting folder
| http-sql-injection:
|   Possible sqli for queries:
|_    http://218.56.158.77/cms/app/js/(this.open)?webFXTreeConfig%2elMinusIcon%3awebFXTreeConfig%2elPlusIcon%3b=%27%20OR%20sqlspider
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
514/tcp  filtered shell
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1027/tcp open     IIS
1434/tcp filtered ms-sql-m
3306/tcp open     mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
3389/tcp open     ms-wbt-server
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
4444/tcp filtered krb524
4662/tcp filtered edonkey
4899/tcp filtered radmin
6129/tcp filtered unknown
9898/tcp filtered monkeycom

Nmap done: 1 IP address (1 host up) scanned in 394.47 seconds
Two caveats on reading this: http-sql-injection only appends a quote to parameters it spidered and looks for database error strings, so a "possible sqli" on a path under /cms/app/js/ (a JavaScript fragment the spider mistook for a URL) needs manual confirmation before it counts as a finding; and the mysql and ssl script errors mean those checks did not run, not that the services are clean.
0x07 Probing the C-class (/24) range:
1. Scan the /24 with AWVS
2. Probe the /24 with whatweb
Banner grabbing across the range: https://github.com/x0day/bannerscan
0x08 Subdomain brute-forcing:
1. Script-driven wordlist brute-forcing, e.g. the subdomain brute-forcer subDomainsBrute http://www.freebuf.com/sectool/106625.html
2. nmap --script dns-brute www.wlyz.net
Host script results:
| dns-brute:
|   DNS Brute-force hostnames:
|_    www.wlyz.net - 218.56.158.77
3. Online brute-forcing
Found: www.wlyz.net - 218.56.158.77
Found: vod.wlyz.net - 218.56.158.77
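The brute-forcers listed above all do the same thing: prepend each wordlist entry to the domain and keep the names that resolve. The one check they must include is wildcard detection, otherwise a zone with a catch-all A record makes every word "succeed". The following added Python example (my code, not subDomainsBrute's or nmap's) implements the loop with an injectable resolver so it runs offline: FAKE_ZONE, WORDLIST and the 203.0.113.9 wildcard answer are constructed, the live resolve_system helper is an assumption about how one would plug in real DNS, and the two names in the fake zone mirror the results above.

```python
import random
import socket
import string

WORDLIST = ["www", "mail", "vod", "ftp", "admin", "oa"]  # constructed mini wordlist


def resolve_system(name):
    """Live resolver: IPv4 answers for name via the system resolver, [] on NXDOMAIN."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def wildcard_ips(domain, resolve, probes=3):
    """Resolve a few random labels under domain. If every probe resolves, the zone has a
    wildcard record and the returned set holds the IPs it answers with; otherwise empty."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()
        answers.append(set(ips))
    return set.intersection(*answers)


def brute_force(domain, wordlist, resolve=resolve_system):
    """Return {fqdn: [ips]} for wordlist entries that resolve to something other than the wildcard answer."""
    wild = wildcard_ips(domain, resolve)
    found = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        # Skip names whose only answer is the wildcard record: they are not real hosts.
        if ips and not (wild and set(ips) <= wild):
            found[fqdn] = ips
    return found


# Constructed fake zone mirroring the two names found above, so the example runs offline.
FAKE_ZONE = {
    "www.wlyz.net": ["218.56.158.77"],
    "vod.wlyz.net": ["218.56.158.77"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


def fake_resolve_wildcard(name):
    """Same zone plus a wildcard A record answering 203.0.113.9 (TEST-NET-3) for any other label."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".wlyz.net"):
        return ["203.0.113.9"]
    return []


if __name__ == "__main__":
    print("plain zone:   ", brute_force("wlyz.net", WORDLIST, resolve=fake_resolve))
    print("wildcard zone:", brute_force("wlyz.net", WORDLIST, resolve=fake_resolve_wildcard))
```

Point the brute-forcer at the apex (wlyz.net) so candidates are www.wlyz.net, vod.wlyz.net and so on. The wildcard filter has one blind spot worth knowing: a real host that happens to share the wildcard's IP is filtered along with the noise, so when the wildcard set is non-empty, confirm interesting names by another route (virtual-host probing or certificate transparency) rather than DNS alone.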