西域大都护府 第四期cfs靶场 渗透记录
官方wp: https://mp.weixin.qq.com/s/SGiEnT28JyAuWK9DC4T4-w
内网拓扑图
感谢西域大都护府提供这么好的cfs靶场
1.DEDECMS
首先是dedecms,会员功能被关闭了,那个前台的登陆口没法用
ps.dedecms一些漏洞
文件上传的payload:https://zhzhdoai.github.io/2019/07/28/Dedecms%E5%90%8E%E5%8F%B0getshell%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88/
后台getshell:
https://zhzhdoai.github.io/2019/03/05/%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1-DedeCMS%E5%90%8E%E5%8F%B0getshell/
爆破后台目录(这个我试了木有成功):
https://mochazz.github.io/2018/02/26/DEDECMS%E6%89%BE%E5%90%8E%E5%8F%B0%E7%9B%AE%E5%BD%95%E6%8A%80%E5%B7%A7/
随便摸了摸还是准备先扫描网站目录
dirsearch用自己的字典扫了一下
python dirsearch.py -e php -s 1 -w worlist.dic -u http://xxx/
-s 是延迟访问
访问robots.txt
User-agent: *
Disallow: /ffffffffllllllllllaaaaaaaagggggg22222222222.txt
Disallow: /plus/ad_js.php
Disallow: /plus/advancedsearch.php
Disallow: /plus/car.php
Disallow: /plus/carbuyaction.php
Disallow: /plus/shops_buyaction.php
Disallow: /plus/erraddsave.php
Disallow: /plus/posttocar.php
Disallow: /plus/disdls.php
Disallow: /plus/feedback_js.php
Disallow: /plus/mytag_js.php
Disallow: /plus/rss.php
Disallow: /plus/search.php
Disallow: /plus/recommend.php
Disallow: /plus/stow.php
Disallow: /plus/count.php
Disallow: /include
Disallow: /templets
访问 /ffffffffllllllllllaaaaaaaagggggg22222222222.txt,得到flag2