title: (untitled) | date: 2022-04-13 | categories: Notes | tags: (none)
I was in the middle of a small project when a friend sent over this box with a question, so I worked through it on the side. Personally I feel the way you get the initial foothold on this machine matches real-world engagements quite well (and it makes for a quick post) :)
Host is up (0.093s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh-hostkey:
| 2048 9d:d0:b8:81:55:54:ea:0f:89:b1:10:32:33:6a:a7:8f (RSA)
| 256 1f:2e:67:37:1a:b8:91:1d:5c:31:59:c7:c6:df:14:1d (ECDSA)
|_ 256 30:9e:5d:12:e3:c6:b7:c6:3b:7e:1e:e7:89:7e:83:e4 (ED25519)
80/tcp open http
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Library
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
| http-cookie-flags:
| /:
| PHPSESSID:
| secure flag not set and HTTPS in use
|_ httponly flag not set
|_http-title: Library
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
445/tcp open microsoft-ds
3306/tcp open mysql
5040/tcp open unknown
7680/tcp open pando-pub
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
Host script results:
|_clock-skew: -1h00m00s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-04-12T22:28:53
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 166.32 seconds
There are an arbitrary file inclusion point and a SQL injection point.
Looking at the code more closely, it turns out to be only an arbitrary file read, not a file inclusion; on to the next step.
Brute-forcing second-level directories, combined with the arbitrary file read, settles the approach: forge the paul user.