vulnhub DC:1 - Capturing the Flags

Author: 我爱佳运园
Board: Embedded Operating Systems, linux
Posted: 2020-3-19 06:23:51
重生信息安全 Author: kepler404
Download: http://download.vulnhub.com/dc/DC-1.zip

nmap -A -T4 10.10.10.132 --script=vuln
Nmap scan report for 10.10.10.132
Host is up (0.00034s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp  open  http    Apache httpd 2.2.22 ((Debian))
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.132
|   Found the following possible CSRF vulnerabilities:
|
|     Path: http://10.10.10.132:80/
|     Form id: user-login-form
|     Form action: /node?destination=node
|
|     Path: http://10.10.10.132:80/user/register
|     Form id: user-register-form
|     Form action: /user/register
|
|     Path: http://10.10.10.132:80/node?destination=node
|     Form id: user-login-form
|     Form action: /node?destination=node
|
|     Path: http://10.10.10.132:80/user/password
|     Form id: user-pass
|     Form action: /user/password
|
|     Path: http://10.10.10.132:80/user
|     Form id: user-login
|     Form action: /user
|
|     Path: http://10.10.10.132:80/user/
|     Form id: user-login
|_    Form action: /user/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
|   /rss.xml: RSS or Atom feed
|   /robots.txt: Robots file
|   /UPGRADE.txt: Drupal file
|   /INSTALL.txt: Drupal file
|   /INSTALL.mysql.txt: Drupal file
|   /INSTALL.pgsql.txt: Drupal file
|   /: Drupal version 7
|   /README: Interesting, a readme.
|   /README.txt: Interesting, a readme.
|   /0/: Potentially interesting folder
|_  /user/: Potentially interesting folder
|_http-server-header: Apache/2.2.22 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-vuln-cve2014-3704:
|   VULNERABLE:
|   Drupal - pre Auth SQL Injection Vulnerability
|     State: VULNERABLE (Exploitable)
|     IDs: CVE:CVE-2014-3704
|       The expandArguments function in the database abstraction API in
|       Drupal core 7.x before 7.32 does not properly construct prepared
|       statements, which allows remote attackers to conduct SQL injection
|       attacks via an array containing crafted keys.
|
|     Disclosure date: 2014-10-15
|     References:
|       http://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html
|       http://www.securityfocus.com/bid/70595
|       http://www.drupal.org/SA-CORE-2014-005
|_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3704
111/tcp open  rpcbind 2-4 (RPC #100000)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4       111/tcp   rpcbind
|   100000  2,3,4       111/udp   rpcbind
|   100000  3,4         111/tcp6  rpcbind
|   100000  3,4         111/udp6  rpcbind
|   100024  1         36912/udp   status
|   100024  1         37215/tcp6  status
|   100024  1         52947/udp6  status
|_  100024  1         54937/tcp   status
MAC Address: 00:0C:29:3D:43:A8 (VMware)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 10.10.10.132

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 530.45 seconds

The scan results show that CVE-2014-3704 is present.
Search for it with searchsploit; the -m option saves the exploit to the current directory.


Next, search for it in msf.




Exploit the vulnerability to get a shell.


Switch to a shell
cat flag1.txt
Every good CMS needs a config file - and so do you.
Found flag1.
Look for the Drupal configuration file.
By default, the Drupal database configuration file is at
/sites/default/settings.php

Found flag2.

cat settings.php
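
From the defender's side of the CVE-2014-3704 finding in the scan output above ("an array containing crafted keys"), the following added example, which is not part of the original post, flags POST bodies in which an array parameter key is not a plain index or identifier. The request records, source addresses, form_id values and function names are constructed for illustration; the form paths are the ones listed in the scan output.

```python
import re
from urllib.parse import parse_qsl

# A legitimate Drupal array field looks like name[0] or field_tags[und][0]:
# every bracketed key is a plain index or identifier (or empty).
WELL_FORMED = re.compile(r"[A-Za-z0-9_.-]+(\[[A-Za-z0-9_-]*\])*")

def suspicious_params(body):
    """Return decoded parameter names that use brackets but whose keys
    contain anything other than index/identifier characters."""
    return [name
            for name, _value in parse_qsl(body, keep_blank_values=True)
            if "[" in name and not WELL_FORMED.fullmatch(name)]

def scan(requests):
    """requests: iterable of (src_ip, method, path, urlencoded_body)."""
    alerts = []
    for src, method, path, body in requests:
        bad = suspicious_params(body)
        if method == "POST" and bad:
            alerts.append({"src": src, "path": path, "params": bad})
    return alerts

# Constructed sample traffic (not captured from the target in this post).
SAMPLE_REQUESTS = [
    ("192.0.2.10", "POST", "/node?destination=node",
     "name=alice&pass=secret&form_id=user_login_block"),
    ("192.0.2.11", "POST", "/user/register",
     "mail=a%40example.org&field_tags[und][0]=x&form_id=user_register_form"),
    # Array key carrying spaces and a statement separator instead of an index.
    ("192.0.2.66", "POST", "/node?destination=node",
     "name[0%20%3B%20CONSTRUCTED-SQL-PLACEHOLDER%20--%20]=x&name[0]=y"
     "&pass=z&form_id=user_login_block"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

A check like this complements, and does not replace, updating Drupal core to 7.32 or later, the version boundary given in the scan output.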
