A walkthrough: from a phpcms 9.6.3 getshell to the internal domain controller
2022-06-26 12:35:00 【『铁躯电芯』】
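Information gathering
First, scan the network segment with nmap to collect host IP addresses:
nmap -sP 192.168.31.0/24
Scan the host for details:
The target appears to be running Windows 7 and has port 80 open.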
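getshell
Since port 80 is open, browse to the website directly:
Result:
A directory scan finds the administrator login page:
Result:
Weak credentials: admin admin12345
There are many write-ups online of the phpcms 9.6.3 back-end getshell vulnerability; this blog post is one reference:
https://blog.csdn.net/weixin_42433470/article/details/112409431
The path I used here is:
Users -> Administrator module -> Add member model
Shell obtained: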
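Gaining access
Connect to the shell with AntSword.
Then bring the host online in CS (Cobalt Strike):
The module used is:
First create a listener:
The attack module used is:
Attacks -> Web Drive-by -> Scripted Web Delivery
Generate:
Copy it into AntSword and run it:
The host then comes online in CS: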
Host reconnaissance with CS
shell systeminfo
Result:
Collected: the domain is god.org
Address present: 192.168.52.143
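Privilege escalation
SYSTEM privileges obtained:
Dumping hashes with CS
Access -> Run Mimikatz
Viewing the domain environment with CS:
net view
Listing the hosts in the domain with CS:
Taking the domain host win2008 with CS
Initial result:
Run a command:
Taking the domain host WindowsServer2003 with CS
Initial result:
Result of running a command:
shell ipconfig to view the IP address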
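Seen from the defender's side, the chain above (commands run through the webshell, then systeminfo, net view and ipconfig) appears as shell processes descending from the web server. The following is an added example, not part of the original post: a lineage check over simplified process-creation records. The record format, the web-server process names and the sample events are constructed assumptions.

```python
import ntpath

# Assumed web-server worker image names; adjust to the stack actually deployed.
WEB_WORKERS = {"httpd.exe", "php-cgi.exe", "nginx.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Recon commands that appear in the write-up.
RECON = ("systeminfo", "net view", "ipconfig")

# Constructed sample events (simplified process-creation records, oldest first).
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "image": r"C:\web\Apache\bin\httpd.exe", "cmdline": "httpd.exe"},
    {"pid": 512, "ppid": 400, "image": r"C:\web\php\php-cgi.exe", "cmdline": "php-cgi.exe"},
    {"pid": 700, "ppid": 512, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell.exe"},
    {"pid": 701, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"pid": 800, "ppid": 701, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C systeminfo"},
    {"pid": 801, "ppid": 701, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C net view"},
    # An administrator at the console: same command, different lineage, no alert.
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 950, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
]

def detect(events):
    """Return (pid, reason) for suspicious descendants of web-server workers."""
    tainted = set()  # PIDs that are, or descend from, a web-server worker
    alerts = []
    for ev in events:
        name = ntpath.basename(ev["image"]).lower()
        from_web = ev["ppid"] in tainted
        if name in WEB_WORKERS or from_web:
            tainted.add(ev["pid"])
        # Workers spawning workers (httpd -> php-cgi) is normal; skip those.
        if not from_web or name in WEB_WORKERS:
            continue
        cmd = ev["cmdline"].lower()
        hits = [r for r in RECON if r in cmd]
        if hits:
            alerts.append((ev["pid"], "recon:" + hits[0]))
        elif name in SHELLS:
            alerts.append((ev["pid"], "shell-from-web"))
    return alerts

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

PID reuse is ignored here; a production rule would key on a process GUID or on (pid, start time) instead of the bare PID.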