2024fulcrum域渗透实战技术.docx

域渗透实战之fuIcrum信息收集端口扫描FUZZ接口目录遍历目录暴力破解端口端口漏洞利用XXe漏洞文件泄露XXe文件读取权限提升SSRF漏洞编写脚本反弹SheIlOshell域渗透网络枚举翻配置文件解密密码隧道搭建1.DAP春询使用原始PowerSheU进行枚举上传POWerVieW工具执行命令获取oot.txt反弹Shell信息收集端口扫描使用nmap进行端口扫描,发现存在大量端口开放1.IDeee.e.62StartingNnap7.92(https:/nMap.org)at223-9-1722:27CSTWarning:1.1.1.62givinguponportbecausertransaissioncaphit(1).Mnupscanreportfor1.1.1.62Hostisup(.slatency).Notshown:57532filteredtcpports(no>response),7998closedtcpports(reset)PORTSTATESERVICEVtcpopenunknown22/tcpopnssh8tcpopenhttp88/tcpopnkrberossec9999/tcpopenabyssNmapdone:1IPaddress(1hostup)scannedin89.71seconds接着去查看其版本和对应的服务TMP.22.M,a,WW.4231.1.1.2Startinf77.W(ht5：(WPQrg)at2239-1722:29CSTWmpscanreportfor1.1.1.62Not1up(.51slatency).msmsemimy0WtcpopRhttpa!fin1.1.(Ubuntu)I.ttp-rvrMter:nfil.l.(Utantu)Siltdow*'tMvatitl(ttWtl;charttU11*).2ilcpth0Bn½N."1UbUnQU¼ttftu.2(UtatM1.ima;prtcl2.)Ih*Mt*v:IM72(tU)I2566:“:“:S：g：cli3：7c:”；S：lc:M(CA>1.256lB:c4:9d:M:«6：n：4t:M:M：n：*f:U：4e：Sl：M：f»(C551)MAs0P<MtpItflfti1.1.(Ubuntu)IJinAWEr-IWMtor:nfinl.ll.(Ubuntu)htt>-titl:Inputstrifaasnotlaacometfcml.Itt-wthods:1.PotentullyriskymtMs:TMeESiACPopenhttpAflfUt.l.(Ubuntu)IJIUAMfver-e*f:RgiMl.t.(Ubuntu)IMSrotots.3:1SUUOWdEnf9999U99f>MtpRflfii1.1.(Ubuntu)I.MtMrvr-hdr:n<iMl.i,(Utuntu)IEltriagMincorrvctf11Mt.IM<9*mtM>:1. RKRtUUyriskyaHod*:TMCIM42)tc>otftMtFMlMlE1.1.(Ubwntu)1 .H<hMrvr*Mdr:NUna-AFIXtiSitedoc*tMwtitle(applIsuWjion;UurseCFOSrvlcIM:OS：Umoi;CPf:cpe:/:IWum:Im0.kmlServicedetectionprfwwd.P3xreportanyberrctrltsathttps:/nMp.ort/Mbait/.Mmpdone:1IPMME$(1hostup)sewedin71.75secondsFUZZ接口使用WfUZZ对其Url路径后的参数进行枚举“Mtt：Zie.>.>.2:VBMM*rFUUj"'ii3A-fg<7deiH.fIMI/HCMCeWFrHRttCMlMCM1*RM<l.BtfMFMTt<rr*CtVHttt«.cf>'r<rawwRf1wid”>.l.-TWVM，WT4ret;Xltt.M.M-Uti三e9BM9Mtr«AtfZr<tEW7tBtteMUiMtwrCWrt目录遍历使用工具进行目录枚举未发现有用的目录froatHtrr:1.1.1.62:'Php.l_l_)l_)Il_IIIXn'pi*irZIII一J八Il，_wr：2.7.TarturlZThrwdi“Ehst StatusCodes Tiatout(mc«) I<-f11t,Con<iFilErtnsions HTTPaetoe urionDepth«(«wniof*AvailableMtpzl.l.l.62rursarvwcl1sti/OiscovtrytoWo>*t*mra<t-wdu-4rvctoristitZW.；*431,J2.W7.JM1froabustr2.7.Uftrocbutrfr<M-confit.tBlp<(«TJhttpszfitfM.C(He9i52froatasttrrlaatstFressEM11tousthe5<mwt*w*te11 cIltW:1.l.l.=""lMd.php chttpzl.l.l.ft2btt.pN) cMte:t.l.l.9"Mx.phpM3UMlfounds:294N7VMMU/lhtt9tl.l.l.62t42tt46MM11/»httpl.l.l.tti¼/接着去看服务访问端口为4的口面O8IaIoIgaaUnderMaintancePfa*ywo目录暴力破解然后继续对其进行爆破发现存在homephp.ioiotae?4.FulcrumFileUpload然后尝试进行上传,发现没法上传成功Srrytheeuploadfailed88端口访问88端口发现存在PhPadmin登录界面IOlOlOeptMWelcometoPhPMyAdEin尝试弱口令登录,没有成功56423端口使用CUrl进行测试发现有何显curlhttp:/ie.10.ie.62:56423Heartbeat*：*Pinge:*Pong*1*hokali，curlPOSThttp:/ie.ie.ie.62:56423Heartbeat":Ping:"Pong*漏洞利用XXe漏洞接着使用burp然后抓包GW11F1IMMtMMISMWMeMWRMAUS,3UMiM.M.”M>.)efaMlMlM，IWnnoM<，sGtal.p%AcMP4laal.lMtflal,flp<9.MMa0Rrfmbvmp./,r，k«1UnVh三f6TB.n,3c<9tRce4ufBA>.”laHComettienclwCt三<eUe*3mwl9Wn.pae.<llMMR.<NWtM*utfM<.ru4.<aUp¾m<Mr.aefBICeHU1.三RtBhM发现其存在XXe漏洞«T/MTTF1WtIeltIegm*11uwM三AeWtIS<KU.1.41w.J.rwW>tocUnailM>*cc«HtwfMl.wlmowMl三l,MfiTaaiiMiavit.4MBMi9./3Acc<H>U三nv三v6g.6a，<««HIMKeAnt<B>CemectMR<leClnMaCMiIM*C>Mt,ClltM¾C4RnctM*WwttaM.U<lStr>三-IrMtUO-tae<1C三m三W-i4HfthM<三rtwt>mvwXF>'OOCTVf<r»t(*11BQnw三aMS1UVaJJI111MXMW三nMMMOtY<HYftWlMtUR11WV<M*三tW4C三moctM11<l«MtervrM<r>三X*Hiwtw1* tet¾n.Ul1MnMM«emCftRtCRtTy999HutAR)M.ce*wetf- CeveitA4R<lw XEZc26BH6CawteRtV4R9KU文件泄露然后使用XXe进行加载.dtd文件来读取文件k*wXXe文件读取开后http服务八XVnrvrMSefRrtWMS"/，".明一；%e.K.3-(iat¼M2J<Mt9,MMtNWt<MN-iawmt，：x：，l(11九el*ae.ie.3【皿nnc»<»<”】田ow:,ti3(awwc三r*.m4>n.rmj.m.i.j-1nnr.t.-t，Smzz二；二nrr-,；»：-一=：血SWMhfJ<erm1u¼H4d0<rer<l<MWmMCIUmH匕lwCFU3"W3G三t"MwBlim-THrm413ZCMMmOi1E*mt/1nrrc>T13AMUMMCvM>叱，VWUIZtc9lFnmte7lrcxrm<½6um<MMtoMcMM44cHfc<fvOcC4UJciSSlqUG*nj0MMTPWOjtMOPtFqgml.E34cr*XUfWT.MbSIdMMJH2rcC*CZUU3”Cm*>sl.HIKn】OMcteMC