File upload vulnerability: Durian lab practice (pentest day 13)

I. Lab preparation

Download: http://www.vulnhub.com/entry/durian-1,553/

Change the imported VM's network adapter mode so that the target lands on the same subnet as the Kali attacker box.

II. Walkthrough

1. Discover live hosts from Kali; the target answers at 192.168.174.138

netdiscover -r 192.168.174.0/24

2. Port-scan 192.168.174.138 from Kali. Four TCP ports are open: 22 (OpenSSH 7.9p1), 7080 (LiteSpeed over TLS, which redirects to /login.php and reports PHP/5.6.36), 8000 (nginx 1.14.2) and 8088 (LiteSpeed). Port 7080 is the admin console (backend), 8088 is the public site (frontend), and 8000 is nginx reverse-proxying 8088 (nmap's "Proxy might be redirecting requests" and the identical "Durian" title on both ports point the same way). The service names "ssl/empowerid" and "radan-http" are only nmap's port-table guesses, not real services; the Server header is what identifies LiteSpeed.

nmap -sC -sV -p- 192.168.174.138 -n -vv --min-rate=2000

PORT     STATE SERVICE       REASON         VERSION
22/tcp   open  ssh           syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcIoZ27ulKq07HoP1IAw+p+ngZIw9E1wu2RSr/iVSr8jF8avZE4uJPET1cjydV6nBG5RPzhakghCPmAAukzctDBhPn5bMgWPMCVOv5DisAIldp6H44iQJWYsAAMxbgurBxfwLVVIeL2xyCxwK70G59QtOjCCLPIcoXo2MtNn2IC5rgLYY2UgL0SeNfblLkKKMscxAQgKZ6dh63aFT+j6Y0WHxn+N5uaySNG7CPxamddeKHNwoSdC1FZuMfAPRGGqDfH4OHAtu5/zYDWgP/BLheBalHR/TP8KYC1hDhbI+5fLCykSTT7Q8qXI9XtqfYnYoGwF5XqQX0ljw1ue9zKPhF
|   256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCIIPNvjo5nfOTzx/1iidyta9PBBg5UviiyhuMPxZq06KZccaHk2JobdXSYzKAWlUGYDBOncFRTErBSvkRWkt0=
|   256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJACpKE5LO4W2cn4Y54RR9yUu93wV+fFR7CPMBLBT3AG
7080/tcp open  ssl/empowerid syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=d3b620b64038c4a2f4954c993ee0eea1; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 01:20:55 GMT
|     server: LiteSpeed
|     alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=9f3792960e7814d08da02910250cf89b; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 01:20:55 GMT
|     server: LiteSpeed
|_    alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|_http-favicon: Unknown favicon MD5: AF89068FFB9883F7D99BB25F75687AC7
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://192.168.174.138:7080/login.php
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Issuer: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-08T02:05:32
| Not valid after:  2022-12-07T02:05:32
| MD5:   9009 c3b8 8777 9a53 9b56 2556 30ee 0e9c
| SHA-1: ab6e 1ab5 d06d 506c c588 d946 b97a c0fd 89f1 5605
| -----BEGIN CERTIFICATE-----
| MIIEMTCCAxmgAwIBAgIUIE+NkC48iwucp8CENgLvUcYH84swDQYJKoZIhvcNAQEL
| BQAwgcUxDzANBgNVBAMMBmR1cmlhbjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB1Zp
| cnR1YWwxGzAZBgNVBAoMEkxpdGVTcGVlZENvbW11bml0eTEQMA4GA1UECwwHVGVz
| dGluZzELMAkGA1UECAwCTkoxGjAYBgkqhkiG9w0BCQEWC21haWxAZHVyaWFuMRYw
| FAYDVQQpDA1vcGVubGl0ZXNwZWVkMQswCQYDVQQrDAJDUDEWMBQGA1UELhMNb3Bl
| bmxpdGVzcGVlZDAeFw0yMDA5MDgwMjA1MzJaFw0yMjEyMDcwMjA1MzJaMIHFMQ8w
| DQYDVQQDDAZkdXJpYW4xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFsMRsw
| GQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3RpbmcxCzAJ
| BgNVBAgMAk5KMRowGAYJKoZIhvcNAQkBFgttYWlsQGR1cmlhbjEWMBQGA1UEKQwN
| b3BlbmxpdGVzcGVlZDELMAkGA1UEKwwCQ1AxFjAUBgNVBC4TDW9wZW5saXRlc3Bl
| ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqKu/8xCP8hH62rXJ
| PIoL9a+rtHe3HL1bNH3/pDOa7zCcWsEjcpYvl3sVTM3AuqCx1+RMJBKmLAaF8liy
| /eTvs2MLkpLr1zkv+jj3iEMvv9cyMtOJfk10PkBMKYiSffPMwELRHeT2x2tgTY2/
| toDBP8zQeVj8wm8svelG4bFRv8/bIsktJvZDy56nzFmXXjxiO9qBbKlUWLJHRtmT
| H+8whDiiGF55wY8pKJbJNlJa64RnfXxA004zEgmuDnYLPDj+tp2cvEvOZG+TAlTa
| 47FmZL2MkamPTveOB4ZXH+KN2gedEaZqIumb0tXrjahlI6Ukuh45lhz1BUxlriCa
| qPbxAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA
| A4IBAQAlOatyhOSya2XaAK+fAOrjMFT0iF7ekKKRnzwwNJUP50vF9mTMsj8l1Gb4
| rNn545bmtOuGE2GP9BUYyy+dw0NmUVyWBfyJmzZDbosSftwlTU7jJ8V3sM20MaxO
| 1x4181lTv9ROJrrDGrye+Sf2MOahrh5iZ+Mq/LZKZ04MTw7iYRNGgkCIbKISmafa
| qqja3MokTaIdQBf+oCxX7JiR0Jd6YMdmux5p1/xSEuq8GnPgM8mRZiLSkZYOrwB9
| HJhCswI5T79RSJVIrpRbR7g9h1vc+yDDu/SH49g5SGyE/e2YdDRuA/JVyMUKZFBt
| wSErKwtEdoJosbega14/Vpe9uKIr
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
| tls-alpn:
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
8000/tcp open  http          syn-ack ttl 64 nginx 1.14.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Durian
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
8088/tcp open  radan-http    syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     etag: "2fd-5f56ea13-40590;;;"
|     last-modified: Tue, 08 Sep 2020 02:18:59 GMT
|     content-type: text/html
|     content-length: 765
|     accept-ranges: bytes
|     date: Wed, 14 Sep 2022 01:20:39 GMT
|     server: LiteSpeed
|     connection: close
|     <html>
|     <body bgcolor="white">
|     <head>
|     <title>Durian</title>
|     <meta name="description" content="We Are Still Alive!">
|     <meta name="keywords" content="Hacked by Ind_C0d3r">
|     <meta name="robots" content="index, follow">
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="language" content="English">
|     </head>
|     <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
|     <style type="text/css">
|     @font-face {
|     font-family: 'Righteous', cursive;
|     font-family: 'Saira Stencil One', cursive;
|     </style>
|     <center><br><br>
|     <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
|   Socks5:
|     HTTP/1.1 400 Bad Request
|     content-type: text/html
|     cache-control: private, no-cache, max-age=0
|     pragma: no-cache
|     content-length: 1209
|     date: Wed, 14 Sep 2022 01:20:39 GMT
|     server: LiteSpeed
|     connection: close
|     <!DOCTYPE html>
|     <html style="height:100%">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <title> 400 Bad Request
|     </title></head>
|     <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
|     <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
|     style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
|     style="margin-top:20px;font-size: 30px;">Bad Request
|     </h2>
|     <p>It is not a valid request!</p>
|_    </div></div><div style="color:#f0f0
|_http-title: Durian
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed

3. Open ports 8000 and 7080 of 192.168.174.138 in a browser and look around

4. Install feroxbuster on Kali

5. Use feroxbuster to enumerate directories on 192.168.174.138:8088

feroxbuster -u http://192.168.174.138:8088/
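Steps 1 to 5 above stop at a single feroxbuster run against 8088. The script below is an added example for this write-up, not code from the original post or from the Durian VM: it turns the scan result into a list of web ports, checks that 8000 really fronts 8088 before enumerating both, and emits one feroxbuster command per web port (https and `-k` for the self-signed certificate on 7080, `-x php` because the admin console advertises PHP). The grepable nmap line and the three header captures are constructed by hand from the scan output on this page; the 8000 capture in particular assumes nginx passes the upstream ETag and Last-Modified through unchanged. Nothing touches the network unless LIVE=1.

```shell
#!/usr/bin/env bash
# Added example for this write-up; not part of the original post or the
# Durian VM. Turns the nmap scan into (a) a list of web ports, (b) a check
# that 8000 fronts 8088, and (c) one feroxbuster command per web port.
# Assumptions: NMAP_GREPABLE and the HDR_* captures are constructed from the
# scan output above; HDR_8000 assumes nginx forwards upstream ETag /
# Last-Modified unchanged. Nothing touches the network unless LIVE=1.

TARGET="${TARGET:-192.168.174.138}"

# Constructed: what `nmap -oG` would have emitted for the scan above.
NMAP_GREPABLE='Host: 192.168.174.138 () Ports: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 7080/open/tcp//ssl|empowerid//LiteSpeed/, 8000/open/tcp//http//nginx 1.14.2/, 8088/open/tcp//radan-http//LiteSpeed/'

# Constructed header captures. 8088 values are the ones nmap printed above;
# 7080 is the admin redirect; 8000 is assumed to be a transparent proxy.
HDR_8088='HTTP/1.0 200 OK
etag: "2fd-5f56ea13-40590;;;"
last-modified: Tue, 08 Sep 2020 02:18:59 GMT
server: LiteSpeed'
HDR_8000='HTTP/1.1 200 OK
Server: nginx/1.14.2
ETag: "2fd-5f56ea13-40590;;;"
Last-Modified: Tue, 08 Sep 2020 02:18:59 GMT'
HDR_7080='HTTP/1.0 302 Found
location: /login.php
server: LiteSpeed'

# Print "port service version" for each open TCP port in a grepable nmap line.
# Grepable fields are port/state/proto/owner/service/rpcinfo/version.
open_ports() {
  printf '%s\n' "$1" | sed 's/.*Ports: //' | tr ',' '\n' \
    | awk -F/ '$2 == "open" { sub(/^ +/, "", $1); print $1, $5, $7 }'
}

# One base URL per web port. nmap names TLS services "ssl|<guess>", so those
# get https; http-ish names (http, radan-http) get http; ssh is skipped.
web_urls() {
  open_ports "$1" | while read -r port service _; do
    case "$service" in
      "ssl|"*) echo "https://$TARGET:$port/" ;;
      *http*)  echo "http://$TARGET:$port/" ;;
    esac
  done
}

# Value of one response header (case-insensitive name), first match only.
header_value() {  # $1 = raw headers, $2 = lowercase header name
  printf '%s\n' "$1" | tr -d '\r' \
    | awk -F': ' -v h="$2" 'tolower($1) == h { print $2; exit }'
}

# True when two responses carry the same ETag and Last-Modified. nginx
# forwards these from upstream while rewriting Server:, so matching content
# headers are the cheap tell that 8000 is just a front for 8088.
same_backend() {  # $1 = headers from suspected proxy, $2 = from suspected upstream
  local e1 e2 m1 m2
  e1=$(header_value "$1" etag);          e2=$(header_value "$2" etag)
  m1=$(header_value "$1" last-modified); m2=$(header_value "$2" last-modified)
  [ -n "$e1" ] && [ "$e1" = "$e2" ] && [ "$m1" = "$m2" ]
}

# One feroxbuster command per web port: -k because 7080 uses a self-signed
# certificate, -x php because the admin console advertises PHP/5.6.36.
ferox_plan() {
  web_urls "$1" | while read -r url; do
    port=${url##*:}; port=${port%/}
    case "$url" in
      https://*) echo "feroxbuster -u $url -k -x php -o ferox_${port}.txt" ;;
      *)         echo "feroxbuster -u $url -x php -o ferox_${port}.txt" ;;
    esac
  done
}

if [ "${LIVE:-0}" = 1 ]; then
  # Live use in the lab: needs a prior `nmap -oG nmap.gnmap -p- $TARGET`.
  if same_backend "$(curl -sI "http://$TARGET:8000/")" "$(curl -sI "http://$TARGET:8088/")"; then
    echo "8000 returns the same ETag/Last-Modified as 8088: treat it as a proxy"
  fi
  ferox_plan "$(grep '^Host' nmap.gnmap)" | while read -r cmd; do sh -c "$cmd"; done
else
  ferox_plan "$NMAP_GREPABLE"
fi
```

Run it as-is to see the three feroxbuster commands it would issue, or with `LIVE=1` after saving the scan with `-oG nmap.gnmap` to actually run them. The ETag comparison is a heuristic: it only proves that the same file is being served behind both ports, so confirm by diffing full responses before you skip enumeration of 8000; and because 7080 is the admin login, directory brute-forcing there mostly finds the login page and its assets, so a wordlist run against it is cheap but rarely the way in.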

