文件上传漏之Durian靶场练习——渗透day13
一、靶场准备
下载地址:http://www.vulnhub.com/entry/durian-1,553/
更改网络模式
二、练习过程
1、使用kali进行探测,探测到192.168.174.138地址
netdiscover -r 192.168.174.0/24
2、使用kali对192.168.174.138进行端口探测,发现8000为nginx 1.14.2、7080为LiteSpeed、8088为LiteSpeed,7080为后台,8088为前台,8000代理8088
nmap -sC -sV -p- 192.168.174.138 -n -vv --min-rate=2000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcIoZ27ulKq07HoP1IAw+p+ngZIw9E1wu2RSr/iVSr8jF8avZE4uJPET1cjydV6nBG5RPzhakghCPmAAukzctDBhPn5bMgWPMCVOv5DisAIldp6H44iQJWYsAAMxbgurBxfwLVVIeL2xyCxwK70G59QtOjCCLPIcoXo2MtNn2IC5rgLYY2UgL0SeNfblLkKKMscxAQgKZ6dh63aFT+j6Y0WHxn+N5uaySNG7CPxamddeKHNwoSdC1FZuMfAPRGGqDfH4OHAtu5/zYDWgP/BLheBalHR/TP8KYC1hDhbI+5fLCykSTT7Q8qXI9XtqfYnYoGwF5XqQX0ljw1ue9zKPhF
| 256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCIIPNvjo5nfOTzx/1iidyta9PBBg5UviiyhuMPxZq06KZccaHk2JobdXSYzKAWlUGYDBOncFRTErBSvkRWkt0=
| 256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJACpKE5LO4W2cn4Y54RR9yUu93wV+fFR7CPMBLBT3AG
7080/tcp open ssl/empowerid syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=d3b620b64038c4a2f4954c993ee0eea1; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Wed, 14 Sep 2022 01:20:55 GMT
| server: LiteSpeed
| alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| HTTPOptions:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=9f3792960e7814d08da02910250cf89b; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Wed, 14 Sep 2022 01:20:55 GMT
| server: LiteSpeed
|_ alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|_http-favicon: Unknown favicon MD5: AF89068FFB9883F7D99BB25F75687AC7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://192.168.174.138:7080/login.php
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Issuer: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-08T02:05:32
| Not valid after: 2022-12-07T02:05:32
| MD5: 9009 c3b8 8777 9a53 9b56 2556 30ee 0e9c
| SHA-1: ab6e 1ab5 d06d 506c c588 d946 b97a c0fd 89f1 5605
| -----BEGIN CERTIFICATE-----
| MIIEMTCCAxmgAwIBAgIUIE+NkC48iwucp8CENgLvUcYH84swDQYJKoZIhvcNAQEL
| BQAwgcUxDzANBgNVBAMMBmR1cmlhbjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB1Zp
| cnR1YWwxGzAZBgNVBAoMEkxpdGVTcGVlZENvbW11bml0eTEQMA4GA1UECwwHVGVz
| dGluZzELMAkGA1UECAwCTkoxGjAYBgkqhkiG9w0BCQEWC21haWxAZHVyaWFuMRYw
| FAYDVQQpDA1vcGVubGl0ZXNwZWVkMQswCQYDVQQrDAJDUDEWMBQGA1UELhMNb3Bl
| bmxpdGVzcGVlZDAeFw0yMDA5MDgwMjA1MzJaFw0yMjEyMDcwMjA1MzJaMIHFMQ8w
| DQYDVQQDDAZkdXJpYW4xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFsMRsw
| GQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3RpbmcxCzAJ
| BgNVBAgMAk5KMRowGAYJKoZIhvcNAQkBFgttYWlsQGR1cmlhbjEWMBQGA1UEKQwN
| b3BlbmxpdGVzcGVlZDELMAkGA1UEKwwCQ1AxFjAUBgNVBC4TDW9wZW5saXRlc3Bl
| ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqKu/8xCP8hH62rXJ
| PIoL9a+rtHe3HL1bNH3/pDOa7zCcWsEjcpYvl3sVTM3AuqCx1+RMJBKmLAaF8liy
| /eTvs2MLkpLr1zkv+jj3iEMvv9cyMtOJfk10PkBMKYiSffPMwELRHeT2x2tgTY2/
| toDBP8zQeVj8wm8svelG4bFRv8/bIsktJvZDy56nzFmXXjxiO9qBbKlUWLJHRtmT
| H+8whDiiGF55wY8pKJbJNlJa64RnfXxA004zEgmuDnYLPDj+tp2cvEvOZG+TAlTa
| 47FmZL2MkamPTveOB4ZXH+KN2gedEaZqIumb0tXrjahlI6Ukuh45lhz1BUxlriCa
| qPbxAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA
| A4IBAQAlOatyhOSya2XaAK+fAOrjMFT0iF7ekKKRnzwwNJUP50vF9mTMsj8l1Gb4
| rNn545bmtOuGE2GP9BUYyy+dw0NmUVyWBfyJmzZDbosSftwlTU7jJ8V3sM20MaxO
| 1x4181lTv9ROJrrDGrye+Sf2MOahrh5iZ+Mq/LZKZ04MTw7iYRNGgkCIbKISmafa
| qqja3MokTaIdQBf+oCxX7JiR0Jd6YMdmux5p1/xSEuq8GnPgM8mRZiLSkZYOrwB9
| HJhCswI5T79RSJVIrpRbR7g9h1vc+yDDu/SH49g5SGyE/e2YdDRuA/JVyMUKZFBt
| wSErKwtEdoJosbega14/Vpe9uKIr
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
8000/tcp open http syn-ack ttl 64 nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Durian
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
8088/tcp open radan-http syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| etag: "2fd-5f56ea13-40590;;;"
| last-modified: Tue, 08 Sep 2020 02:18:59 GMT
| content-type: text/html
| content-length: 765
| accept-ranges: bytes
| date: Wed, 14 Sep 2022 01:20:39 GMT
| server: LiteSpeed
| connection: close
| <html>
| <body bgcolor="white">
| <head>
| <title>Durian</title>
| <meta name="description" content="We Are Still Alive!">
| <meta name="keywords" content="Hacked by Ind_C0d3r">
| <meta name="robots" content="index, follow">
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="language" content="English">
| </head>
| <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
| <style type="text/css">
| @font-face {
| font-family: 'Righteous', cursive;
| font-family: 'Saira Stencil One', cursive;
| </style>
| <center><br><br>
| <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
| Socks5:
| HTTP/1.1 400 Bad Request
| content-type: text/html
| cache-control: private, no-cache, max-age=0
| pragma: no-cache
| content-length: 1209
| date: Wed, 14 Sep 2022 01:20:39 GMT
| server: LiteSpeed
| connection: close
| <!DOCTYPE html>
| <html style="height:100%">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <title> 400 Bad Request
| </title></head>
| <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
| <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
| style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
| style="margin-top:20px;font-size: 30px;">Bad Request
| </h2>
| <p>It is not a valid request!</p>
|_ </div></div><div style="color:#f0f0
|_http-title: Durian
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed[点击并拖拽以移动]
3、查看192.168.174.138的8000、7080端口进行查看
4、kali下载feroxbuster工具
5、使用feroxbuster对192.168.174.138:8088目录进行探测
feroxbuster -u http://192.168.174.138:8088/
文件上传漏之Durian靶场练习——渗透day13相关推荐
- 探究文件上传安全:upload-labs靶场的绕过技巧
数据来源 本文仅用于信息安全的学习,请遵守相关法律法规,严禁用于非法途径.若观众因此作出任何危害网络安全的行为,后果自负,与本人无关. 文件上传基础 01 什么是文件上传 02 文件上传产生漏洞的原因 ...
- 文件上传绕waf(waf拦不住我)
一. 什么是文件上传漏洞 Web应用程序通常会有文件上传的功能, 例如在 BBS发布图片 , 在个人网站发布ZIP 压缩 包, 在办公平台发布DOC文件等 , 只要 Web应用程序允许上传文件, 就有 ...
- web安全入门(第七章-1)文件上传漏洞--解析、验证、伪造
一.客户端检测 1,客户端校验:一般是在网页上写一段Js脚本,用Js去检测,校验上传文件的后缀名,有白名单也有黑名单. 2,判断方式:通过抓包来判断,如果还未抓住包,就弹出不准上传,那么就是前端验证, ...
- 文件上传漏洞-解析、验证、伪造1
文章目录 文件上传漏洞: webshell: 文件上传漏洞的原因: 文件上传常见检测: 靶场实战 1.前端验证绕过 2.Content-Type方式绕过 3.黑名单绕过 4. .htaccess文件绕 ...
- 01文件上传漏洞(黑名单检测篇)
本篇文章将会从文件上传漏洞的基本概念讲起,然后去了解在文件上传中我们的网站都有哪些检测机制,如何去绕过这些检测机制,最后是如何去修复文件上传漏洞. 参考靶场:upload在github上搜索即可在本地 ...
- 文件上传漏洞 (上传知识点、题型总结大全-upload靶场全解)
文件上传漏洞 什么是文件上传漏洞 什么是webshell 一句话木马大全 产生文件上传漏洞的原因 文件上传漏洞的攻击与防御方式 1.前端限制 2.检查扩展名 1.黑名单策略, 2.白名单策略 3.检查 ...
- upload-labs-master文件上传靶场第七关详解
一.前言 upload-labs-master是文件上传靶场,里面目前总共有19关,github地址https://github.com/c0ny1/upload-labs,今天要说的是这个靶场的第七 ...
- [网络安全提高篇] 一〇四.网络渗透靶场Oracle+phpStudy本地搭建万字详解(SQL注入、XSS攻击、文件上传漏洞)
当您阅读到该篇文章时,作者已经将"网络安全自学篇"设置成了收费专栏,首先说声抱歉.感谢这一年来大家的阅读和陪伴,这100篇安全文章记录了自己从菜鸡到菜鸟的成长史,该部分知识也花了很 ...
- [网络安全自学篇] 三十一.文件上传之Upload-labs靶场及CTF题目01-10(四)
这是作者的系列网络安全自学教程,主要是关于安全工具和实践操作的在线笔记,特分享出来与博友们学习,希望您们喜欢,一起进步.前文分享了编辑器漏洞和IIS高版本文件上传漏洞,包括FCKeditor.eWeb ...
最新文章
- 关于linux驱动程序的学习
- 【BZOJ1623】 [Usaco2008 Open]Cow Cars 奶牛飞车 贪心
- 深入探究VC —— 链接器link.exe(4)【转】http://blog.csdn.net/wangningyu/article/details/4849452...
- 前端学习(2363):发送get请求
- Node.js 爬虫初探
- 不要再被Python洗脑了,来看看这个吧......
- 快速搭建Web环境 Angularjs + Express3 + Bootstrap3
- webService调用模式比较
- cpg数据库处理_找到未提取的pdf
- mysql 在线语法检查工具_「mysql 管理工具」五大开源MySQL管理工具! - seo实验室
- Python移动应用开发
- APISpace 空号检测API接口 免费好用
- 两阶段最小二乘法原理_R语言工具变量与两阶段最小二乘法
- 今生,只想做一个平凡的人
- 互联网审判中区块链存证技术的应用进路
- HTML+JS+websocket 实现联机“游戏王”对战(一)
- 从屏下指纹到体感手机,vivo能否走出自己的创新之路?
- 圣诞树代码,c语言编程,基于graphics.h
- learining user's intrinsic and extrinsic interests for point of interest recommendation IJCAI17
- 使用ga算法解决背包问题_我如何使用算法解决现实生活中的手提背包的背包问题
热门文章
- SQLite数据库管理器:SQLPro for SQLite for Mac
- 历年计算机一级b考试试题及答案,全国计算机等级考试一级B历年试题合集含答案...
- 计算机研究所混文凭的学校,能混文凭的研究生学校,考研难度最小的五所211
- STC15单片机-GPIO模式介绍以及LED灯闪烁
- Error in rq.fit.br(wx, wy, tau = tau, ...): Singular design matrix
- python完美测试数据之faker
- 项目交易平台上发布的项目
- Alibaba Cloud Linux 3 安装部署 ECStore B2C V5.0.1 社区版
- 给女朋友讲解什么是Git
- ASP将Excel导入数据库的方法