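Column name: 船山信安
The only official account of the Chuanshan Academician cybersecurity team, striving for national security and speaking up for information security!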

[Machines] [Medium] October October-CMS+BOF-ROP chain...

船山信安 · WeChat official account · 2024-09-17 11:11

Article preview

Information gathering

IP Address      Opening Ports
10.10.10.16     TCP: 22, 80

    $ nmap -p- 10.10.10.16 --min-rate 1000 -sC -sV
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
    |   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
    |   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
    |_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
    80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
    |_http-title: October CMS - Vanilla
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    | http-methods:
    |_  Potentially risky methods: PUT PATCH DELETE
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

October-CMS

username:admin password:admin

Admin Login
http://10.10.10.16/backend/backend/auth/signin

http://10.10.10.16/backend/cms/media

Bypass by uploading a file with the php5 extension

http://10.10.10.16/storage/app/media/p0wny.php5

User.txt

2e2e813cc41a0812857cb7e ………………………………
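The php5 upload above gets through because an extension blocklist and the web server's PHP handler disagree about which names are executable. The sketch below is an added example, not code from the article or from October CMS: it audits upload names for that gap and shows an allowlist check that closes it. The blocklist contents, the handler pattern (modelled on an Apache `FilesMatch` rule for PHP) and the sample file names other than `p0wny.php5` are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: a blocklist of the kind the bypass implies (php5 is missing).
BLOCKLIST = {"php", "php3", "php4", "phtml"}
# Assumption: extensions the server hands to the PHP interpreter.
PHP_EXT = re.compile(r"ph(p[345]?|t|tml)", re.IGNORECASE)
# Constructed allowlist for a media library.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def extension(name):
    """Final extension of the base name, lower-cased, without the dot."""
    return PurePosixPath(name).suffix.lstrip(".").lower()


def blocklist_accepts(name):
    """The weak check: reject only extensions someone remembered to list."""
    return extension(name) not in BLOCKLIST


def server_executes(name):
    """True when the final extension matches the PHP handler pattern."""
    return PHP_EXT.fullmatch(extension(name)) is not None


def allowlist_accepts(name):
    """The hardened check: known-good final extension, and no PHP-like
    segment anywhere in the name (covers handlers that match inner
    extensions such as name.php5.jpg)."""
    base = PurePosixPath(name).name
    if extension(base) not in ALLOWLIST:
        return False
    return not any(PHP_EXT.fullmatch(seg) for seg in base.split(".")[1:])


def audit(names):
    """Uploads the blocklist let through that the server would execute."""
    return [n for n in names if blocklist_accepts(n) and server_executes(n)]


# Constructed sample of names found in a media directory.
SAMPLE = ["logo.png", "p0wny.php5", "notes.txt", "index.php",
          "report.PHT", "a.php5.jpg"]

if __name__ == "__main__":
    print("blocklist gaps:", audit(SAMPLE))
    print("allowlist keeps:", [n for n in SAMPLE if allowlist_accepts(n)])
```

Running the audit over an existing media directory listing is also a quick way to find files that were uploaded before the check was tightened.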
