nmap 扫 到 80 22

dirsearch 扫描发现 
┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/__24-11-11_04-35-06.txt

Target: http://192.168.167.13/

[04:35:06] Starting:

[04:35:11] 403 -  279B  - /.ht_wsr.txt

[04:35:11] 403 -  279B  - /.htaccess.bak1

[04:35:11] 403 -  279B  - /.htaccess.orig

[04:35:11] 403 -  279B  - /.htaccess.sample

[04:35:11] 403 -  279B  - /.htaccess.save

[04:35:11] 403 -  279B  - /.htaccess_extra

[04:35:11] 403 -  279B  - /.htaccess_orig

[04:35:11] 403 -  279B  - /.htaccess_sc

[04:35:11] 403 -  279B  - /.htaccessBAK

[04:35:11] 403 -  279B  - /.htaccessOLD

[04:35:11] 403 -  279B  - /.htaccessOLD2

[04:35:11] 403 -  279B  - /.htm

[04:35:11] 403 -  279B  - /.html

[04:35:11] 403 -  279B  - /.htpasswds

[04:35:11] 403 -  279B  - /.htpasswd_test

[04:35:11] 403 -  279B  - /.httr-oauth

[04:35:13] 403 -  279B  - /.php

[04:35:25] 301 -  317B  - /assets  ->  http://192.168.167.13/assets/

[04:35:25] 200 -  475B  - /assets/

[04:35:42] 301 -  321B  - /management  ->  http://192.168.167.13/management/

[04:35:42] 404 -    1KB - /management/configprops

[04:35:42] 404 -    1KB - /management/env

[04:35:42] 200 -    2KB - /management/

[04:35:53] 403 -  279B  - /server-status

[04:35:53] 403 -  279B  - /server-status/

[04:36:01] 200 -  466B  - /vendor/                                          

Task Completed

┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/management/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/_management__24-11-11_04-44-02.txt

Target: http://192.168.167.13/

[04:44:02] Starting: management/

[04:44:03] 301 -  324B  - /management/js  ->  http://192.168.167.13/management/js/

[04:44:03] 400 -    1KB - /management/!.gitignore

[04:44:04] 404 -  276B  - /management/%2e%2e//google.com

[04:44:04] 200 -    0B  - /management/.admin

[04:44:04] 200 -    0B  - /management/.admin/

[04:44:06] 400 -    1KB - /management/!.htpasswd

[04:44:06] 400 -    1KB - /management/!.htaccess

[04:44:07] 403 -  279B  - /management/.ht_wsr.txt

[04:44:07] 403 -  279B  - /management/.htaccess.bak1

[04:44:07] 403 -  279B  - /management/.htaccess.orig

[04:44:07] 403 -  279B  - /management/.htaccess.sample

[04:44:07] 403 -  279B  - /management/.htaccess.save

[04:44:07] 403 -  279B  - /management/.htaccess_extra

[04:44:07] 403 -  279B  - /management/.htaccessBAK

[04:44:07] 403 -  279B  - /management/.htaccess_sc

[04:44:07] 403 -  279B  - /management/.htaccess_orig

[04:44:07] 403 -  279B  - /management/.htaccessOLD2

[04:44:07] 403 -  279B  - /management/.htaccessOLD

[04:44:07] 403 -  279B  - /management/.htm

[04:44:07] 403 -  279B  - /management/.html

[04:44:07] 403 -  279B  - /management/.htpasswd_test

[04:44:07] 403 -  279B  - /management/.htpasswds

[04:44:07] 403 -  279B  - /management/.httr-oauth

[04:44:07] 400 -    1KB - /management/.idea/workspace(3).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(2).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(4).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(5).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(6).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(7).xml

[04:44:08] 403 -  279B  - /management/.php

[04:44:11] 400 -    1KB - /management/;/admin

[04:44:11] 400 -    1KB - /management/;/json

[04:44:11] 400 -    1KB - /management/;/login

[04:44:11] 400 -    1KB - /management/;json/

[04:44:11] 400 -    1KB - /management/;admin/

[04:44:11] 400 -    1KB - /management/;login/

[04:44:12] 400 -    1KB - /management/actuator/;/auditLog

[04:44:12] 400 -    1KB - /management/actuator/;/beans

[04:44:12] 400 -    1KB - /management/actuator/;/auditevents

[04:44:12] 400 -    1KB - /management/actuator/;/caches

[04:44:12] 400 -    1KB - /management/actuator/;/conditions

[04:44:12] 400 -    1KB - /management/actuator/;/configurationMetadata

[04:44:12] 400 -    1KB - /management/actuator/;/dump

[04:44:12] 400 -    1KB - /management/actuator/;/events

[04:44:12] 400 -    1KB - /management/actuator/;/heapdump

[04:44:12] 400 -    1KB - /management/actuator/;/env

[04:44:12] 400 -    1KB - /management/actuator/;/configprops

[04:44:12] 400 -    1KB - /management/actuator/;/health

[04:44:12] 400 -    1KB - /management/actuator/;/features

[04:44:12] 400 -    1KB - /management/actuator/;/exportRegisteredServices

[04:44:12] 400 -    1KB - /management/actuator/;/flyway

[04:44:12] 400 -    1KB - /management/actuator/;/info

[04:44:12] 400 -    1KB - /management/actuator/;/healthcheck

[04:44:12] 400 -    1KB - /management/actuator/;/liquibase

[04:44:12] 400 -    1KB - /management/actuator/;/loggers

[04:44:12] 400 -    1KB - /management/actuator/;/integrationgraph

[04:44:12] 400 -    1KB - /management/actuator/;/httptrace

[04:44:12] 400 -    1KB - /management/actuator/;/jolokia

[04:44:12] 400 -    1KB - /management/actuator/;/logfile

[04:44:12] 400 -    1KB - /management/actuator/;/loggingConfig

[04:44:12] 400 -    1KB - /management/actuator/;/metrics

[04:44:13] 400 -    1KB - /management/actuator/;/mappings

[04:44:13] 400 -    1KB - /management/actuator/;/prometheus

[04:44:13] 400 -    1KB - /management/actuator/;/refresh

[04:44:13] 400 -    1KB - /management/actuator/;/registeredServices

[04:44:13] 400 -    1KB - /management/actuator/;/releaseAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/resolveAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/scheduledtasks

[04:44:13] 400 -    1KB - /management/actuator/;/sessions

[04:44:13] 400 -    1KB - /management/actuator/;/shutdown

[04:44:13] 400 -    1KB - /management/actuator/;/springWebflow

[04:44:13] 400 -    1KB - /management/actuator/;/sso

[04:44:13] 400 -    1KB - /management/actuator/;/ssoSessions

[04:44:13] 400 -    1KB - /management/actuator/;/statistics

[04:44:13] 400 -    1KB - /management/actuator/;/status

[04:44:13] 400 -    1KB - /management/actuator/;/trace

[04:44:13] 400 -    1KB - /management/actuator/;/threaddump

[04:44:13] 403 -  279B  - /management/admin%20/

[04:44:13] 200 -    0B  - /management/admin

[04:44:13] 200 -    0B  - /management/Admin

[04:44:14] 200 -    0B  - /management/admin.

[04:44:14] 200 -    0B  - /management/admin/

[04:44:14] 200 -    0B  - /management/Admin/

[04:44:14] 200 -    0B  - /management/admin/index

[04:44:15] 400 -    1KB - /management/admin;/

[04:44:15] 400 -    1KB - /management/Admin;/

[04:44:21] 403 -  279B  - /management/application

[04:44:21] 403 -  279B  - /management/application/

[04:44:21] 403 -  279B  - /management/application/cache/

[04:44:21] 403 -  279B  - /management/application/configs/application.ini

[04:44:21] 403 -  279B  - /management/application/logs/

[04:44:21] 301 -  328B  - /management/assets  ->  http://192.168.167.13/management/assets/

[04:44:21] 200 -    0B  - /management/assets/

[04:44:28] 200 -  487B  - /management/dist/

[04:44:28] 301 -  326B  - /management/dist  ->  http://192.168.167.13/management/dist/

[04:44:34] 404 -  276B  - /management/index

[04:44:34] 400 -    1KB - /management/index.php::$DATA

[04:44:34] 200 -  503B  - /management/installation/

[04:44:34] 301 -  334B  - /management/installation  ->  http://192.168.167.13/management/installation/

[04:44:35] 400 -    1KB - /management/jkstatus;

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*

[04:44:35] 400 -    1KB - /management/jolokia/read/java.lang:type=*/HeapMemoryUsage

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned

[04:44:35] 400 -    1KB - /management/jolokia/search/*:j2eeType=J2EEServer,*

[04:44:35] 200 -  120B  - /management/js/

[04:44:37] 403 -  279B  - /management/login.wdm%20

[04:44:40] 403 -  279B  - /management/New%20Folder

[04:44:40] 403 -  279B  - /management/New%20folder%20(2)

[04:44:43] 403 -  279B  - /management/phpliteadmin%202.php

[04:44:43] 400 -    1KB - /management/phpmyadmin!!

[04:44:47] 403 -  279B  - /management/Read%20Me.txt

[04:44:47] 200 -   66B  - /management/README.txt

[04:44:47] 200 -   66B  - /management/README

[04:44:48] 400 -    1KB - /management/secure/ContactAdministrators!default.jspa

[04:44:48] 400 -    1KB - /management/secure/ConfigurePortalPages!default.jspa?view=popular

[04:44:49] 400 -    1KB - /management/secure/QueryComponent!Default.jspa

[04:44:53] 403 -  279B  - /management/system/cron/cron.txt

[04:44:53] 403 -  279B  - /management/system/

[04:44:53] 403 -  279B  - /management/system

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/config.php

[04:44:53] 403 -  279B  - /management/system/error.txt

[04:44:53] 403 -  279B  - /management/system/cache/

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/database.php

[04:44:53] 403 -  279B  - /management/system/log/

[04:44:53] 403 -  279B  - /management/system/logs/

[04:44:53] 403 -  279B  - /management/system/storage/

[04:44:55] 400 -    1KB - /management/Trace.axd::$DATA

[04:44:56] 200 -  675B  - /management/uploads/

[04:44:56] 301 -  329B  - /management/uploads  ->  http://192.168.167.13/management/uploads/

[04:44:58] 400 -    1KB - /management/web.config::$DATA

[04:45:00] 400 -    1KB - /management/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com

发现用户和密码

http://192.168.167.13/management/installation/install_guide.txt

Admin: admin@admin.com

Pass: 1234

Student: student@student.com

Pass: 1234

Teacher: teacher@teacher.com

Pass: 1234

Parent: parent@parent.com

Pass: 1234

发现登录不了 琢磨了半天 进兔子洞了

上网查exp 直接漏洞利用 https://www.exploit-db.com/exploits/50587?source=post_page-----2bb26b45d97e--------------------------------

'username' => 'school',

'password' => '@jCma4s8ZM<?kA',

登录数据库

发现密码



爆破密码

su msander

然后进 emiller

反编译他的apk

发现密码

emiller:EzPwz2022_dev1$$23!!

登录后发现可以sudo执行任何操作 提权成功

Educated PG walkthrough Intermediate的更多相关文章

  1. 简析服务端通过GT导入SHP至PG的方法

    文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...

  2. Bootstap datetimepicker报错TypeError: intermediate value

    Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...

  3. PG 中 JSON 字段的应用

    13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...

  4. pg gem 安装(postgresql94)

    使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...

  5. #pg学习#postgresql的安装

    1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...

  6. PG 函数的易变性(Function Volatility Categories)

    此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...

  7. c++错误——intermediate.manifest : general error c1010070很傻的错

    .\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...

  8. mysql 序列与pg序列的比较

    mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错:      ...

  9. 使用zfs进行pg的pitr恢复测试

    前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...

  10. PG CREATEINDEX CONCURRENTLY

    PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

  1. AI智能学生体测小程序解决方案

    引言: 近年来,随着教育理念的提升,对学生综合素质的教育越发重视,特别是越发重视学生的身体素质提升,各阶段的升学考试也将体测纳入考核范围.学校也推出了各种体测锻炼促进手段,今天为您介绍一个基于小程序的 ...

  2. nginx防盗链接的使用

    以 local.hyperf.com为例 nginx配置文件如下 # 至少需要一个 Hyperf 节点,多个配置多行 upstream hyperf { # Hyperf HTTP Server 的 ...

  3. equals与”==”的区别

    本文由 ImportNew - 刘志军 翻译自 Javarevisited.如需转载本文,请先参见文章末尾处的转载要求. equals()和"=="操作用于对象的比较,检查俩对象的 ...

  4. Python:pygame游戏编程之旅七(pygame基础知识讲解1)

    与Python自带的random.math.time等模块一样,Pygame框架也带有许多模块来提供绘图.播放声音.处理鼠标输入等功能. 本章将讲述Pygame提供的基本模块及功能,并假设读者已经具有 ...

  5. 在table中,tbody没有充满整个table

    解决方法就是给table加上 display:table;就好了

  6. Python之时间日期操作

    常用时间操作的函数汇总, 涵盖 常用的time   datetime 1.计算两个日期相差天数 import datetime str1 = '2021-10-20' str2 = '2021-10- ...

  7. springboot 实现通用责任链模式

    1.概述 在我们平时的工作中,填写分布填写数据,比如填入商品的基本信息,所有人信息,明细信息,这种情况就可以使用责任链模式来处理. 2.代码实现 2.1商品对象 public class Produc ...

  8. maven 分离打包的技术

    1.概要 我们在构建springboot 程序的时候,可以将所有的文件打包成一个大的文件,这个使用起来还是很方便的,但是有些情况下不是很方便,比如 程序需要经常更新的时候,通过网络传输就比较慢,还有比 ...

  9. M1芯片pod问题

    M1芯片pod问题 换了M1芯片的mac后,在Xcode跑项目报pod错误,提示run pod install更新pod,但是去终端跑命令时又报错 然后在github上看到一个老哥的方法 https: ...

  10. Postgres中的Common Table Expression

    Common Table Expression 是 pg 里极为重要的特性.这个特性简单的说就是 INSERT/UPDATE/DELTE 三项操作可以返回结果集.如: update item set ...