Educated PG walkthrough Intermediate
nmap 扫 到 80 22
dirsearch 扫描发现
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.167.13/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.167.13/__24-11-11_04-35-06.txt
Target: http://192.168.167.13/
[04:35:06] Starting:
[04:35:11] 403 - 279B - /.ht_wsr.txt
[04:35:11] 403 - 279B - /.htaccess.bak1
[04:35:11] 403 - 279B - /.htaccess.orig
[04:35:11] 403 - 279B - /.htaccess.sample
[04:35:11] 403 - 279B - /.htaccess.save
[04:35:11] 403 - 279B - /.htaccess_extra
[04:35:11] 403 - 279B - /.htaccess_orig
[04:35:11] 403 - 279B - /.htaccess_sc
[04:35:11] 403 - 279B - /.htaccessBAK
[04:35:11] 403 - 279B - /.htaccessOLD
[04:35:11] 403 - 279B - /.htaccessOLD2
[04:35:11] 403 - 279B - /.htm
[04:35:11] 403 - 279B - /.html
[04:35:11] 403 - 279B - /.htpasswds
[04:35:11] 403 - 279B - /.htpasswd_test
[04:35:11] 403 - 279B - /.httr-oauth
[04:35:13] 403 - 279B - /.php
[04:35:25] 301 - 317B - /assets -> http://192.168.167.13/assets/
[04:35:25] 200 - 475B - /assets/
[04:35:42] 301 - 321B - /management -> http://192.168.167.13/management/
[04:35:42] 404 - 1KB - /management/configprops
[04:35:42] 404 - 1KB - /management/env
[04:35:42] 200 - 2KB - /management/
[04:35:53] 403 - 279B - /server-status
[04:35:53] 403 - 279B - /server-status/
[04:36:01] 200 - 466B - /vendor/
Task Completed
┌──(root㉿kali)-[~]
└─# dirsearch -u http://192.168.167.13/management/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_192.168.167.13/_management__24-11-11_04-44-02.txt
Target: http://192.168.167.13/
[04:44:02] Starting: management/
[04:44:03] 301 - 324B - /management/js -> http://192.168.167.13/management/js/
[04:44:03] 400 - 1KB - /management/!.gitignore
[04:44:04] 404 - 276B - /management/%2e%2e//google.com
[04:44:04] 200 - 0B - /management/.admin
[04:44:04] 200 - 0B - /management/.admin/
[04:44:06] 400 - 1KB - /management/!.htpasswd
[04:44:06] 400 - 1KB - /management/!.htaccess
[04:44:07] 403 - 279B - /management/.ht_wsr.txt
[04:44:07] 403 - 279B - /management/.htaccess.bak1
[04:44:07] 403 - 279B - /management/.htaccess.orig
[04:44:07] 403 - 279B - /management/.htaccess.sample
[04:44:07] 403 - 279B - /management/.htaccess.save
[04:44:07] 403 - 279B - /management/.htaccess_extra
[04:44:07] 403 - 279B - /management/.htaccessBAK
[04:44:07] 403 - 279B - /management/.htaccess_sc
[04:44:07] 403 - 279B - /management/.htaccess_orig
[04:44:07] 403 - 279B - /management/.htaccessOLD2
[04:44:07] 403 - 279B - /management/.htaccessOLD
[04:44:07] 403 - 279B - /management/.htm
[04:44:07] 403 - 279B - /management/.html
[04:44:07] 403 - 279B - /management/.htpasswd_test
[04:44:07] 403 - 279B - /management/.htpasswds
[04:44:07] 403 - 279B - /management/.httr-oauth
[04:44:07] 400 - 1KB - /management/.idea/workspace(3).xml
[04:44:07] 400 - 1KB - /management/.idea/workspace(2).xml
[04:44:07] 400 - 1KB - /management/.idea/workspace(4).xml
[04:44:07] 400 - 1KB - /management/.idea/workspace(5).xml
[04:44:07] 400 - 1KB - /management/.idea/workspace(6).xml
[04:44:07] 400 - 1KB - /management/.idea/workspace(7).xml
[04:44:08] 403 - 279B - /management/.php
[04:44:11] 400 - 1KB - /management/;/admin
[04:44:11] 400 - 1KB - /management/;/json
[04:44:11] 400 - 1KB - /management/;/login
[04:44:11] 400 - 1KB - /management/;json/
[04:44:11] 400 - 1KB - /management/;admin/
[04:44:11] 400 - 1KB - /management/;login/
[04:44:12] 400 - 1KB - /management/actuator/;/auditLog
[04:44:12] 400 - 1KB - /management/actuator/;/beans
[04:44:12] 400 - 1KB - /management/actuator/;/auditevents
[04:44:12] 400 - 1KB - /management/actuator/;/caches
[04:44:12] 400 - 1KB - /management/actuator/;/conditions
[04:44:12] 400 - 1KB - /management/actuator/;/configurationMetadata
[04:44:12] 400 - 1KB - /management/actuator/;/dump
[04:44:12] 400 - 1KB - /management/actuator/;/events
[04:44:12] 400 - 1KB - /management/actuator/;/heapdump
[04:44:12] 400 - 1KB - /management/actuator/;/env
[04:44:12] 400 - 1KB - /management/actuator/;/configprops
[04:44:12] 400 - 1KB - /management/actuator/;/health
[04:44:12] 400 - 1KB - /management/actuator/;/features
[04:44:12] 400 - 1KB - /management/actuator/;/exportRegisteredServices
[04:44:12] 400 - 1KB - /management/actuator/;/flyway
[04:44:12] 400 - 1KB - /management/actuator/;/info
[04:44:12] 400 - 1KB - /management/actuator/;/healthcheck
[04:44:12] 400 - 1KB - /management/actuator/;/liquibase
[04:44:12] 400 - 1KB - /management/actuator/;/loggers
[04:44:12] 400 - 1KB - /management/actuator/;/integrationgraph
[04:44:12] 400 - 1KB - /management/actuator/;/httptrace
[04:44:12] 400 - 1KB - /management/actuator/;/jolokia
[04:44:12] 400 - 1KB - /management/actuator/;/logfile
[04:44:12] 400 - 1KB - /management/actuator/;/loggingConfig
[04:44:12] 400 - 1KB - /management/actuator/;/metrics
[04:44:13] 400 - 1KB - /management/actuator/;/mappings
[04:44:13] 400 - 1KB - /management/actuator/;/prometheus
[04:44:13] 400 - 1KB - /management/actuator/;/refresh
[04:44:13] 400 - 1KB - /management/actuator/;/registeredServices
[04:44:13] 400 - 1KB - /management/actuator/;/releaseAttributes
[04:44:13] 400 - 1KB - /management/actuator/;/resolveAttributes
[04:44:13] 400 - 1KB - /management/actuator/;/scheduledtasks
[04:44:13] 400 - 1KB - /management/actuator/;/sessions
[04:44:13] 400 - 1KB - /management/actuator/;/shutdown
[04:44:13] 400 - 1KB - /management/actuator/;/springWebflow
[04:44:13] 400 - 1KB - /management/actuator/;/sso
[04:44:13] 400 - 1KB - /management/actuator/;/ssoSessions
[04:44:13] 400 - 1KB - /management/actuator/;/statistics
[04:44:13] 400 - 1KB - /management/actuator/;/status
[04:44:13] 400 - 1KB - /management/actuator/;/trace
[04:44:13] 400 - 1KB - /management/actuator/;/threaddump
[04:44:13] 403 - 279B - /management/admin%20/
[04:44:13] 200 - 0B - /management/admin
[04:44:13] 200 - 0B - /management/Admin
[04:44:14] 200 - 0B - /management/admin.
[04:44:14] 200 - 0B - /management/admin/
[04:44:14] 200 - 0B - /management/Admin/
[04:44:14] 200 - 0B - /management/admin/index
[04:44:15] 400 - 1KB - /management/admin;/
[04:44:15] 400 - 1KB - /management/Admin;/
[04:44:21] 403 - 279B - /management/application
[04:44:21] 403 - 279B - /management/application/
[04:44:21] 403 - 279B - /management/application/cache/
[04:44:21] 403 - 279B - /management/application/configs/application.ini
[04:44:21] 403 - 279B - /management/application/logs/
[04:44:21] 301 - 328B - /management/assets -> http://192.168.167.13/management/assets/
[04:44:21] 200 - 0B - /management/assets/
[04:44:28] 200 - 487B - /management/dist/
[04:44:28] 301 - 326B - /management/dist -> http://192.168.167.13/management/dist/
[04:44:34] 404 - 276B - /management/index
[04:44:34] 400 - 1KB - /management/index.php::$DATA
[04:44:34] 200 - 503B - /management/installation/
[04:44:34] 301 - 334B - /management/installation -> http://192.168.167.13/management/installation/
[04:44:35] 400 - 1KB - /management/jkstatus;
[04:44:35] 400 - 1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo
[04:44:35] 400 - 1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*
[04:44:35] 400 - 1KB - /management/jolokia/read/java.lang:type=*/HeapMemoryUsage
[04:44:35] 400 - 1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd
[04:44:35] 400 - 1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd
[04:44:35] 400 - 1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned
[04:44:35] 400 - 1KB - /management/jolokia/search/*:j2eeType=J2EEServer,*
[04:44:35] 200 - 120B - /management/js/
[04:44:37] 403 - 279B - /management/login.wdm%20
[04:44:40] 403 - 279B - /management/New%20Folder
[04:44:40] 403 - 279B - /management/New%20folder%20(2)
[04:44:43] 403 - 279B - /management/phpliteadmin%202.php
[04:44:43] 400 - 1KB - /management/phpmyadmin!!
[04:44:47] 403 - 279B - /management/Read%20Me.txt
[04:44:47] 200 - 66B - /management/README.txt
[04:44:47] 200 - 66B - /management/README
[04:44:48] 400 - 1KB - /management/secure/ContactAdministrators!default.jspa
[04:44:48] 400 - 1KB - /management/secure/ConfigurePortalPages!default.jspa?view=popular
[04:44:49] 400 - 1KB - /management/secure/QueryComponent!Default.jspa
[04:44:53] 403 - 279B - /management/system/cron/cron.txt
[04:44:53] 403 - 279B - /management/system/
[04:44:53] 403 - 279B - /management/system
[04:44:53] 403 - 279B - /management/system/expressionengine/config/config.php
[04:44:53] 403 - 279B - /management/system/error.txt
[04:44:53] 403 - 279B - /management/system/cache/
[04:44:53] 403 - 279B - /management/system/expressionengine/config/database.php
[04:44:53] 403 - 279B - /management/system/log/
[04:44:53] 403 - 279B - /management/system/logs/
[04:44:53] 403 - 279B - /management/system/storage/
[04:44:55] 400 - 1KB - /management/Trace.axd::$DATA
[04:44:56] 200 - 675B - /management/uploads/
[04:44:56] 301 - 329B - /management/uploads -> http://192.168.167.13/management/uploads/
[04:44:58] 400 - 1KB - /management/web.config::$DATA
[04:45:00] 400 - 1KB - /management/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com
发现用户和密码
http://192.168.167.13/management/installation/install_guide.txt
Admin: admin@admin.com
Pass: 1234
Student: student@student.com
Pass: 1234
Teacher: teacher@teacher.com
Pass: 1234
Parent: parent@parent.com
Pass: 1234
发现登录不了 琢磨了半天 进兔子洞了
上网查exp 直接漏洞利用 https://www.exploit-db.com/exploits/50587?source=post_page-----2bb26b45d97e--------------------------------
'username' => 'school',
'password' => '@jCma4s8ZM<?kA',
登录数据库
发现密码
爆破密码
su msander
然后进 emiller
反编译他的apk
发现密码
emiller:EzPwz2022_dev1$$23!!
登录后发现可以sudo执行任何操作 提权成功
Educated PG walkthrough Intermediate的更多相关文章
- 简析服务端通过GT导入SHP至PG的方法
文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...
- Bootstap datetimepicker报错TypeError: intermediate value
Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...
- PG 中 JSON 字段的应用
13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...
- pg gem 安装(postgresql94)
使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...
- #pg学习#postgresql的安装
1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...
- PG 函数的易变性(Function Volatility Categories)
此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...
- c++错误——intermediate.manifest : general error c1010070很傻的错
.\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...
- mysql 序列与pg序列的比较
mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错: ...
- 使用zfs进行pg的pitr恢复测试
前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...
- PG CREATEINDEX CONCURRENTLY
PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...
随机推荐
- 接口自动化AES对称加密为什么密钥key是16位的?
对称加密AES,加密和解密的密钥是同一个 AES是一个分组加密算法,AES有三种密钥长度(128.192.256)比特,常用的是128比特,也就是16位 AES常用的加密模式有:ECB,ECB是将明文 ...
- 内衣 ERP 系统 (Delphi)
服装行业ERP系统,当时从开始实施推行,最后二次开发,源代码交接... 发几个截图看看 可配置的查询 这个功能几乎被我全改过... 后台报表配置 欢迎微信搜一搜 IT软件部落 关注公众号,你可以了解更 ...
- 2024 BUPT Programming Contest F
简要题意 多测,给定一个 \(n \times n\) 矩阵,矩阵中的每一个元素的计算方式如下: 矩阵的行和列唯一决定两个整数对 \((a, b)\),矩阵第 \(a(0 \le a < n)\ ...
- php yaconf扩展
在了解到PHP鸟哥还有这个扩展后,我安装尝试了一下 在这里有介绍 https://pecl.php.net/package/yaconf 这里有更详细的代码和说明 https://github.co ...
- MySQL 主从复制之多线程复制
目录 一.MySQL 多线程复制的背景 二.MySQL 5.5 主从复制 1.原理 2.部署主从复制 2.1.主节点安装配置MySQL 5.5 2.2.从节点安装配置MySQL 5.5 3.检查主从库 ...
- 发布一个TCP 吞吐性能测试小工具
当写完一个TCP服务的时候,是不是很想马上测试一下这个服务的性能,它到底能应付怎样的请求处理,其性能又是怎样呢.相信以下这个小工具能帮到你的小忙,它是基于Beetle实现的一个小工具只需要设置一下参数 ...
- python之数据库管理工具sandman2
文档:Welcome to sandman2's documentation! - sandman2 0.0.1 documentation [安装] pip install sandman2 安装成 ...
- JDBC【4】-- SPI底层原理解析
前面已经讲过SPI的基本实现原理了,demo也基本实现了,再来说说SPI. http://aphysia.cn/archives/jdbcspi 背景:SPI是什么? SPI,即是Service Pr ...
- docker 批量删除镜像
删除虚悬镜像 列出REPOSITORY和TAG均为<none>的虚悬镜像: $ docker images --filter dangling=true REPOSITORY TAG IM ...
- docker直接运行vue3源代码npm run dev
有套代码,需要在服务器直接run dev,docker build玩起来. 步骤: 将自己的代码上传到服务器,本例:/home/flow/ruoyi-ui cd到项目根目录 ruoyi-ui,新建D ...