nmap 扫 到 80 22

dirsearch 扫描发现 
┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/__24-11-11_04-35-06.txt

Target: http://192.168.167.13/

[04:35:06] Starting:

[04:35:11] 403 -  279B  - /.ht_wsr.txt

[04:35:11] 403 -  279B  - /.htaccess.bak1

[04:35:11] 403 -  279B  - /.htaccess.orig

[04:35:11] 403 -  279B  - /.htaccess.sample

[04:35:11] 403 -  279B  - /.htaccess.save

[04:35:11] 403 -  279B  - /.htaccess_extra

[04:35:11] 403 -  279B  - /.htaccess_orig

[04:35:11] 403 -  279B  - /.htaccess_sc

[04:35:11] 403 -  279B  - /.htaccessBAK

[04:35:11] 403 -  279B  - /.htaccessOLD

[04:35:11] 403 -  279B  - /.htaccessOLD2

[04:35:11] 403 -  279B  - /.htm

[04:35:11] 403 -  279B  - /.html

[04:35:11] 403 -  279B  - /.htpasswds

[04:35:11] 403 -  279B  - /.htpasswd_test

[04:35:11] 403 -  279B  - /.httr-oauth

[04:35:13] 403 -  279B  - /.php

[04:35:25] 301 -  317B  - /assets  ->  http://192.168.167.13/assets/

[04:35:25] 200 -  475B  - /assets/

[04:35:42] 301 -  321B  - /management  ->  http://192.168.167.13/management/

[04:35:42] 404 -    1KB - /management/configprops

[04:35:42] 404 -    1KB - /management/env

[04:35:42] 200 -    2KB - /management/

[04:35:53] 403 -  279B  - /server-status

[04:35:53] 403 -  279B  - /server-status/

[04:36:01] 200 -  466B  - /vendor/                                          

Task Completed

┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/management/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/_management__24-11-11_04-44-02.txt

Target: http://192.168.167.13/

[04:44:02] Starting: management/

[04:44:03] 301 -  324B  - /management/js  ->  http://192.168.167.13/management/js/

[04:44:03] 400 -    1KB - /management/!.gitignore

[04:44:04] 404 -  276B  - /management/%2e%2e//google.com

[04:44:04] 200 -    0B  - /management/.admin

[04:44:04] 200 -    0B  - /management/.admin/

[04:44:06] 400 -    1KB - /management/!.htpasswd

[04:44:06] 400 -    1KB - /management/!.htaccess

[04:44:07] 403 -  279B  - /management/.ht_wsr.txt

[04:44:07] 403 -  279B  - /management/.htaccess.bak1

[04:44:07] 403 -  279B  - /management/.htaccess.orig

[04:44:07] 403 -  279B  - /management/.htaccess.sample

[04:44:07] 403 -  279B  - /management/.htaccess.save

[04:44:07] 403 -  279B  - /management/.htaccess_extra

[04:44:07] 403 -  279B  - /management/.htaccessBAK

[04:44:07] 403 -  279B  - /management/.htaccess_sc

[04:44:07] 403 -  279B  - /management/.htaccess_orig

[04:44:07] 403 -  279B  - /management/.htaccessOLD2

[04:44:07] 403 -  279B  - /management/.htaccessOLD

[04:44:07] 403 -  279B  - /management/.htm

[04:44:07] 403 -  279B  - /management/.html

[04:44:07] 403 -  279B  - /management/.htpasswd_test

[04:44:07] 403 -  279B  - /management/.htpasswds

[04:44:07] 403 -  279B  - /management/.httr-oauth

[04:44:07] 400 -    1KB - /management/.idea/workspace(3).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(2).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(4).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(5).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(6).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(7).xml

[04:44:08] 403 -  279B  - /management/.php

[04:44:11] 400 -    1KB - /management/;/admin

[04:44:11] 400 -    1KB - /management/;/json

[04:44:11] 400 -    1KB - /management/;/login

[04:44:11] 400 -    1KB - /management/;json/

[04:44:11] 400 -    1KB - /management/;admin/

[04:44:11] 400 -    1KB - /management/;login/

[04:44:12] 400 -    1KB - /management/actuator/;/auditLog

[04:44:12] 400 -    1KB - /management/actuator/;/beans

[04:44:12] 400 -    1KB - /management/actuator/;/auditevents

[04:44:12] 400 -    1KB - /management/actuator/;/caches

[04:44:12] 400 -    1KB - /management/actuator/;/conditions

[04:44:12] 400 -    1KB - /management/actuator/;/configurationMetadata

[04:44:12] 400 -    1KB - /management/actuator/;/dump

[04:44:12] 400 -    1KB - /management/actuator/;/events

[04:44:12] 400 -    1KB - /management/actuator/;/heapdump

[04:44:12] 400 -    1KB - /management/actuator/;/env

[04:44:12] 400 -    1KB - /management/actuator/;/configprops

[04:44:12] 400 -    1KB - /management/actuator/;/health

[04:44:12] 400 -    1KB - /management/actuator/;/features

[04:44:12] 400 -    1KB - /management/actuator/;/exportRegisteredServices

[04:44:12] 400 -    1KB - /management/actuator/;/flyway

[04:44:12] 400 -    1KB - /management/actuator/;/info

[04:44:12] 400 -    1KB - /management/actuator/;/healthcheck

[04:44:12] 400 -    1KB - /management/actuator/;/liquibase

[04:44:12] 400 -    1KB - /management/actuator/;/loggers

[04:44:12] 400 -    1KB - /management/actuator/;/integrationgraph

[04:44:12] 400 -    1KB - /management/actuator/;/httptrace

[04:44:12] 400 -    1KB - /management/actuator/;/jolokia

[04:44:12] 400 -    1KB - /management/actuator/;/logfile

[04:44:12] 400 -    1KB - /management/actuator/;/loggingConfig

[04:44:12] 400 -    1KB - /management/actuator/;/metrics

[04:44:13] 400 -    1KB - /management/actuator/;/mappings

[04:44:13] 400 -    1KB - /management/actuator/;/prometheus

[04:44:13] 400 -    1KB - /management/actuator/;/refresh

[04:44:13] 400 -    1KB - /management/actuator/;/registeredServices

[04:44:13] 400 -    1KB - /management/actuator/;/releaseAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/resolveAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/scheduledtasks

[04:44:13] 400 -    1KB - /management/actuator/;/sessions

[04:44:13] 400 -    1KB - /management/actuator/;/shutdown

[04:44:13] 400 -    1KB - /management/actuator/;/springWebflow

[04:44:13] 400 -    1KB - /management/actuator/;/sso

[04:44:13] 400 -    1KB - /management/actuator/;/ssoSessions

[04:44:13] 400 -    1KB - /management/actuator/;/statistics

[04:44:13] 400 -    1KB - /management/actuator/;/status

[04:44:13] 400 -    1KB - /management/actuator/;/trace

[04:44:13] 400 -    1KB - /management/actuator/;/threaddump

[04:44:13] 403 -  279B  - /management/admin%20/

[04:44:13] 200 -    0B  - /management/admin

[04:44:13] 200 -    0B  - /management/Admin

[04:44:14] 200 -    0B  - /management/admin.

[04:44:14] 200 -    0B  - /management/admin/

[04:44:14] 200 -    0B  - /management/Admin/

[04:44:14] 200 -    0B  - /management/admin/index

[04:44:15] 400 -    1KB - /management/admin;/

[04:44:15] 400 -    1KB - /management/Admin;/

[04:44:21] 403 -  279B  - /management/application

[04:44:21] 403 -  279B  - /management/application/

[04:44:21] 403 -  279B  - /management/application/cache/

[04:44:21] 403 -  279B  - /management/application/configs/application.ini

[04:44:21] 403 -  279B  - /management/application/logs/

[04:44:21] 301 -  328B  - /management/assets  ->  http://192.168.167.13/management/assets/

[04:44:21] 200 -    0B  - /management/assets/

[04:44:28] 200 -  487B  - /management/dist/

[04:44:28] 301 -  326B  - /management/dist  ->  http://192.168.167.13/management/dist/

[04:44:34] 404 -  276B  - /management/index

[04:44:34] 400 -    1KB - /management/index.php::$DATA

[04:44:34] 200 -  503B  - /management/installation/

[04:44:34] 301 -  334B  - /management/installation  ->  http://192.168.167.13/management/installation/

[04:44:35] 400 -    1KB - /management/jkstatus;

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*

[04:44:35] 400 -    1KB - /management/jolokia/read/java.lang:type=*/HeapMemoryUsage

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned

[04:44:35] 400 -    1KB - /management/jolokia/search/*:j2eeType=J2EEServer,*

[04:44:35] 200 -  120B  - /management/js/

[04:44:37] 403 -  279B  - /management/login.wdm%20

[04:44:40] 403 -  279B  - /management/New%20Folder

[04:44:40] 403 -  279B  - /management/New%20folder%20(2)

[04:44:43] 403 -  279B  - /management/phpliteadmin%202.php

[04:44:43] 400 -    1KB - /management/phpmyadmin!!

[04:44:47] 403 -  279B  - /management/Read%20Me.txt

[04:44:47] 200 -   66B  - /management/README.txt

[04:44:47] 200 -   66B  - /management/README

[04:44:48] 400 -    1KB - /management/secure/ContactAdministrators!default.jspa

[04:44:48] 400 -    1KB - /management/secure/ConfigurePortalPages!default.jspa?view=popular

[04:44:49] 400 -    1KB - /management/secure/QueryComponent!Default.jspa

[04:44:53] 403 -  279B  - /management/system/cron/cron.txt

[04:44:53] 403 -  279B  - /management/system/

[04:44:53] 403 -  279B  - /management/system

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/config.php

[04:44:53] 403 -  279B  - /management/system/error.txt

[04:44:53] 403 -  279B  - /management/system/cache/

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/database.php

[04:44:53] 403 -  279B  - /management/system/log/

[04:44:53] 403 -  279B  - /management/system/logs/

[04:44:53] 403 -  279B  - /management/system/storage/

[04:44:55] 400 -    1KB - /management/Trace.axd::$DATA

[04:44:56] 200 -  675B  - /management/uploads/

[04:44:56] 301 -  329B  - /management/uploads  ->  http://192.168.167.13/management/uploads/

[04:44:58] 400 -    1KB - /management/web.config::$DATA

[04:45:00] 400 -    1KB - /management/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com

发现用户和密码

http://192.168.167.13/management/installation/install_guide.txt

Admin: admin@admin.com

Pass: 1234

Student: student@student.com

Pass: 1234

Teacher: teacher@teacher.com

Pass: 1234

Parent: parent@parent.com

Pass: 1234

发现登录不了 琢磨了半天 进兔子洞了

上网查exp 直接漏洞利用 https://www.exploit-db.com/exploits/50587?source=post_page-----2bb26b45d97e--------------------------------

'username' => 'school',

'password' => '@jCma4s8ZM<?kA',

登录数据库

发现密码



爆破密码

su msander

然后进 emiller

反编译他的apk

发现密码

emiller:EzPwz2022_dev1$$23!!

登录后发现可以sudo执行任何操作 提权成功

Educated PG walkthrough Intermediate的更多相关文章

  1. 简析服务端通过GT导入SHP至PG的方法

    文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...

  2. Bootstap datetimepicker报错TypeError: intermediate value

    Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...

  3. PG 中 JSON 字段的应用

    13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...

  4. pg gem 安装(postgresql94)

    使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...

  5. #pg学习#postgresql的安装

    1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...

  6. PG 函数的易变性(Function Volatility Categories)

    此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...

  7. c++错误——intermediate.manifest : general error c1010070很傻的错

    .\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...

  8. mysql 序列与pg序列的比较

    mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错:      ...

  9. 使用zfs进行pg的pitr恢复测试

    前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...

  10. PG CREATEINDEX CONCURRENTLY

    PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

  1. js-xlsx 前段读取excel

    JavaScript读取和导出excel示例(基于js-xlsx) 放入参考链接 http://demo.haoji.me/2017/02/08-js-xlsx/ github官网 https://g ...

  2. apisix lua插件开发

    1. 怎么定义ngx自定义变量 ngx.var.custom_var nginx_config: # config for render the template to generate nginx. ...

  3. Golang之学习资源参考

    使用golang开发也有一段时间,在此总结一些自己从0入门到掌握所涉及一些资源,希望可以帮助其他人 [初级] 基础语法练习:  https://gobyexample.com/ [中级] 1.gola ...

  4. MySQL之根据经纬度计算距离

    可以在MySQL层面使用自定义计算函数来使用 CREATE DEFINER=`xxx`@`%` FUNCTION `get_distance`( lat1 float,lon1 float,lat2 ...

  5. mongo迁移工具之mongo-shake

    最近需要进行MongoDB中数据迁移,之前使用过阿里系的redisShake感觉不错, 这次打算使用mongoShake来进行同步 github: https://github.com/alibaba ...

  6. c# 添加系统右键菜单(Windows11以前)

    今天介绍一下在注册表中添加系统右键菜单实现在文件夹的右键菜单中添加,删除以及查找是否已经添加的方法. 注意这里的方法仅限于Windows11之前使用,Windows11默认的右键菜单已经改变,需要使用 ...

  7. Helm部署SkyWalking

    一 . 部署ElasticSearch 1.下载安装包 helm repo add elastic https://helm.elastic.cohelm pull elastic/elasticse ...

  8. 指针, C语言的精髓

    指针, C语言的精髓 莫队先咕几天, 容我先讲完树剖 (因为后面树上的东西好多都要用树剖求 LCA). 什么是指针 保存变量地址的变量叫做指针. 这是大概的定义, 但是Defad认为这个定义不太好理解 ...

  9. C++ builder 10.2 x64程序使用typeid获取vcl类名时异常

    C++ builder 10.2 x64程序使用typeid获取vcl类名时异常 比如: const std::type_info &t= typeid(TForm1); 那么t的name() ...

  10. #oscp#渗透测试 kioptix level 3靶机getshell及提权教程

    声明! 文章所提到的网站以及内容,只做学习交流,其他均与本人以及泷羽sec团队无关,切勿触碰法律底线,否则后果自负!!!! 一.靶机搭建 点击扫描虚拟机 选择靶机使在文件夹即可 二.信息收集 前言 信 ...