Educated PG walkthrough Intermediate

nmap 扫到 80 22

dirsearch 扫描发现

┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/__24-11-11_04-35-06.txt

Target: http://192.168.167.13/

[04:35:06] Starting:

[04:35:11] 403 -  279B  - /.ht_wsr.txt

[04:35:11] 403 -  279B  - /.htaccess.bak1

[04:35:11] 403 -  279B  - /.htaccess.orig

[04:35:11] 403 -  279B  - /.htaccess.sample

[04:35:11] 403 -  279B  - /.htaccess.save

[04:35:11] 403 -  279B  - /.htaccess_extra

[04:35:11] 403 -  279B  - /.htaccess_orig

[04:35:11] 403 -  279B  - /.htaccess_sc

[04:35:11] 403 -  279B  - /.htaccessBAK

[04:35:11] 403 -  279B  - /.htaccessOLD

[04:35:11] 403 -  279B  - /.htaccessOLD2

[04:35:11] 403 -  279B  - /.htm

[04:35:11] 403 -  279B  - /.html

[04:35:11] 403 -  279B  - /.htpasswds

[04:35:11] 403 -  279B  - /.htpasswd_test

[04:35:11] 403 -  279B  - /.httr-oauth

[04:35:13] 403 -  279B  - /.php

[04:35:25] 301 -  317B  - /assets  ->  http://192.168.167.13/assets/

[04:35:25] 200 -  475B  - /assets/

[04:35:42] 301 -  321B  - /management  ->  http://192.168.167.13/management/

[04:35:42] 404 -    1KB - /management/configprops

[04:35:42] 404 -    1KB - /management/env

[04:35:42] 200 -    2KB - /management/

[04:35:53] 403 -  279B  - /server-status

[04:35:53] 403 -  279B  - /server-status/

[04:36:01] 200 -  466B  - /vendor/                                          

Task Completed

┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/management/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/_management__24-11-11_04-44-02.txt

Target: http://192.168.167.13/

[04:44:02] Starting: management/

[04:44:03] 301 -  324B  - /management/js  ->  http://192.168.167.13/management/js/

[04:44:03] 400 -    1KB - /management/!.gitignore

[04:44:04] 404 -  276B  - /management/%2e%2e//google.com

[04:44:04] 200 -    0B  - /management/.admin

[04:44:04] 200 -    0B  - /management/.admin/

[04:44:06] 400 -    1KB - /management/!.htpasswd

[04:44:06] 400 -    1KB - /management/!.htaccess

[04:44:07] 403 -  279B  - /management/.ht_wsr.txt

[04:44:07] 403 -  279B  - /management/.htaccess.bak1

[04:44:07] 403 -  279B  - /management/.htaccess.orig

[04:44:07] 403 -  279B  - /management/.htaccess.sample

[04:44:07] 403 -  279B  - /management/.htaccess.save

[04:44:07] 403 -  279B  - /management/.htaccess_extra

[04:44:07] 403 -  279B  - /management/.htaccessBAK

[04:44:07] 403 -  279B  - /management/.htaccess_sc

[04:44:07] 403 -  279B  - /management/.htaccess_orig

[04:44:07] 403 -  279B  - /management/.htaccessOLD2

[04:44:07] 403 -  279B  - /management/.htaccessOLD

[04:44:07] 403 -  279B  - /management/.htm

[04:44:07] 403 -  279B  - /management/.html

[04:44:07] 403 -  279B  - /management/.htpasswd_test

[04:44:07] 403 -  279B  - /management/.htpasswds

[04:44:07] 403 -  279B  - /management/.httr-oauth

[04:44:07] 400 -    1KB - /management/.idea/workspace(3).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(2).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(4).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(5).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(6).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(7).xml

[04:44:08] 403 -  279B  - /management/.php

[04:44:11] 400 -    1KB - /management/;/admin

[04:44:11] 400 -    1KB - /management/;/json

[04:44:11] 400 -    1KB - /management/;/login

[04:44:11] 400 -    1KB - /management/;json/

[04:44:11] 400 -    1KB - /management/;admin/

[04:44:11] 400 -    1KB - /management/;login/

[04:44:12] 400 -    1KB - /management/actuator/;/auditLog

[04:44:12] 400 -    1KB - /management/actuator/;/beans

[04:44:12] 400 -    1KB - /management/actuator/;/auditevents

[04:44:12] 400 -    1KB - /management/actuator/;/caches

[04:44:12] 400 -    1KB - /management/actuator/;/conditions

[04:44:12] 400 -    1KB - /management/actuator/;/configurationMetadata

[04:44:12] 400 -    1KB - /management/actuator/;/dump

[04:44:12] 400 -    1KB - /management/actuator/;/events

[04:44:12] 400 -    1KB - /management/actuator/;/heapdump

[04:44:12] 400 -    1KB - /management/actuator/;/env

[04:44:12] 400 -    1KB - /management/actuator/;/configprops

[04:44:12] 400 -    1KB - /management/actuator/;/health

[04:44:12] 400 -    1KB - /management/actuator/;/features

[04:44:12] 400 -    1KB - /management/actuator/;/exportRegisteredServices

[04:44:12] 400 -    1KB - /management/actuator/;/flyway

[04:44:12] 400 -    1KB - /management/actuator/;/info

[04:44:12] 400 -    1KB - /management/actuator/;/healthcheck

[04:44:12] 400 -    1KB - /management/actuator/;/liquibase

[04:44:12] 400 -    1KB - /management/actuator/;/loggers

[04:44:12] 400 -    1KB - /management/actuator/;/integrationgraph

[04:44:12] 400 -    1KB - /management/actuator/;/httptrace

[04:44:12] 400 -    1KB - /management/actuator/;/jolokia

[04:44:12] 400 -    1KB - /management/actuator/;/logfile

[04:44:12] 400 -    1KB - /management/actuator/;/loggingConfig

[04:44:12] 400 -    1KB - /management/actuator/;/metrics

[04:44:13] 400 -    1KB - /management/actuator/;/mappings

[04:44:13] 400 -    1KB - /management/actuator/;/prometheus

[04:44:13] 400 -    1KB - /management/actuator/;/refresh

[04:44:13] 400 -    1KB - /management/actuator/;/registeredServices

[04:44:13] 400 -    1KB - /management/actuator/;/releaseAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/resolveAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/scheduledtasks

[04:44:13] 400 -    1KB - /management/actuator/;/sessions

[04:44:13] 400 -    1KB - /management/actuator/;/shutdown

[04:44:13] 400 -    1KB - /management/actuator/;/springWebflow

[04:44:13] 400 -    1KB - /management/actuator/;/sso

[04:44:13] 400 -    1KB - /management/actuator/;/ssoSessions

[04:44:13] 400 -    1KB - /management/actuator/;/statistics

[04:44:13] 400 -    1KB - /management/actuator/;/status

[04:44:13] 400 -    1KB - /management/actuator/;/trace

[04:44:13] 400 -    1KB - /management/actuator/;/threaddump

[04:44:13] 403 -  279B  - /management/admin%20/

[04:44:13] 200 -    0B  - /management/admin

[04:44:13] 200 -    0B  - /management/Admin

[04:44:14] 200 -    0B  - /management/admin.

[04:44:14] 200 -    0B  - /management/admin/

[04:44:14] 200 -    0B  - /management/Admin/

[04:44:14] 200 -    0B  - /management/admin/index

[04:44:15] 400 -    1KB - /management/admin;/

[04:44:15] 400 -    1KB - /management/Admin;/

[04:44:21] 403 -  279B  - /management/application

[04:44:21] 403 -  279B  - /management/application/

[04:44:21] 403 -  279B  - /management/application/cache/

[04:44:21] 403 -  279B  - /management/application/configs/application.ini

[04:44:21] 403 -  279B  - /management/application/logs/

[04:44:21] 301 -  328B  - /management/assets  ->  http://192.168.167.13/management/assets/

[04:44:21] 200 -    0B  - /management/assets/

[04:44:28] 200 -  487B  - /management/dist/

[04:44:28] 301 -  326B  - /management/dist  ->  http://192.168.167.13/management/dist/

[04:44:34] 404 -  276B  - /management/index

[04:44:34] 400 -    1KB - /management/index.php::$DATA

[04:44:34] 200 -  503B  - /management/installation/

[04:44:34] 301 -  334B  - /management/installation  ->  http://192.168.167.13/management/installation/

[04:44:35] 400 -    1KB - /management/jkstatus;

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*

[04:44:35] 400 -    1KB - /management/jolokia/read/java.lang:type=*/HeapMemoryUsage

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned

[04:44:35] 400 -    1KB - /management/jolokia/search/*:j2eeType=J2EEServer,*

[04:44:35] 200 -  120B  - /management/js/

[04:44:37] 403 -  279B  - /management/login.wdm%20

[04:44:40] 403 -  279B  - /management/New%20Folder

[04:44:40] 403 -  279B  - /management/New%20folder%20(2)

[04:44:43] 403 -  279B  - /management/phpliteadmin%202.php

[04:44:43] 400 -    1KB - /management/phpmyadmin!!

[04:44:47] 403 -  279B  - /management/Read%20Me.txt

[04:44:47] 200 -   66B  - /management/README.txt

[04:44:47] 200 -   66B  - /management/README

[04:44:48] 400 -    1KB - /management/secure/ContactAdministrators!default.jspa

[04:44:48] 400 -    1KB - /management/secure/ConfigurePortalPages!default.jspa?view=popular

[04:44:49] 400 -    1KB - /management/secure/QueryComponent!Default.jspa

[04:44:53] 403 -  279B  - /management/system/cron/cron.txt

[04:44:53] 403 -  279B  - /management/system/

[04:44:53] 403 -  279B  - /management/system

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/config.php

[04:44:53] 403 -  279B  - /management/system/error.txt

[04:44:53] 403 -  279B  - /management/system/cache/

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/database.php

[04:44:53] 403 -  279B  - /management/system/log/

[04:44:53] 403 -  279B  - /management/system/logs/

[04:44:53] 403 -  279B  - /management/system/storage/

[04:44:55] 400 -    1KB - /management/Trace.axd::$DATA

[04:44:56] 200 -  675B  - /management/uploads/

[04:44:56] 301 -  329B  - /management/uploads  ->  http://192.168.167.13/management/uploads/

[04:44:58] 400 -    1KB - /management/web.config::$DATA

[04:45:00] 400 -    1KB - /management/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com

发现用户和密码

http://192.168.167.13/management/installation/install_guide.txt

Admin: admin@admin.com

Pass: 1234

Student: student@student.com

Pass: 1234

Teacher: teacher@teacher.com

Pass: 1234

Parent: parent@parent.com

Pass: 1234

发现登录不了琢磨了半天进兔子洞了

上网查exp 直接漏洞利用 https://www.exploit-db.com/exploits/50587?source=post_page-----2bb26b45d97e--------------------------------

'username' => 'school',

'password' => '@jCma4s8ZM<?kA',

登录数据库

发现密码

爆破密码

su msander

然后进 emiller

反编译他的apk

发现密码

emiller:EzPwz2022_dev1$$23!!

登录后发现可以sudo执行任何操作提权成功

Educated PG walkthrough Intermediate的更多相关文章

简析服务端通过GT导入SHP至PG的方法
文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...
Bootstap datetimepicker报错TypeError: intermediate value
Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...
PG 中 JSON 字段的应用
13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...
pg gem 安装(postgresql94)
使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...
#pg学习#postgresql的安装
1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...
PG 函数的易变性（Function Volatility Categories）
此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...
c++错误——intermediate.manifest : general error c1010070很傻的错
.\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...
mysql 序列与pg序列的比较
mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错: ...
使用zfs进行pg的pitr恢复测试
前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...
PG CREATEINDEX CONCURRENTLY
PG CREATEINDEX CONCURRENTLY [TOC] 官方说法根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

【一步步开发AI运动小程序】八、利用body-calc进行姿态识别
随着人工智能技术的不断发展,阿里体育等IT大厂,推出的"乐动力"."天天跳绳"AI运动APP,让云上运动会.线上运动会.健身打卡.AI体育指导等概念空前火热.那 ...
高性能计算-gemm-mpi并行计算优化(8)
1. 目标: 矩阵A(MK) 矩阵B(KN)相乘,计算结果 C(M*N);本测试将使用不同的数据分块方式.MPI通信接口.数据循环模型,测试通信及计算效率,计算耗时为程序用户态和核心态的占用cpu时间 ...
(Redis基础教程之五)如何在Redis中操作字符串
如何在ubuntu18.04上安装和保护redis 如何连接到Redis数据库如何管理Redis数据库和Keys 如何在Redis中管理副本和客户端如何在Redis中管理字符串如何在Redis中 ...
方法的虚分派(virtual dispatch)和方法表（method table）
Java方法调用的虚分派 JUN 2ND, 2013 | COMMENTS 本文通过介绍 Java 方法调用的虚分派,来加深对 Java 多态实现的理解.需要预先理解 Java 字节码和 JVM 的基 ...
VTK 视角的旋转、平移、缩放
在CAD/CAM软件中,都需要旋转.平移和缩放视角,来观察操作图形.由于VTK定义的交互的类型不是很适用,所有通过定义一套自己的交互方式. 在下面代码中,鼠标左键平移,滚轮缩放,右键旋转. 先定义一个 ...
The 2nd GUAT Collegiate Programming Contest (Round 1)
第二届 GUAT大学生程序设计大赛第一场题解(A-M) 前言比赛的内容主要包括计算机科学的常用算法,基本的计算理论,(如:离散数学,具体数学,组合数学基础),数据结构基础,程序设计语言(规定是C ...
Member not found: ’packageRoot’ in Flutter
path/flutter/.pub-cache/hosted/pub.dartlang.org/platform-3.0.0/ lib/src/interface/local_platform.dar ...
中电金信：AI数据服务
01 方案简介 AI数据服务解决方案为泛娱乐.电子商务.交通出行等行业提供数据处理.数据分析.AI模型训练等服务,通过自主研发的IDSC自动化数据服务平台与客户业务流程无缝衔接,实现超低延时的 ...
django推导流程
目录一.纯手撸web框架二.基于wsgiref模块三.代码封装优化四.动静态网页五.jinja2模块六.前端.后端.数据库三者联动一.纯手撸web框架 1.web框架的本质理解1:连接 ...
2024年1月Java项目开发指南13：登录注册实现
创建文件,如上图创建好文件后去router.index.js配置路由 import { createRouter, createWebHistory } from 'vue-router'; // ...

Educated PG walkthrough Intermediate

Educated PG walkthrough Intermediate的更多相关文章

随机推荐

热门专题