nmap 扫 到 80 22

dirsearch 扫描发现 
┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/__24-11-11_04-35-06.txt

Target: http://192.168.167.13/

[04:35:06] Starting:

[04:35:11] 403 -  279B  - /.ht_wsr.txt

[04:35:11] 403 -  279B  - /.htaccess.bak1

[04:35:11] 403 -  279B  - /.htaccess.orig

[04:35:11] 403 -  279B  - /.htaccess.sample

[04:35:11] 403 -  279B  - /.htaccess.save

[04:35:11] 403 -  279B  - /.htaccess_extra

[04:35:11] 403 -  279B  - /.htaccess_orig

[04:35:11] 403 -  279B  - /.htaccess_sc

[04:35:11] 403 -  279B  - /.htaccessBAK

[04:35:11] 403 -  279B  - /.htaccessOLD

[04:35:11] 403 -  279B  - /.htaccessOLD2

[04:35:11] 403 -  279B  - /.htm

[04:35:11] 403 -  279B  - /.html

[04:35:11] 403 -  279B  - /.htpasswds

[04:35:11] 403 -  279B  - /.htpasswd_test

[04:35:11] 403 -  279B  - /.httr-oauth

[04:35:13] 403 -  279B  - /.php

[04:35:25] 301 -  317B  - /assets  ->  http://192.168.167.13/assets/

[04:35:25] 200 -  475B  - /assets/

[04:35:42] 301 -  321B  - /management  ->  http://192.168.167.13/management/

[04:35:42] 404 -    1KB - /management/configprops

[04:35:42] 404 -    1KB - /management/env

[04:35:42] 200 -    2KB - /management/

[04:35:53] 403 -  279B  - /server-status

[04:35:53] 403 -  279B  - /server-status/

[04:36:01] 200 -  466B  - /vendor/                                          

Task Completed

┌──(root㉿kali)-[~]

└─# dirsearch -u http://192.168.167.13/management/

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html

  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3

 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.167.13/_management__24-11-11_04-44-02.txt

Target: http://192.168.167.13/

[04:44:02] Starting: management/

[04:44:03] 301 -  324B  - /management/js  ->  http://192.168.167.13/management/js/

[04:44:03] 400 -    1KB - /management/!.gitignore

[04:44:04] 404 -  276B  - /management/%2e%2e//google.com

[04:44:04] 200 -    0B  - /management/.admin

[04:44:04] 200 -    0B  - /management/.admin/

[04:44:06] 400 -    1KB - /management/!.htpasswd

[04:44:06] 400 -    1KB - /management/!.htaccess

[04:44:07] 403 -  279B  - /management/.ht_wsr.txt

[04:44:07] 403 -  279B  - /management/.htaccess.bak1

[04:44:07] 403 -  279B  - /management/.htaccess.orig

[04:44:07] 403 -  279B  - /management/.htaccess.sample

[04:44:07] 403 -  279B  - /management/.htaccess.save

[04:44:07] 403 -  279B  - /management/.htaccess_extra

[04:44:07] 403 -  279B  - /management/.htaccessBAK

[04:44:07] 403 -  279B  - /management/.htaccess_sc

[04:44:07] 403 -  279B  - /management/.htaccess_orig

[04:44:07] 403 -  279B  - /management/.htaccessOLD2

[04:44:07] 403 -  279B  - /management/.htaccessOLD

[04:44:07] 403 -  279B  - /management/.htm

[04:44:07] 403 -  279B  - /management/.html

[04:44:07] 403 -  279B  - /management/.htpasswd_test

[04:44:07] 403 -  279B  - /management/.htpasswds

[04:44:07] 403 -  279B  - /management/.httr-oauth

[04:44:07] 400 -    1KB - /management/.idea/workspace(3).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(2).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(4).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(5).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(6).xml

[04:44:07] 400 -    1KB - /management/.idea/workspace(7).xml

[04:44:08] 403 -  279B  - /management/.php

[04:44:11] 400 -    1KB - /management/;/admin

[04:44:11] 400 -    1KB - /management/;/json

[04:44:11] 400 -    1KB - /management/;/login

[04:44:11] 400 -    1KB - /management/;json/

[04:44:11] 400 -    1KB - /management/;admin/

[04:44:11] 400 -    1KB - /management/;login/

[04:44:12] 400 -    1KB - /management/actuator/;/auditLog

[04:44:12] 400 -    1KB - /management/actuator/;/beans

[04:44:12] 400 -    1KB - /management/actuator/;/auditevents

[04:44:12] 400 -    1KB - /management/actuator/;/caches

[04:44:12] 400 -    1KB - /management/actuator/;/conditions

[04:44:12] 400 -    1KB - /management/actuator/;/configurationMetadata

[04:44:12] 400 -    1KB - /management/actuator/;/dump

[04:44:12] 400 -    1KB - /management/actuator/;/events

[04:44:12] 400 -    1KB - /management/actuator/;/heapdump

[04:44:12] 400 -    1KB - /management/actuator/;/env

[04:44:12] 400 -    1KB - /management/actuator/;/configprops

[04:44:12] 400 -    1KB - /management/actuator/;/health

[04:44:12] 400 -    1KB - /management/actuator/;/features

[04:44:12] 400 -    1KB - /management/actuator/;/exportRegisteredServices

[04:44:12] 400 -    1KB - /management/actuator/;/flyway

[04:44:12] 400 -    1KB - /management/actuator/;/info

[04:44:12] 400 -    1KB - /management/actuator/;/healthcheck

[04:44:12] 400 -    1KB - /management/actuator/;/liquibase

[04:44:12] 400 -    1KB - /management/actuator/;/loggers

[04:44:12] 400 -    1KB - /management/actuator/;/integrationgraph

[04:44:12] 400 -    1KB - /management/actuator/;/httptrace

[04:44:12] 400 -    1KB - /management/actuator/;/jolokia

[04:44:12] 400 -    1KB - /management/actuator/;/logfile

[04:44:12] 400 -    1KB - /management/actuator/;/loggingConfig

[04:44:12] 400 -    1KB - /management/actuator/;/metrics

[04:44:13] 400 -    1KB - /management/actuator/;/mappings

[04:44:13] 400 -    1KB - /management/actuator/;/prometheus

[04:44:13] 400 -    1KB - /management/actuator/;/refresh

[04:44:13] 400 -    1KB - /management/actuator/;/registeredServices

[04:44:13] 400 -    1KB - /management/actuator/;/releaseAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/resolveAttributes

[04:44:13] 400 -    1KB - /management/actuator/;/scheduledtasks

[04:44:13] 400 -    1KB - /management/actuator/;/sessions

[04:44:13] 400 -    1KB - /management/actuator/;/shutdown

[04:44:13] 400 -    1KB - /management/actuator/;/springWebflow

[04:44:13] 400 -    1KB - /management/actuator/;/sso

[04:44:13] 400 -    1KB - /management/actuator/;/ssoSessions

[04:44:13] 400 -    1KB - /management/actuator/;/statistics

[04:44:13] 400 -    1KB - /management/actuator/;/status

[04:44:13] 400 -    1KB - /management/actuator/;/trace

[04:44:13] 400 -    1KB - /management/actuator/;/threaddump

[04:44:13] 403 -  279B  - /management/admin%20/

[04:44:13] 200 -    0B  - /management/admin

[04:44:13] 200 -    0B  - /management/Admin

[04:44:14] 200 -    0B  - /management/admin.

[04:44:14] 200 -    0B  - /management/admin/

[04:44:14] 200 -    0B  - /management/Admin/

[04:44:14] 200 -    0B  - /management/admin/index

[04:44:15] 400 -    1KB - /management/admin;/

[04:44:15] 400 -    1KB - /management/Admin;/

[04:44:21] 403 -  279B  - /management/application

[04:44:21] 403 -  279B  - /management/application/

[04:44:21] 403 -  279B  - /management/application/cache/

[04:44:21] 403 -  279B  - /management/application/configs/application.ini

[04:44:21] 403 -  279B  - /management/application/logs/

[04:44:21] 301 -  328B  - /management/assets  ->  http://192.168.167.13/management/assets/

[04:44:21] 200 -    0B  - /management/assets/

[04:44:28] 200 -  487B  - /management/dist/

[04:44:28] 301 -  326B  - /management/dist  ->  http://192.168.167.13/management/dist/

[04:44:34] 404 -  276B  - /management/index

[04:44:34] 400 -    1KB - /management/index.php::$DATA

[04:44:34] 200 -  503B  - /management/installation/

[04:44:34] 301 -  334B  - /management/installation  ->  http://192.168.167.13/management/installation/

[04:44:35] 400 -    1KB - /management/jkstatus;

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jfrStart/filename=!/tmp!/foo

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/help/*

[04:44:35] 400 -    1KB - /management/jolokia/read/java.lang:type=*/HeapMemoryUsage

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/compilerDirectivesAdd/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/jvmtiAgentLoad/!/etc!/passwd

[04:44:35] 400 -    1KB - /management/jolokia/exec/com.sun.management:type=DiagnosticCommand/vmLog/output=!/tmp!/pwned

[04:44:35] 400 -    1KB - /management/jolokia/search/*:j2eeType=J2EEServer,*

[04:44:35] 200 -  120B  - /management/js/

[04:44:37] 403 -  279B  - /management/login.wdm%20

[04:44:40] 403 -  279B  - /management/New%20Folder

[04:44:40] 403 -  279B  - /management/New%20folder%20(2)

[04:44:43] 403 -  279B  - /management/phpliteadmin%202.php

[04:44:43] 400 -    1KB - /management/phpmyadmin!!

[04:44:47] 403 -  279B  - /management/Read%20Me.txt

[04:44:47] 200 -   66B  - /management/README.txt

[04:44:47] 200 -   66B  - /management/README

[04:44:48] 400 -    1KB - /management/secure/ContactAdministrators!default.jspa

[04:44:48] 400 -    1KB - /management/secure/ConfigurePortalPages!default.jspa?view=popular

[04:44:49] 400 -    1KB - /management/secure/QueryComponent!Default.jspa

[04:44:53] 403 -  279B  - /management/system/cron/cron.txt

[04:44:53] 403 -  279B  - /management/system/

[04:44:53] 403 -  279B  - /management/system

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/config.php

[04:44:53] 403 -  279B  - /management/system/error.txt

[04:44:53] 403 -  279B  - /management/system/cache/

[04:44:53] 403 -  279B  - /management/system/expressionengine/config/database.php

[04:44:53] 403 -  279B  - /management/system/log/

[04:44:53] 403 -  279B  - /management/system/logs/

[04:44:53] 403 -  279B  - /management/system/storage/

[04:44:55] 400 -    1KB - /management/Trace.axd::$DATA

[04:44:56] 200 -  675B  - /management/uploads/

[04:44:56] 301 -  329B  - /management/uploads  ->  http://192.168.167.13/management/uploads/

[04:44:58] 400 -    1KB - /management/web.config::$DATA

[04:45:00] 400 -    1KB - /management/wps/contenthandler/!ut/p/digest!8skKFbWr_TwcZcvoc9Dn3g/?uri=http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247798.html?Logout&RedirectTo=http://example.com

发现用户和密码

http://192.168.167.13/management/installation/install_guide.txt

Admin: admin@admin.com

Pass: 1234

Student: student@student.com

Pass: 1234

Teacher: teacher@teacher.com

Pass: 1234

Parent: parent@parent.com

Pass: 1234

发现登录不了 琢磨了半天 进兔子洞了

上网查exp 直接漏洞利用 https://www.exploit-db.com/exploits/50587?source=post_page-----2bb26b45d97e--------------------------------

'username' => 'school',

'password' => '@jCma4s8ZM<?kA',

登录数据库

发现密码



爆破密码

su msander

然后进 emiller

反编译他的apk

发现密码

emiller:EzPwz2022_dev1$$23!!

登录后发现可以sudo执行任何操作 提权成功

Educated PG walkthrough Intermediate的更多相关文章

  1. 简析服务端通过GT导入SHP至PG的方法

    文章版权由作者李晓晖和博客园共有,若转载请于明显处标明出处:http://www.cnblogs.com/naaoveGIS/ 1.背景 项目中需要在浏览器端直接上传SHP后服务端进行数据的自动入PG ...

  2. Bootstap datetimepicker报错TypeError: intermediate value

    Bootstrap datetimepicker有多个版本,官方的链接中,只是datepicker,没有时间的选择,原版的datetimepicker也不再更新,不能用新版的jquery.现在http ...

  3. PG 中 JSON 字段的应用

    13 年发现 pg 有了 json 类型,便从 oracle 转 pg,几年下来也算比较熟稔了,总结几个有益的实践. 用途一:存储设计时无法预料的文档性的数据.比如,通常可以在人员表准备一个 json ...

  4. pg gem 安装(postgresql94)

    使用下面命令安装报错 gem install pg 错误: [root@AS-test middle_database]# gem install pgBuilding native extensio ...

  5. #pg学习#postgresql的安装

    1.按照官网给的步骤编译安装(Mac安装是比较容易的,相比Liunx) cd /Users/renlipeng/Desktop/postgresql-9.5.1 ./configure --prefi ...

  6. PG 函数的易变性(Function Volatility Categories)

    此概念的接触是在做分区表的时候碰到的,分区表按时间字段分区,在查询时当where条件中时间为now()或者current_time()等时是无法查询的,即使进行格式转换也不行,只有是时间格式如‘201 ...

  7. c++错误——intermediate.manifest : general error c1010070很傻的错

    .\Debug\sadf.exe.intermediate.manifest : general error c1010070: Failed to load and parse the manife ...

  8. mysql 序列与pg序列的比较

    mysql序列(这里只谈innodb引擎): 在使用mysql的AUTO_INCREMENT时,使用AUTO_INCREMENT的字段必须建有索引,也可以为索引的一部分.当没有索引时会报错:      ...

  9. 使用zfs进行pg的pitr恢复测试

    前段时间做了一下zfs做pg的增量恢复测试,mark一下. 服务器信息: 主机:192.168.173.43 备机:192.168.173.41 主备使用流复制搭建,在备机上面进行了zfs快照备份. ...

  10. PG CREATEINDEX CONCURRENTLY

    PG CREATEINDEX CONCURRENTLY [TOC] 官方说法 根据9.1的文档 Creating an index can interfere with regular operati ...

随机推荐

  1. php 读取 csv 转数组列表

    我们有个文档需要修改,但是文档列太多,以及数量太大,以至于眼睛看起来很吃力,于是我决定做个简单的转化用脚本读取我想要验证的列的内容是否正确. 于是就产生了一个这样将csv快速的转为数组列表的功能函数 ...

  2. linux 自动输入密码脚本避免密码确认

    有时候需要执行一个小脚本,就把一部分命令集合起来,我们可以使用 && 或者 .sh 脚本换行. 而有些时候涉及权限需要输入密码就出现了一些客户端会卡在输密码的界面让用户输入 脚本会暂停 ...

  3. 成为Java GC专家(4) — Apache的MaxClients参数详解及其在Tomcat执行FullGC时的影响

    这是"成为Java GC专家系列文章"的第四篇. 在第一篇文章 成为JavaGC专家Part I - 深入浅出Java垃圾回收机制 中我们学习了不同GC算法的执行过程,GC如何工作 ...

  4. Prometheus之系统安装,启动

    Prometheus简介Prometheus是最初在SoundCloud上构建的开源系统监视和警报工具包. 自2012年成立以来,许多公司和组织都采用了Prometheus,该项目拥有非常活跃的开发人 ...

  5. 渗透测试-Kioptix Level 1靶机getshell及提权教程

    声明! 学习视频来自B站up主 泷羽sec 有兴趣的师傅可以关注一下,如涉及侵权马上删除文章,笔记只是方便各位师傅的学习和探讨,文章所提到的网站以及内容,只做学习交流,其他均与本人以及泷羽sec团队无 ...

  6. Windows安装redis并将redis设置成服务开机自启

    Redis 作为一种缓存工具,主要用于解决高并发的问题,在分布式系统中有着极其广泛的应用,Redis 本身是应用于 Linux/Unix 平台的(部署在服务器上边),官方并没有提供 Windows 平 ...

  7. 前端每日一知之web攻击方式

    脑图在线链接 本文内容依据[js每日一题]公众号精彩文章总结而来

  8. Centos7.8安装Gitlab

    公司为了合规性考虑,需要自己搭建私有化版的github.那不用想,肯定要上GitLab了. 项目背景: 服务器:华为云ECS,需要上公网,并在安全组打开80端口访问. 用户:关闭公开注册,新建用户后, ...

  9. [OS] 计算机资源虚拟化技术

    1 定义:计算机资源虚拟化 服务器虚拟化主要通过软件技术将物理服务器的硬件资源抽象化,创建多个独立的虚拟服务器环境. 2 虚拟化技术方向 以下是一些常见的服务器虚拟化方式和工具: 基于hypervis ...

  10. echarts 图表设置默认选中

    echarts:https://echarts.apache.org/zh/api.html#events.legendselected tfjy1997:https://blog.csdn.net/ ...