PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.0p1 Debian 4+deb7u7 (protocol 2.0)
| ssh-hostkey:
|   1024 c4d659e6774c227a961660678b42488f (DSA)
|   2048 1182fe534edc5b327f446482757dd0a0 (RSA)
|_  256 3daa985c87afea84b823688db9055fd8 (ECDSA)
80/tcp    open  http    Apache httpd 2.2.22 ((Debian))
|_http-title: Welcome to Drupal Site | Drupal Site
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-generator: Drupal 7 (http://drupal.org)
|_http-server-header: Apache/2.2.22 (Debian)
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          35804/udp6  status
|   100024  1          41727/udp   status
|   100024  1          50387/tcp   status
|_  100024  1          52241/tcp6  status
50387/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:0C:90:9D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.16
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 11 18:27:20 2023 -- 1 IP address (1 host up) scanned in 15.41 seconds
Identifying the CMS
On opening the site you can see it is Drupal.
Use CMSeeK to determine the CMS version.
Search with searchsploit for vulnerabilities in that CMS version:
searchsploit drupal 7
It turns out there are exploitable vulnerabilities whether the version is 7 itself, above 7 or below it, so we try them with msf.
Getting a shell
Exploitation attempt with MSF
In a real penetration test it is not recommended to fire the exploits one after another; confirm the details first and use the right exploit precisely.
Exploit number 1 gave us a shell.
Internal information gathering
Preparing for the subsequent privilege escalation.
Kernel and distribution
SUID
Here find has the setuid bit set and can be used for privilege escalation.
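A setuid find of this kind is something a host audit should catch before anyone else does. The script below is an added example, not part of this walkthrough: a POSIX sh audit that enumerates setuid files under a root directory and reports any not on an allowlist. The demo tree, file names and allowlist it builds are constructed for the demonstration, not taken from DC-1.

```shell
#!/bin/sh
# Added example (not from this walkthrough): audit setuid binaries under a root
# directory against an allowlist. A setuid "find", as on DC-1, is exactly the
# kind of unexpected entry this reports. The demo tree, file names and the
# allowlist contents below are constructed for the demo, not taken from DC-1.

# audit_suid ROOT ALLOWLIST
# Prints "ALLOWED <path>" or "UNEXPECTED <path>" for every setuid regular file
# under ROOT. Paths are compared relative to ROOT, so an allowlist entry such
# as /usr/bin/passwd does not also bless a setuid "passwd" dropped in /tmp.
# Returns 0 when nothing unexpected was found, 1 otherwise.
audit_suid() {
    root=$1
    allow=$2
    unexpected=0
    # -perm -4000: the setuid bit is set (GNU and BusyBox find both support it)
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        rel=${f#"$root"}
        if grep -qxF -- "$rel" "$allow"; then
            echo "ALLOWED    $f"
        else
            echo "UNEXPECTED $f"
            unexpected=$((unexpected + 1))
        fi
    done <<EOF
$(find "$root" -type f -perm -4000 2>/dev/null | sort)
EOF
    [ "$unexpected" -eq 0 ]
}

# Constructed demo tree: a setuid passwd (expected), a setuid find (not
# expected) and a plain ls (no setuid bit, must be ignored). Prints its path.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin"
    for name in passwd find ls; do
        printf '#!/bin/sh\nexit 0\n' > "$demo/usr/bin/$name"
    done
    chmod 4755 "$demo/usr/bin/passwd" "$demo/usr/bin/find"
    chmod 0755 "$demo/usr/bin/ls"
    printf '/usr/bin/passwd\n/bin/su\n/usr/bin/sudo\n' > "$demo/allowlist.txt"
    echo "$demo"
}

# Stand-alone run: one ALLOWED line for passwd, one UNEXPECTED line for find.
demo=$(make_demo_tree)
audit_suid "$demo" "$demo/allowlist.txt" || echo "=> review the UNEXPECTED entries"
rm -rf "$demo"
```

On a real host, point audit_suid at / and keep the allowlist under version control so that a new setuid file shows up as a diff rather than being discovered by an intruder.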
SUDO
There is no sudo on the box:
www-data@DC-1:/var/www$ sudo -l
bash: sudo: command not found