靶场练习-vulnyx：Jerry - Hard - VulNyx - 靶场练习 | 🎐清风. = 劈开深海，填入我的山🍂

# 靶场搭建

下载：Jerry

Nat，IP： 192.168.1.173

# 渗透过程

# 信息初收集

	PORT STATE SERVICE VERSION
	22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
	\| ssh-hostkey:
	\| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
	\|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
	25/tcp open smtp Postfix smtpd
	\|_smtp-commands: vulnyx.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
	80/tcp open http Apache httpd 2.4.57 ((Debian))
	\|_http-title: jerry.nyx
	\|_http-server-header: Apache/2.4.57 (Debian)

80 端口目录收集找到 request 目录，有个文件上传点，但是不知道为什么抓不到文件上传请求感到很困惑。不过好在能看到 script.js 中的上传代码，直接构造一个

function UploadCheck(File) {
  var file = File.files[0];
  var filename = file.name;
  var extension = filename.split('.').pop();

  if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') {
    $('#upload_message').text("Only images are allowed");
    File.form.reset();
  } else {
    $("#inputGroupFile01").text(filename);
  }
}

$(document).ready(function () {
  $("#upload").click(function (event) {
    event.preventDefault();
    var fd = new FormData();
    var files = $('#uploadFile')[0].files[0];
    fd.append('uploadFile', files);

    if (!files) {
      $('#upload_message').text("Please select a file");
    } else {
      $.ajax({
        url: '/request/upload.php',
        type: 'post',
        data: fd,
        contentType: false,
        processData: false,
        success: function (response) {
          if (response.trim() != '') {
            $("#upload_message").html(response);
          } else {
            window.location.reload();
          }
        },
      });
    }
  });
});

构造也不行啊，我麻了