# Lab setup
Download: Jerry
NAT, IP: 192.168.1.173
# Penetration process
# Initial information gathering
```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: vulnyx.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: jerry.nyx
|_http-server-header: Apache/2.4.57 (Debian)
```
Directory enumeration on port 80 turned up a request directory with a file upload point, but for some reason I could not capture the upload request, which left me confused. Fortunately the upload code in script.js is visible, so I built a request directly from it:
```javascript
// Client-side extension check from script.js. It runs only in the browser,
// so it cannot stop a request that is assembled by hand.
function UploadCheck(File) {
    var file = File.files[0];
    var filename = file.name;
    // Only the last extension is inspected, and the comparison is case-sensitive.
    var extension = filename.split('.').pop();
    if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') {
        $('#upload_message').text("Only images are allowed");
        File.form.reset();
    } else {
        $("#inputGroupFile01").text(filename);
    }
}

$(document).ready(function () {
    $("#upload").click(function (event) {
        event.preventDefault();
        // The file is sent as multipart/form-data in a field named 'uploadFile'
        // to /request/upload.php via XHR, not via a normal form submit.
        var fd = new FormData();
        var files = $('#uploadFile')[0].files[0];
        fd.append('uploadFile', files);
        if (!files) {
            $('#upload_message').text("Please select a file");
        } else {
            $.ajax({
                url: '/request/upload.php',
                type: 'post',
                data: fd,
                contentType: false,   // let the browser set the multipart boundary
                processData: false,   // send the FormData as-is
                success: function (response) {
                    // A non-empty response is treated as an error message;
                    // an empty one means the upload succeeded and the page reloads.
                    if (response.trim() != '') {
                        $("#upload_message").html(response);
                    } else {
                        window.location.reload();
                    }
                },
            });
        }
    });
});
```
Building it by hand did not work either; I'm stuck.
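The script above only checks the file extension in the browser, so the server-side behaviour of /request/upload.php is the only thing that matters, and it can be probed without the browser at all. Because the upload is an XHR rather than a form submit, a proxy that is not set as the browser's system proxy (or whose scope excludes the host) will simply never see it; a raw request that can be piped to the target with nc, or rebuilt in Burp Repeater, removes that dependency. The Node script below is an added example, not code from the original writeup or from the target: it mirrors the UploadCheck() logic, builds the exact multipart/form-data body a browser FormData would send for the 'uploadFile' field, and wraps it in an HTTP/1.1 request to the endpoint used by script.js. The boundary string and the sample file are constructed; the host name jerry.nyx is the target's http-title. It does not assume anything about what upload.php does with the file.

```javascript
// Added example, not part of the original writeup or the target's code.
// Rebuilds the request that $.ajax in script.js sends to /request/upload.php,
// so the upload can be replayed without the browser. The boundary value and
// the sample file are constructed for this example.

// Mirrors UploadCheck() in script.js: only the last extension is inspected,
// case-sensitively, and only in the browser. A handcrafted request never runs it.
function clientSideAllows(filename) {
  const extension = filename.split('.').pop();
  return extension === 'jpg' || extension === 'jpeg' || extension === 'png';
}

// Encode one file field the way a browser FormData does: CRLF line endings,
// a Content-Disposition with the field and file names, and a closing boundary.
// Browsers pick a random boundary; a fixed one is used here for reproducibility.
function buildMultipartBody(fieldName, filename, contentType, fileBytes, boundary) {
  const head =
    `--${boundary}\r\n` +
    `Content-Disposition: form-data; name="${fieldName}"; filename="${filename}"\r\n` +
    `Content-Type: ${contentType}\r\n\r\n`;
  const tail = `\r\n--${boundary}--\r\n`;
  return Buffer.concat([Buffer.from(head, 'latin1'), fileBytes, Buffer.from(tail, 'latin1')]);
}

// Full raw HTTP/1.1 request for the endpoint and field name used by script.js
// (fd.append('uploadFile', files) -> field name 'uploadFile').
function buildUploadRequest(host, filename, contentType, fileBytes) {
  const boundary = '----ExampleBoundaryConstructed1234'; // assumed, not from the page
  const body = buildMultipartBody('uploadFile', filename, contentType, fileBytes, boundary);
  const headers =
    'POST /request/upload.php HTTP/1.1\r\n' +
    `Host: ${host}\r\n` +
    `Content-Type: multipart/form-data; boundary=${boundary}\r\n` +
    `Content-Length: ${body.length}\r\n` +
    'Connection: close\r\n\r\n';
  return Buffer.concat([Buffer.from(headers, 'latin1'), body]);
}

// Constructed sample: a non-image filename that the browser check rejects
// but that can still be submitted directly. Whether upload.php accepts it
// has to be observed on the target.
const SAMPLE_NAME = 'probe.txt';
const SAMPLE_BYTES = Buffer.from('probe\n');

// Diagnostics go to stderr so stdout carries only the raw request
// and can be piped straight into nc.
console.error('browser check allows ' + SAMPLE_NAME + ':', clientSideAllows(SAMPLE_NAME));
console.error('browser check allows probe.txt.png:', clientSideAllows('probe.txt.png'));
process.stdout.write(
  buildUploadRequest('jerry.nyx', SAMPLE_NAME, 'text/plain', SAMPLE_BYTES).toString('latin1')
);
```

Run it as `node upload_request.js | nc 192.168.1.173 80` and read the response: per script.js, an empty body means the server accepted the file, anything else is the server's error text. The same request is one line with curl (`curl -F 'uploadFile=@probe.txt;type=text/plain' http://192.168.1.173/request/upload.php`), but the hand-built version makes it clear which bytes the server actually sees, which is the point when a client-side check is the only filter visible.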