记一次目录遍历到后台
【推荐学习】暗月渗透测试培训 十多年渗透经验,体系化培训渗透测试 、高效学习渗透测试,欢迎添加微信好友aptimeok 咨询。
ip:xx.xxx.xxx
扫描一下IP 就开了两个端口。一个3389 一个80
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
打开主页
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
然后访问钓鱼的页面 /index.php/Home/Index/index/ptm/18/ptbm/53456
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
随便输入一个地址 发现是一个thinkphp 框架
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
然后发现图片地址
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
访问地址
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
返回发现有一个kineditor kineditoir 里面有一个泄露目录的一个问题。 然后此程序为tp 想着是否可以利用tp 的日志泄露读取一些敏感信息
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
发现当前是在C盘里面。那么web 目录为phpStudy/WWW/
那么看看这里面有什么
/Public/kindeditor/php/file_manager_json.php?path=phpStudy/WWW/
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
/Public/kindeditor/php/file_manager_json.php?path=phpStudy/WWW/App/
最终找到log目录为
/Public/kindeditor/php/file_manager_json.php?path=phpStudy/WWW/App/Runtime/Logs/Qwadmin/
然后目录遍历一下
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
然后在20_06_03 中找到后台管理员账号密码
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
然后就是找后台了。根据上面tp 路由的方式。那么后台应该就是Qwadmin
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
然后就是登陆了
![记一次目录遍历到后台](https://www.moonsec.com/wp-content/themes/justnews/themer/assets/images/lazy.png)
后台没有找到getshell 的地方。(猛男落泪)
本文来自https://www.o2oxy.cn/2676.html,经授权后发布,本文观点不代表立场,转载请联系原作者。