信息收集 1 2 3 4 5 6 7 8 9 10 IP=192.168.0.129 nmap $IP Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-22 22:14 EDT Nmap scan report for 192.168.0.129 Host is up (0.00025s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http MAC Address: 08:00:27:78:DB:06 (Oracle VirtualBox virtual NIC)
一边扫 一遍打开看了下 80 端口是一个 Apache2 的It works默认主页。先扫一波目录:
1 2 gobuster dir -u http://$IP /javascript -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,php3,txt,html,bk,bak,zip,tar,gz,7z,pdf,shtml,js dirb http://$IP
只有一个 /javascript 的目录和 javascript/jquery/jquery的 jQuery 3.6.1 的包,其他没啥。
像这种上来就是默认主页的,有可能是有 vhost 的。因为是 Vulnyx 的靶场,可以先试试 192.168.0.129 express.nyx。
果然,打开了一个 Popular Playlist 的网页。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 gobuster dir -u http://express.nyx -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x php,php3,txt,html,bk,bak,zip,tar,gz,7z,pdf,shtml,js /index.html (Status: 200) [Size: 16358] /js (Status: 301) [Size: 307] [--> http://express.nyx/js/] /css (Status: 301) [Size: 308] [--> http://express.nyx/css/] /javascript (Status: 301) [Size: 315] [--> http://express.nyx/javascript/] dirb http://$IP ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Wed Oct 23 20:25:37 2024 URL_BASE: http://192.168.0.129/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://192.168.0.129/ ---- + http://192.168.0.129/index.html (CODE:200|SIZE:10701) ==> DIRECTORY: http://192.168.0.129/javascript/ + http://192.168.0.129/server-status (CODE:403|SIZE:278) ---- Entering directory: http://192.168.0.129/javascript/ ---- ==> DIRECTORY: http://192.168.0.129/javascript/jquery/ ---- Entering directory: http://192.168.0.129/javascript/jquery/ ---- + http://192.168.0.129/javascript/jquery/jquery (CODE:200|SIZE:289782) ----------------- END_TIME: Wed Oct 23 20:25:45 2024 DOWNLOADED: 13836 - FOUND: 3
一边扫着,打开网页看看访问细节。 http://express.nyx/js/api.js 这个文件里面还是有一些信息的。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 function getMusicList ( fetch ("/api/music/list" ) .then ((response ) => response.json ()) .then ((data ) => { console .log ("Music genre list:" , data); }) .catch ((error ) => { console .error ("Error fetching the music list:" , error); }); } function getMusicSongs ( fetch ("/api/music/songs" ) .then ((response ) => response.json ()) .then ((data ) => { console .log ("List of songs:" , data); }) .catch ((error ) => { console .error ("Error fetching the list of songs:" , error); }); } function getUsersWithKey ( fetch (`/api/users?key=${secretKey} ` ) .then ((response ) => response.json ()) .then ((data ) => { console .log ("User list (with key):" , data); }) .catch ((error ) => { console .error ("Error fetching the user list:" , error); }); } function checkUrlAvailability ( const data = { id : 1 , url : "http://example.com" , token : "1234-1234-1234" , }; fetch ("/api/admin/availability" , { method : "POST" , headers : { "Content-Type" : "application/json" , }, body : JSON .stringify (data), }) .then ((response ) => response.json ()) .then ((data ) => { console .log ("URL status:" , data); }) .catch ((error ) => { console .error ("Error checking the URL availability:" , error); }); }
因为是直接声明的函数,可以在控制台直接调用。比如 getMusicList(),getMusicSongs(),getUsersWithKey(),checkUrlAvailability()。getUsersWithKey() 里面有一个 secretKey,但是从来没有声明过,直接报错。checkUrlAvailability()倒是给了一个提示,看样子可以访问内网。
尝试入侵 所以就目前来看,有两个接口是摆明了可以传参的,一个是 getUsersWithKey(),一个是 checkUrlAvailability()。
分别试试这两个接口:
1 2 3 4 5 6 7 curl http://express.nyx/api/users { "message" : "Unauthorized,wrong key!" , "result" : "error" }
报错需要 Key。
fuzz 一波
1 wfuzz -c -z file,/usr/share/wordlists/rockyou.txt --hc 401 http://express.nyx/api/users?key=FUZZ
跑半天没啥,停了。
接下来尝试访构建 checkUrlAvailability() 的请求,看看能不能成功:
1 2 3 4 5 6 7 8 curl -X POST http://express.nyx/api/admin/availability -d "{\"id\":1,\"url\":\"http://express.nyx\",\"token\":\"1234-1234-1234\"}" -H "Content-Type: application/json" { "message" : "Unauthorized, wrong token" , "result" : "error" } wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Variables/secret-keywords.txt --hc 401 -d "{\"id\":1,\"url\":\"http://express.nyx\",\"token\":\"FUZZ\"}" -H "Content-Type: application/json" http://express.nyx/api/admin/availability
放弃。哈哈哈。等有时间再来玩。
