Metasploitable2 漏洞分析 – 作者:cloudcoll

admin

3年前发布
关注私信

0120

1、vsftpd源码包后门漏洞（笑脸漏洞） 21,6200

原理：因为在vsftpd2.3.4中在6200端口存在一个shell,使得任何人都可以进行连接，并且VSFTPD v2.3.4 服务，是以 root 权限运行的，最终我们提到的权限也是root

1603454985_5f92c809b30a3e9e2bf30.png!small?1603454987368

1603455003_5f92c81baa7a9efef583c.png!small?1603455005348

1603455016_5f92c82851e8e2624bb40.png!small?1603455017939

2、UNREAL IRCD后门漏洞 6667

1603455044_5f92c8449c034202b2eb2.png!small?1603455046518

1603455066_5f92c85a2a8506e6f2f66.png!small?1603455067866

1603455078_5f92c86688dff32e0e491.png!small?1603455080135

1603455088_5f92c870800c1d1a33192.png!small?1603455090164

1603455106_5f92c88200d2037545b2c.png!small?1603455107611

1603455124_5f92c8948d9f7bf73113d.png!small?1603455126163

3、弱口令漏洞

3.1 telnet弱口令

3.2 ssh弱口令

1603455203_5f92c8e350094cfcc5bb7.png!small?1603455204983

3.3 ftp弱口令

3.4 hydra爆破

1603455270_5f92c926b97e2d874d71c.png!small?1603455272326

3.5 mysql弱口令

1603455289_5f92c939ece8838c0ba9f.png!small?1603455291579

3.6 Postgresql 弱口令

3.7 VNC弱口令

1603455328_5f92c96020060805f05f1.png!small?1603455329720

VNC连接成功

1603455348_5f92c974d267a7894fce7.png!small?1603455351436

3.8 Apache Tomcat弱口令 8180

1603455374_5f92c98e5aa26f137f163.png!small?1603455376055

1603455390_5f92c99e1a11f415c8c76.png!small?1603455391934

1603455403_5f92c9ab0d379e32aae1d.png!small?1603455405033

4、Samba 漏洞 139，445

4.1 Samba Sysmlink默认配置目录遍历漏洞

1603455466_5f92c9eab6424dc9724a1.png!small?1603455468333

1603455478_5f92c9f6c37a4f72dd440.png!small?1603455480442

1603455491_5f92ca0380893430b4351.png!small?1603455493182

4.2 SambaMS-RPC Shell 命令注入漏洞

1603455528_5f92ca28bce039fd0922f.png!small?1603455530484

注意看info信息的的Description，利用过程同上

1603455545_5f92ca39f3c1414e8733a.png!small?1603455547599

1603455555_5f92ca432f450f5a4d0bc.png!small?1603455556750

5、Distcc后门漏洞

1603455570_5f92ca52d05e645bcc8fe.png!small?1603455572415

1603455582_5f92ca5e447e0905eaeef.png!small?1603455583936

1603455600_5f92ca701e31af4596a8c.png!small?1603455601749

6、Ingreslock后门漏洞 1524

1603455620_5f92ca84309555b75c0ab.png!small?1603455621855

7、PHP CGI参数注入执行漏洞 80

1603455649_5f92caa1479a28f6b2abb.png!small?1603455650947

1603455677_5f92cabd5940dbf9808bf.png!small?1603455678999 1603455690_5f92cacac61916945ccba.png!small?1603455692460

8、Druby远程代码执行漏洞 8787

1603455724_5f92caecb26c78760409d.png!small?1603455726351

1603455738_5f92cafae4be46e451ab0.png!small?1603455740603

9、Linux NFS共享目录配置漏洞 2049

利用步骤：

查看是否开启服务

1603456099_5f92cc63f1132095e4788.png!small?1603456101648

查看其设置的远程目录列表

1603456217_5f92ccd9c35049d2ff7fe.png!small?1603456219394

生成rsa公钥

1603456361_5f92cd691284a9454b240.png!small?1603456362798

把192.168.220.145的根目录挂载到/tmp/t00l/下，把生成的公钥追加到靶机的authorized_keys下：

1603456627_5f92ce7345353f914ba5d.png!small?1603456628878

实现无密码登入：

1603459710_5f92da7ed1282a5bb172d.png!small?1603459712907

10、JAVA RMI SERVER命令执行漏洞 1099

1603455823_5f92cb4fcc4be62b967f4.png!small?1603455825484

1603455849_5f92cb6916f005aa2979a.png!small?1603455851051

参考链接：

https://www.cnblogs.com/7-58/p/12890535.html

https://www.freebuf.com/articles/network/117444.html

https://blog.csdn.net/Birldlee/article/details/78914506

https://blog.csdn.net/wyvbboy/article/details/53183054

https://www.freebuf.com/articles/system/34571.html

来源：freebuf.com 2020-10-23 21:53:02 by: cloudcoll

© 版权声明

文章版权归作者所有，未经允许请勿转载。

THE END

安全网站文章

喜欢就支持一下吧

相关推荐

评论抢沙发

请登录后发表评论