bourse

Environment

The target comes from the LingJing project, Live-Fire: bourse

Project address

https://github.com/414aaj/LingJing

Environment

Target: 192.168.242.18
kali: 192.168.59.129

Information gathering

Port scanning

Open ports: 22, 80, 8081
80 is down; 8081 hosts an admin panel, so the focus is on 8081

Directory scanning

Directory brute-forcing turned up nothing useful

Weak credentials

Found that the captcha can be reused

Brute-forcing with yakit

Brute-forced the username admin based on the differing responses

A weak password exists

admin:password
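Two login weaknesses made this step possible: the captcha was accepted more than once, and the response differed for a valid versus an invalid username, so the account name could be enumerated before the password was guessed. The following Python is an added illustration of the server-side controls that close both gaps; it is not code from the writeup or from the target application, and the user table, password and captcha answers in it are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user table (hypothetical; not the target's real accounts or hashes).
USERS = {"admin": make_user("correct horse battery staple")}
_DUMMY_SALT = os.urandom(16)


class CaptchaStore:
    """Single-use, expiring captcha challenges keyed by a random id."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self._challenges = {}          # captcha_id -> (answer, issued_at)

    def issue(self, answer: str) -> str:
        captcha_id = secrets.token_hex(16)
        self._challenges[captcha_id] = (answer, time.time())
        return captcha_id

    def verify(self, captcha_id: str, answer: str) -> bool:
        # pop() consumes the challenge whether the answer is right or wrong,
        # so one solved captcha cannot be replayed across many login attempts.
        entry = self._challenges.pop(captcha_id, None)
        if entry is None:
            return False
        expected, issued_at = entry
        if time.time() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(expected.lower(), answer.lower())


class LoginGuard:
    """Login handler: fresh captcha per attempt, lockout, one uniform error."""

    def __init__(self, captcha: CaptchaStore, max_failures: int = 5, lockout_seconds: int = 300):
        self.captcha = captcha
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)   # username -> failure timestamps

    def _locked(self, username: str, now: float) -> bool:
        recent = [t for t in self._failures[username] if now - t < self.lockout_seconds]
        self._failures[username] = recent
        return len(recent) >= self.max_failures

    def login(self, username: str, password: str, captcha_id: str, captcha_answer: str) -> str:
        now = time.time()
        if not self.captcha.verify(captcha_id, captcha_answer):
            return "captcha_invalid"
        if self._locked(username, now):
            return "locked"
        record = USERS.get(username)
        if record is None:
            # Same cost and same answer for an unknown user: no username enumeration.
            _hash_password(password, _DUMMY_SALT)
        else:
            salt, expected = record
            if hmac.compare_digest(_hash_password(password, salt), expected):
                self._failures[username].clear()
                return "ok"
        self._failures[username].append(now)
        return "bad_credentials"


def demo_login() -> dict:
    """Replay the writeup's two shortcuts against the guard and report the outcomes."""
    store = CaptchaStore()
    guard = LoginGuard(store, max_failures=3)
    out = {}
    cid = store.issue("k7x2")
    out["first_use"] = guard.login("admin", "password", cid, "k7x2")   # wrong password, counted
    out["replayed"] = guard.login("admin", "123456", cid, "k7x2")     # same captcha id again
    for guess in ("123456", "admin123"):                              # two more wrong guesses
        guard.login("admin", guess, store.issue("a1b2"), "a1b2")
    out["after_lockout"] = guard.login("admin", "correct horse battery staple",
                                       store.issue("zz99"), "zz99")
    out["unknown_user"] = guard.login("nobody", "x", store.issue("q1w2"), "q1w2")
    return out


if __name__ == "__main__":
    print(demo_login())
```

The replayed captcha is rejected outright, the third failure locks the account even for the correct password, and an unknown username gets the same `bad_credentials` answer (at the same hashing cost) as a wrong password, which is what removes the response difference the writeup relied on.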

Successfully logged into the admin panel

Tested file upload; it is whitelist-based, so basically gave up on it

In the message center found another user, superAdmin, which should have higher privileges

Brute-forcing it failed; try other approaches

Found that the API calls all go to 192.168.242.18:9442, so the backend presumably runs on port 9442

Endpoints leaked in the JS

setting/common/getModuleList
setting/statistics/day
setting/statistics/save
setting/userAccount/tronTrans
system/captcha
system/chunkUpload
system/common/clearAllCache
system/common/getDeptTreeList
system/common/getLoginLogList
system/common/getNoticeList
system/common/getOperationLogList
system/common/getPostList
system/common/getResourceList
system/common/getRoleList
system/common/getUserInfoByIds
system/common/getUserList
system/dataDict/list?code=
system/dataDict/lists?codes=
system/downloadByHash?hash=
system/downloadById?id=
system/getAllFiles
system/getAudio
system/getAudioWithdraw
system/getFileInfoByHash?hash=
system/getFileInfoById?id=
system/getInfo
system/login
system/logout
system/queueMessage/deletes
system/queueMessage/getReceiveUser
system/queueMessage/receiveList
system/queueMessage/sendList
system/queueMessage/sendPrivateMessage
system/queueMessage/updateReadStatus
system/saveNetworkImage
system/uploadFile
system/uploadImage
system/user/changeStatus
system/user/clearCache
system/user/delete
system/user/index
system/user/initUserPassword
system/user/modifyPassword
system/user/read/
system/user/realDelete
system/user/recovery
system/user/recycle
system/user/save
system/user/setHomePage
system/user/update/
system/user/updateInfo

Testing the endpoints

GET /system/common/getUserList HTTP/1.1
Host: 192.168.242.18:9442
Accept: application/json, text/plain, */*
Accept-Language: zh_CN
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:146.0) Gecko/20100101 Firefox/146.0
Content-Type: application/json;charset=UTF-8
Referer: http://192.168.242.18:8081/
Origin: http://192.168.242.18:8081
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiJkZWZhdWx0XzM2IiwiaWF0IjoxNzY1NTk0MDUyLjk3MjMzMiwibmJmIjoxNzY1NTk0MDUyLjk3MjMzMiwiZXhwIjoxNzY1NjgwNDUyLjk3MjMzMiwiaWQiOjM2LCJ1c2VybmFtZSI6ImFkbWluIiwidXNlcl90eXBlIjoiMTAwIiwibmlja25hbWUiOiI8c2NyaXB0PmFsZXJ0KDEpPC9zY3JpcHQ-IiwicGhvbmUiOm51bGwsImVtYWlsIjpudWxsLCJhdmF0YXIiOm51bGwsInNpZ25lZCI6bnVsbCwiZGFzaGJvYXJkIjpudWxsLCJzdGF0dXMiOjEsImxvZ2luX2lwIjoiMTkyLjE2OC4xODguNiIsImxvZ2luX3RpbWUiOiIyMDI1LTEyLTEzIDEwOjM5OjEwIiwiYmFja2VuZF9zZXR0aW5nIjpudWxsLCJjcmVhdGVkX2J5IjowLCJ1cGRhdGVkX2J5IjozNiwiY3JlYXRlZF9hdCI6IjIwMjQtMTItMTYgMjM6MDI6NDMiLCJ1cGRhdGVkX2F0IjoiMjAyNS0xMi0xMyAxMDozOToxMCIsInJlbWFyayI6bnVsbCwiand0X3NjZW5lIjoiZGVmYXVsdCJ9.IWMb9fGqUeUmSIpDxJojBSze_Lc8h22I2n8PB7GadEA
Accept-Encoding: gzip, deflate

It returns user information including ids

Found the password hash and tried to crack it

No luck

Looking at the other endpoints, system/user/initUserPassword, a password reset, looks interesting

Test it with the admin user first

The request body format turns out to be {"id":1}

The admin account's password should now have been reset; brute-force again, since the initial password is surely a weak one

Brute-forcing yields the password 123456

Now reset superAdmin

Success
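The reset endpoint failed in two ways at once: it never checked whether the caller was allowed to reset the given id, and it set the same fixed default password every time, so any logged-in admin could take over superAdmin with one request and one short brute-force. The Python below is an added example, not code from the writeup or from the target's backend, that models the flawed handler next to a hardened one; the ids and usernames follow the writeup, while the roles, the `RANK` table and the audit list are constructed for the demo.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    id: int
    username: str
    role: str                       # "user" | "admin" | "superadmin"
    password_hash: bytes = b""
    must_change_password: bool = False


# Constructed accounts; ids 1 and 36 and the two names follow the writeup, the rest is made up.
RANK = {"user": 0, "admin": 1, "superadmin": 2}
USERS = {1: User(1, "superAdmin", "superadmin"), 36: User(36, "admin", "admin")}
AUDIT_LOG = []                      # stand-in for an operation-log table


class Forbidden(Exception):
    pass


def _set_password(user: User, password: str) -> None:
    salt = os.urandom(16)
    user.password_hash = salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def init_user_password_vulnerable(caller: User, body: dict) -> str:
    """The behaviour observed in the writeup: any authenticated caller may reset
    any id, and the new password is a fixed, guessable default."""
    target = USERS[body["id"]]
    _set_password(target, "123456")
    return "123456"


def init_user_password_hardened(caller: User, body: dict) -> str:
    target = USERS.get(body.get("id"))
    if target is None:
        raise KeyError("unknown user id")
    # Authorization: resetting another account is a superadmin-only action, and
    # even a superadmin may not reset an account ranked above its own role.
    if caller.id != target.id and caller.role != "superadmin":
        raise Forbidden(f"{caller.username} may not reset user {target.id}")
    if RANK[target.role] > RANK[caller.role]:
        raise Forbidden("cannot reset a higher-privileged account")
    # Never a fixed default: random per reset, and it must be changed on first login.
    new_password = secrets.token_urlsafe(12)
    _set_password(target, new_password)
    target.must_change_password = True
    AUDIT_LOG.append({"action": "initUserPassword", "by": caller.id, "target": target.id})
    return new_password


def demo_reset() -> dict:
    """Run the writeup's request (admin resets id 1) against both handlers."""
    out = {}
    out["vulnerable_admin_resets_superadmin"] = init_user_password_vulnerable(USERS[36], {"id": 1})
    try:
        init_user_password_hardened(USERS[36], {"id": 1})
        out["hardened_admin_resets_superadmin"] = "allowed"
    except Forbidden:
        out["hardened_admin_resets_superadmin"] = "forbidden"
    pw = init_user_password_hardened(USERS[1], {"id": 36})
    out["hardened_superadmin_resets_admin"] = "random" if pw != "123456" and len(pw) >= 16 else "weak"
    out["must_change"] = USERS[36].must_change_password
    out["audited"] = AUDIT_LOG[-1]["target"] == 36
    return out


if __name__ == "__main__":
    print(demo_reset())
```

The hardened version refuses the writeup's request, and a legitimate reset by superAdmin produces a one-off random password, forces a change on first login, and leaves an audit record, so the reset itself would show up in the operation log that this application already exposes.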

Logged in successfully

Reverse shell via scheduled task

Found the scheduled-task feature, which can also execute PHP code; try a reverse shell

Reverse shell obtained

Found the flag

{LingJing-vl55jL8D8Em-qfKjRA1I1dE-ApW3AfxzLS}

One flag remaining

Per the hint, suspect it sits behind one of the endpoints

Continue testing the endpoints

system/user/recycle yields the other flag

{LingJing-vl55jL8D8Em-qfKjRA1I1dE-ApW3AfxzLS}

bourse
http://xiaowu5.cn/2026/01/12/bourse/
Author: 5
Published: January 12, 2026
License: BY XIAOWU