跳转至

DC-3

usershell

目标IP:192.168.205.129

端口只开放了80,是Joomla

[CVE-2017-8917] [http] [critical]

发现注入,sqlmap一把梭

sqlmap -u "http://192.168.205.129/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=1*"

登录后台,模板处getshell

拿到用户权限

rootshell

内核提权CVE-2016-4557