DingTom's blog


Recording my studies and life

MazeSec-JNDI

Information gathering

```bash
$ nmap 192.168.31.25 -p- -oN nmapscan/ports
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 09:10 -0400
Nmap scan report for JNDI (192.168.31.25)
Host is up (0.0026s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 08:00:27:76:D3:32 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.02 seconds

$ ports=$(grep open nmapscan/ports | awk -F '/' '{print $1}' | paste -sd ',')

$ nmap -sVC -O -p 22,80,8009,8080 192.168.31.25 -oN nmapscan/nmap_tcp
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-27 09:12 -0400
Nmap scan report for JNDI (192.168.31.25)
Host is up (0.00036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods:
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: \xE5\x88\xA9\xE5\x85\xB9\xE4\xB8\x8E\xE9\x9D\x92\xE9\xB8\x9F | \xE5\xB1\xB1\xE7\x94\xB0\xE5\xB0\x9A\xE5\xAD\x90\xE6\x89\xA7\xE5\xAF\xBC\xE7\x9A\x84\xE9\x9D\x92\xE6\x98\xA5\xE8\xAF\x97\xE7\xAF\x87
|_http-server-header: Apache-Coyote/1.1
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_  Potentially risky methods: PUT DELETE
MAC Address: 08:00:27:76:D3:32 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.41 seconds
```
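An added example, not from the original writeup: a small shell function that builds the comma-separated port list for `-p` from an nmap `-oN` file. The post's `grep open | awk -F '/' | paste` one-liner works on the plain port scan, but on a `-sVC` scan it would also match NSE lines such as `|_http-open-proxy`; this version only accepts lines whose first field is `<port>/<proto>` and whose state is exactly `open`. The sample scan text is constructed to mirror the post's results.

```bash
#!/usr/bin/env sh
# open_ports [FILE]: print the open TCP/UDP ports from an nmap normal-format
# (-oN) report as a single comma-separated list suitable for `nmap -p`.
# Reads stdin when no file is given. Only lines shaped like
# "22/tcp   open  ssh" are accepted: the first field must be <port>/<proto>
# and the second must be exactly "open" (so "open|filtered" and script
# output lines containing the word "open" are ignored).
open_ports() {
    awk '$1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" { split($1, p, "/"); print p[1] }' "$@" \
        | sort -nu | paste -sd ',' -
}

# Constructed sample in the shape of the post's second scan, plus two lines
# (an NSE script line and a filtered port) that the bare grep would mishandle.
SAMPLE_SCAN='Nmap scan report for JNDI (192.168.31.25)
Host is up (0.00036s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-open-proxy: Proxy might be redirecting requests
443/tcp  filtered https'

# Prints: 22,80,8009,8080
printf '%s\n' "$SAMPLE_SCAN" | open_ports

# In the post's workflow this replaces the grep pipeline:
#   ports=$(open_ports nmapscan/ports)
#   nmap -sVC -O -p "$ports" 192.168.31.25 -oN nmapscan/nmap_tcp
```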
```bash
$ dirb http://192.168.31.25

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Fri Mar 27 09:16:28 2026
URL_BASE: http://192.168.31.25/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.31.25/ ----
+ http://192.168.31.25/index.html (CODE:200|SIZE:6)
+ http://192.168.31.25/server-status (CODE:403|SIZE:278)

-----------------
END_TIME: Fri Mar 27 09:17:13 2026
DOWNLOADED: 4612 - FOUND: 2

$ dirsearch -u http://192.168.31.25/ --timeout=30
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/dingtom/reports/http_192.168.31.25/__26-03-27_09-15-36.txt

Target: http://192.168.31.25/

[09:15:36] Starting:
[09:15:37] 403 -  278B  - /.ht_wsr.txt
[09:15:37] 403 -  278B  - /.htaccess.bak1
[09:15:37] 403 -  278B  - /.htaccess.orig
[09:15:37] 403 -  278B  - /.htaccess.sample
[09:15:37] 403 -  278B  - /.htaccess.save
[09:15:37] 403 -  278B  - /.htaccess_extra
[09:15:37] 403 -  278B  - /.htaccess_orig
[09:15:37] 403 -  278B  - /.htaccess_sc
[09:15:37] 403 -  278B  - /.htaccessBAK
[09:15:37] 403 -  278B  - /.htaccessOLD
[09:15:37] 403 -  278B  - /.htaccessOLD2
[09:15:37] 403 -  278B  - /.htm
[09:15:37] 403 -  278B  - /.html
[09:15:37] 403 -  278B  - /.htpasswds
[09:15:37] 403 -  278B  - /.httr-oauth
[09:15:37] 403 -  278B  - /.htpasswd_test
[09:15:37] 403 -  278B  - /.php
[09:15:52] 403 -  278B  - /server-status/
[09:15:52] 403 -  278B  - /server-status

Task Completed

$ feroxbuster -u 'http://192.168.31.25/' -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt --random-agent -x php,html,txt,db,zip,rar -b 404,502 -q
404      GET        9l       31w      275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET        9l       28w      278c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET        1l        1w        6c http://192.168.31.25/
200      GET        1l        1w        6c http://192.168.31.25/index.html
Scanning: http://192.168.31.25/
```