Title: Record of Penetration of a University

0x01 Information Collection

First of all, the given target is the xxx University official website: www.xxx.edu.cn, but don't just test the main site. Generally, a main site like this is relatively secure, and it is likely to use some site-group system. Many schools use Boda's unified management, which comes with a WAF.

1. Subdomain name collection

subdomain3, fuzzdomain, subDomainsBrute, and seay subdomain can be used to brute-force subdomain names.

However, I did not use the above in this engagement; the brute-forcing takes too long.

I use fofa, shodan, and similar cyberspace search engines.

For example, the following query:

host='xxxx.edu.cn'

2. Port information

From the fofa results above you can learn the IP address and scan it with a port-scanning tool. No usable ports were found.

However, many websites share this IP, which feels like a reverse proxy.

So I gave up on the ports.

3. Sensitive information collection

GitHub search, Google hacking, and Lingfengyun network disk search did not turn up anything sensitive. The email is Tencent's corporate email, and the VPN looks like this.

Some of the email accounts collected were as follows.

Collection of some intranet systems by browsing the website.

By viewing the prompts of the unified authentication platform and a bit of social engineering, I learned that students can log in using their student number plus their ID card number (the default password).

So I collected a batch of student numbers as a backup:

site:xxx.edu.cn Student ID

0x02 Vulnerability mining

After collecting some of the required information, I started digging into each subdomain. After searching for a long time, most systems use a unified template with relatively few functions, and no vulnerabilities were found.

site:xxx.edu.cn inurl:login

site:xxx.edu.cn intitle: Log in

Then I focused on some login systems.

Then I found a system to log in to.

At this point I remembered its prompt: the username and password are the work number. That is to say, there may be some teachers' work-number information here, and I was just lucky: the system administrator account of this system had a weak password.

After logging in as admin and entering the backend, I found the user information and learned that teachers' accounts are 5 digits. I could see an action in the address bar, so I tested str2 (Struts2), then refreshed the page and couldn't open it. As far as I could tell, my IP was blocked.

Then, knowing the user rules, I wrote a script to generate a dictionary as a backup:

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# datetime :2019/7/10 8:44

begin_num = 0      # start generating from this number
end_num = 20000    # stop at this number (inclusive)

print('''
After running the script, 5.txt will be generated in the directory where the script is located, and the generated numbers are stored.
''')

with open('5.txt', 'a') as f:
    for i in range(begin_num, end_num + 1):
        # left-pad to 5 digits to match the account format
        if i < 10:
            i = '0000' + str(i)
        elif i < 100:
            i = '000' + str(i)
        elif i < 1000:
            i = '00' + str(i)
        elif i < 10000:
            i = '0' + str(i)
        f.write(str(i) + '\n')

print('The program has been run and the file has been generated')

Then I found an injection in this backend and tried an upload, but without result, so I noted it in a text file and moved on to another domain name.

Then I looked at the course selection system.

Using the student number as both account and password, the login succeeded.

It seemed useless, but what annoyed me was that when I tested the upload, I changed the suffix of the script and couldn't send the packet out. When I went back to refresh the page, the connection was reset. That's right, my IP was banned again.

Then I tried a teacher account, again with the account used as the password.

After entering, I looked around and still couldn't make any progress.

In the same way, I entered the graduate management system and the student payment query system (it really was just querying), and finally made a little progress in the financial xx system.

Yes, you read that right: the ID number. So I tried it a hundred times over, clumsily, and got 14 teacher accounts with ID card numbers, but they all seem to be retired teachers, so their privileges should be very low, or I can't get in at all.

Then I went to the unified identity authentication platform to try logging in, and it worked. (The academic affairs system could not be logged into.)

So I started here, which counted as a breakthrough, because some systems here cannot be opened without authentication, such as this breakthrough point: the Apartment Management System.

Opened before authentication:

Opened after authentication:

It really had no permission. Click "log in again" and you can access this system. So this also proves that the system can only be used by users who have logged into the unified authentication platform. And it happens that there is a Java deserialization vulnerability in this system.

So through this deserialization vulnerability (Shiro deserialization), a reverse shell was obtained, and the machine has root privileges.

Then proxy the traffic behind it. If you use a dog hole, I won't waste more words.

Then I found a WAF I'd never seen before.

Surprised: a second master was guarding the station. Retreat. Sorry for the disturbance.

0x03 Summary

1. Information collection
   - Subdomain names: fofa (host='xxxx.edu.cn')
   - Port collection: Yujian scanning tool; the website uses a reverse proxy and only ports 443 or 80 are exposed to the internet
   - Sensitive information collection:
     1. GitHub collection (passive code leakage and email leakage)
     2. Lingfengyun network disk search (no sensitive information in Baidu network disk or Tencent network disk)
     3. Google hacking to collect student numbers: site:xxx.edu.cn Student number; logins: site:xxx.edu.cn inurl:login or site:xxx.edu.cn intitle: Log in
2. Browse the homepage links of the official website to obtain other subdomain systems and email accounts.
3. Discovered that the unified authentication platform logs in with the work number plus the last 6 digits of the ID card.
4. Discovered the asset and laboratory platform, which uses the work number as username and password. Here you can enter the system through the weak password admin/admin and obtain teachers' work numbers; the system has a Struts2 vulnerability, which is intercepted by the WAF.
5. Discovered the course selection center; the account and password are both the student number or the teacher's work number. The system's file upload is also intercepted by the WAF.
6. Other systems such as the graduate management system, student payment query system, and financial xx system all have the same stored accounts and passwords: all of them are work numbers and can be used to enter the system. There you can collect the ID number bound to the teacher's account.
7. With the teacher's account and ID number, enter the unified authentication platform; from there you can log in to the dormitory management system (prerequisite: you need to log in to the unified authentication system first).
8. The dormitory management system has a Shiro deserialization vulnerability, but it can only remotely bounce an NC shell.

Original link: https://www.xljtj.com/archives/dxst.html
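From the defender's side, the pattern the dictionary script in this post produces (one source walking through consecutive 5-digit work numbers against a login form) is easy to spot in authentication logs. This is an added detection example, not code from the original post; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample auth log, not from the post; the line format is an assumption.
SAMPLE_LOG = """\
2021-12-27T11:30:01 src=203.0.113.5 user=00017 result=FAIL
2021-12-27T11:30:01 src=203.0.113.5 user=00018 result=FAIL
2021-12-27T11:30:02 src=203.0.113.5 user=00019 result=FAIL
2021-12-27T11:30:02 src=203.0.113.5 user=00020 result=OK
2021-12-27T11:30:03 src=203.0.113.5 user=00021 result=FAIL
2021-12-27T11:30:03 src=203.0.113.5 user=00022 result=FAIL
2021-12-27T11:31:10 src=198.51.100.9 user=00020 result=OK
2021-12-27T11:32:44 src=198.51.100.9 user=00020 result=OK
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")
# The post describes teacher accounts as 5-digit, zero-padded work numbers.
WORK_NO_RE = re.compile(r"^\d{5}$")

def parse_log(text):
    """Yield (timestamp, ip, user, result) for every line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    s = sorted(set(ids))
    best = cur = 1 if s else 0
    for a, b in zip(s, s[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def find_enumeration(text, min_distinct=5, min_run=4):
    """Flag source IPs that walk through many distinct, sequential work numbers.
    Returns {ip: {"distinct": n, "run": r, "successes": [accounts that logged in]}}."""
    users, ok = defaultdict(set), defaultdict(list)
    for _, ip, user, result in parse_log(text):
        if WORK_NO_RE.match(user):
            users[ip].add(user)
            if result == "OK":
                ok[ip].append(user)
    flagged = {}
    for ip, names in users.items():
        run = longest_run(int(u) for u in names)
        if len(names) >= min_distinct and run >= min_run:
            flagged[ip] = {"distinct": len(names), "run": run, "successes": sorted(set(ok[ip]))}
    return flagged
```

The "successes" list is the part worth acting on: an account that logged in during an enumeration sweep is one whose password is its own work number and should be reset.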
