
Title: A brother was cheated, and I penetrated a certain BC site: my experience with a pig-butchering scam


1. Cause of the incident

This brother came to me and told me that he had been cheated out of a lot of money. Of course, we are just white hats, and we can help. But it is a pig-butchering scam after all, and even if we succeed, we can't recover the money.

2. Information collection

Opening the target website shows that it is a very conventional BC site, and a rather low-key one. First we collect some simple information. Two of the more useful pieces of information can be seen through the Wappalyzer plug-in. Checking the IP from the command line with nslookup <url> shows that there is no CDN. Then the webmaster tool http://s.tool.chinaz.com/same shows the other sites on the same IP. Hong Kong; the wool comes from the sheep, so Chinese scammers cheating Chinese people? After getting the IP address, I ran a port scan (full port scan + service detection; this process is quite long, so you can do something else first). Seeing that port 3306 is open, I tried connecting to it and found that it doesn't work; it shouldn't be reachable externally.

3. Backstage capture

Back to the web: I tried adding admin after the URL and found that it doesn't work. Then I remembered that the backend of a BC site generally lives separately. Since that's the case, I can only look for XSS. I registered an account, logged in and looked around (the details I filled in are false information, please do not take it seriously). After logging in, the site has a 0-day feel to it. I tried it in the deposit section, submitted, and checked whether the XSS platform received cookies. It received the cookies, confirming that XSS exists, and the next step is to log in to the backend. You can see here that there are actually many users, and the scammed users get deleted by the administrator, so very few users are left now.

4. Find upload points

I saw that there is a database backup but found that it is impossible to download. After giving up on that, I asked the big guy in the group. He said flash phishing could be done. After I downloaded the source code, I found that there were three conditions for flash phishing, and I decisively gave up: free hosting space, a free domain name (the domain can be something like www.flashxxx.tk, which people find credible), and a trojan (Ma Zi) that can be launched normally.

5. Summary

1. Through the Wappalyzer plug-in, you can view the PHP version and Windows Server information.
2. Through nslookup and nationwide domain-name lookups, you can see that the target site has no CDN.
3. Query the websites on the same IP: http://s.tool.chinaz.com/same
4. Scan the IP's ports and fingerprints with Nmap; ports 80, 3306 and 8800 were found open.
5. Port 3306 cannot be connected to, and adding admin to the URL finds nothing; the BC site has a separate backend management system.
6. Register a fake test account and log in; there is an XSS vulnerability in the user name of the deposit information.
7. Fill in the JS generated by the sb.xss.com backend there. After submitting, when the reviewer clicks it, the review administrator's cookie information is received.
8. Through the leaked cookie, you can see the administrator's backend address and construct the cookie to enter the backend.

Original link: http://www.toobug.cn/post/1129.html
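The chain summarised in items 6 to 8 (a stored script in a deposit field rendered to the reviewing administrator, whose session cookie is then read and replayed) is cut at two points: HTML-encoding the stored fields and setting the backend session cookie with HttpOnly, Secure and SameSite. The Python below is an added example, not code from the post or from the site it describes; the deposit record, field names, placeholder hostname and session value are all constructed for the demonstration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample deposit record: the player-supplied username carries a
# script tag, the kind of stored payload the post describes being shown to the
# reviewing administrator. The hostname is a placeholder, not a real site.
SAMPLE_DEPOSIT = {
    "username": '<script src="//xss-platform.invalid/hook.js"></script>',
    "amount": "500",
}


def render_deposit_row_vulnerable(record):
    """Interpolates stored fields directly into the admin review page."""
    return f"<tr><td>{record['username']}</td><td>{record['amount']}</td></tr>"


def render_deposit_row_hardened(record):
    """HTML-encodes every user-controlled field before it reaches the reviewer."""
    cells = "".join(
        f"<td>{html.escape(str(record[k]), quote=True)}</td>"
        for k in ("username", "amount")
    )
    return f"<tr>{cells}</tr>"


def admin_session_set_cookie(session_id):
    """Builds a Set-Cookie value for the backend session that page script
    cannot read (HttpOnly) and that is not sent on cross-site requests."""
    jar = SimpleCookie()
    jar["admin_session"] = session_id
    morsel = jar["admin_session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/admin/"
    return jar.output(header="").strip()


def session_cookie_is_hardened(set_cookie_value):
    """Checks a Set-Cookie value (for example from your own site's response
    headers) for the attributes that blunt cookie theft through XSS."""
    attrs = {part.strip().lower() for part in set_cookie_value.split(";")[1:]}
    has_flags = {"httponly", "secure"} <= attrs
    has_samesite = "samesite=strict" in attrs or "samesite=lax" in attrs
    return has_flags and has_samesite
```

HttpOnly only stops the cookie value from being read; a script that still runs in the reviewer's session can act as the reviewer, so the output encoding is the fix that removes the bug and the cookie attributes are the layer that limits damage.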
