
Title: A record of arbitrary file download to getshell


0x01 Introduction

One day I had nothing to do, so I searched Fofa for the xx system, thinking I would try my luck, and similar


0x02 Testing process

I picked a website and opened it

Em…, trying my luck, I casually entered admin/admin and got in; it is a management system.

Then, going through the site's functional points, I clicked a few at random and found nothing but routine operations. After searching for a while, I found a file download operation.


Good guy, it's hidden very deep. I captured the packet and saw the requested address. It seems to be a file

I changed fileName to ./etc/passwd to have a look, and, good guy, it returned an error

It seems this path is not the right one. Then I tried them one by one: ././etc/passwd and ././etc/passwd both gave 500 errors. When you get there, it can be accessed.

Let's see whether the history commands can be read. If they can, we can check whether there is a website backup file or installation package. Hehe, change the path to /root/.bash_history and access it! …500 error

It seems the permissions are insufficient. No way around it; start from somewhere else.
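The download endpoint above takes a fileName parameter and hands it to the file system, which is what lets ../ and absolute-path variants reach /etc/passwd or /root/.bash_history. The following is an added example, not code from the post or from the system it describes, showing the defender's side of that endpoint in Python: a resolver that confines every fileName value to one download root, and a detector that flags the same probe patterns in access-log lines. The root directory, the endpoint path /download and the sample log lines are all constructed for the example.

```python
import re
from pathlib import Path, PurePosixPath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed: the only directory the download endpoint is allowed to serve from.
DOWNLOAD_ROOT = Path("/srv/app/exports")

# Files a download endpoint should never be asked for; used by the detector.
SENSITIVE_RE = re.compile(r"(?i)(/etc/passwd|/etc/shadow|\.bash_history|\.ssh/)")
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


class PathTraversalError(ValueError):
    """Raised when a fileName value would leave the download root."""


def resolve_download_path(file_name: str, root: Path = DOWNLOAD_ROOT) -> Path:
    """Map an untrusted fileName parameter onto a file strictly inside root, or raise.

    Three independent checks: reject absolute paths, reject any '..' segment,
    and finally compare the fully resolved path against the resolved root so
    that symlinks and separator tricks cannot slip past the first two.
    """
    decoded = unquote(file_name)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    candidate = PurePosixPath(decoded.replace("\\", "/"))
    if candidate.is_absolute():
        raise PathTraversalError("absolute path not allowed")
    if ".." in candidate.parts:
        raise PathTraversalError("parent-directory segment not allowed")
    root_resolved = root.resolve()
    target = (root_resolved / candidate).resolve()
    if root_resolved not in target.parents:
        raise PathTraversalError("path escapes download root")
    return target


def classify_file_name(value: str):
    """Return a reason string if a fileName value looks hostile, else None."""
    norm = unquote(value).replace("\\", "/")  # extra decode catches %252e%252e
    if norm.startswith("/"):
        return "absolute-path"
    if ".." in norm.split("/"):
        return "traversal"
    if SENSITIVE_RE.search(norm):
        return "sensitive-target"
    return None


def flag_download_requests(log_lines):
    """Scan access-log lines; return (line_number, reason) for suspicious downloads."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get("fileName", []):
            reason = classify_file_name(value)
            if reason:
                findings.append((number, reason))
                break
    return findings


# Constructed sample access-log lines, modelled on the probes the post describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2022:22:56:12 +0800] "GET /download?fileName=report-2022.xls HTTP/1.1" 200 8192',
    '10.0.0.7 - - [19/Jan/2022:22:56:14 +0800] "GET /download?fileName=../../../etc/passwd HTTP/1.1" 500 0',
    '10.0.0.7 - - [19/Jan/2022:22:56:15 +0800] "GET /download?fileName=..%2F..%2F..%2Froot%2F.bash_history HTTP/1.1" 500 0',
    '10.0.0.9 - - [19/Jan/2022:22:56:16 +0800] "GET /download?fileName=%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, reason in flag_download_requests(SAMPLE_LOG):
        print(f"line {number}: {reason} -> {SAMPLE_LOG[number - 1]}")
    print(resolve_download_path("report-2022.xls"))
```

Two details matter in practice. The resolver does its final comparison on resolved paths, so a symlink inside the export directory pointing at /root cannot be used to walk out even when the textual checks pass. The detector flags the 500 responses as well as the 200s: in the post, the failed probes came minutes before the successful one, and a rule that only looks at successful downloads would have missed the reconnaissance entirely.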

Next, you can check the website source code in F12 and use the distinctive statements or files in the source to search for the same system. Maybe one of them will have root permissions, probably like this

After finding the same system, try the weak password again

Maybe I have had good luck recently; the weak password got in again. Hehe

Next, try the same operation as before and download the ././././etc/passwd file to have a look

Try reading the history commands in /root/.bash_history

The history commands can be read. Flip through them slowly and eventually you find that there is a copy of the website source code.

Download it right away

Decompress it

A JSP website. I have never learned Java, and yet I cracked it. I first set up the environment following the history commands, so I deployed the same system on my own server.

I haven't learned Java, and the automated Java audit tools are still paid, so I just went through it manually, one method at a time.

After searching for most of the day, I almost wanted to give up.

However, this system has MySQL, so let's first look at the structure of the data. It probably looks like this

Then, in the table of management website users, I found an account that comes with the system (represented here as account x). Account x has higher permissions than admin.

Put the password into cmd5 to check it

Want money? I am one of the many poor people and have no money. I looked for a good master to check it for me. The good master was very quick and replied to my message.

Then I used this account x to log in to the system I had built, and found that this account could not be found anywhere on the website, which means it might have been left by the developer. Hehe, with this account, other systems can be logged into.

Then I found that the system has an upload point for uploading files. Since this is all white box, you can deploy a real-time file monitoring tool to see which files change, or to see whether the files uploaded later have actually been written.

FileMonitor is used here to monitor files

Upload a file, capture the packet and change the suffix to .jsp

It prompts that the upload failed

Check the file monitoring: it was actually uploaded

The suffix is controllable, but the file name is not, which is troublesome. Generally, file names are generated from timestamps or specific algorithms. After uploading a few more times, it doesn't seem to follow any pattern.

Look at the class file in the downloaded website source code, and look at the requested address

It should be the Uploadfile method in the upload class (I haven't learned Java, I don't know if this is right, don't criticize~)

I found the Uploadfile method and went through it one line at a time. I was dizzy, but in the end I found the method that generates the file name =-=

Let me see what UUID.randomUUID().toString() is

Three parts: current date and time + clock sequence + globally unique IEEE machine identification number (network card MAC address)

Suddenly I thought about it: there might be a way to get the first two, but the last part, the network card's MAC address, is very hard. The arbitrary file download cannot download the network card's MAC address, so another road was blocked.
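The first upload point survived only because the stored file name was not predictable; the suffix was still under the client's control, and the second upload point echoed the name back, which is what made it exploitable. As an added example, not code from the post or from the audited system, the Python handler below shows what a hardened version of both upload points looks like: the extension comes from an allowlist, the content must match the magic bytes of the declared type, and the stored name is a random UUID v4 plus the allowlisted extension, so the client's file name never touches the file system. (Java's UUID.randomUUID(), like Python's uuid.uuid4(), is a version 4 UUID built from random bits.) The upload directory, the allowlist and the sample payloads are constructed for the example.

```python
import os
import uuid
from pathlib import Path

# Constructed: storage directory for accepted uploads. It must live outside the
# web root and must not be mapped by the servlet container, so that nothing
# written here can ever be executed as a JSP, whatever name it ends up with.
UPLOAD_ROOT = Path("/srv/app/uploads")

# Allowlist: accepted extensions and the leading bytes a real file of that type has.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller returns a generic error."""


def check_upload(original_name: str, content: bytes) -> str:
    """Validate name and content; return the allowlisted extension to store under."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the declared type")
    return ext


def accept_upload(original_name: str, content: bytes) -> str:
    """Return the name the file will be stored under: a random UUID v4 plus the
    allowlisted extension. The client's own file name is never used on disk."""
    ext = check_upload(original_name, content)
    return f"{uuid.uuid4()}{ext}"


def name_uses_uuid4(stored_name: str) -> bool:
    """True if the stem of a stored name is a version 4 UUID (i.e. unpredictable)."""
    try:
        return uuid.UUID(Path(stored_name).stem).version == 4
    except ValueError:
        return False


def write_upload(original_name: str, content: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Validate, pick the random name, and create the file with owner-only permissions."""
    dest = root / accept_upload(original_name, content)
    root.mkdir(parents=True, exist_ok=True)
    # "x" mode refuses to overwrite an existing file; 0o600 keeps it owner-only.
    with open(dest, "xb", opener=lambda p, f: os.open(p, f, 0o600)) as fh:
        fh.write(content)
    return dest


# Constructed sample payloads: a real PNG header, and a text body that is not an image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
TEXT_SAMPLE = b"<%-- not an image --%>"

if __name__ == "__main__":
    print(accept_upload("photo.png", PNG_SAMPLE))
    for name, body in [("shell.jsp", TEXT_SAMPLE), ("shell.png", TEXT_SAMPLE)]:
        try:
            accept_upload(name, body)
        except UploadRejected as exc:
            print(f"{name}: rejected ({exc})")
```

The response to the client should carry only an opaque handle or the generated name, never the storage path, and the directory itself should be served (if at all) through a handler that sets Content-Disposition and a fixed Content-Type rather than through the application container.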

After a few hours, I found another upload point

File monitoring

Uploaded the horse directly

It echoed back the address

Ice Scorpion (Behinder) connected successfully

Finally, use the system's own account to log in to the system, and then use the second upload point to upload the horse.


0x03 Summary

1. Search for an open source CMS system through Fofa, click any target site, and enter the weak password admin/admin to enter the system.
2. In the backend file download, a link like http://www.xxx.com/filenam=xxxx.xls appears; these links have an arbitrary file download vulnerability.
3. Use bp to fuzz the path: reading ././etc/passwd and ././etc/passwd both give 500 errors, while /././etc/passwd can read the content. Then change to ././././root/.bash_history, and the error is 500.
4. None of the target websites in this test could read the history records. Then search for several other similar open source CMS systems through Fofa, enter the same weak password admin/admin to enter the system, and the ././././root/.bash_history content can be read normally. It shows the target administrator's operation records, including the name of the compressed package backing up the target site, which is saved in the website root directory.
5. You can download the source code compressed package in the root directory directly to local and perform a code audit.
6. Found that the target source code contains the website configuration file and the backup file of the MySQL database.
7. By building the environment locally, the target system runs normally locally. At the same time, file changes are monitored through FileMonitor (https://github.com/TheKingOfDuck/FileMonitor), and the database is managed through phpMyAdmin. The system's own account system and its password hash value are found in a database table and successfully decrypted through md5, and the system account is used to log in to the local environment's backend.
8. At the file upload point in the backend there is a file upload vulnerability. Uploading test.jsp is prompted as successful. However, FileMonitor shows that a new file has been created. Although the uploaded file name is not found, it proves that it has not been uploaded successfully.
9. By searching the upload keyword in the source code, you can learn the rule for the file name after a successful upload: current date and time + clock sequence + globally unique IEEE machine identification number (network card MAC address).
10. Another file upload was found elsewhere in the backend of the local environment system. A .jsp can be uploaded successfully and the uploaded file name is returned. Search for the file name to learn the saved path.
12. Finally, use the system's own account system to log in to the target system backend, and then use the second place to upload the horse.

Original link: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247493857idx=1sn=f7db570914d9e4b4f517ab05b5e5d380chksm=cfa54cf2f8d2c5e41b2636bb3e6a9961617324182a2dd93b52a1fa3bea9dd42d8ed96b377bb4scene=178cur_album_id=1553386251775492098#rd
