
Title: A summary of a practical offensive and defensive drill


0x01 External-facing web services

Asset Discovery

Search across multiple asset-mapping platforms:

https://hunter.qianxin.com/

https://fofa.info/

https://quake.360.cn/


Search with multiple query syntaxes. If the target site is xxxx.com, collecting assets through several different syntaxes gives a more complete picture than any single query.

Taking Fofa as an example:

domain='xxxx.com'

host='xxxx.com'

header='xxxx.com'

cert='xxxx.com'

Sensitive information leakage

When gathering information on university sites, there are generally few entry points reachable from the external network: most web applications sit behind a VPN, so obtaining a VPN account makes everything that follows much easier. Such information can be mined with search-engine syntax.

Commonly used queries are as follows:

#google syntax

site:*.edu.cn intext: vpn | Username | Password | Account | Default Password

#github

*.edu.cn password


During this offensive and defensive drill, I was lucky enough to find the default password for one site's VPN: a weak password of the form name-pinyin/12345678.

Default Password

For some sites the default account and password are never changed after deployment, so logging in with the default credentials is worth trying.

Some common default credentials for web sites:

account: admin, administrator, root, user, test

password: admin, admin123, 123456, 123, test, root

For widely used systems, the default password can be found through Google search syntax.

Here, the Fanwei backend was logged into successfully with sysadmin/1.

nacos/nacos


Common exploits

For drills with many targets, it is more efficient to collect the target subdomain URLs first and then batch-import them into fingerprinting tools such as Goby and Fofahub.

Filter the important assets out of the fingerprinting results as breakthrough points, and attack them with known vulnerabilities or day exploits.

Here are some batch exploit tools:

https://github.com/Anonymous-ghost/AttackWebFrameworkTools-5.0

https://github.com/d3ckx1/Fvuln

https://github.com/W01fh4cker/Serein

Framework targets include log4j, shiro, struts2, etc.

OA systems such as Zhiyuan, Fanwei, UFIDA and Lan Ling are also targets; in this drill a UFIDA NC site was found.

UFIDA NC webshell write

Access the interface /servlet/~ic/bsh.servlet.BshServlet to execute commands

A dnslog probe showed that the host had no outbound network access, so the webshell was written directly instead.

1. First generate a Godzilla JSP webshell, then Unicode-encode it.

2. Then URL-encode the output.

3. The payload field is as follows. The write path used here defaults to webapps/nc_web and can be adjusted in practice.

String keyWord=URLDecoder.decode('
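Added here from the defender's side, and not part of the original post: a small scanner over web-access log lines that flags requests to the BshServlet path described above, including percent-encoded variants of the path that a plain string match would miss. The log lines, IP addresses and timestamps are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache/Tomcat "combined" style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2022:22:58:03 +0800] "GET /nc/index.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jul/2022:22:58:10 +0800] "POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1" 200 812 "-" "python-requests/2.28"
10.0.0.9 - - [23/Jul/2022:22:58:12 +0800] "POST /servlet/%7Eic/bsh.servlet.BshServlet HTTP/1.1" 200 812 "-" "python-requests/2.28"
10.0.0.7 - - [23/Jul/2022:22:59:00 +0800] "GET /servlet/~ic/bsh.servlet.BshServlet?bsh.script=x HTTP/1.1" 404 0 "-" "curl/7.68"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Servlet named on the page; matched case-insensitively after decoding.
WATCHED_SERVLET = "bsh.servlet.bshservlet"


def normalize_path(raw):
    """Decode percent-encoding twice (catches double-encoded evasion) and lower-case."""
    path = raw
    for _ in range(2):
        path = unquote(path)
    return path.lower()


def scan_access_log(text):
    """Return one alert dict per request whose path hits the watched servlet."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if WATCHED_SERVLET in normalize_path(m.group("path")):
            status = int(m.group("status"))
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": status,
                # A 200 means the servlet actually answered; a 404 still shows probing.
                "severity": "high" if status == 200 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A high-severity hit here means the servlet is reachable and responding, which is the condition the write-up above relies on; that path should normally be blocked at the reverse proxy and any 200 to it triaged immediately.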
