
Title: Record of a web login penetration test


During penetration tests we run into a lot of web login pages. So what approach should we take to test them? Let's take a look at some of my testing ideas.

Test ideas: how would you go about penetrating a web login box like this one?

We can see that there is no CAPTCHA on the login, so there is a brute-forcing problem. So what usernames are generally used for brute forcing?

1. admin

2. test

3. root

Here you can also find the operator of the corresponding system, collect administrative accounts, and increase the chance of a successful brute force.

Brute forcing was attempted here, but without result.

Directory scanning: we can scan for directories. Maybe some of the directories found are not behind authentication and can be accessed directly.

After the methods above yielded no unauthorized access, we look at the JS files next.

We found a /SystemMng/Index URL in index.js.

We try appending it to the URL and accessing it.

After appending it, I found nothing there. Ready to give up?

Don't worry, let's see whether the JS holds a surprise.

Several of the concatenated paths are quite damaging. Let's take one and continue with it for everyone.

Combo: weak-password brute force. Having gotten this far, we have obtained the administrator's account and phone number, and we could also reset their password directly (take the correct account and try brute forcing).

You can see that the password is encrypted and turns out to be md5. We can use the encoding and brute-forcing features provided by Burp.

The brute force succeeds. The account is relatively complex; without the previous steps I couldn't have gotten the username.

Logged in successfully.

Login response packet test: enter any account and password, log in, and capture the packet.

After modifying its authentication data:

After the modification, I found that the redirect carried no data. There was still a leak in the JS.

Same method as before.

Privilege escalation: we have now obtained the account and password of an ordinary user. Next we should try privilege escalation, either vertical or horizontal.

Use the brute-forced account to log in and capture packets. When digging here, experienced testers will look at the request and response packets several times.

When constructing the request I thought it was checking the ID. After a few more rounds of testing, I found that it only recognized the code parameter.

Unauthorized access obtains all permissions on the website.

Original link: https://xz.aliyun.com/t/11612
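A defender-side counterpart to the brute-forcing and directory-scanning steps in the post above, added here as an example that is not part of the original post: it parses constructed access-log lines (assumed to be in common log format, with rejected logins assumed to return 401/403) and flags source IPs that produce a burst of failed logins or of 404 probes inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines, not taken from the post: 10.0.0.5 hammers the login, 10.0.0.9 scans paths.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Nov/2022:16:11:01 +0800] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [22/Nov/2022:16:11:02 +0800] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [22/Nov/2022:16:11:03 +0800] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [22/Nov/2022:16:11:04 +0800] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [22/Nov/2022:16:11:05 +0800] "POST /login HTTP/1.1" 401 120
10.0.0.5 - - [22/Nov/2022:16:11:06 +0800] "POST /login HTTP/1.1" 200 512
10.0.0.9 - - [22/Nov/2022:16:12:00 +0800] "GET /admin/ HTTP/1.1" 404 80
10.0.0.9 - - [22/Nov/2022:16:12:00 +0800] "GET /backup/ HTTP/1.1" 404 80
10.0.0.9 - - [22/Nov/2022:16:12:01 +0800] "GET /SystemMng/Index HTTP/1.1" 200 900
10.0.0.9 - - [22/Nov/2022:16:12:01 +0800] "GET /test/ HTTP/1.1" 404 80
192.168.1.7 - - [22/Nov/2022:16:13:00 +0800] "POST /login HTTP/1.1" 200 512
"""

# Common log format: ip ident user [timestamp] "method path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect(log_text, login_path="/login", fail_limit=5, notfound_limit=3,
           window=timedelta(minutes=1)):
    """Return sorted (kind, ip, count) alerts for login brute forcing and directory scanning."""
    fails, notfound = defaultdict(list), defaultdict(list)
    for ip, ts, method, path, status in parse(log_text):
        if method == "POST" and path == login_path and status in (401, 403):
            fails[ip].append(ts)          # rejected login attempt (assumed status codes)
        elif status == 404:
            notfound[ip].append(ts)       # probe for a path that does not exist
    alerts = []
    for kind, table, limit in (("login_bruteforce", fails, fail_limit),
                               ("dir_scan", notfound, notfound_limit)):
        for ip, times in table.items():
            times.sort()
            # Sliding window: any run of `limit` consecutive events inside `window` trips the alert.
            if any(times[i + limit - 1] - times[i] <= window
                   for i in range(len(times) - limit + 1)):
                alerts.append((kind, ip, len(times)))
    return sorted(alerts)
```

Feeding a real access log in place of SAMPLE_LOG gives the same alert tuples; the thresholds are deliberately low for the short sample and should be tuned to the site's normal failure rate.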
