
Title: A record of penetrating a pig-butchering scam site


0x00 Introduction

Last year I was browsing Weibu. I was originally looking for a few IPs to practise my tracing skills, but by accident I came across a pig-butchering scam site. If anything is missing from this write-up, please point it out promptly. Please do not go to Weibu to look for this target and try to reproduce this; the case has already been handed over in full to the authorities.

0x01 Simple recipe

Image

When we opened the link, a strong "microdisk" aura hit us in the face. Since we had audited this set of source code ourselves, we went straight to the corresponding spot and called the XSS. It turned out that this microdisk was a third-generation modification, yes, a third-generation one!

Out of options, I fell back on the old idea: find a way to make the framework throw an error, read the version number, and then look for an RCE.

Image

After getting the version number and the physical path, there is actually a small detail worth noting; see the picture below.

Image

Here you can see SERVER_NAME and SERVER_ADDR. I ran into this situation before on similar projects: the two values fed back when you make the page error out may contain the real IP. If you cannot find the target's real IP, you can try this trick.
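The point above is that a framework error page hands out the version, the document root and server variables such as SERVER_ADDR. The following is an added example written for this page (not code from the post or from the microdisk system) showing the defender's side: a minimal PHP error policy that keeps that detail in the server log and returns only a generic message to the client. The log path and the message text are assumed placeholders.

```php
<?php
// Added example, not from the original post: keep error detail out of HTTP responses.
// Assumes a PHP web application; the log path below is an assumed placeholder.

// Production settings: never render errors to the client, log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log'); // assumed location
error_reporting(E_ALL);
// Note: expose_php (the "X-Powered-By: PHP/x.y" header) is PHP_INI_ONLY and must be
// switched off in php.ini; it cannot be changed at runtime.

// Non-fatal errors: full detail (file path, line) goes to the log only.
set_error_handler(function (int $errno, string $errstr, string $file, int $line): bool {
    error_log(sprintf('[php:%d] %s in %s:%d', $errno, $errstr, $file, $line));
    return true; // suppress PHP's default output, which would echo the path
});

// Uncaught exceptions: log everything, answer with a generic page plus a
// correlation id so support can find the log entry without leaking detail.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf(
        '[ref %s] Uncaught %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    // No framework name, version, SERVER_NAME, SERVER_ADDR or document root here.
    echo "Internal error. Reference: {$ref}\n";
});
```

The same idea applies to the framework's own debug mode: the version banner and the dump of $_SERVER that the post relies on only appear because debug output is enabled in production, so the check a defender wants is simply that a forced error on the live site returns this generic page and nothing else.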

Everyone knows that for targets like this, enumerating sibling sites, ports and so on is of no use, so I won't go into that.

I registered an account and looked around; there was nothing usable. Then I suddenly remembered there is an injection at goods/pid. Because we had always used our own 0-day against it before, I had never used this injection point. Today I would give it a try.

Image

Bingo! This is very nasty. If you know the physical path, can you write a shell? No, you can't: the permissions are not enough.

But see what I found!

Image

The database credentials were displayed for no apparent reason, so could I connect directly? Obviously not, because the database does not accept external connections.

0x02 That's it

The stalemate lasted for about ten minutes, and then look what I found.

Image

adminer! Hahaha, how did I find this? As I mentioned, we had audited the first- and second-generation modifications of this system, and there is an adminer database management page in certain specific directories, so I fuzzed this target for it too, found it, and then connected.

Found the suspect IP and did a simple check of its authenticity, location and so on.

Image

Sure enough, it is in our Greater Yunnan again.

To keep the evidence complete, we still had to find a way to take screenshots inside the admin backend. Since I was now in the database, at the spot where the blind XSS had not succeeded I could insert the XSS payload directly, and then induce the customer service staff to trigger it.

Image

Image

Image

Then I was in. The upload point in the backend had been removed in the third-generation version, the shell permissions from the database were not enough, and the required services could not be enabled, so in the end I was unable to get a shell.

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg4MjcxMTAwMQ==mid=2247486198idx=1sn=e41bc5d7e4aee7314beaab7f5830435dchksm=cf53ca40f8244356493dff79a82e26a8c3ef89c50c4508de61cacf523527534d383e6d6b2445scene=178cur_album_id=2831511688645656580#rd
