Title: A record of actually penetrating the scam behind my Huabei fraud

0X00 Cause of the incident

I ran into a "prepay 3999 in phone credit and get a free tablet" deal and was taken in. They operated my Alipay, cashed out and transferred the money, and took my Huabei credit with it.

When I got home I felt something was wrong, and regretted it more and more. I searched online for this kind of promotion and found plenty of cases that were exactly the same. The more I read, the angrier I got.

The worst part is that the tablet they gave me was worth a little over 800 yuan, nowhere near the prepaid phone credit, and it was actually a bit laggy, so I decided to dig deeper.

0X01 Information Collection

I copied the short link from the verification text message into a browser; it resolved to xx.xxxx.xx.xx. Clearly this is not under the carrier's official domain. I ran the URL through a webmaster tool: it resolved to Alibaba Cloud with no CDN enabled, the domain holder is a technology company in Guangdong, and the domain's registration runs out in November this year. Looking up the company, I found it flagged with the big words "operating abnormally". My several thousand yuan of phone credit is surely gone.

A full port scan of the domain with nmap -p 1-65355 xx.xxxx.xx, to see which services are open and work from there, showed only ports 80 and 22. The only useful piece of information is that port 22 tells me the other side is a Linux server.

Accessing the web service on port 80 gives this page, which is also the page the short link in the text message redirects to.

Its URL path is /admin/user/login, obviously a user login page. As everyone knows, admin means management; intuition told me to strip the path back one directory at a time, and /admin/login turned out to be the merchant management login page.

0X02 Vulnerability mining

So far two login pages have been found. The backend login has no captcha, so brute-forcing is possible, but that requires knowing the merchant's mobile number. Let's first log in normally as my own user and see whether there is anything exploitable. The functions are very simple and there is nothing usable: the avatar cannot be edited or uploaded, and the page only displays the total phone credit. I guess they use such a platform just to display a number to fool consumers for the first few months.

I decided to log out and use Burp to capture the traffic and analyse the transmitted data. I entered the correct mobile number, captcha and SMS verification code with interception turned on, and saw that the parameters were all sent in plaintext and the codes were all correct. If I replaced the number with another user's, could I get horizontal privilege escalation? Swapping another number into the mobile parameter logged me in as that user: horizontal privilege escalation achieved.
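Added example (not from the original post): a minimal Python model of the SMS-code login, with the flaw described above beside its fix. The class, the phone numbers and the in-memory store are constructed for illustration.

```python
import hmac
import secrets
import time


class SmsLogin:
    """In-memory SMS-code login, constructed to show the bug and its fix."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self.pending = {}                      # mobile -> (code, issued_at)

    def send_code(self, mobile):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[mobile] = (code, time.time())
        return code                            # would be delivered by SMS

    def _fresh(self, issued_at):
        return time.time() - issued_at <= self.ttl

    def login_vulnerable(self, mobile, code):
        # Bug class from the post: the server only checks that the code is a
        # currently valid one and then trusts the client-supplied mobile field,
        # so my own code plus someone else's number yields their session.
        for _, (issued_code, issued_at) in self.pending.items():
            if issued_code == code and self._fresh(issued_at):
                return {"session_for": mobile}
        return None

    def login_fixed(self, mobile, code):
        # The code is looked up by the number it was sent to, compared in
        # constant time, and consumed on success (single use).
        entry = self.pending.get(mobile)
        if entry is None or not self._fresh(entry[1]):
            return None
        if not hmac.compare_digest(entry[0], code):
            return None
        del self.pending[mobile]
        return {"session_for": mobile}
```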

Same personal center, nothing usable there either, so switch to the backend login box. Without further ado, use Burp to capture a login POST request, save it to a local txt file and run it through SQLmap; there may be unexpected gains. Because requests from my local machine were 100% blocked by the Alibaba Cloud server, I chose to run it from an Alibaba Cloud server like theirs. The username, password and remember-me parameters were not injectable.

Fine, capture a request and send it to look at the response. The account value is output directly into the value attribute.

Construct an XSS payload that closes the attribute and inserts a script: "><script>alert(/xss/)</script>. Resend the request and the reflected XSS fires.
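Added example (not from the original post): the reflected XSS above modelled as two Python renderers of the login form, one echoing the account into the value attribute unescaped and one escaping it, with a parser check showing what a browser would actually see. The form markup and payload are constructed.

```python
from html import escape
from html.parser import HTMLParser

# Constructed payload with the same shape as the one in the post: close the
# attribute and the tag, then inject a script element.
PAYLOAD = '"><script>alert(/xss/)</script>'


def render_vulnerable(account):
    # The account value is echoed into the attribute exactly as received.
    return f'<form><input name="account" value="{account}"></form>'


def render_fixed(account):
    # quote=True escapes " and ' as well as < > &, so the attribute cannot
    # be terminated early; the browser still displays the original text.
    return f'<form><input name="account" value="{escape(account, quote=True)}"></form>'


class _Inspector(HTMLParser):
    """Records start tags and the value attribute of the first <input>."""

    def __init__(self):
        super().__init__()
        self.tags, self.input_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")


def inspect(html):
    """Return how many <script> elements the markup contains and what the input holds."""
    p = _Inspector()
    p.feed(html)
    p.close()
    return {"script_tags": p.tags.count("script"), "input_value": p.input_value}
```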


0X03 Getshell

The two holes I had dug were too useless, and I ran out of ideas for a while. Going back to the captured packets (I hadn't paid much attention to the responses), I noticed rememberMe=deleteMe, the signature of the Shiro deserialization vulnerability.

Just grab the exploit tool, check the source code here, and point it at a static file on the site for detection.

The command execution box being enabled proves the vulnerability exists; if it were not, nothing could be entered. In addition, a 5663.js verification file was generated in the /css directory, and accessing it confirmed that the file write succeeded.

With the file written, I wrote a shell, connected with Ice Scorpion (Behinder) and ran whoami to check the current privileges. In this Linux environment I was root straight away, sparing the trouble of privilege escalation.

With root, and port 22 open to the public, a key could have been used to log in directly without a password. But since the other side is an Alibaba Cloud server, a login from an unfamiliar location triggers an SMS alert, which is too noisy, so I didn't do that. We kept digging for useful information, and after a long search found a database configuration file. The database connection address is 172.xx.xx.xx (the masters are very skilled; even the intranet address is masked). You can tell at a glance that it is a database on an intranet IP. I had to find a way to proxy to it and connect.

Ice Scorpion has a SOCKS proxy that works with Proxifier: add Navicat Premium as the program to tunnel into the intranet database. After configuring Proxifier, add the program and connect. But after repeated attempts, the connection kept erroring out immediately, mostly blocked.

I stepped on many pitfalls with the intranet proxy; in short, I'm still not experienced enough. A master suggested using adminer.php (thanks to @Uncia). Adminer is really nice, lightweight and convenient: just upload it to the web directory. But this is a Java environment that only supports JSP scripts, and Adminer is PHP only.

0X04 Intranet Agent

Since Adminer is not usable and the Ice Scorpion proxy doesn't work, we set up a proxy tunnel instead. I stepped on many pitfalls here, trying reDuh and Tunna: either no traffic at all or a disconnect right away. I don't know whether my approach was wrong or the environment was restricting it. Finally, I found the reGeorg tool on GitHub.

reGeorg

It can be described as an upgraded version of reDuh. It forwards the ports of an intranet server through an HTTP/HTTPS tunnel to the local machine, forming a loop that lets you connect to ports that are open only inside the target's intranet or are restricted by port policy. It uses a webshell to create a SOCKS proxy for intranet penetration. Since the current environment is Java, we upload the .jsp forwarding file to the website directory.

After uploading the script, accessing it shows Georg says, 'All seems fine', so the proxy is working.

Then run python2 reGeorgSocksProxy.py -p 9999 -u http://xx.xxxx.xx/tunnel.jsp; the command line also shows Georg says, 'All seems fine'.
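Added example (not from the original post or the reGeorg project): detection logic a defender could run over reverse-proxy logs to spot a reGeorg-style tunnel script like the one uploaded above. The JSON log format and all records are constructed; the X-CMD/X-TARGET/X-PORT control headers and the "Georg says" banner are my understanding of reGeorg's tunnel protocol and are an assumption here.

```python
import json
from collections import Counter, defaultdict

# Assumed reGeorg control vocabulary (X-CMD header values) and GET banner.
TUNNEL_CMDS = {"CONNECT", "DISCONNECT", "READ", "FORWARD"}
BANNER = "Georg says, 'All seems fine'"
TUNNEL = "/static/tunnel.jsp"          # constructed path of an uploaded script


def _rec(ts, src, method, path, headers=None, body=""):
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "headers": headers or {}, "status": 200, "body": body})


# Constructed proxy log: banner check, one CONNECT to an intranet DB port,
# a polling burst of READ requests, and one unrelated request.
SAMPLE_LOG = "\n".join(
    [_rec(1, "203.0.113.5", "GET", TUNNEL, body=BANNER),
     _rec(2, "203.0.113.5", "POST", TUNNEL,
          {"X-CMD": "CONNECT", "X-TARGET": "172.16.0.10", "X-PORT": "3306"})]
    + [_rec(3 + i, "203.0.113.5", "POST", TUNNEL, {"X-CMD": "READ"}) for i in range(30)]
    + [_rec(40, "198.51.100.7", "GET", "/admin/login", body="<html>")])


def detect_tunnel(log_text, burst_threshold=20, window=60):
    """Return (kind, src, path, detail) alerts for reGeorg-style tunnel traffic."""
    alerts = []
    buckets = defaultdict(int)                 # (src, path, ts // window) -> hits
    for line in log_text.splitlines():
        rec = json.loads(line)
        hdr = {k.upper(): v for k, v in rec["headers"].items()}
        src, path = rec["src"], rec["path"]
        # 1. the banner the tunnel script prints on a plain GET
        if BANNER in rec.get("body", ""):
            alerts.append(("banner", src, path, rec["method"]))
        # 2. the control header the client uses to drive the tunnel
        cmd = hdr.get("X-CMD")
        if cmd in TUNNEL_CMDS:
            detail = f"{cmd} {hdr.get('X-TARGET', '')}:{hdr.get('X-PORT', '')}"
            alerts.append(("x-cmd", src, path, detail))
        buckets[(src, path, rec["ts"] // window)] += 1
    # 3. polling burst: an active tunnel issues READ/FORWARD requests continuously
    for (src, path, _), hits in buckets.items():
        if hits >= burst_threshold:
            alerts.append(("burst", src, path, f"{hits} requests in {window}s"))
    return alerts


def alert_counts(log_text=SAMPLE_LOG):
    """Number of alerts per kind; used as the summary a SIEM rule would emit."""
    return Counter(kind for kind, *_ in detect_tunnel(log_text))
```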

Open Proxifier and configure the basic proxy as local 127.0.0.1 port 9999, then in the proxy rules add the Navicat program. Set the action for everything else to Direct so that only Navicat's traffic passes through the proxy.

Once configured, right-click Navicat in Proxifier to open it in local proxy mode.

You can see the connection is stable and the Python window shows traffic (remember not to close that window while the proxy is in use).

0X05  True scam

With the database connected, look at the accounts in the member table and filter on the name field to find my own name. Sure enough, my record is sitting right there, and the timestamp matches when I was tricked.

How to prove it? Very simple. The first batch of users in the database dates from May 2019, a year ago. If this is a scam, logging in to a 2019 account should make it obvious from the cashback records. Using the horizontal privilege escalation hole found earlier, I picked a random lucky user and logged in to his account.

A whole year has passed and there was only the first cashback. For the following months the consumer is fobbed off with all sorts of excuses. In short, it is always the consumer who loses.

0X06  Write to the end

As for why I wrote this article: because I am a victim too, I wanted to analyse it this way so that everyone can understand the scheme more intuitively and more people can avoid being tricked. When they sign you up, they tell you it is a promotion authorised by the carrier (China Mobile; that is what they told me). But from this you can see it has nothing to do with the carrier at all. It is just a platform they built themselves, and the balance inside is only for show; the platform exists to display a number that reassures you. As for the few hundred yuan that arrive in the first month, they are simply topped up manually out of the thousands they took from you.

Let's leave it there. For the next year I'll be eating dirt to pay back Huabei. There would probably be more tricks to find once logged in to the merchant system, but as far as the penetration goes, my purpose was to prove whether this is a scam. Since it is a solid one, there is no need to go deeper.

The security confrontations we do are like a war without gunpowder. Besides winning or losing, the outcome of a war also carries the distinction between justice and injustice. The only difference is that we must always stand on the side of justice, exploring the principles of a vulnerability without causing harm.

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247486245idx=1sn=ebfcf540266643c0d618e5cd47396474chksm=ce67a1bcf91028aa09435781e951926067dcf41532dacf9f6d3b522ca2df1be8a3c8551c1672scene=21#wechat_redirect
