Title: Penetrating a gambling server (real-world case)

Today I came across a gambling site while browsing the web. I won't post a screenshot of the website.

It is said that gambling sites are fairly secure and not easy to penetrate, so I gave it a try today while I had nothing to do. As a result, I had only scanned the ports when my IP was banned. That was a bit sad, so I could only go through a proxy to take a look.

Browsing around, I found that this site is probably not the main site but a side site that handles various activities. And I found a surprise in one of the activity pop-up windows.

[Image 1]

An ID card (SFZ) can be uploaded here; doesn't that mean there may be a file upload vulnerability? While collecting information, I learned that this server runs IIS 7.5.

[Image 2]

I had just been reviewing and analyzing this vulnerability some time ago, so let's test whether it exists here.

[Image 3]

I turned the PHP webshell into an image webshell for uploading.

[Image 4]

According to the response, the upload succeeded and the address was returned. Next, let's visit it.

[Image 5]

It can be seen that the parsing did succeed, but unfortunately it could not be used normally. So I then directly changed the suffix of the large PHP webshell to jpg and uploaded it.

[Image 6]

When I visited again, I found that it could be used normally. Once inside, I saw a lot of people's personal information and transfer screenshots. I have to say that gambling harms people.

[Image 7]

Now that we have a webshell, let's take a look at the current permissions first.

[Image 8]

It's really hard to deal with; once again I ran into low permissions. I set privilege escalation aside for now and continued to see whether any other sensitive files were available. After searching various directories for a long time, I finally found the database configuration file, which is displayed as follows.

[Image 9]

Connect to the database and take a look.

[Image 10]

I found the account and password of a suspected administrator. I tried it and the password could be decrypted. I was lucky.

[Image 11]

Next, log in to the admin backend to take a look.

[Image 12]

[Image 13]

The result was very disappointing. I had originally thought there would be all kinds of user information and fund flows. Having come this far, I could only continue. Just as I was thinking about how to escalate privileges, and sighing that the gambling site's reputation was indeed deserved, I found the server's information file in a folder.

[Image 14]

Pay attention to the file name: "Server Information". It really was a case of being sleepy and someone handing me a pillow. From this we know that this site is built on the BT Panel (Baota), and the file gives the account and password. It's so thoughtful. Try logging in and check it out.

[Image 15]

[Image 16]

As shown in the picture, several databases record many sinful money transactions. I won't release the details.

In the panel, I also saw that the administrator had changed port 3389 to 19283. Combined with the server account and password given in the earlier file, log in and take a look.

[Image 17]

After some fiddling, I found that three gambling-related sites are hosted on this server, each with a different function: one is the main site, one handles the activities, and the other is for grabbing red envelopes. It's really colorful.

Reprinted from the original link:

https://www.kngzs.cn/1705.html
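
A server-side check that would have rejected both uploads described in this post (a script embedded in a picture, and a script file renamed to .jpg), as an added example that is not part of the original post. The function name, the allowlist and the sample bytes are constructed for illustration.

```python
import re

# Leading magic bytes for the image types an ID-photo upload form should accept.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Long-form PHP openers. Short tags are too short to match reliably in binary
# data, which is why re-encoding the image server-side is the stronger control.
SCRIPT_MARKER = re.compile(rb"<\?php|<script[^>]*language\s*=\s*[\"']?php", re.I)
# Script extensions anywhere in the name, e.g. "id.php.jpg".
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|ashx)(\.|$)")


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext not in MAGIC:
        reasons.append("extension not allowed")
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    if SCRIPT_EXT.search(name):
        reasons.append("script extension in name")
    marker = SCRIPT_MARKER.search(data)
    if marker:
        reasons.append(f"script marker at offset {marker.start()}")
    return reasons


# Constructed sample inputs (not taken from the post).
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
INERT_PHP = b"<?php echo 1; ?>"
SAMPLES = {
    "id_front.jpg": CLEAN_JPEG,              # genuine image
    "id_back.jpg": CLEAN_JPEG + INERT_PHP,   # script appended to an image
    "id_hand.jpg": INERT_PHP,                # script renamed to .jpg
    "id.php.jpg": CLEAN_JPEG,                # double extension
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, inspect_upload(fname, blob) or "accept")
```

Pair the check with storing uploads outside the web root, or in a directory whose handler mapping does not execute scripts, so that a file that slips through is served as data only.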
