
Title: A record of penetrating a gambling ("spinach") site's points mall


Got the target site's page.


I was ready to give up before it had even started.

Then I noticed a points mall in the upper right corner and clicked into it with a heavy heart.


When I saw this page I slammed the door and went out for a ten-minute smoke [don't ask why I didn't do that earlier].

Start collecting information

Took the points store's domain name and put it into fofa.


After getting the real IP, I found the Baota backend login panel.

Then I used the domain name/IP to scan directories [with Yujian's super-large dictionary] and checked which language it was written in. Not knowing which scripting language the site used, I appended index.php [page exists], index.jsp [404] and index.asp [404] directly to the domain. OK, it's PHP; next, find the backend.


With so few pages like this, I tried my luck looking for fingerprints (features) to search with.


Searched in fofa.


Many pages show OneThink, so I searched Baidu.

It's confirmed that this framework is OneThink, which is developed on top of ThinkPHP. [An idea here: if attacking with the TP framework vulnerability doesn't succeed, we can take the CMS we found and do a code audit. Given that we found the Baota login panel above, we could audit for an arbitrary file read, read the Baota username and password, and getshell via a scheduled task.] Used the TP vulnerability scanning tool to obtain a POC.

The debug error showed TP 5.0.1. I searched for it and found the log path. I tried log inclusion but it failed. Later I found that its logs are cleared once they reach a certain size, and the phpinfo page takes up a certain number of KB. So I had to clear its logs through Burp and then URL-decode to <?php phpinfo(); // see [Vulnerability Summary: File Inclusion]


After clicking send, if nothing is displayed in Burp the log file disappears immediately. At this point, look back at the initial POC: when the POC succeeds, there is debug information below it.

So focus on Raw: when execution succeeds, the following information is displayed, from which we extract key features.

Extracted the key features and searched for them in Raw.


So if <?php phpinfo(); is included, these two features will repeat. The operation just now gets written to the log; capture the packet and convert the URL's %3C?php%20phpinfo();%3E into <?php phpinfo();>. Note here that when the log reaches a certain size it is cleared and will no longer contain our malicious code. After writing <?php phpinfo(); and sending it, we have to access the log to check whether <?php phpinfo(); is present. I tried three times here; successfully including the feature is not a problem (successfully included). The remaining getshell isn't covered, it's too simple: as long as it is included and executed, getshell is no problem.


Reprinted from the original link: https://mp.weixin.qq.com/s/vE5QQx0FI_0OWVQ-6Uc9xg
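As an added defender-side example (not part of the original post or of ThinkPHP), the following script looks for the two-step pattern the post relies on in web-server access logs: a request carrying a PHP open tag so that it lands in the framework log, followed by a fetch of that log. The sample log lines are constructed, and the log location is assumed to be ThinkPHP 5's default runtime/log/ directory.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the post). The second and
# third lines model the pattern described above: a request that carries a
# PHP open tag, then a read of the framework log that now contains it.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?s=/home/index HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] "GET /index.php?a=%3C?php%20phpinfo();%3E HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:12:00:03 +0000] "GET /runtime/log/202310/10.log HTTP/1.1" 200 8192
203.0.113.9 - - [10/Oct/2023:12:00:04 +0000] "GET /static/css/app.css HTTP/1.1" 200 4096
"""

# Assumed log location: ThinkPHP 5's default runtime/log/ directory.
LOG_PATH_HINT = re.compile(r"/runtime/log/", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) ')

def classify(line):
    """Return (ip, findings) for one access-log line, or None if unparsable."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded tag (%253C...) is still caught.
    decoded = unquote(unquote(m.group("path")))
    findings = []
    if PHP_OPEN_TAG.search(decoded):
        findings.append("php_tag_in_request")   # log-poisoning attempt
    if LOG_PATH_HINT.search(decoded):
        findings.append("runtime_log_access")   # framework log being fetched
    return m.group("ip"), findings

def scan(log_text):
    """All lines with at least one finding, as (ip, findings) tuples."""
    return [r for r in map(classify, log_text.splitlines()) if r and r[1]]

def correlate(alerts):
    """IPs that both planted a PHP tag and fetched the runtime log."""
    seen = {}
    for ip, findings in alerts:
        seen.setdefault(ip, set()).update(findings)
    return {ip for ip, f in seen.items()
            if {"php_tag_in_request", "runtime_log_access"} <= f}

if __name__ == "__main__":
    hits = scan(SAMPLE_ACCESS_LOG)
    for ip, findings in hits:
        print(ip, findings)
    print("poison-then-include from:", correlate(hits))
```

Keeping the framework's runtime directory outside the web root, or denying direct requests to it, removes the second step regardless of whether the inclusion bug is patched.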
