
Title: Notes from a half-finished penetration of a gambling ("spinach") site


Preface

On a sunny afternoon, we were chatting away under Blank's lead about women.


Then Mr. float noticed a strange IP that had visited his blog.


Alas, I don't take any network security law seriously at all; just start fighting.

Game Start

Opening the site in a browser redirects straight to the login page.


Information Collection

Append a junk character to the path, and the response reveals ThinkPHP and its version number.


Meanwhile, Mr. float's nmap scan found port 801 and confirmed the site was built with Baota (BT panel). We did not dig into that further.


RCE attempt

ThinkPHP 5.0.21 has a well-known RCE, and payloads for it are everywhere. I still hit a small pitfall.


The module name used in the payload is not the usual index, and the module has to actually exist. Going by the login redirect:

/admin/login/index.html

I guessed the module was admin, and that worked.


disable_functions is set, though, so command execution through the RCE does fail.


Still a webshell

The good news is that the file write succeeded.


Visiting shell.php shows the phpinfo page.


Right away I wrote a Behinder (冰蝎, "ice scorpion") webshell and connected to it.


I took the opportunity to look around: loan, manager, salesperson, bc. OK, keep going.


Connecting to the database

Hard-coded credentials really are a universal problem, and the database password was right there in the code.


This was the first time I had run into a MySQL password containing @. Writing it directly into the connection string breaks it, e.g.:

mysql://root:[email protected]:3306/mysql

The @ in the password makes the parser treat everything after the first @ as the ip:port part too early. It has to be encoded as %40.
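The encoding problem above is generic to every URL-style DSN, not just MySQL: any reserved character in the userinfo part (@, :, /, %) must be percent-encoded or a parser that splits at the first @ will misread it. The following is an added example, not code from the original post; it builds a DSN with percent-encoded credentials and includes a small first-@ parser that reproduces the failure described in the post. The user, password, host and database values are constructed placeholders.

```python
"""Added example: percent-encoding reserved characters in a DSN password.

Demonstrates why a raw '@' in the password of mysql://user:pass@host:port/db
is misparsed, and how encoding it (e.g. '@' -> '%40') fixes the problem.
All credentials and hosts here are constructed placeholders.
"""
from urllib.parse import quote, unquote


def build_dsn(user, password, host, port, database, scheme="mysql"):
    """Assemble a URL-style DSN with the userinfo part percent-encoded.

    safe="" tells quote() to encode '/' as well, so '@', ':', '/' and '%'
    in the password can never be mistaken for URL delimiters.
    """
    return (f"{scheme}://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{port}/{database}")


def parse_dsn(dsn):
    """Minimal DSN parser that splits at the FIRST '@' (as the post describes).

    This mirrors the behaviour of simple connection-string parsers and is
    exactly what goes wrong when the password contains an unencoded '@'.
    The userinfo fields are percent-decoded after splitting.
    """
    scheme, rest = dsn.split("://", 1)
    userinfo, hostpart = rest.split("@", 1)        # first '@' wins
    user, _, password = userinfo.partition(":")
    hostport, _, database = hostpart.partition("/")
    host, _, port = hostport.partition(":")
    return {
        "scheme": scheme,
        "user": unquote(user),
        "password": unquote(password),
        "host": host,
        "port": int(port) if port else None,
        "database": database,
    }


if __name__ == "__main__":
    # Constructed placeholder credentials.
    raw = "mysql://root:p@ss@127.0.0.1:3306/mysql"
    print("raw     ->", parse_dsn(raw))           # password 'p', host 'ss@127.0.0.1'
    encoded = build_dsn("root", "p@ss", "127.0.0.1", 3306, "mysql")
    print("encoded ->", encoded)                  # ...root:p%40ss@127.0.0.1...
    print("parsed  ->", parse_dsn(encoded))       # password 'p@ss', host '127.0.0.1'
```

The same rule applies to real drivers: SQLAlchemy's documentation, for instance, recommends passing passwords through urllib.parse.quote_plus before building the URL. Secrets with reserved characters are a good argument for passing credentials to the driver as separate parameters rather than embedding them in a string at all.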


Administrator login

Digging through the web directory and the code turned up nothing more, so the next step was logging in to the system.

The database holds the account credentials; naturally the password is a salted hash.


Who needs the password anyway? Just patch the login code so it skips the table check.

Logged in to the system.


The business logic looks so sophisticated that I can't quite follow it, so I left a backdoor user behind just in case.

Reprinted from the original link: https://mp.weixin.qq.com/s/f4nWOGgPXlSA_ChgpBj7Zw
