
Title: Penetration test of fraud (pig killing) websites


Today a friend suddenly told me that someone who was selling a phone had been scammed out of 1,200 yuan. He was shocked, so as expected I decided to give it a try.

I got the address of the scam website, and the opening page looks like this. Decisively collect information. (Because the scammer returned my friend's money after being messaged, I'll give him some face and mosaic it for the time being.)

Check the ports, and guess it's built on the Pagoda panel. Port 80 is open, so visit it.

Following the tutorial for the customer-service software from the official website, I found that the backend path is: /admin. Direct access, and as expected I found it. With no other idea, I tried admin:123456 directly and didn't expect it to get in, hahaha.

The next step is getshell. I found that the language configuration file is directly editable. I used a simple one-liner here and got my IP blocked. I took a look and it actually uses the cloud shield. This scammer is a little bit secure, so I had to use my Godzilla killer tool (it has a built-in bypass function, which is easy to use, right?).

Good guy, there are so many disabled functions. OK then, bypass them. During file management I discovered that directory reading is restricted.

Directly use Godzilla's directory access bypass.

When browsing the directory, I found that there are multiple versions of PHP. I am not familiar with privilege escalation on PHP 5 (Godzilla does not apply to it, haha). After seeing PHP 7, I decided to look for other sites. You can access other sites; the IP resolves to all of them. Finally I found a PHP 7 one.

Finally found a PHP 7 one, but the Linux kernel version is very new, so it seems privilege escalation is a problem.

Then, as expected, Godzilla's function bypasses the command execution restriction and directly obtains a low-privilege shell after execution.

It is the www user, with very low permissions. A pig-killing tool was also found in the directory: Frame.

You can generate a link to the fraud details with one click. (Now everyone knows not to trust QQ and WeChat transactions; this kind of pig-killing scam cheats people easily.)

Finally, based on the collected database connection details and other information, I took a look in the database. There is a problem with Godzilla's database connection.

So I set up FRP to access the scam server.

Information

Since the www user cannot write a .so file into the MySQL directory, MySQL cannot be used to escalate.

sudo always asks for the www password, so sudo cannot be used either.

Commands with the SUID bit set are listed below.

/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/at
/usr/bin/sudo
/usr/bin/crontab
/usr/bin/passwd
/usr/sbin/grub2-set-bootflag
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/lib/polkit-1/polkit-agent-helper-1

Finally I used CVE-2018-18955 (https://www.freebuf.com/news/197122.html). Finally, the sorted information was submitted to my friend and the police, and I did not go any deeper.

This article is reproduced from the original links: https://xz.aliyun.com/t/9200 and https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247486388&idx=1&sn=cfc74ce3900b5ae89478bab819ede626&chksm=ce67a12df910283b8bc136f46ebd1d8ea59fcce80bce216bdf075481578c479fefa58973d7cb&scene=21#wechat_redirect
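As an added example (not code from the original post or from any tool it mentions), here is a small Python audit that compares a host's SUID inventory against the baseline list above, so a defender can spot SUID files that should not be there; the sample `find` output is constructed and includes one hypothetical extra entry under the web root.

```python
"""SUID baseline audit (added example; not code from the original post).

Run `find / -perm -4000 -type f 2>/dev/null` on the host, feed the output
to audit_suid(), and review anything reported as unexpected or missing.
"""
import subprocess
from typing import Iterable

# Baseline: the SUID binaries listed in the post above (a normal-looking set
# for an RPM-based host). Adjust to the golden image of the system you audit.
BASELINE_SUID = frozenset({
    "/usr/bin/chage", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/su", "/usr/bin/umount", "/usr/bin/pkexec", "/usr/bin/chfn",
    "/usr/bin/chsh", "/usr/bin/at", "/usr/bin/sudo", "/usr/bin/crontab",
    "/usr/bin/passwd", "/usr/sbin/grub2-set-bootflag", "/usr/sbin/unix_chkpwd",
    "/usr/sbin/pam_timestamp_check", "/usr/lib/polkit-1/polkit-agent-helper-1",
})

def parse_find_output(text: str) -> list[str]:
    """Extract absolute paths from raw find output, ignoring blank/error lines."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("/")]

def audit_suid(found: Iterable[str], baseline=BASELINE_SUID) -> dict[str, list[str]]:
    """Diff the observed SUID set against the baseline.

    unexpected: SUID files not in the baseline (possible planted escalation path)
    missing:    baseline binaries that disappeared (possible tampering/replacement)
    """
    observed = set(found)
    return {
        "unexpected": sorted(observed - baseline),
        "missing": sorted(baseline - observed),
    }

def collect_suid_live() -> list[str]:
    """Enumerate SUID files on the local host (needs read access to the tree)."""
    proc = subprocess.run(["find", "/", "-perm", "-4000", "-type", "f"],
                          capture_output=True, text=True)
    return parse_find_output(proc.stdout)

# Constructed sample: the post's list, one permission-denied line that find
# prints on stderr in practice, plus one hypothetical extra SUID file under
# the web root, which is exactly what a defender wants flagged.
SAMPLE_FIND_OUTPUT = ("\n".join(sorted(BASELINE_SUID))
                      + "\nfind: '/proc/1/task': Permission denied"
                      + "\n/var/www/html/.tmp/helper\n")

if __name__ == "__main__":
    for kind, paths in audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT)).items():
        print(f"{kind}: {paths}")
```

To audit a live host, replace the sample with `collect_suid_live()` and keep the baseline in version control so a diff in a cron job or config-management run becomes an alert.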
