Title: A practical penetration of cross-border spinach APP

0x01 Preparation tools

This penetration is mainly aimed at an Android APP. The backend server of the "spinach" (gambling) APP is overseas, and the platform includes a number of illegal gambling-related mini games.

1. Thunderbolt (雷电) Android emulator, used to run the gambling site's APP installer.

2. Packet capture tool Fiddler (or Burp Suite, Wireshark), used to capture traffic packets and find the website's backend server address.

3. Sublist3r, AntSword (中国蚁剑) and other conventional penetration tools.

0x02 Information collection

1. Find the server address. Analyze captured traffic to find the server address of the spinach APP. Use Fiddler to capture the Android emulator's traffic and obtain the APP backend website address through analysis: http://****.com. You can also use Burp or Wireshark to capture packets; there are many online tutorials.

Query the domain name "****.com" found in the packet capture, and the target server IP address is found: x.x.x.x. A further lookup of the server IP on the "Webmaster's Home" (站长之家) website confirms that the server is overseas.

2. Obtain the subdomain name.

Use Sublist3r.py to collect subdomains:

python Sublist3r.py -d xxx.com -o 1.txt

Some subdomains were found, but no breakthrough was found when testing them.

0x03 Penetration process

1. Register, log in and discover HTML5 pages. Register and log in on the APP page, capture the page address, then open the captured address in a browser. I found that the APP page is a pure HTML5 page, which makes it more convenient to operate in the browser.

2. Injection on the front-end account failed. Register with a test number, then capture and modify the request. An injection point was found, but the injection failed.

3. Log in as the registered user and find an upload vulnerability. The personal center has an identity review function: identity documents must be uploaded to verify user information. It is inferred that this upload function could serve as a Trojan upload point.

4. After an upload fuzz test, it turns out the backend program only verifies the MIME type and the file header. Using the file-type bypass method, upload the image Trojan ("picture horse") directly with a modified MIME type; the upload succeeds and the shell address is obtained.

5. Use AntSword to connect to the Trojan successfully, analyze the server's website source code to find the database configuration file, and connect to the database successfully.

6. Use AntSword to connect to the database successfully and obtain the hash values of the accounts and passwords.

7. Through analysis of the file directory structure, the backend is found to be a single-entry file; the parameter s=admin successfully jumps to the admin backend. Decrypt the hash value of the backend account obtained from the database and log into the backend successfully.

With the administrator's backend permissions, we can see the number of users registered on the website that day: only 86 bets were placed, but the capital flow was 542,000 yuan. In the administrator login logs, the main login IPs are distributed in the Philippines, Hong Kong, Guangxi, Vietnam and other places.

User login log records: the data includes the user's id, login IP, mobile phone number, login time and other information.

User betting records: the data includes member id, betting amount, cumulative level gift, etc.

0x04 Summary of the vulnerability-hunting method

1. Find injection, and pay attention to the database user's permissions and whether the site and the database are on the same server.

2. Find XSS, with the aim of getting into the backend for further attacks.

3. Find uploads: pages that allow uploads, such as application links, member avatars and some sensitive pages, and see whether the verification method can be bypassed, combined with the server's parsing characteristics.

4. Find downloads: test whether files in the website's download section, or attachment links at the end of articles, can be downloaded without authorization.

5. Find editors, typically eWebEditor, FCKeditor, etc.

6. Find possible backend management programs and try weak passwords.

Reprinted from the original link: https://mp.weixin.qq.com/s?__biz=Mzg2NDYwMDA1NA==mid=2247485589idx=1sn=f4f64ea923675c425f1de9e4e287fb07chksm=ce67a20cf9102b1a1a171041745bd7c243156eaee575b444acc62d325e2cd2d9f72b2779cf01scene=21#wechat_redirect
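As an added defender's example (not part of the original post or the site's code), a hypothetical upload validator for the identity-review step described above: the site only checked the MIME type and file header, so an image with a webshell appended passed. This validator also enforces an extension allowlist, checks that the magic bytes match the extension, walks the image structure and rejects anything trailing the image's end marker, and stores the file under a random server-generated name. It assumes only PNG and JPEG uploads are accepted.

```python
import os
import secrets
from typing import Tuple

# Hypothetical hardened check (example code, not from the original post).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

def png_trailing_ok(data: bytes) -> bool:
    """Walk PNG chunks; require an IEND chunk with nothing after it."""
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos == len(data)  # appended payload makes this False
    return False

def jpeg_trailing_ok(data: bytes) -> bool:
    """Require the EOI marker (FF D9) to be the very last two bytes."""
    return len(data) >= 4 and data.endswith(b"\xff\xd9")

def validate_upload(filename: str, mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, extension-or-reason). Checks are layered on purpose:
    MIME alone is client-controlled and was the only check in the writeup."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if mime not in ("image/png", "image/jpeg"):
        return False, "mime not allowed"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    ok = png_trailing_ok(data) if ext == ".png" else jpeg_trailing_ok(data)
    if not ok:
        return False, "malformed image or trailing data after image end"
    return True, ext

def stored_name(ext: str) -> str:
    """Never reuse the user-supplied name; store outside the web root."""
    return secrets.token_hex(16) + ext

# Constructed sample inputs (not real uploads): a PNG with only an IEND
# chunk, and a JPEG skeleton consisting of SOI ... EOI.
TINY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x02\xff\xd9"
```

Re-encoding the image server-side is the stronger control, since a payload can also be hidden inside a JPEG comment segment rather than after the end marker.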
