Penetration into the yiba phishing site


Wenzicishui
3EST Information Security Team
When I accidentally discovered a phishing site, I decided to penetrate the site.

It is estimated that many people will be confused by the dazzling homepage. Based on experience, this kind of website is nothing more than several HTML pages, plus information about victims of an MDB data inventory. Therefore, it is natural to think about this.
 

There are not many sites above, but every good bird is an illegal site.

 

The next step is the process of searching for the target. Because there are not many websites and they are all phishing sites, it is hard to find the open source code of a website and download the database smoothly. The result cannot be parsed by MD5, have you ever been hacked before. I tried cookie spoofing, but still failed to enter the background. Later I found that one background can be entered directly with the omnipotent password, and there is an old version of eweb with no background; however, this version can be used to construct local asa uploads.
 

The method is to save the source code of the upload page to a local html file and modify it as follows.

 
During the upload process, the file header is also checked, so a sentence is merged with an image in order to be uploaded successfully.

Connect the kitchen knife...
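Seen from the defending side, this step worked because the file type was not enforced by a server-side allowlist and because a file-header check alone accepts an image with script text merged into it. The following is an added example, not part of the original post, of a server-side upload check that covers both; the names check_upload, ALLOWED and SCRIPT_MARKERS and the sample bytes are constructed for illustration.

```python
import os
import re

# Server-side allowlist: extension -> accepted file headers (magic bytes).
# Anything not listed (.asa, .asp, .aspx, ...) is rejected, whatever the
# upload form submitted by the client claims to permit.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Heuristic markers of server-side script text inside a supposed image.
# A bare "<%" is not used because it occurs by chance in binary data.
SCRIPT_MARKERS = re.compile(
    rb"<%\s*(?:@|=|eval|execute|request|response|server\.)"
    rb"|<\?php"
    rb"|<script[^>]{0,200}runat",
    re.IGNORECASE,
)

def check_upload(filename, data):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    magics = ALLOWED.get(ext)
    if magics is None:
        reasons.append(f"extension {ext or '(none)'} not in server-side allowlist")
    elif not data.startswith(magics):
        reasons.append("file header does not match extension")
    # A valid header proves nothing about the rest of the file: scan all of it.
    m = SCRIPT_MARKERS.search(data)
    if m:
        reasons.append(f"server-side script marker at offset {m.start()}")
    return reasons

# Constructed samples: a minimal 1x1 GIF, and the same GIF with a harmless
# ASP fragment appended, which still passes a header-only check.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,"
             b"\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
MERGED = CLEAN_GIF + b"<% Response.Write(1) %>"

if __name__ == "__main__":
    for name, blob in [("a.gif", CLEAN_GIF), ("a.gif", MERGED), ("a.asa", MERGED)]:
        print(name, check_upload(name, blob) or "accepted")
```

The marker scan is a heuristic; storing uploads under a server-generated name in a directory where script execution is disabled is the stronger control.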
 

The target station supports ASPX and goes directly to ASPX. First, I checked the recycle bin and could write data. I tested it.
It can still be executed. It has not been such a good thing for a long time!!
 

I uploaded an IIS script to run the password and found that it was useless. I knew the path of the target site.

Because these user names are all random numbers and passwords are also random, there is no such thing as out-of-the-stars. This password is also not associated with FTP, because the server uses serv-u, no matter what virtual host software you use, use RP to try PR ^_^.

The result cannot be uploaded to the recycle bin directory. It is reasonable to say that you have the execution permission.

It seems that this problem can only be clarified by entering the server. It is estimated that it is still a permission issue.
 

Using the out-of-the-stars idea, I found several directories, zend and php, and found that the classic media index DIRECTORY can be written and executed. I am too lazy and generally use the parameter-free version directly. In this way, I am too lazy to tangle with issues such as path abbreviations. The echo results tell me that I was not successful...
 

Don't be discouraged. Try t00ls. I guess many people are the same as me.

Failed

 
Once again, it seems useful to collect more versions.

Then dump out the hash and directly manage the login...
 

Find the target site

 

It turned out to be a virtual host software called Yifang, which has never been used before. It seems that no one has studied it after google.

 

Later, I found that the software is encrypted, and the background password is actually 35 characters:
G460AE3C5FB9641765CB2E68B06E4FA2845
In addition, the serv-u and mysql passwords cannot be cracked.
However, we found that all user passwords are stored in plain text.
In general, it seems that it is still relatively smooth. What is left behind is to study this set of software...

Thinking, if I don't have PR to raise the right, it's estimated that I will be out of service later... Therefore, the research on the virtual host software is still ongoing. If you have any experience, please share it with us. If you are interested, you can download the research:

http://www.efang.com.cn/download.asp
