Today, we are penetrating a website.

Let me briefly describe it: PHP + MySQL. There are injection points. Direct Havij injection. The hl_admin table is displayed. Then inject to get the account and password.

The password is 32-bit. I tried again .. It cannot be solved. I wiped it. Then, because it is a MySQL injection point, you can read the text. I read the logon page code. Then I read the configuration file, and there is no information. I read the root password in config. Unfortunately, it cannot be used for external connections. It's useless. Then you can view the table content.

We can see that many tables have user names and passwords. You can add all the passwords that can be collected.
DataFound: username = admin
DataFound: password = c3284d0f94606de1fd2af172aba15bf3
DataFound: username = longcaiphp
DataFound: password = 5725d74774dafaf1700performance6c8214c3
Use it for decryption, and it prompts you to pay fees. Google is the first one. It turns out that MD5 encryption is used twice. This is the first time I have encountered such a site. So I tried to log in with admin and 123456, which is not correct.

Continue to flip through the tables. I see the adminlog table. Suddenly, look at the administrator logins to continue. Because I have tried a lot before, the logs are messy. But it's okay. They can be automatically sorted.

The logs are gratifying. Besides my logon records, I found my previous logon records. The administrator is also 2b. You have to guess many times for logon. Nima, I also tried a lot .. Finally, I tried it in a certain place. This has taken many detours. After the MD5 encryption is performed twice, the password was cracked. It contains the first three digits and the last three digits of two md5 values. One digit is the same. As a result, I always thought that the administrator's md5 was not the standard md5 .. Fortunately, I finally came back.
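The double MD5 storage described above is unsalted and fast, so identical passwords always produce identical stored values. As an added example (not code from the site or from the original post), this is one way a defender can retire stored md5(md5(password)) values without knowing the plaintexts, by wrapping them with PHP's password_hash() and upgrading at the next successful login; the function names and the sample record are hypothetical.

```php
<?php
// Added example: migrating unsalted md5(md5($pw)) hashes to password_hash().
// Function names and the sample record are hypothetical, constructed here.

// The legacy scheme: deterministic, unsalted, fast to compute.
function legacy_hash(string $password): string
{
    return md5(md5($password));
}

// Step 1 (batch job, no plaintext needed): wrap each stored legacy hash in a
// salted, slow hash so the table no longer holds bare MD5 values.
function wrap_legacy_hash(string $legacyHash): array
{
    return ['scheme' => 'wrapped', 'hash' => password_hash($legacyHash, PASSWORD_DEFAULT)];
}

// Step 2 (at login): verify against whichever scheme the record uses and
// return the record to store back, or null when the password is wrong.
function verify_and_upgrade(string $password, array $record): ?array
{
    if ($record['scheme'] === 'wrapped') {
        if (!password_verify(legacy_hash($password), $record['hash'])) {
            return null;
        }
        // The real password is known now, so drop the MD5 layer entirely.
        return ['scheme' => 'native', 'hash' => password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $record['hash'])) {
        return null;
    }
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $record;
}

// Constructed sample: one account whose row still holds the legacy value.
$stored = legacy_hash('correct horse battery staple');
$record = wrap_legacy_hash($stored);                 // state after the batch job
$record = verify_and_upgrade('correct horse battery staple', $record);
var_dump($record['scheme']);                         // scheme after first login
var_dump(verify_and_upgrade('wrong guess', $record)); // failed login
```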
Enter the background. Another amazing point has appeared.

This website has only one upload page. However, some calls are incorrect. Some can. Okay. Find more. Yes. For example, you will not be prompted when uploading the image, but the address will be given. If you upload a php file.

At first, I thought it was a filter. As a result, various packets are captured. Change the package. You can also go to the file management module to see if it has been uploaded.

Persistent tangle. Because there are more than 30 pages to upload. Let's look at the last page. The page for this site's upload call is where it is.

Really amazing. Later .. I saw a new PHP file in the last one. It's my big horse .. First, no matter when it appeared, open it first .. Enter the Trojan .. Nima. The uploaded php trojan files are all in it .. That is to say, they had actually been uploaded, but the error will pop up .. I used to go through file upload management in the background one by one .. At page 19 I found my horse. Do you need such a trap ..

Into the horse .. I cried. This Nima's. Disk C 2 GB. 2 GB disk size. Is Nima a server ?!!!!