A metamorphosis 7-verification 4-language OA system


By: a real gray wolf man


First, the address:

http://extsjz.my012.com:8008

First, let me explain what the legendary "7 verification" login method is.
I have the account and password for this company's ERP system, but here the account and password alone are far from enough, because the server verifies the machine code of the client: only authorized machines can log on.
GET /servlet/extsjz.login.sjzclient?companyid=110&loginname=49/&password=1&code=088cfbe9aa0c0468312b8382c2fd115cff2d81_a1ee015c&if_zj=%200&cpuId=BFEBFBFF&netCardId=00:FF:2A:3A:4B:5B:00:00&drvId=%20%20%20%20%20%20%20%20%20%20%20%209VM79H5A
You will have noticed the parameters. Let me explain:
companyid: the company ID (for example Beijing 010, or 119)
loginname and password need no explanation
cpuId: the client's CPU ID
netCardId: the NIC MAC address
drvId: the physical hard disk ID
There is also a CODE: code = encrypt(cpuId + netCardId + drvId + time check)


That is to say, even if you know the password, you still cannot log on.
Below is an analysis of the so-called CODE.
Verification CODE: 5B95423888EC0468798E8023A2ED114C90FD0CF86CEE015C

5B95423888EC0 ***** 798E8023A2ED ***** C90FD0CF86CE *****

088cfbe9aa0c0468312b8382c2fd115cff2d8410a1ee015c is the CODE generated by my own machine and sub-account.
The masked part (red in the original) is the time check: the system time is encrypted and inserted into the CODE. It could perhaps be brute-forced.

But I came up with a cleverer solution, because the encrypted time stays the same.

By capturing packets, I took the wrong CODE from my local machine, extracted the correct time part, and inserted it into the CODE that was correct except for its time part: 5B95423888EC0 ***** 798E8023A2ED ***** C90FD0CF86CE *****

For example, if you enter the correct account and password, the system reports that the account is unauthorized, because the server has no record of this host's hardware information for the sub-account.

However, when I submit the correct hardware configuration information for the computer, the time part in the CODE still differs from the server's. That means the server insists on the current time, so the CODE captured on my local machine cannot log on.
After the correct time part is swapped in, login succeeds.
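The weakness described above is that the CODE is built from independently encrypted segments, so a fresh time segment can be transplanted into another CODE. As an added illustration from the defender's side (not the ERP's code, and not part of the original post), the following constructed Python shows a machine-binding check that resists that: one HMAC over every field including a server-issued, single-use nonce, so no segment can be cut out and reused, and a captured CODE is rejected on replay. It assumes a per-installation secret shared with the server; the MAC and drive ID values are made up.

```python
import hashlib
import hmac
import secrets
import time


class HardwareBindingServer:
    """Server side of a machine-bound login (constructed example, not the ERP's code)."""
    def __init__(self, key: bytes, nonce_ttl: float = 60.0):
        self.key = key                # per-installation secret, assumed issued at authorization time
        self.nonce_ttl = nonce_ttl    # seconds a challenge stays valid
        self.authorized = {}          # (companyid, loginname) -> (cpuId, netCardId, drvId)
        self.nonces = {}              # nonce -> issue time; each nonce is accepted once

    def authorize_machine(self, companyid, loginname, cpu_id, net_card_id, drv_id):
        self.authorized[(companyid, loginname)] = (cpu_id, net_card_id, drv_id)

    def issue_nonce(self, now=None):
        # The server, not the client clock, supplies the freshness value.
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = time.time() if now is None else now
        return nonce

    @staticmethod
    def compute_code(key, companyid, loginname, cpu_id, net_card_id, drv_id, nonce):
        # One MAC over every field: no segment can be cut out and spliced into another CODE.
        fields = [companyid, loginname, cpu_id, net_card_id, drv_id, nonce]
        return hmac.new(key, "\x1f".join(fields).encode(), hashlib.sha256).hexdigest()

    def verify(self, companyid, loginname, cpu_id, net_card_id, drv_id, nonce, code, now=None):
        now = time.time() if now is None else now
        issued = self.nonces.pop(nonce, None)          # consumed on first use, so a replay fails
        if issued is None or now - issued > self.nonce_ttl:
            return False
        if self.authorized.get((companyid, loginname)) != (cpu_id, net_card_id, drv_id):
            return False
        expected = self.compute_code(self.key, companyid, loginname, cpu_id, net_card_id, drv_id, nonce)
        return hmac.compare_digest(expected, code)


def demo():
    # Constructed values: companyid/cpuId from the request above, MAC and drive ID made up.
    key, hw = b"constructed-per-install-secret", ("BFEBFBFF", "00:11:22:33:44:55", "DRV-CONSTRUCTED")
    srv = HardwareBindingServer(key)
    srv.authorize_machine("110", "49", *hw)
    nonce = srv.issue_nonce(now=1000.0)
    code = HardwareBindingServer.compute_code(key, "110", "49", *hw, nonce)
    first = srv.verify("110", "49", *hw, nonce, code, now=1010.0)      # fresh: True
    replay = srv.verify("110", "49", *hw, nonce, code, now=1011.0)     # same CODE again: False
    return first, replay
```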



Then, accessing http://extsjz.my012.com:8008/servlet/extsjz.login.main brings up the login interface.

Because I haven't done this for a long time,

I asked him to help analyze the error message.
Although I am familiar with the injection statements below,
I was not sure it was a MySQL database, because of all the Java above.
Stinking fish told me it was MySQL anyway.
Because there was nothing in the headers: no .asp, .php, .jsp and so on.
This account only has ordinary employee privileges.
The goal for me and stingray was to get a webshell or admin permissions.
I started searching for an upload location with stinking fish and analyzed the upload path.
I did not expect that the error message would hand it to me directly.
The website structure was clear.

Stingray directly constructed an address for uploading arbitrary files from the upload URL.
First I uploaded a PHP file; it could not be parsed. I guessed a JSP file should be uploaded instead.
http://extsjz.my012.com:8008//cominfo/110/knowledge_file/1325776317692/404.jsp
Still could not be parsed.
At this point I was dizzy. Is it .NET?

I found out it was Apache...
Why can't it parse the file?

We divided the work: stinking fish started constructing a local file to upload to a directory that can be parsed,
and I helped him find the directory.
I directly opened a PK scan.
Suddenly stunned...


Damn it.

Apparently the servlet can be parsed. I opened a scanner and scanned like crazy. Nothing.
I searched Baidu for servlet results...

A Servlet is a server-side Java application that is independent of platform and protocol and can generate dynamic Web pages. It serves as the intermediate layer between client requests (Web browsers or other HTTP client programs) and server responses (databases or applications on the HTTP server). A Servlet is a Java application on the server inside the Web server. Unlike a traditional Java application started from the command line, a Servlet is loaded by the Web server, so the Web server must contain a Java virtual machine that supports Servlets.
I had never heard of Servlets before.
I looked for Servlet vulnerabilities and found that everything was from before 2007.
At that point I got ambitious: to find a vulnerability you should first understand how Servlets work, so I opened a website,
http://www.ibm.com/developerworks/cn/java/j-lo-servlet/, and found out I was so stupid that I couldn't understand anything.
Then I went to FUCK and posted this post...
Does anyone have any suggestions?

Scalpers .. People ..

Updated at any time if there is any progress


Update Progress
January 6


Both stingray and I obtained permissions for another company on the same system in the same C segment.


The website framework is HTML + JS.
PHP cannot be parsed because the directory has no parsing permission.
I tried to find an upload location and constructed an upload statement, filled the dir parameter with ../ and uploaded directly into the website root directory.
Then I sent the webshell to stinking fish, who has since rooted it.


Updated on March 13, January 7.

Last night, the three of us, stinking fish, silver and I, started studying it.
The little man constructed a directory that can be uploaded to on any of the servers,
but it is not parsed.
We studied until the early morning.
The result is that the two rooted servers in the C segment use the same system,
Servlets, so I am going to study the configuration files on the server I got to see what the server parses.

This morning, I got a server from my research with sanshi's big master.
Sanshi failed to get a reverse shell because of some blocks in the region.
So we found that there are many .class Java files in the same-level directory of the website.
http://extshow.fboos.com:8015/servlet/extys.winshow
winshow is the existing winshow.class,
but it is not at the same level as the website root directory.
So we tried to upload our own class program.

YoCo Smart 12:50:57
Which one do you want to see now? The top one is a 404. Wait half an hour; I don't know whether it's because it can't be opened. Let's take a rest first.
YoCo Smart 12:53:12
If you have done JSP websites, you should know that Java web has a delay. Because Java consumes too much and cannot be updated in real time, sometimes when a JSP is changed you cannot press F5 to see the effect. This one is also based on Java, so I guess it should be similar to JSP. I guess it's right. I will know in half an hour.
Living is not amiable you make me alive not as good as dead as 12:53:44
Well, you and I will upload a class to test it.
Living is not amiable you make me alive not as good as dead as 12:56:03
http://extshow.fboos.com:8015/servlet/extys.winshow
You uploaded it ??
Living is not amiable you make me alive not as good as dead as 12:56:18
Oh no
YoCo Smart 12:56:22
Obviously not
YoCo Smart 12:57:21
I don't know which part of the configuration file is responsible for the refresh time. The one that was uploaded last time was forty minutes ago. I don't know when the refresh will take effect. To be safe I want to wait an hour.
YoCo Smart 12:57:30
Mine is named top.class.

Several images follow.


Under the /home/show/extys/servlets/extys directory


Therefore
http://extshow.fboos.com:8015/servlet/extys.winshow can be parsed.

However, the 1.class and 2.class we uploaded, which should be parseable,
show a 404 when accessed by file name.
After the name is changed it can be accessed again.
This is a tangle.


January 8
I found 07 and asked him to edit the class for me and find the problem.

package extys;

import java.io.IOException;
// HttpServletEx, HttpServletBean and MyTools belong to the application's own framework;
// their package is not visible in the decompiled output.

public class winshow extends HttpServletEx
{
    public void EallGet(HttpServletBean hsBean) throws Exception, IOException
    {
        EallPost(hsBean);
    }

    public void EallPost(HttpServletBean hsBean) throws Exception, IOException
    {
        // The "js" request parameter is turned into a path and echoed into a script tag.
        String js = hsBean.getParameter("js");
        js = MyTools.replaceAll(js, ".", "/");
        hsBean.println("<div id=winshow style='height:100%'>I am Chinese</div>");
        hsBean.println("<script language='javascript' type='text/javascript' src='/js/" + js + ".js'></script>");
    }

    public void destroy()
    {
    }
}

If the package name is extys, our own package cannot be parsed.
So we compiled an extys package.
Then I packed up the whole site and we could see the source code.


Thanks to 07 for the decompilation tool.

Let me end this post here...
The system has already been researched.
If we continued, we could probably get the server.
This was not done to dump the database, nor to hack the site.
Only for research.
The administrator has been notified of the vulnerability.
http://www.qinghao.cn/1.php

I am very satisfied with this result.
If I were alone, I could not have done it.
Thank you all for helping me:
Sanshi, Fish, Silver Boy, 07
