From fans' blog
The host tested here belongs to a friend of mine. It is a dual-line virtual host carrying several sites, and the stack is Apache + PHP + MySQL. Information gathering comes before any testing: collect and analyse system information, database information, network device information, administrator information, and so on. First, scan the host's ports:
As shown in the figure, ports 80 (web), 443 (HTTPS) and 5901 (VNC) are open. Because this is a shared virtual host, the first step is to confirm how many domain names and websites it serves. Query with a same-IP site lookup tool:
We can see that there are seven sites on this IP address. I browsed these seven sites at random, and one of them seemed to have a problem. For example:
A very familiar phpcms logo. Since this live site uses an open-source CMS, it is worth "exploring". Use the wwwscan tool for further scanning.
The scan reported several directories; visit them one by one to check for any sensitive information.
The administrator interface shows that this is phpcms 2007. Identifying that a site runs a known program such as phpcms 2007 is a common step in web application penetration testing. Recall that this version has a classic multi-byte encoding vulnerability. The cause is that 0xBF27 is not a valid GBK character, but after addslashes() it becomes 0xBF5C27; 0xBF5C is a valid GBK character, so 0xBF5C27 is processed as the character 0xBF5C followed by a single quote. The result is that whatever follows the quote is executed as part of the query statement. Several vulnerabilities in phpcms 2007 stem from this multi-byte encoding problem; the one tested here is in the area.php file.
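The following is an added illustration, not code from the original post, of the byte-level reason addslashes() fails on GBK input and of the charset-aware check that closes the hole (the real fix in PHP is prepared statements or an escape function told the connection charset, e.g. mysql_set_charset). The function names and sample bytes are my own; the 0xBF27 sequence is the one the text describes.

```python
# Added example, not from the original post: why addslashes() fails under GBK,
# and the charset-aware escape that closes it. Pure Python, no database needed.

def addslashes(data: bytes) -> bytes:
    """Byte-wise imitation of PHP's addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text: str) -> bool:
    """Scan decoded text the way an SQL parser would: a quote is escaped only
    if it is preceded by a backslash that is not itself escaped."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False


def quote_survives(escaped_bytes: bytes, charset: str = "gbk") -> bool:
    """Decode the escaped bytes as the connection charset and report whether a
    live quote reaches the parser (errors='replace' mimics a lenient server)."""
    return has_unescaped_quote(escaped_bytes.decode(charset, errors="replace"))


def charset_aware_escape(data: bytes, charset: str = "gbk"):
    """Hardened path: reject bytes that are malformed in the charset, then escape
    at the character level so a backslash can never be absorbed into a multi-byte
    character. Returns None when the input is not well-formed."""
    try:
        text = data.decode(charset)  # strict: 0xBF 0x27 is rejected here
    except UnicodeDecodeError:
        return None
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)


if __name__ == "__main__":
    raw = b"\xbf'"                                 # the 0xBF27 sequence from the text
    print(addslashes(raw).hex())                   # bf5c27: backslash swallowed into 0xBF5C
    print(quote_survives(addslashes(raw)))         # True: the quote reaches the parser
    print(charset_aware_escape(raw))               # None: malformed GBK is rejected
```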
Submit the URL: http://www.nuanyue.com/area.php?action=city&province=%BF%27
A classic multi-byte encoding vulnerability. Continue submitting to determine the number of columns:
http://www.nuanyue.com/area.php?action=city&province=%BF%27 order by 1 /**
We can see that the normal page is returned. Continue to submit the URL:
http://www.nuanyue.com/area.php?action=city&province=%BF%27 order by 2 /**
An abnormal page is returned.
So the column count is 1. Submit again:
http://www.nuanyue.com/area.php?action=city&province=%BF%27/**/union/**/select/**/user()/**
It appears that the website connects to the database with a high-privilege account. Further information can be collected through version(), database(), and so on. Next, dump the administrator username and password of the phpcms back end directly. Continue submitting:
http://www.nuanyue.com/area.php?action=city&province=%BF%27/**/union/**/select/**/CONCAT(username,password)/**/from%20phpcms_member%20where%20userid=1/*
As you can see, the website administrator is phpcms, and the password is stored as a 32-character MD5 hash, which can be looked up directly on an MD5 lookup site.
With the admin back-end account and password known, go straight to the back end and upload the script Trojan. Because phpcms places no restrictions on uploading PHP scripts from the back end, the script Trojan can be uploaded there.
In the second stage, the penetration relies mainly on the side-station approach: compromise a neighbouring site on the shared host and use it as an indirect route to system privileges. Before that, it makes sense to gather database information, system information, website information and system administrator information for a comprehensive analysis. Having obtained access to one website, we analyse it.
The system's MySQL administrator account is found to be root, with a password of 12*. Many administrators reuse one password across systems. Can this password be used for VNC as well?
It logs straight in; an exploit is then used for privilege escalation to root. "Three parts technology, seven parts management" is well confirmed here: a password reused across systems, or one that follows a predictable pattern, is a risk.