Reference: http://www.bkjia.com/Article/201209/157778.html
This penetration was also a painful one. The target site is a Discuz forum running the latest version, for which there is no 0day. Looking at the side stations (the other sites hosted on the same server), they are basically Deep Throat CMS and Discuz. Deep Throat CMS had been injected before, but its password encryption scheme is unknown, so even with the password hash in hand there was no way in. Sweeping the C-class subnet would take too long, so we decided to go with social engineering. One of the several Deep Throat stations was in the business of selling virtual hosts, so we started with him.
First, chat with him carefully as a customer and gain his trust.
Once he trusted me, he agreed to my requirements and I bought space from him.
As a result I received the backend URL and the account password. It was also the first time I had got hold of a Deep Throat CMS site.
Having been handed the backend, I looked for a breakthrough point, and first changed the backend account password as a precaution against him.
The Deep Throat CMS upload vulnerabilities published on the Internet are no longer usable; all of them have been fixed, so you have to find one yourself. Of course, this also exposed a "chicken rib" vulnerability (one of marginal value).
In the backend upload settings, the upload directory can be changed to /1.asp under the site root. We all know the IIS6 parsing vulnerability: a directory whose name ends in .asp is handled by the ASP engine, so an image uploaded into it is executed as ASP. The IIS6 vulnerability is real, but here it was not triggered through the image upload. In my test, although the upload path was modified, files could not be uploaded into the /1.asp directory.
In the module section, however, we can upload a module package containing the pony (a small webshell). It is automatically uploaded to /1.asp and decompressed. As a result, we got our lovely pony.
Done
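As an added example (not part of the original write-up), here is a Python check one could run over a copy of an IIS 6.0 web root after an incident like this, to find directories named like ASP scripts and the non-script files beneath them that IIS 6.0 hands to asp.dll, which is exactly what the /1.asp trick above relies on. It goes beyond the page by also flagging the related IIS 6.0 filename variant where a ';' truncates the name (shell.asp;.jpg). The sample web root it builds is constructed for the demonstration and the file contents are placeholders; the function names are mine.

```python
import os
import tempfile
from pathlib import Path

# Extensions that IIS 6.0 maps to asp.dll. IIS 6.0 decides the handler from
# the first path component carrying such an extension, so a *directory* named
# 1.asp makes every file below it run as ASP, and a file named
# shell.asp;.jpg is executed as shell.asp because the lookup stops at ';'.
ASP_EXTENSIONS = (".asp", ".asa", ".cer", ".cdx")


def _has_asp_extension(name):
    return name.lower().endswith(ASP_EXTENSIONS)


def find_parse_risks(webroot):
    """Walk a copy of the web root and list IIS 6.0 parsing hazards.

    Returns a sorted list of (kind, path) tuples, paths relative to webroot
    with forward slashes.
    """
    root = Path(webroot)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Does this directory or any ancestor carry an ASP extension?
        under_asp_dir = any(_has_asp_extension(p) for p in rel_dir.parts)
        for d in dirnames:
            if _has_asp_extension(d):
                hits.append(("asp-named directory", (rel_dir / d).as_posix()))
        for f in filenames:
            rel_file = (rel_dir / f).as_posix()
            stem = f.split(";")[0]
            if ";" in f and _has_asp_extension(stem):
                hits.append(("semicolon-truncated name", rel_file))
            elif under_asp_dir and not _has_asp_extension(f):
                # e.g. /1.asp/shell.jpg: looks like an image, runs as ASP
                hits.append(("non-script file under asp-named directory", rel_file))
    return sorted(hits)


def build_sample_webroot(base):
    """Create a constructed (hypothetical) IIS web root for the demo."""
    base = Path(base)
    files = {
        "images/logo.jpg": "GIF89a",                      # harmless image
        "1.asp/shell.jpg": '<%eval request("c")%>',       # the pony from the article
        "upload/shell.asp;.jpg": '<%eval request("c")%>', # ';' truncation variant
        "upload/photo.jpg": "GIF89a",                     # harmless image
        "index.asp": '<% Response.Write "hi" %>',         # legitimate script
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def demo_hits():
    """Build the constructed web root in a temp dir and return its hazards."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_parse_risks(build_sample_webroot(tmp))


if __name__ == "__main__":
    for kind, path in demo_hits():
        print(f"{kind}: {path}")
```

The scan is intentionally path-based rather than content-based: on IIS 6.0 the file bytes are irrelevant, so a JPEG-looking file under /1.asp/ is just as dangerous as one with an .asp name, and a clean response to this check means removing or renaming the script-named directories, not inspecting the images.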