Author: akens
Target: a domestic comprehensive game site ranked around 800
There is nothing technically deep in this intrusion; it is just some ideas and experience. If I have written anything wrong, I hope the experts will correct me. Although the site really was compromised, the actual URL has been replaced.
Injection point: http://pk.akens.com/index.php?Iid=1. The injection point turned out to have 20 fields:
http://pk.akens.com/index.php?Iid=1/**/and/**/1=2/**/union/**/select, 11,12,13,14,15,16,17,18,19,20/*
Looking at some basic information: user()=cmsware888@10.0.0.16, database()=cmsware, version()=4.0.27-standard
Once this information came out I was pleased for a moment, but a MySQL version below 5 means table and field names cannot be enumerated from the system database, and files cannot be read without sufficient privileges. Next I tried various tools to guess the table names, but they all failed.
After a cigarette to clear my head: the site was fairly large and had a lot of subdomains, so could I start from the subdomains? Google turned up several suspicious points on the substations, but the results were disappointing and none were injectable. Back at this injection point, I looked at the information again and a thought suddenly came to mind. The database name is cmsware. Could the site be running a whole-site program called cmsware? I immediately went to Google and searched for the keyword cmsware, and there was indeed a content management system called CMSware. If the site was using this system, things would be easier. I went to the official site, downloaded a copy of the source code and installed it on a virtual machine. Checking its database, I found the table that stores administrator passwords: cmsware_user. Put it into the query:
http://pk.akens.com/index.php?Iid=1/**/and/**/1=2/**/union/**/select, 11,12,13,14,15,16,17,18,19,20/**/from/**/cmsware_user/*
The expected result did not come back... There were two possibilities: either the site does not use this system at all, or the administrator changed the default table name. Looking at user()=cmsware888@10.0.0.16, I tried changing the table name to cmsware888_user in the query:
http://pk.akens.com/index.php?Iid=1/**/and/**/1=2/**/union/**/select, 11,12,13,14,15,16,17,18,19,20/**/from/**/cmsware888_user/*
Unexpectedly, an error page was returned. Successful penetration was not far off now, so I put the fields into the query:
http://pk.akens.com/index.php?Iid=1/**/and/**/1=2/**/union/**/select, uId,12,13,uName,15,16,uPass,18,19,20/**/from/**/cmsware888_user/*
That produced an administrator's username and password, but the password was a 32-character MD5 hash and could not be cracked. It did not matter: such a large site could not have only one administrator. One by one the passwords of nearly 20 users were pulled out, and those with uGId=1 were filtered out and sent for cracking.
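The reason nearly 20 of these hashes were worth sending off for cracking is that they were plain, unsalted MD5 digests: identical passwords give identical hashes, and precomputed lookup tables work against them. The following Python is an added example, not code from the write-up or from CMSware, that shows what a defender would do with such a table: recognise legacy 32-hex MD5 values, still verify them in constant time so existing users can log in, and transparently rehash each password with salted PBKDF2-HMAC-SHA256 on the next successful login. The column names uId, uName, uPass and the admin group id uGId=1 are taken from the write-up; the user rows themselves are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import re

# A bare 32-hex-character value is the legacy unsalted MD5 format seen in the write-up.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your hardware; higher is slower for attackers too


def looks_like_unsalted_md5(stored: str) -> bool:
    return bool(MD5_HEX_RE.match(stored))


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, self-describing so the parameters can change later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Verify against either format; constant-time comparison in both branches."""
    if looks_like_unsalted_md5(stored):
        legacy = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(legacy, stored.lower())
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), base64.b64decode(salt_b64), int(iterations)
    )
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def login_and_upgrade(password: str, stored: str):
    """Returns (ok, stored_value_to_write_back). Legacy hashes are replaced on success."""
    if not verify_password(password, stored):
        return False, stored
    if looks_like_unsalted_md5(stored):
        return True, hash_password(password)
    return True, stored


def audit_user_rows(rows):
    """Count users, and admins (uGId == 1), still on unsalted MD5 so the rollout can be tracked."""
    legacy = [r for r in rows if looks_like_unsalted_md5(r["uPass"])]
    return {
        "total": len(rows),
        "legacy": len(legacy),
        "legacy_admins": sum(1 for r in legacy if r["uGId"] == 1),
    }


# Constructed sample rows in the shape of the cmsware user table described above.
# "123456" hashes to e10adc3949ba59abbe56e057f20f883e under MD5; the other value is already migrated.
SAMPLE_ROWS = [
    {"uId": 1, "uName": "admin", "uGId": 1, "uPass": "e10adc3949ba59abbe56e057f20f883e"},
    {"uId": 2, "uName": "editor", "uGId": 2, "uPass": "e10adc3949ba59abbe56e057f20f883e"},
    {"uId": 3, "uName": "ops", "uGId": 1, "uPass": hash_password("correct horse battery staple")},
]

if __name__ == "__main__":
    print(audit_user_rows(SAMPLE_ROWS))
    ok, new_value = login_and_upgrade("123456", SAMPLE_ROWS[0]["uPass"])
    print(ok, new_value.split("$")[0])
```

Note that the two sample users who chose "123456" share one MD5 value, which is exactly what makes bulk lookup cheap; after `login_and_upgrade` each gets a distinct salted hash, and `audit_user_rows` lets you watch the count of legacy admin hashes fall to zero before forcing resets on whoever never logged in.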
Several of them were cracked successfully. Passwords were now in hand, and the problem became finding the admin backend. After a long walk around the site, plus tool scans, Google searches and Baidu searches, no backend was found. I then checked the whole-site program's folders on the domains www.akens.com and pk.akens.com
and found that none of those directories existed, so I concluded the program had been given a separate domain. With that idea, it was back to the database to finish the job of finding the backend, because many programs store the site URL during initial configuration. Searching through the virtual machine's database, I finally found a table, cmsware_sys, that stores the site URL.
Submit: http://pk.akens.com/index.php?Iid=1/**/and/**/1=2/**/union/**/select, 11,12,13,varName,15,16,varValue,18,19,20/**/from/**/cmsware888_sys/**/where/**/id=6/*
With the account and password pulled out earlier, I logged into the backend without trouble at http://cms.akens.com/cmsware/admin/index.php
Getting a shell from the backend is easy. Under system management there is a system function management option where PHP code can be added directly. Accessing http://127.0.0.1/CMSware/setting/cms.ini.php then gives shell access and the ability to execute database statements. Logging into the shell, it contained the main site's and the substations' folders; after reading around a little, they must have been doing file synchronization. That was about it. Delete the shell and leave.