Discuz 3.2: a weak password leads to getshell and the database being compromised
First of all, the target is a lending (P2P) type website. I got dragged into this one myself, so I decided to give it a try.
Steps:
Out of habit, I first look at /admin.
Nothing there, but it returned the error message "Empty Action illegal operation. Please contact the Administrator". Put that string into a search engine and you can try to identify the program, download it and analyse it.
It can be found directly by searching. This message is common on the admin side of financial/loan websites. (You can try it.)
So finding the program here was unrealistic. On the other hand, I was feeling lazy, so the simpler the approach, the better.
Going back to the target site, hey, there is a Community section.
The address looks like this: http://www.xxxx.cn/bbs/forum.php. I can tell it is Discuz at a glance. Then /admin again.
Think, analyse, and draw up a battle plan:
1. Enumerate weak passwords on the backend login.
2. Use a social engineering database (mine is one of the most powerful) to look up the Administrator's email password and get into the backend through credential stuffing.
3. If plan 2 fails, penetrate other websites the Administrator has registered on and find the passwords the Administrator is currently using.
Judging by the small number of people in the community, the company has not promoted it, which means management is lax.
I really want to cry. Nothing to say. A weak password let me in.
Discuz 3.2 getshell:
First, install a plug-in in the backend.
Click Interface Information to import interface information.
That is where the Trojan gets written.
Access path: http://www.xxxx.cn/bbs/data/dzapp_haodai_config.php, and you will see that it has been written. (If the forum is the main site, it is /data/dzapp_haodai_config.php.) This is actually a third-party security issue. Every time I think of it, I am amazed at the white hats who report backend getshells: are they that short of money? Short of rank? Don't tell me it's for network security. Haha
Digging further:
I first wondered whether a predecessor had already packed up the site, so I checked the file upload/modification times. The archive was last modified at the end of 2014 and should have been packed by the Administrator, because the other files were modified from January 1, 2015 onward.
(Of course, it cannot be ruled out that a predecessor altered the modification time of this file. Even if the administrator is stupid, the password is weak. Haha)
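Since modification times can be altered, a baseline of content hashes is the more reliable way for an administrator to spot files written by a plug-in import or changed afterwards. This is an added example, not code from the original post; the directory layout and file names it creates (forum.php, data/cache_example.php, and data/dzapp_haodai_config.php from the path above) are constructed stand-ins, and the check is a plain baseline-versus-current comparison:

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every .php file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*.php"):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return (added, modified, removed) paths; only content hashes are compared,
    so a forged mtime cannot hide a change."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def demo():
    """Constructed Discuz-like tree (hypothetical file names): take a baseline, then
    simulate a plug-in import dropping a file under data/ and an existing file being
    altered with its mtime put back, which an mtime-only review would not notice."""
    with tempfile.TemporaryDirectory() as tmp:
        bbs = Path(tmp)
        (bbs / "data").mkdir()
        (bbs / "forum.php").write_text("<?php // constructed stand-in for forum.php\n")
        cache = bbs / "data" / "cache_example.php"
        cache.write_text("<?php // constructed stand-in for a legitimate cache file\n")
        baseline = hash_tree(bbs)

        (bbs / "data" / "dzapp_haodai_config.php").write_text(
            "<?php // constructed placeholder standing in for the written file\n")
        before = cache.stat()
        cache.write_text("<?php // constructed: content altered after baseline\n")
        os.utime(cache, (before.st_atime, before.st_mtime))  # mtime set back to old value

        return diff_manifests(baseline, hash_tree(bbs))


if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline manifest is taken right after installation or an upgrade and stored off the web server, so a compromised host cannot rewrite it.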
I quickly found the database account password, but with my well-practised database-dumping experience I still could not connect to the database:
1. External connections are not allowed.
2. If a CDN is used, the IP address is wrong.
So:
Damn it, so much time wasted. I just grabbed the SQL file and packed it up to build an environment locally and see what was worth looking at.
Conclusion: the write-up ends here. The subsequent privilege escalation will not be written up; it is too much.
Overall, this penetration was fairly successful. Spending a few days on one is quite common.
There is nothing brilliant in this article. Really, it is patience, patience and more patience. I hope you can learn something from it.