I thought the port 81 server would be helpful for the next step of the penetration test... The results show that there are not many hosts on this segment... It seems that only this host and a database server are active in the whole segment.
So, change of plan again...
I used a second-level domain name query tool to export Grand's sites for a general scan...
One source code backup of bbsdk.sdo.com was found.
But after reading it for a while, it seems to be another offline site...
Half an hour later, the scan results came in.
Even if some sites have sensitive directories, they are blocked by the Grand UAM...
However, SVN leakage was found on 58.215.44.53.
Database Information
However, external connections are still prohibited...
You can view the backend information of this website.
But you cannot get the administrator password or log in...
However, it is a rare chance to carefully analyze the SVN...
Found a registration page???
Register a user and log on to the backend...
However, the message "invalid user" is displayed, and many functions in the corresponding directory cannot be accessed...
The same happens when you go to another directory.
Suddenly, this upload directory caught my eye...
I checked through SVN, and there is an upload program...
If the verification restriction can be bypassed, it will be easy...
Continue browsing the directories...
Finally... under the down directory, upload_channel.php showed some problems.
Only these four Grand friends can view the files...
This is nothing special...
In addition, this upload program restricts uploads by other users at the code level and should be safe...
Suddenly, a brain cell said: Are you sure these four users have already registered...?
A flash of light, right!!! Have these four users registered!!
Although I think it is a bit incredible, this problem should not occur given the code-level restrictions...
But I returned to the registration page with an uneasy mood...
Yangchuangbin... Already exists...
Wushaoming... Already exists...
Mafeitao... Already exists...
Fanbing... Registered successfully!!
Return to down/upload_channel.php... Finally, a cute upload page is displayed~~
Directly upload a standard PHP program... Uploaded successfully~
Although no upload address is returned, according to the SVN information analysis, the file should not be renamed and should be uploaded to the same directory...
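As an added illustration (not code from the original site or from this report), the following PHP sketches the access-control pattern the write-up describes, an upload handler that authorizes by username against a hard-coded list on a site with open registration, beside a hardened version that keeps the privilege on the server-side account record, reserves the privileged names at registration time, and stores uploads under a generated name in a directory that is not served as PHP. The function names, the role string, the `$existing` lookup callback and the allowed-extension list are assumptions; the four usernames are the ones given in the report.

```php
<?php
// Added illustration, not the site's own code. Hypothetical reconstruction of
// the flaw: authorization keyed on a username that anyone can pick at sign-up.

// ---------- Vulnerable pattern (as described in the write-up) ----------
// The four names were never actually registered, so whoever registers one of
// them first inherits the upload privilege.
const UPLOAD_WHITELIST = ['Yangchuangbin', 'Wushaoming', 'Mafeitao', 'Fanbing'];

function canUploadVulnerable(array $session): bool
{
    return isset($session['username'])
        && in_array($session['username'], UPLOAD_WHITELIST, true);
}

// ---------- Hardened pattern ----------
// 1. Privilege is a role on the account record, granted by an administrator,
//    never a display-name string.
// 2. Names that historically carried privilege are reserved; registration
//    refuses them (case-insensitively) even if no such account exists yet.
// 3. Uploads are checked by extension, renamed to a random name, and written
//    to a directory outside the document root, so a stray .php file is inert.

const RESERVED_NAMES = ['Yangchuangbin', 'Wushaoming', 'Mafeitao', 'Fanbing'];
const ALLOWED_EXT    = ['apk', 'zip'];   // assumption: the site ships mobile apps

/**
 * $existing is a hypothetical lookup: fn(string $name): bool, true if the
 * name is already taken in the user table.
 */
function registrationAllowed(string $name, callable $existing): bool
{
    foreach (RESERVED_NAMES as $reserved) {
        if (strcasecmp($reserved, $name) === 0) {
            return false;                 // reserved, regardless of registration state
        }
    }
    return !$existing($name);
}

/** Authorize on the server-side role only. */
function canUploadHardened(array $account): bool
{
    return ($account['role'] ?? '') === 'channel_uploader';
}

/**
 * Validate and store one entry of $_FILES. Returns the stored path, or null
 * when the request is rejected. $storageDir must not be under the web root.
 */
function storeUpload(array $account, array $file, string $storageDir): ?string
{
    if (!canUploadHardened($account)) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                      // .php and friends never reach disk
    }
    // Discard the client-supplied name entirely; generate an opaque one.
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Walk-through of the scenario in the report: a fresh account registers the
// unclaimed whitelisted name "Fanbing" and receives the default role.
$attackerSession = ['username' => 'Fanbing'];
$attackerAccount = ['username' => 'Fanbing', 'role' => 'user'];
$noSuchUser      = function (string $name): bool { return false; };

var_dump(canUploadVulnerable($attackerSession));
var_dump(registrationAllowed('Fanbing', $noSuchUser));
var_dump(canUploadHardened($attackerAccount));
```

Run with `php upload_check.php`: the vulnerable check accepts the newly registered "Fanbing" session, while the hardened version refuses both the registration of that name and any upload from an account that only holds the default role. The rename in `storeUpload` also removes the second condition the report relied on, that the file keeps its original name in a known, web-served directory.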
I tried it... Pia... Success! Decisive kitchen knife connection...
Connect to the database...
Going back to check, this is the mobile app download site of the File Manager...
According to the database information, the number of downloads is nearly 9 million...
If the website is infiltrated by criminals and the mobile app is replaced with a Trojan virus, it will cause harm to a large number of mobile phone users!!!
Solution:
For bbsdk.sdo.com
· Deprecate expired services in a timely manner
· Modify the MSSQL password in this example
For wj.sdo.com
· Delete SVN Information
· Modify the MYSQL password in this example
· Check for and delete any PHP Trojans