Grand 180-day penetration documentary, Chapter 4: SVN Hunter (SVN information leakage and a design flaw on a site lead to server compromise)

Source: Internet
Author: User
Tags: sdo

I thought the server on port 81 would be helpful for the next step of the penetration test. The results show that there are not many sites in this network segment; it seems that only this host and a database server are active in the whole segment.

So, a change of plan again..

I used a subdomain (second-level domain) lookup tool to export the Grand sites and ran a general scan over them...

A source code backup of bbsdk.sdo.com was found.
But after reading through it for a while, it appears to be another decommissioned site..

Half an hour later, the scan results came in.

Even where some sites have sensitive directories, they are blocked by the Grand UAM...

However, an SVN information leak was found on 58.215.44.53.

Database Information

However, external connections to the database are still not allowed......

The admin backend of this website can be viewed.

But the administrator password cannot be obtained, so there is no way to log in...

Still, it is a rare chance to analyze the SVN data carefully...

Found a registration page?!


Register a user and log in to the backend..

However, the message "invalid user" is displayed, and many functions in the corresponding directory cannot be accessed......

The same happens when switching to another directory.


Suddenly, this upload directory caught my eye..

Checking through the SVN data, there is an upload script..

If the verification restriction could be bypassed, this would be easy...

Continue walking through the directories...

Finally.. under the down directory, upload_channel.php showed some problems.


Only these four Grand users can view the files....

This is nothing special...

Besides, this upload script restricts other users from uploading at the code level, so it should be safe...

Suddenly a neuron fired: are you sure these four users have actually registered...?

A flash of insight, right!!! Have these four users registered at all?!

Although I thought it a bit unlikely, since with code-level restrictions this problem should not occur..

I still went back to the registration page with an uneasy feeling...

Yangchuangbin.. already exists...

Wushaoming.. already exists...

Mafeitao.. already exists...

Fanbing.. registered successfully!!
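The design flaw above, as an added example (not code from the original post): a small Python model of the upload authorization, with the whitelist-by-name policy the post describes beside a role-based policy in which the operator provisions the privileged accounts before self-registration is opened. The usernames and roles are constructed sample values.

```python
from dataclasses import dataclass, field

# Names the upload script trusts, hard-coded as the post describes (sample spellings).
UPLOAD_WHITELIST = ("yangchuangbin", "wushaoming", "mafeitao", "fanbing")


@dataclass
class Site:
    """Tiny model of the site: a username -> role table plus two policies."""
    accounts: dict = field(default_factory=dict)

    def register(self, username: str) -> bool:
        """Open self-registration: the only check is that the name is free."""
        if username in self.accounts:
            return False            # "already exists"
        self.accounts[username] = "user"
        return True                 # "registered successfully"

    def can_upload_vulnerable(self, username: str) -> bool:
        """Flawed policy: trusts the name itself, regardless of who holds it."""
        return username in UPLOAD_WHITELIST

    def provision_uploaders(self) -> None:
        """Fix, step 1: the operator creates the privileged accounts up front,
        so those names can never be claimed through self-registration."""
        for name in UPLOAD_WHITELIST:
            self.accounts[name] = "uploader"

    def can_upload_fixed(self, username: str) -> bool:
        """Fix, step 2: authorize by the role stored on the account, not the name."""
        return self.accounts.get(username) == "uploader"


def replay_scenario() -> dict:
    """Replays the post's scenario against both policies; returns the outcomes."""
    vuln = Site()
    for name in UPLOAD_WHITELIST[:3]:
        vuln.register(name)          # the three names that really had registered
    outcome = {"vuln_name_claimed": vuln.register("fanbing"),   # still free
               "vuln_can_upload": vuln.can_upload_vulnerable("fanbing")}

    fixed = Site()
    fixed.provision_uploaders()      # done before registration is opened
    outcome["fixed_name_claimed"] = fixed.register("fanbing")   # now taken
    fixed.register("newcomer")       # any other name is still free to register
    outcome["fixed_newcomer_upload"] = fixed.can_upload_fixed("newcomer")
    return outcome
```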


Back to down/upload_channel.php.. Finally, a lovely upload page is displayed~~

Upload a standard PHP file directly.. Uploaded successfully~

Although no upload address is returned, according to analysis of the SVN information the file should be saved without renaming, in the same directory..

I tried it.. Pia.. Success! Decisively connected with the Chopper (caidao) webshell client...



Connect to the database...

Looking back at it: this is the mobile app download site for the File Manager..

According to the database information, the download count is nearly 9 million..

If the website were compromised by criminals and the mobile app replaced with a trojan, it would harm a large number of mobile phone users!!!

Solution:

For bbsdk.sdo.com

· Decommission expired services in a timely manner

· Change the MSSQL password disclosed in this case

For wj.sdo.com


· Delete the leaked SVN information

· Change the MySQL password disclosed in this case

· Check for and remove any PHP web shells (trojans) that may have been left behind
