How do I use storm game (Internet) to storm Intranet (a large number of security risks)

From storm game to storm intranet, the Intranet only performs some web detection. Considering the impact on system operation and time, the staff network segment is often used.
http://g.baofeng.com/ Storm game official website.http://g.baofeng.com/ Userservice/submitquestion customer service center I want to ask questions. Xss code can be inserted without filtering. Then, the cookie is sent to the background.http://g.baofeng.com/ When editing game content, admin/login does not strictly filter Game Image uploads. You can change the package to obtain the shell. If you forget it, it is not described in detail. Now you have obtained the shell. As a game homepage server, user data is essential. It should be noted that the game uses sso login, but the sso login source code does not have access permissions, so it cannot analyze the specific login method. Search for database configurations and find files. There are database configuration and cache server configuration recharge interface configuration. (In the parameters. yml. test file, the configured ip address is 192.168.60.147. After analysis, it is basically confirmed that this is the ip network segment of the employee's work machine .) Connect to the database. What is more valuable is the game_bbs database. http://bbs.g.baofeng.com/ The database of this forum. There are not more than 5 million users. Promotion comrades need to work hard. This server does not jump over. As a stepping stone, it jumps into the Intranet. Wipe !!!!!!! http://192.168.2.74/index.php/user/login/ Data cluster management machine. The server is down, sister !! Not me .. Login box injection, username write 'and 1 = 2 union select 1 from (select + count (*), concat (floor (rand (0) * 2 ), (select user from mysql. user limit) a from information_schema.tables group by a) B -- the root permission was obtained before the test. The path is/var/www/html/. No proof is provided. gpc is not enabled, you can write a shell. http://192.168.2.160:8080/ella/ Cluster Monitoring Platform. No password. http://192.168.2.186/ http://192.168.2.187/ Storm cms management center. Weak Password test/test http://192.168.2.54/gotologin.box BD data system. Struts command execution.
 Solution:

Useful Hole Filling, obsolete Shutdown