A web penetration writeup: error-based injection via the POST submission of a backend login box


Contents
0x00 Introduction
0x01 Vulnerability search
0x02 Exploiting the vulnerability
0x03 Wrap-up

0x00 Introduction

With authorization obtained beforehand, I carried out a friendly penetration test on a site owned by Sao Hu.

Knowing nothing about the target, I first gathered some basic information about Sao Hu's server.

The situation is as follows:

Operating system: UNIX

Web server: nginx/0.7.69

IP: XXX.XXX (behind a reverse proxy)

0x01 Vulnerability search

For the time being I found no vulnerabilities in the server itself.

Given the web server version, I tried the two nginx parsing vulnerabilities that 80sec disclosed some time ago.

Of course, how could such a big fox make such a silly mistake?

So after testing, I concluded that the site was not vulnerable to them.

Then I went looking for other vulnerabilities and found an injection vulnerability in the POST submission of the backend login box.

Moreover, it reports the database error back to the user. Here is a screenshot.


Entering admin' in the username field triggers an error (Figure 1).

From the error message we can obtain the following information:

Table: manage

Fields: manage_name and manage_pwd

0x02 Exploiting the vulnerability

Now that we know the site is vulnerable, we can exploit it.

Since injection is possible, let's start with error-based injection. We can use Firefox's Live HTTP Headers plug-in to capture the request.

The login box limits the input length. Although we could edit the length limit in the page, that would be an unnecessary extra step.

So we capture the request and submit the username and password directly in the POST body.

Of course, the password cannot be blank.

We can construct the POST body like this (the closing parenthesis of the outer concat was missing in the original listing):

username=admin' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x7e,manage_pwd,0x7e,manage_name,count(*),0x27,0x7e) from manage limit 0,1))a from information_schema.tables group by a)b#&password=dir

For one thing, we already knew the table and field names, so there was no need to inject step by step; we could dump them directly.

For another, the database privileges available through the injection were fairly low.
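As an added example that is not from the original post, the code below reconstructs the kind of string-built login query that produces exactly this behaviour (a stray quote turns into a database error that is echoed to the user) next to a parameterised version that treats admin' as plain data. The table manage with fields manage_name and manage_pwd comes from the error message above; the schema, the sample row and the use of SQLite instead of the target's MySQL are assumptions made so the example runs offline.

```python
import hashlib
import sqlite3


def make_db():
    """Constructed sample database mirroring the table and fields the error
    message leaked (manage / manage_name / manage_pwd). SQLite stands in for
    the target's MySQL; the MD5 storage only mirrors what the post observed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE manage (manage_name TEXT, manage_pwd TEXT)")
    conn.execute("INSERT INTO manage VALUES (?, ?)",
                 ("admin", hashlib.md5(b"s3cret").hexdigest()))
    conn.commit()
    return conn


def vulnerable_login_sql(username, password):
    """Builds the query the way the vulnerable login box evidently did:
    user input is spliced straight into the SQL text."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    return ("SELECT manage_name FROM manage "
            f"WHERE manage_name='{username}' AND manage_pwd='{pwd_hash}'")


def vulnerable_login(conn, username, password):
    """Runs the string-built query and, like the page's login box, hands the
    raw driver error back to the caller, which is what leaked the table and
    field names in Figure 1."""
    try:
        row = conn.execute(vulnerable_login_sql(username, password)).fetchone()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", row[0]) if row else ("denied", None)


def safe_login(conn, username, password):
    """Parameterised version: the quote in admin' can no longer end the
    string literal, so the query is either a valid lookup or a denial,
    never a database error. A real fix would also log the error server-side
    and return only a generic message to the client."""
    pwd_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT manage_name FROM manage WHERE manage_name=? AND manage_pwd=?",
        (username, pwd_hash)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)
```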

Figure 2 shows the result: the account name and the password, which is stored as an MD5 hash.

With that, the penetration test is basically done.

0x03 Wrap-up

After obtaining the account and password, we can log in to the backend (Figure 3).

I will not disclose any sensitive information, as was agreed beforehand.
