Contents
0x00 click
0x01 vulnerability search
0x02 exploitation
0x03 finished
0x00 click
With authorization, I started a friendly penetration test of a site owned by Sao Hu.
Knowing nothing about it, I first gathered some basic information about Sao Hu's server.
The situation is as follows:
The server is a UNIX system
Web server: nginx/0.7.69
IP: XXX.XXX (behind a reverse proxy)
0x01 vulnerability search
For the time being I found no vulnerabilities on the server itself.
Based on the nginx parsing vulnerabilities 80sec found earlier, I tried the web server version a couple of times.
Of course, you can already guess: how could such a big fox make a silly mistake like that???
So after testing, I still concluded that there was no vulnerability there.
Then I went looking for other vulnerabilities and found a POST injection in the back-end login form.
It also reports database errors. I'll post a picture here for everyone.
[Figure 1: entering admin' in the username field produces a database error]
From the error we obtain the following information:
Table: manage
Fields: manage_name and manage_pwd
0x02 exploitation
Now that we know the site has a vulnerability, we can exploit it.
Since the field is injectable, let's start with error-based injection. We can use Firefox's Live HTTP Headers plug-in to capture the packets.
The login box limits the character length; we could change that limit, but it would be a pointless extra step.
So we capture the packet and submit the username and password via POST.
Of course, the password cannot be blank.
We can construct it like this:
username=admin' union select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x7e,manage_pwd,0x7e,manage_name,count(*),0x27,0x7e) from manage limit 0,1))a from information_schema.tables group by a)b#&password=dir
Since we already knew the table and field names, we didn't need to inject step by step and could dump them directly.
Also, the injection's database privileges were fairly low.
[Figure 2: the error message returns the manage_name and manage_pwd values]
The account and password are MD5-hashed.
This penetration is basically over.
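As an added illustration (not code from the post), here is a Python sketch of the login pattern the post exploits beside its parameterized fix, plus a check that flags the signatures of the post's error-based payload in POST bodies; the schema, the password-hash placeholder and the request-log lines are constructed assumptions.

```python
import re
import sqlite3
import urllib.parse

def make_db():
    # Constructed in-memory stand-in for the table/fields the post names (manage, manage_name, manage_pwd).
    db = sqlite3.connect(":memory:")
    db.execute("create table manage (manage_name text, manage_pwd text)")
    db.execute("insert into manage values ('admin', 'md5-hash-placeholder')")
    return db

def login_vulnerable(db, username, pwd_hash):
    # Vulnerable form: untrusted input spliced into the SQL text, so a quote in the username
    # breaks the statement and the database error surfaces to the client (the leak the post relies on).
    sql = "select manage_name from manage where manage_name='%s' and manage_pwd='%s'" % (username, pwd_hash)
    return db.execute(sql).fetchone()

def login_safe(db, username, pwd_hash):
    # Hardened form: bound parameters keep the quote inside the value; the input is only ever data.
    sql = "select manage_name from manage where manage_name=? and manage_pwd=?"
    return db.execute(sql, (username, pwd_hash)).fetchone()

def probe_error(db, username):
    # Returns the database error text the vulnerable login leaks for this username, or None.
    try:
        login_vulnerable(db, username, "x")
        return None
    except sqlite3.OperationalError as e:
        return str(e)

# Signatures of the error-based (floor/rand group-by) technique used in the post.
INJECTION_MARKERS = re.compile(r"union\s+select|floor\s*\(\s*rand\s*\(|group\s+by|information_schema", re.I)

def flag_login_bodies(bodies):
    # Returns [(index, [matched markers])] for URL-encoded POST bodies whose username field carries them.
    flagged = []
    for i, body in enumerate(bodies):
        username = urllib.parse.parse_qs(body, keep_blank_values=True).get("username", [""])[0]
        hits = [m.lower() for m in INJECTION_MARKERS.findall(username)]
        if hits:
            flagged.append((i, hits))
    return flagged

SAMPLE_POST_BODIES = [  # constructed request-log entries, not captures from the post
    "username=admin&password=dir",
    "username=admin%27&password=dir",
    "username=admin%27+union+select+1+from+(select+count(*),concat(floor(rand(0)*2),"
    "(select+concat(0x7e,manage_pwd,0x7e,manage_name,0x7e)+from+manage+limit+0,1))a"
    "+from+information_schema.tables+group+by+a)b%23&password=dir",
]
```

A lone quote (the second body) is only a weak signal, so the check keys on the union/floor/rand/group-by markers rather than on the quote itself.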
0x03 finished
After obtaining the account and password, we can enter the back end.
[Figure 3: logged in to the back end]
I will not post the sensitive information, as I was asked not to.