JSP + MySQL + Resin: Penetration Process of a Site

Source: Internet
Author: User

After a preliminary look at the jsp + mysql setup, it is easy to find an injection point:

The MySQL root password is 123321 (Listen 5 is a rip-off, it charges a fee; www.tmd5.com is recommended instead), but a telnet check shows that MySQL cannot be connected to.

CAB6CCCFAA4F9B2297B359AE934B6EC1 zhangguishu-123

3c1cefc8a3e3e415cfb98b63c0a493c6 linmengjian8018

 

A directory scan finds the FCKeditor.

Almost all directories can be listed. The following account is used to log on as an administrator. The add-content page has two upload fields, and both rename uploaded files automatically. One of them, intended for video uploads, accepts files in asa format, so I thought a webshell was basically obtained at this point. As it turned out, the path could not be found after the upload.

Finally, the path was found in the source of the previous video page. However, the .asa file opened directly as text and was not parsed. Making a page report an error then showed that the server runs the Resin-3.0.14 parser.

Okay, time for a different approach. The MySQL account has root permission, so try writing a file. To write a file, you must know the absolute path and have magic_quotes_gpc = OFF, but no error message is returned to reveal the path. Later I thought that I could find the web path based on the parser: the Resin configuration file contains the web path, so I can try to find the configuration file in the default installation paths of Resin.

C:/Resin-3.0.14/conf/resin.conf

D:/Resin-3.0.14/conf/resin.conf

E:/Resin-3.0.14/conf/resin.conf

F:/Resin-3.0.14/conf/resin.conf

C:/Resin/conf/resin.conf

D:/Resin/conf/resin.conf

E:/Resin/conf/resin.conf

F:/Resin/conf/resin.conf

I used pangolin to guess the Resin installation path and read D:/Resin-3.0.14/conf/resin.conf, which has the web path at the end.

Continuing with pangolin, write a JSP webshell, connect to it with the connector, and upload a trojan. Getshell is successful.
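Added example, not part of the original write-up: reading resin.conf and writing the webshell through the injection both depend on the web application's MySQL account holding the global FILE privilege with secure_file_priv unrestricted. The check below audits SHOW GRANTS output for that condition; the account names, grant lines and directory are constructed assumptions.

```python
import re

# Matches one line of SHOW GRANTS output, e.g.
# GRANT SELECT, INSERT ON `site`.* TO 'webapp'@'localhost'
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<obj>\S+)\s+TO\s+'(?P<user>[^']*)'@'(?P<host>[^']*)'",
    re.IGNORECASE,
)

def global_privileges(grant_lines):
    """Return the privileges granted ON *.* (FILE only exists at that level)."""
    privs = set()
    for line in grant_lines:
        m = GRANT_RE.search(line)
        if m and m.group("obj").replace("`", "") == "*.*":
            privs.update(p.strip().upper() for p in m.group("privs").split(","))
    return privs

def audit(app_user, grant_lines, secure_file_priv):
    """secure_file_priv: '' = unrestricted, None = NULL (disabled), else a directory."""
    findings = []
    privs = global_privileges(grant_lines)
    has_file = "FILE" in privs or "ALL PRIVILEGES" in privs
    if app_user.lower() == "root":
        findings.append("app-connects-as-root")
    if has_file:
        findings.append("file-privilege-granted")
    if has_file and secure_file_priv == "":
        # SQL file reads and writes can reach any path the mysqld user can.
        findings.append("server-files-readable-and-writable-via-sql")
    elif has_file and secure_file_priv is not None:
        findings.append("file-io-limited-to:" + secure_file_priv)
    return findings

# Constructed sample data (not taken from the site in the write-up).
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
HARDENED_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `site`.* TO 'webapp'@'localhost'",
]

if __name__ == "__main__":
    print("weak:    ", audit("root", WEAK_GRANTS, ""))
    print("hardened:", audit("webapp", HARDENED_GRANTS, None))
```

An empty findings list means the application account cannot read or write server files through SQL, so an injection point alone would not expose the configuration file or the web root.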

Run cmd. whoami shows administrator privilege, and net user and net localgroup can be used directly. ipconfig shows the host is on an intranet, and netstat -an shows that 3389 is enabled.

Upload lcx and forward the port.

However, the connection was not successful and no data was exchanged. At first, we thought security software was the cause. tasklist showed that Rising and McAfee were present, taskkill /im XX.EXE /F killed the processes directly, and net start did not show any process related to security software. By the way, port 3389 is also restricted in the registry, but it still could not be connected; just bad luck. The goal was to take the server anyway, so in the end a trojan was installed manually.

From kylin's blog
