A Security Test of a Sogou Server (getshell + simple intranet probing)
During the Dragon Boat Festival, SGSRC sent zongzi, and I was moved to tears. So over these few days I planned a penetration test on Sogou. Although I managed to roam the intranet, the environment was painful to work in and I was later discovered, so I did not continue :( [I forgot my SGSRC number 23333]
At the beginning, I found a Sogou BBS at http://mt.sogou.com/bbs/. There was no weak password, but there was an IIS7 parsing vulnerability: I uploaded a picture through the front end and successfully took the server.
The permissions on this machine are locked down very tightly. As soon as the PHP itself raises a Warning or Error, a 500 Error is returned.
As a result, many things cannot be used :( (you have to experience this for yourself...)
Because a proxy could not be used, I had to write a file_get_contents file and call it remotely, one GET request at a time. I will just post what I found :)
When I connected to the MySQL database of mt.sogou.com, I found that the passwords for this website were stored in plain text :)
Plaintext!!!!
Querying the users with a sogou-inc.com email, I successfully cracked 3 users:
[Email protected] PY xxx 2015
[Email protected] 5 x m! (Changed)
[Email protected] Ma XXX @
Some internal systems (code, wiki, etc.):
http://mt.sogou.com/bbs/api/proxy.php?url=http://10.134.**.191/
http://mt.sogou.com/bbs/api/proxy.php?url=http://*****.dailybuild.sogou-inc.com/
http://mt.sogou.com/bbs/api/proxy.php?url=http://*****.dailybuild.sogou-inc.com/
http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.187/index.php
http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.196
http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.**.80/wiki_local/
http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.105/
MySQL should not use a blank root password, even on the intranet!
Mysql
10.11.***.224 empty root
10.11.***.131 root
10.11.***.203 root
10.11.***.99 root
"search04.mysql.db.sogou-op.org", "vr *****", "sbs *******"
Mysql: 10.134.**.237
Vrspider: 10.134.**.125
Reader, summary, ec, iq, xmldb, openhub: 10.144.**.40
Vrinst: 10.134.**.31
10.134.**.109: web searchhub
10.134.**.125: wap searchhub
10.134.**.121: vrqo
Share sad news :(
Solution:
Do not use the same password across intranet test machines!
All key IP addresses are sensitive.
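
The relay requests listed above leave a recognizable trace in the web server's access log: a query parameter whose value is a URL pointing at a private address or an internal hostname. The following detection sketch is an added example, not part of the original post; the log lines are constructed, and the function names and the internal suffix list are assumptions to adapt.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Internal DNS suffixes that appear on this page; replace with your own (assumption).
INTERNAL_SUFFIXES = (".sogou-inc.com", ".sogou-op.org")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jun/2015:10:01:02 +0800] "GET /bbs/api/proxy.php?url=http://10.0.0.5/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jun/2015:10:01:09 +0800] "GET /bbs/api/proxy.php?url=http%3A%2F%2Fbuild.dailybuild.sogou-inc.com%2F HTTP/1.1" 200 734',
    '203.0.113.9 - - [20/Jun/2015:10:02:00 +0800] "GET /bbs/forum.php?ref=http://example.com/ HTTP/1.1" 200 812',
    '203.0.113.9 - - [20/Jun/2015:10:02:05 +0800] "GET /bbs/index.php HTTP/1.1" 200 900',
]

def internal_target(value):
    """Return the host if value is a URL aimed at an internal address, else None."""
    if not value.lower().startswith(("http://", "https://")):
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:          # malformed URL, e.g. broken IPv6 literal
        return None
    if not host:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # not an IP literal: fall back to suffix match
        return host if host.endswith(INTERNAL_SUFFIXES) else None
    return host if (ip.is_private or ip.is_loopback or ip.is_link_local) else None

def scan(lines):
    """Yield (client, path, parameter, internal host) for each suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # parse_qsl percent-decodes, so encoded URLs are caught as well
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            host = internal_target(value)
            if host:
                hits.append((line.split()[0], target.path, name, host))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("request relayed to internal host:", hit)
```

Hostnames that resolve to internal addresses without matching a listed suffix are not caught by this check; resolving them at analysis time is a separate step.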