One Security Test for a server in Sogou (getshell + simple internal detection)

Source: Internet
Author: User


During the Dragon Boat Festival, SGSRC sent zongzi, and I was moved to tears. So over these few days I planned a penetration test of Sogou. Although I successfully roamed the intranet, the environment was painful to work in and I was later discovered, so I did not continue :( [I forgot my SGSRC account number 23333]

At the beginning, I found a Sogou BBS at http://mt.sogou.com/bbs/. There was no weak password, but there was an IIS7 parsing vulnerability, so I uploaded a picture through the front end and successfully took the server.



The permissions on this machine are locked down very tightly. Whenever PHP itself raises a Warning or an Error, a 500 error is returned.

As a result, many things cannot be used :( You have to experience this for yourself...

With no proxy available, I had to write a file_get_contents file on the remote server and then call it with one GET request at a time. I will directly post what I found :)





When I connected to the MySQL database of mt.sogou.com, I found that the passwords for this website were stored in plain text :)

Plaintext !!!!

Querying for users with a sogou-inc.com email address, I successfully cracked 3 users

[Email protected] PY xxx 2015

[Email protected] 5 x m! (Changed)

[Email protected] Ma XXX @

Some system code Wiki, etc.

http://mt.sogou.com/bbs/api/proxy.php?url=http://10.134.**.191/

http://mt.sogou.com/bbs/api/proxy.php?url=http://*****.dailybuild.sogou-inc.com/

http://mt.sogou.com/bbs/api/proxy.php?url=http://*****.dailybuild.sogou-inc.com/

http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.187/index.php

http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.196

http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.**.80/wiki_local/

http://mt.sogou.com/bbs/api/proxy.php?url=http://10.11.***.105/





MySQL should not use a blank root password, even on the intranet!

Mysql

10.11.***.224 empty root

10.11.***.131 root

10.11.***.203 root

10.11.***.99 root

"search04.mysql.db.sogou-op.org", "vr *****", "sbs *******",

Mysql: 10.134.**.237

Vrspider: 10.134.**.125

Reader, summary, ec, iq, xmldb, openhub: 10.144.**.40

Vrinst: 10.134.**.31

10.134.**.109: web searchhub

10.134.**.125: wap searchhub

10.134.**.121: vrqo





Share sad news :(
 

 

Solution:

Do not use the same password on intranet test machines!

All key IP addresses are sensitive.
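
An added detection example, not part of the original write-up: it scans IIS W3C logs for requests whose query string carries a URL pointing at a private address or an internal-only hostname, which is the shape of the relay requests listed above. The log rows, the full addresses and the `placeholder` host label are constructed, and treating `.sogou-inc.com` as internal-only is an assumption.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: hostname suffixes that only resolve inside the network.
INTERNAL_SUFFIXES = (".sogou-inc.com",)

def is_internal_host(host):
    """True for private, loopback or link-local IPs and internal-only names."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:  # not an IP literal, so treat it as a hostname
        host = host.lower().rstrip(".")
        return host == "localhost" or host.endswith(INTERNAL_SUFFIXES)

def internal_targets(query):
    """Internal hosts named by URL-valued parameters of one query string."""
    hits = []
    for values in parse_qs(query).values():  # parse_qs percent-decodes values
        for value in values:
            try:
                host = urlsplit(value).hostname if "://" in value else None
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if host and is_internal_host(host):
                hits.append(host)
    return hits

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, internal_host) per suspicious W3C log row."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared in the log
        elif fields and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            for host in internal_targets(row.get("cs-uri-query", "")):
                findings.append((row.get("c-ip"), row.get("cs-uri-stem"), host))
    return findings

# Constructed sample log; addresses and the "placeholder" label are made up.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-06-20 10:00:01 GET /bbs/api/proxy.php url=http://10.134.0.191/ 203.0.113.7 200
2015-06-20 10:00:09 GET /bbs/api/proxy.php url=http%3A%2F%2F10.11.0.80%2Fwiki_local%2F 203.0.113.7 200
2015-06-20 10:00:15 GET /bbs/api/proxy.php url=http://placeholder.dailybuild.sogou-inc.com/ 203.0.113.7 200
2015-06-20 10:01:02 GET /bbs/img.php src=http://example.com/logo.png 198.51.100.4 200
2015-06-20 10:01:30 GET /bbs/index.php - 198.51.100.4 200
""".splitlines()
```

Calling `scan_iis_log(SAMPLE_LOG)` returns the three proxy.php rows and ignores the request that fetches an external image and the one with no query string.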
