One sweat penetration

Source: Internet
Author: User

Why the sweating? Because the temperature is as high as 40 degrees! Of course I'm sweating.
Please give your comments on any bad points in the article! After all, I am also a student B. Without your advice, how can I improve the technology?

First, I threw the domain name www.2cto.com into WVS, Yu Jian, pker and wwwscan! No backend turned up in the scans!!
It's cool!!!!! The main site seems hopeless! I dropped it into 114 for a lookup.. It is on an independent server!
 
The hope of going in through a side site is shattered!! And I saw that the main site did a good job on security! It is an ASPX site! No injection was found in the backend, and manual tests were performed!
So I followed a link from the main site to a second-level domain! If there is a second-level domain, you can start from the second-level domain!
Pinged it out of habit... Again, the pressure is on.
 
It's not the same IP address! There is no way to find useful information from the second-level domain name since it is all one site!!
It uses the same template as the main site!! Injection and so on!! The backend was found!
With no injection, I tried weak passwords. What if a weak password succeeds!! Wow!!

 

Tried various weak passwords!! Failed.. Thought about it.. Went back to the page to look for other useful information!!
Clicked the image viewing link on a second-level domain!!!

 
You can see this link here!! System_dntb made me think of the editor first!! I hurried to the default path!!
Accessed the default page and viewed the source code!!!
 

Now you should know what I will do!! Modify it with Firefox Firebug and upload!!
Great success !!!
 
It occurred to me: since the code is the same in some places and only partly changed, is there a vulnerability in the main site too?
Went back to the front end to check!!! I just clicked a link and, to my delight, it was the same as on the second-level domain!!
 
Hurried to modify it with Firefox Firebug and waited for the result!!
Wait for his sister !!
 
Upload rejected!!! However, I still remembered that the breakthrough method was that Guilin veterans could modify cookies and upload, but that required exploiting the IIS 6.0 parsing vulnerability!!!
Try it!
 
Upload is uploaded !! But I still need to be able to live without iis7 !! The iis7 malformed vulnerability 1.jpg/ 1.phP also failed !!
Damn it!! Back to the shell I had just got, wanting to escalate privileges on the server and look for something!!
I looked up the second-level domain name in 114 and it is also an independent server! So I figured the chance of root was 95%!
At last, while sweating, I found root... Privilege escalation!!!!! Success!!!
 
The system permission is added to the server !! Connection !!!
The first thing that came to mind on entering the server: connect to MySQL and view the tables!!! Find the admin table and crack it! Then go to the main website!!
 
Find a lot of management table cracking inside the management table because of the second-level domain name station so cracked the N-1 MD5 table !! Then, go to the background of the main site at the front end !!!
After N + 1 hour, I found a backend to crack and log on to one of the managed tables. No, no, Nima. MD5 is required !! Fortunately, I am helpless !!
I am also embarrassed to find some helpless friends to crack !! His MD5 is used up! Tangle!

 
No way. It seems that this table cannot be managed !!
I found what looked like a self-developed PHP website on the second-level domain!! Made a decision!!!
Registered a user and uploaded an avatar!! As you would guess, it is local verification!!!!! Because it is self-developed, it is very likely that the person who manages the main site is the developer!! Uploaded a phpshell locally and got it!!
The first thing to do after getting the shell: view the database and crack the admin MD5.
I also found that the span of IP address 88 is a little large!
The management of her sister-in-law is the same as the MD5 on the server !!!! This site is in the white sky !!! The account cannot log on to the main site!
The server does not want to take root +. What you know is the same as above !! He fell into the second server!
Continue to return to the foreground !! Look at the main station's front-end!
At this point, I discussed Firefox cookie spoofing and modifying the upload verification code with silence Daniel!! However, the attempts at cookie spoofing failed!!! At the same time, I also found an OA system on the front end!!!
Logging in with the first cracked account succeeded!!! I was in!!
However, with such low permissions I could not think of anything!!! I threw it to silence!!! Later, he found an eWebEditor!! Logged in from the default path!!! Default backend password!!

 
I hope it will be big because the OA system is linked to the main website. Haha is so happy!
Take shell !!!!
 

I got a shell @!!! The IP 81 is not close to the target !!!! Ah, close to the verge of crash !!!

At this point, I was still looking through the data to see if I could get into the main site!! Found the database connection settings in the configuration file..

Let me eat a pound of it !!! The connected database configuration file has two databases connected to one table which is not the OA system at all.
 
Log on to the main site! ! Hahaha finally succeeded in entering the main site !!!
 
The shell on the main site is really not good for JB !! Shell won't be obtained after a while !!! Although the main site has the system_dntb, the upload is rejected !!
At this time, silence came up with an ipconfig !!!! I was scared !!!
 

I almost got cheated. It turned out to be a good network card !!!! The main site should be on this server !!!! The website is relatively secure, but the server is a little careless !! You can browse all the data !!! It's not as easy as I thought !!! Finally, the main site was found by connected mengtaizai !!!!!
Upload a Trojan !!!!!
 
Do you think it is smooth sailing? Please refer to the abnormal management above. The 99% directory cannot be written. I also thought of the first directory for Guilin veterans !! However, too many virtual directories have been set for management.
I am looking for something in the directory that clearly looks at the same structure, but the contents in the fucking directory are different from those of Guilin veterans, which means false !! I have a directory.
I finally found a writable directory !! Because I believe that the biggest Server vulnerability is human operation !! So I kept searching patiently !!

 
The target site is finally settled. Because the permission setting Homepage cannot be changed, my goal is not the homepage !!!!!!!
If I am not doing anything about dish B, I can point out that some places may be redundant, but this is my first thought and I have not reduced it, so I should study it if I have !!
