Some time ago I took down a website and sent the write-up to hake, but not many people read it, so I am posting it here even though I hadn't put it online before.
The technical content of the article is not very high.
I think this still counts as original..
Target: news.xxxx.net
First, collect information.
This code is pretty sexy, haha.
Then scan for directories.
Surprisingly, it found a directory.
But I decided to start from the main site.
Start with the main site, www.xxx.net.
Scanned for all sorts of directories.
There is FCK... but after trying it, I found the hole had already been patched.
I started a long session of browsing through directories. I went through them all and didn't turn up anything I could use..
On another front
Switched to blog.xxx.net.
This time I learned something new..
It's kindeditor. I remember there was a directory traversal vulnerability..
Exploitation method
http://blog.xxx.net/editor/php/file_manager_json.php?path=/
I found it... the website root is not under the /var/www folder.
In the end I found it under /data/www...
Finally, I tried a few sites that the site-lookup tools had not shown.
123.xxx.net
test.xxx.net
demo.xxx.net
Opening the 123 sub-site, I found it was a 114la website-navigation install.
There was a 0day for it some time ago.
I tried it.
OK.
Decrypted the password and logged in to the admin backend.
I couldn't do anything in the backend either; couldn't get a shell or anything. It's too simple =
Got a shell by following this article:
http://lcx.cc/?Foxnews00001796.html
In the backend click Template Management ---> Category Template --> Add Template.
You can directly add a php or asp suffix.
Wrote a one-line webshell into it.
The trojan is stored in the admin/tpls/main/green/class directory.
http://123.xxx.net/admin/tpls/main/green/class/11.php
Now to cross over to the other site.
I struggled to find the directory; you should be able to tell from the screenshot above.
There is no news.xxx.net directory..
Later I wondered whether it was a folder under the www.xxx.net home directory.
So I went into the news folder and uploaded a txt file.
Opened it with an uneasy feeling..
That's the end of this test. Actually this shell has a lot of permissions: it is root, so there was no intention of escalating privileges from the webshell.
Finally, I wrote one more piece. There seem to be tutorials for this online, but some of them are not very clear, so I'm writing it up here as well.
While browsing through the directories I found the footprints of my predecessors: a shell that returns no output (no echo) when the password is wrong.
I tried a few passwords but couldn't crack it, and running a dictionary didn't get it either.
But let's talk about how to use the t00ls tool to crack the password of a no-echo shell..
This is the tool; you can find it on Baidu yourself..
How to use it:
First, capture the request with the wrong password; capture the POST data.
POST /fckeditor/editor/filemanager/connectors/php/xxx.php HTTP/1.1
Host: www.xxx.net
Connection: keep-alive
Referer: http://www.xxx.net/fckeditor/edi... nectors/php/xxx.php
Content-Length: 33
Cache-Control: max-age=0
Origin: http://www.xxx.net
Content-Type: application/x-www-form-urlencoded
Accept: application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, image/png, */*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1;) AppleWebKit/534.12 (KHTML, like Gecko) Maxthon/3.0 Safari/534.12
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN, zh;q=0.8
Accept-Charset: GBK, UTF-8;q=0.7, *;q=0.3
Cookie: wespaceuser=login; AJSTAT_ok_times=1; rTvgYGhchbcookietime=0; rTvgYGhchbusername=hzck1999; PHPSESSID=bnkc817f11htk4huq67p7nfpd1; cdb_sid=OhXi57; __utma=125976530.309523011.13229005369132290053691322901163.2; __utmc=125976530; __utmz=125976530.1322900520.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); Hm_lvt_9dad9a39dc2779b297b1621b72055626=1322906408673; Hm_lpvt_9dad9a39dc2779b297b1621b72055626=1322906408673

password=sss&doing=login
Fill this in here... note that the password field is replaced with the dictionary variable.
Then look at the returned response.
I got the part marked in blue. This is the message returned when the password is incorrect.
Next, set the password dictionary.
Click start..
If it cracks, the password is shown in the output pane...
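From the defender's side, the two things this write-up relies on both leave a recognisable shape in the web server access log: calls to kindeditor's file_manager_json.php with a path parameter that escapes the upload directory, and one client posting over and over to a single PHP connector script (the dictionary run against the no-echo shell). The following is an added example, not code from the original post or from the tool it mentions; the log lines, IP addresses and hostnames are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common log format prefix: client ip, identity, user, [time], "METHOD target PROTO", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample traffic (not a real capture); IPs come from documentation ranges.
ATTACKER, OTHER = "198.51.100.7", "203.0.113.9"
CONNECTOR = "/fckeditor/editor/filemanager/connectors/php/xxx.php"
SAMPLE_LOG = [
    f'{ATTACKER} - - [03/Dec/2011:10:00:01 +0800] "GET /editor/php/file_manager_json.php?path=/ HTTP/1.1" 200 812',
    f'{ATTACKER} - - [03/Dec/2011:10:00:05 +0800] "GET /editor/php/file_manager_json.php?path=../../ HTTP/1.1" 200 1934',
    f'{OTHER} - - [03/Dec/2011:10:01:00 +0800] "GET /editor/php/file_manager_json.php?path=images/ HTTP/1.1" 200 120',
    f'{OTHER} - - [03/Dec/2011:10:01:30 +0800] "POST {CONNECTOR} HTTP/1.1" 200 0',
] + [f'{ATTACKER} - - [03/Dec/2011:10:02:{i:02d} +0800] "POST {CONNECTOR} HTTP/1.1" 200 0' for i in range(30)]

def parse_line(line):
    """Return (ip, method, path, query dict) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, target, _status, _size = m.groups()
    parts = urlsplit(target)
    return ip, method, parts.path, parse_qs(parts.query)

def find_listing_traversal(lines):
    """Flag file_manager_json.php calls whose 'path' leaves the upload directory
    (absolute path or a '..' segment), the pattern used above to list the server root."""
    hits = []
    for ip, _method, path, query in filter(None, map(parse_line, lines)):
        if not path.endswith("/file_manager_json.php"):
            continue
        for p in query.get("path", []):
            if p.startswith("/") or ".." in p.split("/"):
                hits.append((ip, p))
    return hits

def find_post_bursts(lines, threshold=10):
    """Count POSTs per (client ip, php script); one client hammering one script is the
    shape of a dictionary run against a webshell password. Returns offenders above threshold."""
    counts = Counter()
    for ip, method, path, _query in filter(None, map(parse_line, lines)):
        if method == "POST" and path.endswith(".php"):
            counts[(ip, path)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(find_listing_traversal(SAMPLE_LOG))
    print(find_post_bursts(SAMPLE_LOG))
```

A relative path such as images/ is left alone, so ordinary use of the file manager does not trigger the first check; tune the threshold of the second to the normal rate of form posts to your editor connectors.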
Okay, that's it.. I'm a newbie; there is no technical content in this article, and the results came only from carefully browsing through everything. I hope you won't try it.. In other words, the intrusion process is really a process of patience and care.. there is very little technique involved.