Penetration caused by a poor Baidu application rating

After the Baidu app was beaten by a star...

A penetration last night aims to modify the negative rating of Baidu applications ..

= I have little penetration experience and enjoy myself. Do not laugh, haha.

--------------------------------------------------------

I have developed some Baidu applications to facilitate my use at ordinary times. Yesterday, I accidentally discovered that my Baidu application was given a negative comment: A star + comment: "I really don't understand where the force is ?"!!

= At that time, I was so angry that my application did not provoke you! In this way, many users in China are not happy to point out where they are unhappy, but to scold them directly. Although this person did not scold me, is it possible to give a star? Are you sorry for the name of this tool?

So I thought... In retaliation, the following process was started.

1. Use Baidu to search for his comment ID, "gu *******".

2. Find its Baidu space at http://hi.baidu.com/gd?#/home.

3. I am even more annoyed when I find this person is working on IT after 80!

Let's say IT's not a mainstream problem. If you entertain me, I can't help IT. If you do IT, Do websites, and share technology, should you respect others' development.

4. Then I found that this person is also developing the Baidu application, and it seems that it was recently developed.

After reading this, the Baidu application has no difficulty or special features. Is it necessary to point something to my application?

5. Then, you can determine some materials, such as the name, hometown, and QQ number.

6. Of course, this person is a WEB engineer and has his own website (but it is not long before it is launched ). Www. den ********. com

7. Go in and check it out. It's a discuz X2.5 forum. After google site, no other applications are found on the website.

8. ping the website IP address and check the domain name on the server. There are many domain names on the same server. Www.2cto.com

9. Find out from it and find that one of the websites has fckeditor, and then upload shell, = Of course, this website has been ruined by various shells. Linux servers include asp, ashx, And asa suffixes. (I deleted it)

10. The current website directory is/home/aobok *** bagoubgovk6i2nug/wwwroot /. The 2nd-layer Directory consists of a user name and a random string. It is impossible to guess the path of our target site. Because the target station only has one discuz, there seems to be no way to crack the path...

11. Limited permissions, not all directories can be viewed. Due to weak penetration experience, I thought about it for a long time and moved to the/etc/httpd/conf. d directory, which contains php. conf and python. conf, but it is useless.

12. Try/etc/nginx again and find that the directory exists, and there is an nginx. conf in it, which contains the path settings for access logs.



/Var/log/nginx/error. log
/Var/log/nginx/access. log

13. Try/var/log/nginx/and access. log and error. log. Write a PHP file and download/var/log/nginx/access. log to test2.txt.

14. ueditopen test2.txt and accidentally find the address record in the log. You can directly log on to the management background of the website (that is, the control panel of the virtual host ).

Example: http://www.bkjia.com: 8888/main. php? P = UEVFBxQOCwIU ***** lxQWl1YS1UTFkM =



15. The log file is large and there is no way to determine which is the management backend of the target website from the address.

16. So I wrote a perl script, which will be able to match the above records and be repeated.

#!perl -w
use strict;
open(F,"<./test2.txt");
open(O,">./test3.txt");
open(O2,">./test4.txt");
my $pass={};
print O2 "[";
while(my $line=<F>){
  chomp $line;
  if($line =~ /8888\/main\.php\?p=([^&"\.]+)/){
    my $tmp=$1;
    if(!defined($pass->{$1})){
      $pass->{$1}=1;
      print O "http://******:8888/main.php?p=".$1."\t".$1."\n";
      print O2 "'".$1."',";
    }
  }
}
print O2 "1]";
close(F);
close(O);
close(O2);

17. Then, we write a JS script to automatically log on to the address obtained above, and obtain the user name from the logon page.



The user name and logon address pair are obtained.



18. Find our target website and log on to the control panel of the website.



19. Because it is discuz, directly go to the config directory to view the configuration file. A password is displayed.



20. I still wanted to modify the login page and steal the password, but the password is not like a temporary password. So I directly log on to the Baidu account, succeeded, and modified the negative comment of the Baidu application.



21. In addition, I tried to use the QQ number @ qq.com + to log on to the Xiaomi Forum account of this person.

22. In addition, let a friend Add the QQ number of the person and use the explicit IP address function to know that the person is located somewhere in Guangzhou.

23. Later, you can find the WEB proxy and then try to log on to this QQ account. (Not tested due to remote logon prompt)

------------------------------------------------

Summary:

:), Although there is no technical content, it has achieved its own goal, hey.


Author gainover