Penetration into a web game platform

Source: Internet
Author: User

Reposted from: the blog of the bad feelings

Seeing this article, I thought it was quite good.

Today I went to the forum to read articles and came across a very classic one, so I am sharing it here on the blog. I really admire this guy: patience, carefulness and flexible thinking, he has all of it. The author of the article is 9999, a real expert (that is his ID there).


0x01. Origin: for the Horde

0x02. Casing the target: the soft persimmon

0x03. The main site hits a wall: bruised and swollen

0x04. The sub-site, in progress: dropping right after the fight

0x05. A flash in the deadlock: mission complete

0x06. Expanding the gains: step by step

0x07. Conclusion: patience, perseverance and carefulness


0x01. Origin

A friend of mine plays a game on this platform and had a run-in with one of its employees. He asked me to help him dig up that person's information.


0x02. Casing the target

Just have a look around first and gather some information.
The main site's links are all .phtml files, and there are N platforms on the same IP, all developed by this company. There is also a server-schedule site, and the newly opened servers it pushes are all from this platform. Well, that is a good strategy.
There is a forum. Each platform points to a different forum address with a different logo, but the UCenter is integrated, so the data is the same. It runs Discuz! X1.5, and the forum sits on a different server in the same subnet [the two IPs differ only in the last octet].
All forum addresses and their UCenter links automatically jump to the same UCenter domain, ucenter.*****.com.
Well, let's check the main site with a Google search: site:****.com inurl:php|asp|aspx|jsp, which only matches the forum; change the query to site:www.****.com inurl:php|asp|aspx|jsp.
Aucun document ne correspond aux termes de recherche spécifiés (site:*****.com inurl:php|asp|aspx|jsp). Nothing..
The main site is on the same server as the other platforms.

Hscan shows only port 80 open on both IPs, and the HTTP banner returns nginx.

The test files end in .phtml and .phtmL, and the site is PHP, so it is definitely a Linux server.
Tested the nginx parsing vulnerability (/.php and %00.php) without success, and the nginx version is not returned [both servers tested].
Scanning for a backend turned up nothing at all. Starting to get a headache..

0x03. The main site hits a wall
Keep looking at the main site..
The news and announcement links both look like

http://www.*****.com/index/news/gonggao/1103.phtm

http://www.*****.com/index/news/4103.phtm

which looks like an .htaccess rewrite.
Opening

http://www.*****.com/index/news

http://www.*****.com/index/

both return 404, so the .htaccess rewrite does not work that way either.
Continued testing with

http://www.*****.com/index/news/gonggao/1103-1.phtm

Failed. Nothing usable in the cookie values either.
Checked the second-level domains to see whether there is an admin.***.com or another backend address. Alas... only www and bbs..
Let's look at the forum and, by the way, start on the social-engineering side: go to the announcement board and note the administrator account names.
http://whois.domaintools.com/#####.com
All the contacts are domain@****.com... And
Email search: [this is the email image] is associated with about 23 domains.
23 domain names. Presumably all the other platforms are registered under this email address..
After confirming, I checked the domain registration information of several other platforms: this same email address is used...
The registration details also list the company address, the phone is a landline, and it matches the phone number on the official website.
How about that..

0x04. The sub-site, in progress
I went through 10 pages of the announcement board. More than 13 people post announcements, with names GM0001 to GM0024 and UIDs above 200,000. Their title is "editor", the user group name has also been changed, and hovering over the edit tab shows the link home.php?mod=spacecp&ac=usergroup&gid=22. Since Discuz ships 10 group IDs from the lowest user level up to administrator, this is a custom group. I don't know its permissions, but they are very small..
Clicking a name to view the profile says I do not have permission, and I was too lazy to check the registration dates since I had no permission for that either..
Here is a small tip. It is not a vulnerability as such; call it loose filtering in the code. I found it by accident a while ago.

------------ Tip start ------------
I have not tested many Discuz! versions, but by default unregistered users and ordinary users do not have permission to view other users' information.

Take the official site for example: the announcement publisher Cnteacher has UID 859 and group ID 1, that is, administrator permissions. Opening the space to see the information, http://www.discuz.net/home.php?mod=space&uid=859, shows 'Please log in before browsing'.

In this case, append &do=index&view=admin to the URL to view this UID's home page with the admin view, or append &do=profile&view=admin to view this UID's personal data with the admin view.

PS: Don't underestimate these little vulnerabilities. Sometimes they help. www.2cto.com
------------ Tip ended ------------

That is where I was, so I used it now. Unfortunately I did not get any useful material. I checked UID 1 and the first few users.
=-= The admin user group is "newbie". Classy.
Between UIDs 2 and 20 there are only two accounts, test and test2.. Don't die on me..
In the announcement board posts I tried the existing X1.5 exploit, and it failed.
Meanwhile, GM0009 is in group 1. I am very happy to see the three red characters of "administrator", and the ID has a 9 in it. Well, I like it, though GM9999 would have been nicer.. Although nothing useful was found in the post content, there is at least something to soothe the eggs; hey, little egg, no pain, wait for his chrysanthemum to burst.
Oh. Disappointed again, no material at all... but I do now have two mailboxes: one is the domain registration mailbox, the other is the HR contact mailbox, that is, hr@****.com..
Do I have to play the domain registrant and the senior smooth-talker? Oh no, how much evidence would this ruse need to read up on before it clears the barriers..

0x05. A breakthrough flash in the deadlock
Deadlock..
Went to http://www.whoismind.com/ to check which domains are registered under this mailbox, and whether I have missed any..
Aha, there is also the server-schedule site; I forgot to read this one. Usually a server-schedule site is built on DedeCMS. Let's see what this one is.

Wow, it is also hooked up to the UCenter. It looks pretty, very much like the intranet one.

It seems it is not Dede. I still tried requesting plus/search.php, and it really is 404..
Scanned for the backend and googled it. By the way, checked how the new-server links work.

http://********.com/?do=yx&key=&game=****

The "start game" link is
http://********.com/?mygamesid=3728
Looks like a game ID.
Clicking it jumps straight to the game's entry page. Tried submitting ?mygamesid=3728-1, useless; it just jumps to the home page, and various other tests failed..
There is a server start time on the page, tested that too. Fruitless..
Google has nothing useful either..
Went back to view the source, and saw two variables selected for the start time: one is ?newgamehrs=1, the other is ?newgameday=2412, and so on. Only the hrs=* variable is visible on the page itself. Try the day variable and construct the URL

http://********.com/?newgamehrs=1&newgameday=2412-1

Omfg!!! Yes!!! The returned content is different; it is the same as for 2411!!
Injection exists!!!!! I don't know how it filters..
?newgamehrs=1&newgameday=2412 and 1=1 gives 403 straight away... change it.
?newgamehrs=1&newgameday=2412/**/aNd/**/9=9
Lmao!! The jump is correct!!!!
?newgamehrs=1&newgameday=2412/**/aNd/**/9=9999
The content area is blank.. Oh no. Blind injection... how can it not throw an error...
Open the source with luck... Ah, haha, RP burst out!
An error is reported. Why is it not displayed on the page? Looking at the top toolbar of the intranet-style page... I think I understand something... Nima, they blocked the error output..
Haha, but that won't stop me. Continue to expand.
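To make the behaviour above concrete from the defender's side, here is an added example (not code from the write-up or from the site it describes): an in-memory SQLite table standing in for the server-schedule lookup, with the query built by string concatenation next to a version that validates and binds the parameter. The table name, column names and rows are assumptions.

```python
import sqlite3

# Constructed schema and rows standing in for the server-schedule site in the
# write-up; the table and column names are assumptions, not the site's own.
SCHEMA = """
CREATE TABLE new_games (
    newgameday INTEGER NOT NULL,
    newgamehrs INTEGER NOT NULL,
    game TEXT NOT NULL
);
INSERT INTO new_games VALUES (2411, 1, 'server-2411');
INSERT INTO new_games VALUES (2412, 1, 'server-2412');
"""

def open_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_concat(conn, newgameday, newgamehrs):
    # Vulnerable: raw query-string values are spliced into the SQL text, so
    # "2412-1" is evaluated by the database as arithmetic and returns the
    # 2411 row, and "2412/**/aNd/**/9=9999" turns the WHERE clause false.
    sql = (f"SELECT game FROM new_games WHERE newgameday={newgameday} "
           f"AND newgamehrs={newgamehrs}")
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, newgameday, newgamehrs):
    # Hardened: the value must parse as a plain integer and is then bound as
    # a parameter, so the database never sees it as SQL syntax.
    try:
        day = int(newgameday)
        hrs = int(newgamehrs)
    except ValueError:
        return []   # anything that is not a bare integer is rejected
    sql = "SELECT game FROM new_games WHERE newgameday=? AND newgamehrs=?"
    return [row[0] for row in conn.execute(sql, (day, hrs))]

if __name__ == "__main__":
    db = open_db()
    print(lookup_concat(db, "2412-1", "1"))   # ['server-2411']: probe "works"
    print(lookup_bound(db, "2412-1", "1"))    # []: value rejected
```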
If I had to inject manually across so many articles, I would never get through the tables, and there are tools for that, so I won't bother.

Havij runs it directly, after replacing several sensitive characters.

Off you go~
Injection successful.
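From the detection side, an added example that is not part of the write-up: a small scanner over constructed nginx access-log lines that flags the request shapes seen in this section (the arithmetic probe, the boolean probe that got a 403, and the comment-split keyword) plus the Discuz view=admin pattern from the tip in section 0x04. The log lines, IPs and paths are constructed placeholders; the regexes are my own, not a tool's.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed nginx "combined" access-log lines; IPs, timestamps and sizes are
# placeholders, only the request shapes follow the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:01 +0800] "GET /?newgamehrs=1&newgameday=2412 HTTP/1.1" 200 5120 "-" "UA"
10.0.0.5 - - [01/Jan/2013:10:00:07 +0800] "GET /?newgamehrs=1&newgameday=2412-1 HTTP/1.1" 200 5088 "-" "UA"
10.0.0.5 - - [01/Jan/2013:10:00:12 +0800] "GET /?newgamehrs=1&newgameday=2412%20and%201=1 HTTP/1.1" 403 162 "-" "UA"
10.0.0.5 - - [01/Jan/2013:10:00:15 +0800] "GET /?newgamehrs=1&newgameday=2412/**/aNd/**/9=9 HTTP/1.1" 200 5120 "-" "UA"
10.0.0.9 - - [01/Jan/2013:10:01:00 +0800] "GET /home.php?mod=space&uid=859&do=profile&view=admin HTTP/1.1" 200 3301 "-" "UA"
10.0.0.9 - - [01/Jan/2013:10:01:30 +0800] "GET /index/news/4103.phtm HTTP/1.1" 200 8000 "-" "UA"
"""

REQ = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ARITH = re.compile(r"^\d+\s*[-+*/]\s*\d+$")                         # 2412-1
BOOL_PROBE = re.compile(r"\b(and|or)\b.*?\b\d+\s*=\s*\d+", re.I)     # and 1=1
COMMENT_KW = re.compile(r"/\*.*?\*/\s*(and|or|union|select)\b", re.I)  # /**/aNd
DISCUZ_NOTE = "Discuz space requested with view=admin; confirm the session holds an admin group"

def classify_param(name, value):
    """Findings for one percent-decoded query parameter."""
    hits = []
    if ARITH.match(value):
        hits.append(f"arithmetic probe on {name}")
    if BOOL_PROBE.search(value):
        hits.append(f"boolean probe in {name}")
    if COMMENT_KW.search(value):
        hits.append(f"comment-obfuscated SQL keyword in {name}")
    return hits

def scan_line(line):
    """Findings for one access-log line; empty when nothing stands out."""
    m = REQ.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qsl(url.query, keep_blank_values=True)  # percent-decodes values
    hits = []
    for name, value in params:
        hits.extend(classify_param(name, value))
    p = dict(params)
    if url.path.endswith("home.php") and p.get("mod") == "space" and p.get("view") == "admin":
        hits.append(DISCUZ_NOTE)
    return hits

def scan_log(text):
    """Map 1-based line number -> findings, only for lines that produced any."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[no] = hits
    return report
```

scan_log(SAMPLE_LOG) reports lines 2 to 5 and stays quiet on the clean first and last lines; the 403 on line 3 followed by a 200 on the comment-split variant is the sequence worth alerting on.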
Wait. What's wrong with the host IP address..


Target: http: // *******. com /? Newgamehrs = 1 & newgameday = 2412

Host IP: **. *. **. 61
Web Server: nginx
DB Server: MySQL
Resp. Time (avg): 623 MS
Current User: ***. com @ localhost
SQL Version: 5.5.28-log
Current DB: ****** _ com
Host Name :******
Installation dir:/usr
System User: *****. com @ localhost
Compile OS: Linux
DB User: ***. com '@ 'localhost'
Data Bases: information_schema
* ***** _ Com

Here,
the database and the web site are on separate servers.
In the red area above, the last octet of the IP... this is another server in the same subnet!!! It showed up when I Bing-searched the main site just now! Changed? ...
The underlined *****.com has never appeared before!! It is not any of the above!!
Also, it cannot be opened in a browser. Whois shows the same registrant email. Is this the old domain name?
Put it aside for the moment and keep reading.
Databases only has ******_com, the domain of this server-schedule site..
Where is the UCenter? Where is uc_members? Where are username, password, email, salt????
Wtf... why are you hurting me? Are you okay?
However, since this table exists, it proves the site has a backend and an independent publishing system. By the way, let's see whether the backend can be scanned.
[Havij meanwhile enumerating table names at turtle speed]
Lots of 403s... but none of them is the backend. Following the earlier URL naming scheme I tried building similar ones, ?do=admin, ?do=login, but they all failed..
This reminded me of the strange domain name just now. Tried putting its letters in front of the domain: no, ****.com, no, *****admin, no, admin*****, no.. ran a command to generate a dictionary with all these domain names added and ran it..
[Havij meanwhile enumerating the columns of system_user at turtle speed]
-- Here, by the way, sqlmap... why am I running it at snail speed... so despise XP... --
Ah, hahaha, the backend came out. Nima http://******.com/*****guanliyuanlogin/ [these *** are the letters of the DB user's domain name, which I will call X from here on.]
Very good. Aren't you complicated.
While the backend scan was running, Havij also successfully pulled the adminuser and adminpass data. The password is still an MD5 whose result is in the paid tier. To be honest, I like paid-tier MD5 data, because if they charge for it, that proves the password is complex and worth something. That's the logic.
Login succeeded, and the backend is very simple, so simple I lost my bearings.
There are only two functions... manage and add...
And add has only five fields... game, server, server start time, game address, registration address. There is not even an upload location... let alone a shell...
Thank you for taking care of me. Although it hurts, you should always get used to it. Don't ignore me... Well, I know, you're saving yourself for the chrysanthemum, right.
I can see my dear egg is so confident that it gives me a lot of confidence. I know its chip is the password that came out. xD
I started trying hard...
-Nothing here.-
You know..
And Nima, it's the same thing again. By the way, this site is on another IP in the same subnet. Let's see what else is on this server.
..... Only it....
Well.... check the second-level domains of X..
Inner.x.com
Plan.x.com
Hahaha, inner is an internal announcement site, and it is Dede!!!
Used the backend credentials I just got to try logging in!! Login successful!!!
Next, get a shell directly from the Dede backend! Easy to write!
View the database configuration file:
$Dbhost = '192.168.1.9';
$Dbname = 'ner.x.com';
$Dbuser = 'ner.x.com';
$Dbpwd = 'aduxnqcyrvxqrxh';
$Dbprefix = 'dede_';
$Db_language = 'gbk';

Check the permissions.

...
2.6.32...
Forget it. The permissions should be enough to cross sites. Go straight to the server-schedule site's directory and view its configuration file. There is a master-site configuration, and further down a commented-out // configuration whose dbname is Plan.x.com.. What is this? Open this site:
403 is returned. The IP points to yet another server in the same subnet...
This....
Now that I have the UCenter data, the task is simple to finish.
However, a problem comes up again. I don't know the person's site ID. My friend only knows his in-game account, which looks like a randomly generated name...

Could only search for this name..

Nothing...
So I had my friend go to the forum and scold him, then tell him in the game; after a while he replied..
Looked up his email, QQ and password. Sent them to my friend! Task completed perfectly!

0x06. Expanding the gains
After finishing the task, I habitually keep expanding the results.
I am curious about plan.x.com. After going through the other site and finding nothing, I scanned its ports. It is an odd port, probably an internal planning system or something. Curious.
The main site shell: Discuz! X1.5.. I haven't got any exploit for the latest versions, and I hope this 1.5 is not the latest. The administrator account and password in uc_admin cannot be cracked; I updated it and will change it back later.
Good luck: successfully got a shell through a plugin vulnerability!!
At this point **.**.65 was swept. Ports 80 and 9527 are open; it is the plan.x.com host.
What is 9527... Stephen Chow?? A web port?? Possibly..
Accessing http://**.*.**.65:9527 returns 403. Aha, it is indeed a web port. Visiting http://plan.x.com:9527/ returns a login page!!!
That's where things stand.
Log in with the account and password pulled from the database!
Yes.. the password in admin_user cannot be cracked.. after updating it to the encrypted form of 123465 I still cannot log in.. how is this encrypted.. there is no shell here, and the database is on a separate host from the site, so I cannot see the login code..
By the way, tried looking up several administrators' usernames in uc_members to see if their passwords can be obtained..
6 administrators in total, four of their passwords were found, but none of them can log in!!..
Looking around the database there is a table named login_logs... I... clicked in and looked... blind... it logs passwords in plaintext.....
So, where username = "the administrators' names".
Each of them has countless passwords. These are the site-wide login records; you can even find your own. 6 GB of data... unfortunately with too many duplicates..
Still, it seems many useful passwords were obtained, and the forum founder's account also logged in.
Of so many passwords, only one can log in to plan.x.com..
Yes. After logging in, the password is displayed. Enter the number in the matrix card at C6. A security card!!!!!!!!! Fuck me!!!! I swear!!!!!!
Cool...
Looking at the database there is a strange column named 'plamsecurity'.. is that the security card.. I recorded this value for the account whose plaintext password I had, cleared it with an update, and logged in again. Success! Haha! However, the permissions are slightly small. There is also an admin_group_id column; change it to 1, log out and log in again!
Gorgeous. A very powerful backend. Got a shell. I want to take the login database.. one backup times out at 500.. if you want to pack the data in volumes, there are 100 million+ members in total, 6 GB.. how long would that take to download.. how long to dedupe.. the egg started to ache again....

0x07. Conclusion
Three words: patience, perseverance, carefulness.
Success depends on the inconspicuous places.
There's nothing profound about it. This is the first time I've written such an article; I laughed..
Sorry for wasting your time. Thank you.

There are not many images; this was written in Word. Considering the upload issue, I tried to save as few pictures as possible and to make the writing as detailed as I could. I hope you will leave your valuable comments. Thank you.
