Security Monitoring for www.360xxxx.com
Description
This penetration intrusion only focuses on the discovery of problems without any destructive behavior.
To ensure the information security of the target site, the image has been coded. the following target URL is replaced by www.360xxxx.com.
Recently, I was bored. Roland just wanted to learn about the security-related technical ideas and found an injection station on Baidu. As a result, it took several hours to get off the server, record the ideas
Intrusion Process
It is easy to obtain the information. The URL parameters are enclosed in single quotes and the path is exposed.
Get the absolute path of the website
E:\test\360XXXX\wsq\wsq2\news.php
At the same time, it was confirmed that there was an injection on the site. After using sqlmap to run, it also confirmed this idea.
Then I started to use sqlmap to run the database and run the table to run the data. when I ran the data, I was so scared that the password was stored in plaintext.
Then I started looking for the background, and found that the background was so simple. The domain name is added to the admin and successfully merged to the background.
Next, I took shell and rummaged through the entire background. I found that I used ThinkPHP framework for secondary development and there was a place to upload images. However, I not only tested the file extensions, but also checked the file header, I felt that the filtering was tight, so I gave up.
Then return to the injection, and think about whether a shell can be written into the database, and the SQL map cannot be written into the shell.
Then I used sqlmap to check mysql permissions and found it was administrator.
Mysql has a relatively high permission, and then uses sqlmap to query the root password. Then, it is thrown to mysql 5 and cannot be completely resolved. This path is also broken.
Then it took a long time to get stuck here. I was wondering how to write the shell. After scanning the port, I found that 3306 was opened.
Then I wondered if I could check the root password in php.
When querying sqlmap data, we found that sqlmap has a file reading function, which can be used in combination with the previous absolute path to read files.
Sqlmap-u "http://www.360XXXX.com/wsq/wsq2/news.php? Id = 4825 & y = 1 & ty = toutiao.com "-p id -- file-read E: \ test \ 360XXXX \ wsq \ wsq2 \ news. php
Then, since the page has been injected, the page must be connected to the database. Following the include information in php, the page can always get the database connection information, so it starts to read files, we found that we could read news smoothly. php source code
Then, view the source code downloaded to the local device. The local storage path is
/home/chaplin/.sqlmap/output/www.360XXXX.com/files/E__test_360XXXX_wsq_wsq2_news.php
A consql. php file is displayed. The database connection information is determined based on the file name. Then, the directory is constructed to read the file.
Sqlmap-u "http://www.360XXXX.com/wsq/wsq2/news.php? Id = 4825 & y = 1 & ty = toutiao News "-p id -- file-read E: \ test \ 360XXXX \ conMysql \ consql. php
The file is also successfully read, and then the root password is obtained.
I found that the database was connected to an intranet address and Internet address. I threw it into Navicat and tried to connect. I found the connection was successful.
Then, the SQL Execution At the injection point is smoothly switched to the mysql command line, and it is still an administrator permission.
Then try to write shell in the SQL command line
MySQL
SELECT "
" INTO OUTFILE "E:\\test\\3602000\\wsq\\wsq2\\line.php";
Then I successfully wrote a sentence and got the webshell.