Someone published a writeup of a penetration of Xiaomi in March. It is worth a closer look, because it is a classic penetration process: injection, file write, and social engineering chained together almost seamlessly.
Some people seem to think there is nothing technical in it; others think it is too hard to follow. So I will walk through the technical points involved.
Let's see how much we really know.
First, the author starts from this injection point: http://xshare.api.xiaomi.com/xShare?do=list2&choice=sms&category=x%27%20and%201=2%20union%20select%,2,3,host,user,password,9,0,1,2,3%20from%20mysql.user%23&orderby=m_hot (the copy I have is slightly mangled, but the intent is plain: close the string in `category` with `'`, make the original WHERE false with `and 1=2`, append a `union select ... host,user,password ... from mysql.user`, and comment out the rest of the query with `#`). Everyone is familiar with SQL injection, so I will only say a word about blind injection. The point above is an ordinary one whose query results are echoed in the page. If the results are not displayed, or the page redirects, you have to fall back on blind injection, which Pangolin generally handles poorly; sqlmap, or the SQL injection tool bundled with WebInspect, is the better choice. Through this injection point the author obtains:
1. The MySQL version, the account the application connects as and its privileges, the list of databases, the data directory, and so on. How much of this you get depends on how broad the database user's privileges are. Here the application connects as MySQL root, so anything the built-in functions can reach is available.
2. The tables, columns, and data of the current database.
These two points are the preliminary information available, and they directly determine the rest of the penetration. Using the MySQL root account, the author exports a webshell into the web directory with `into outfile`.
Two conditions matter here. First, the database user the application connects as must hold the FILE privilege (`file_priv` in `mysql.user`) before `into outfile` will write anything; on newer servers the `secure_file_priv` option can additionally confine or disable file reads and writes. That is why, both when hardening afterwards and when configuring security up front, it matters so much which privileges the application's database user is granted. Second, `load_file` can be used to read the web server's configuration and learn the web root. On some systems the web path can also be obtained by guessing or from error messages.
The key point here is that the database user has far more privileges than the application needs.
Simply put: injection point -> MySQL root can operate on files -> use `load_file` (or another method) to obtain the physical path of the web application -> use `into outfile` to export a webshell.
At this point there is a webshell: the http://xshare.api.xiaomi.com/rso/1.php the author mentions.
Here I want to talk about file permissions. When configuring a Linux server, the web directory should not be readable and writable by every user; in particular, the OS user that the mysqld service runs as should not be able to write into the web directory. It is worth checking which user the mysqld process runs as and whether that user can write to the document root. The tragedy is that a setup where it cannot is rare.
Generally, once a webshell is available, the following can be done:
1. Privilege escalation through the webshell. On Linux a bash shell is usually reachable, whether spawned from Python, C, or Perl. There are also more refined ways of getting a reverse shell.
2. Collect all useful information: database contents, the credentials the application uses to connect to the database, bash_history, and so on. How completely a target is compromised depends on how much information you can collect, and that in turn depends on how much you know. That is where the value of penetration lies; penetration is a worthwhile task for exactly this reason.
With the webshell, and through the MySQL root account, the author's first thought was to look at the database contents. Sure enough, an old version of the user database had been left on the server. Although it had been abandoned, it still held a great deal of information. This is where social engineering began to play the major role.
Note that the author's target is not the abandoned server but the e-commerce site currently in use.
3. Because the database user is root, the author uses it to reach across databases into the leftover user database, UCenter. The author looks up the domain registration information of xiaomi.com, takes the registrant's email address, and searches the uc library for that address to obtain the password hash of the matching user. This step belongs to social engineering.
I did not mention this: the Discuz password hash seems to have been cracked only a little, and I don't know what that means.
By reverse-querying snowhilloldman@gmail.com, the author found the domain administrator's username in the uc database, then cracked that user's password and, by social engineering, got into the user's Gmail mailbox.
With that, the user's domain name can be controlled: at the very least, the domain's records could be reset by going through the registrar's password recovery. Xiaomi.com did not seem to have any domain protection in place.
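As an added example (my own, not the author's queries), this is what the cross-database step and the hash check look like once you hold a root connection: query the leftover UCenter database by email, then test a few candidate passwords against the Discuz/UCenter hash format, which is md5(md5(plaintext) . salt). The database name `ucenter`, the simplified `uc_members` layout, the rows, the usernames and the example.com addresses are all constructed test data standing in for the real accounts the page names.

```sql
-- Added example: pivoting from the app's database into the abandoned UCenter
-- database over a root connection, then testing candidate passwords against
-- the UCenter hash format md5(md5(plaintext) . salt).
-- Assumptions: database "ucenter", a cut-down uc_members with username /
-- password / email / salt; all rows below are constructed test data.

CREATE DATABASE IF NOT EXISTS ucenter;
CREATE TABLE IF NOT EXISTS ucenter.uc_members (
  uid      INT PRIMARY KEY,
  username VARCHAR(15),
  password CHAR(32),
  email    VARCHAR(255),
  salt     CHAR(6)
);

-- Constructed rows; the stored hash is md5(concat(md5(plain), salt)).
INSERT INTO ucenter.uc_members VALUES
  (1, 'dnsadmin',  md5(concat(md5('P@ssw0rd'), 'a1b2c3')), 'dnsadmin@example.com',  'a1b2c3'),
  (2, 'colleague', md5(concat(md5('welcome1'), 'zz9yy8')), 'colleague@example.com', 'zz9yy8');

-- Step 1: reverse lookup. Which UCenter account registered the email address
-- found in the domain's registration record? Root can read any schema, so
-- the application's own database being unrelated does not matter.
SELECT uid, username, password, salt
  FROM ucenter.uc_members
 WHERE email = 'dnsadmin@example.com';

-- Step 2: a quick check done inside the database: join the members against a
-- small candidate list and keep the ones whose recomputed hash matches. A
-- real crack is run offline with hashcat/john using the salt; this only shows
-- how the hash is built and why the salt must be dumped together with it.
SELECT m.username, m.email, w.candidate AS cracked
  FROM ucenter.uc_members m
  JOIN (SELECT 'password'   AS candidate UNION ALL
        SELECT 'P@ssw0rd'                UNION ALL
        SELECT 'welcome1'                UNION ALL
        SELECT 'xiaomi2013') w
    ON m.password = md5(concat(md5(w.candidate), m.salt));

-- Step 3, the move the author made next: a name from the first mailbox's
-- address book is checked against the same user table to see whether it is
-- also an account there (and therefore a candidate for password reuse).
SELECT username, email FROM ucenter.uc_members WHERE username = 'colleague';
```

The join in step 2 is deliberately naive: it makes the point that an abandoned database still yields salted hashes that are cheap to test, which is all the attacker needed before moving on to the mailbox.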
4. Because taking control of the domain through password recovery is risky, the author moved on to the next step. In the address book of that mailbox he found wanghaizhou@gmail.com. I guess wanghaizhou is a username in the UC library, so the attacker assumed the mailbox belonged to the same person and tried the same password on Gmail. A large amount of sensitive information was read from this mailbox, such as server passwords and the intranet VPN. With that, the entire server estate was under control.
Penetration complete.
The above is the author's process for penetrating Xiaomi; I have only added some views of my own.
So in this case, where did Xiaomi fall short?
1. Launching a product without a security audit. This much is certain; otherwise such an obvious injection point would not be there.
2. Unused applications not removed or locked down promptly. People always think "nobody needs this link any more, so nobody knows it is there". Pure luck.
3. Misconfigured servers and misconfigured applications: setting up the environment with an over-privileged user. Secure configuration of the application environment is an important part of the job; I estimate that two thirds of security problems today come from improper configuration. Frankly, operations is also the tragedy of security.
4. Using the same password in multiple places, including for important business systems. This is not acceptable.
5. Storing sensitive information on the network, or in areas outside your control.
In short, the operations staff made every mistake it is possible to make and had poor security awareness; the hackers simply tried to mine as much information as they could.
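Point 3 is the one that breaks the chain, so here is an added example (mine, not a configuration from the page or from Xiaomi) of the least-privilege MySQL layout that would have stopped the `into outfile` step and the pivot into the leftover user database. The schema name `xshare`, the account name and the web-tier host address are assumptions.

```sql
-- Added example: least-privilege layout that would have broken this chain.
-- Names (xshare schema, xshare_app account, web host 10.0.0.5) are assumed.

-- Before: what the author found, in effect an application connecting as root
-- from anywhere, i.e. the equivalent of
--   GRANT ALL PRIVILEGES ON *.* TO 'root'@'%';

-- After: a dedicated account, reachable only from the web tier, limited to the
-- DML the application needs on its own schema. No FILE, no SUPER, no access to
-- mysql.* and none to the abandoned ucenter database.
CREATE USER 'xshare_app'@'10.0.0.5' IDENTIFIED BY 'long-random-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON xshare.* TO 'xshare_app'@'10.0.0.5';

-- Remove remote root; keep it local-only for administration.
DROP USER 'root'@'%';

-- Audit: which accounts could still read or write files on the server through
-- LOAD_FILE / INTO OUTFILE? Only accounts you can justify should appear.
SELECT user, host FROM mysql.user WHERE file_priv = 'Y' OR super_priv = 'Y';

-- Audit: accounts reachable from any host.
SELECT user, host FROM mysql.user WHERE host IN ('%', '');

-- Audit: what the application account can actually do.
SHOW GRANTS FOR 'xshare_app'@'10.0.0.5';

-- Belt and braces: secure_file_priv (set under [mysqld] in my.cnf) confines
-- LOAD_FILE / INTO OUTFILE to a single directory; NULL disables them entirely,
-- while an empty value leaves them unrestricted. Verify the running value:
SELECT @@secure_file_priv;

-- Point 2 of the list: drop the leftover database instead of leaving it for
-- the next person to find.
DROP DATABASE ucenter;
```

With this layout the injection in the first step still leaks the `xshare` schema, but it cannot read `mysql.user`, cannot write a webshell, and cannot reach the old UCenter tables, which is exactly where the social-engineering half of the attack started.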
I tried to penetrate Xiaomi before, but I did not find the injection entry point. That is the key point.
From Robert's Blog