bluecms gray box test

Approach: enumerate the application's function points and test each one.

We install bluecms


1. Repeat installation vulnerability

We visit the install page again directly.


The installation can be repeated!
1. This means we can wreck the website.
2. We can get into the back end.
We can also separate the site from its database: we did not need to change the administrator's account password or the database connection address.

For a website, the internal network is usually weaker than the external network, and the back end is weaker than the front end.
We know this can be executed on PHP 5.5 and above: if **${}** appears inside a double-quoted string, it is evaluated as code. For example:

<?php
echo "${phpinfo()}";
?>

When the installer asks for the database name, we submit a one-line webshell: an expression of the form `${ ...$_REQUEST[a]... }` as the database name.


Since I did not have a newer PHP environment installed locally, it looked like this:
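The two installer problems above (re-running the installer, and user input interpolated into a double-quoted config string) can be closed with a lock file and a config writer that never interpolates. This is an added example, not BlueCMS code; the file names, parameter names and the identifier rule for the database name are assumptions.

```php
<?php
// Added example (not BlueCMS code): a hardened installer step that
// (1) refuses to run when install.lock exists, so installation cannot be repeated,
// (2) allows only identifier characters in the database name, and
// (3) writes config.php with var_export() instead of interpolating user input
//     into a double-quoted string, so "${...}" can never be evaluated as code.
// LOCK_FILE, CONFIG_FILE and the form field names are assumptions.

define('LOCK_FILE', __DIR__ . '/install.lock');
define('CONFIG_FILE', __DIR__ . '/config.php');

function install_is_locked(): bool {
    return file_exists(LOCK_FILE);
}

function valid_db_name(string $name): bool {
    // ASCII letters, digits and underscore only, 1..64 chars (MySQL identifier limit)
    return (bool) preg_match('/^[A-Za-z0-9_]{1,64}$/', $name);
}

function render_config(array $settings): string {
    // var_export() emits single-quoted, escaped literals: when config.php is later
    // included, no interpolation takes place whatever the values contain.
    $out = "<?php\n";
    foreach ($settings as $key => $value) {
        $out .= sprintf("\$%s = %s;\n", $key, var_export($value, true));
    }
    return $out;
}

function run_install(array $input): string {
    if (install_is_locked()) {
        http_response_code(403);
        return 'Already installed. Remove install.lock by hand to reinstall.';
    }
    $name = (string) ($input['db_name'] ?? '');
    if (!valid_db_name($name)) {
        http_response_code(400);
        return 'Invalid database name.';
    }
    $config = render_config([
        'db_host' => (string) ($input['db_host'] ?? 'localhost'),
        'db_user' => (string) ($input['db_user'] ?? ''),
        'db_pass' => (string) ($input['db_pass'] ?? ''),
        'db_name' => $name,
    ]);
    file_put_contents(CONFIG_FILE, $config, LOCK_EX);
    file_put_contents(LOCK_FILE, date('c')); // lock the installer from now on
    return 'Installed.';
}

echo run_install($_POST);
```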


Front end

1. On the registration page

All usernames can be enumerated by brute force.

We use Burp to capture the request and insert the following into the email field:

<script>alert(1)</script>

It turns out to be a stored XSS.

2. We found SQL injection during registration, as shown in the figure:

2020/5/28 12:54	INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '98798798', md5('98798798'), '[email protected]', '1590641655', '1590641655')

Using the database monitor in the source-code audit tool, we see the query and can try SQL injection:

2020/5/28 12:54	INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '98798798', md5('98798798'), '98798798' or updatexml(1,concat(0x7e,(select database())),1),1,1)#@qq.com', '1590641655', '1590641655')

Run directly in the database, this executes successfully.
So we capture the request, modify the data, and immediately try the injection through the captured request.


Checking the audit tool, we find that magic quotes are enabled and our ' has been escaped:

2020/5/28 13:29	INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', 'admin175', md5('admin175'), 'ad\' or updatexml(1,concat(0x7e,(select database())),1),1,1)#@[email protected]', '1590643772', '1590643772')

We try the wide-byte bypass, but it raises an error and the row cannot be inserted.
Blind injection would be a real headache: we would have to register a large number of accounts, each requiring a captcha.

Another trick is to insert multiple rows in a single INSERT. Because magic quotes are on, the username has to be hex-encoded:

INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', 'asdasd', md5('98798798'), '98798798' ,1,1),(100,0x6c696261696c69626169,md5(123456),(select database()),1,1)#@qq.com', '1590641655', '1590641655')

3. We tried logging in with a universal password, and the login succeeded.

4. Generally, where there is one vulnerability there are similar ones elsewhere.
We go to the back end and try the universal-password login.

Not in the username field; what about the password field?

Login succeeds.
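The registration injection, the hex-encoded multi-row INSERT, the stored XSS in the email field and the universal-password logins (front end and back end) all come from the same root cause: input concatenated into the query string. The following is an added example, not BlueCMS code, showing registration and login with PDO prepared statements; the DSN, the username rule and the assumption that user_id is auto-increment and pwd is wide enough for password_hash() output are mine.

```php
<?php
// Added example (not BlueCMS code): registration and login with PDO prepared
// statements. The query text is fixed and user input travels as bound parameters,
// so quotes, comment markers, extra VALUES tuples or a "universal password"
// payload are stored or compared as plain data, never parsed as SQL. This makes
// magic_quotes, and hex-encoding tricks to get around it, irrelevant.
// Table and column names follow the captured queries; the DSN is an assumption.

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=bluecms;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
    return $pdo;
}

function register(PDO $pdo, string $user, string $pass, string $email): bool {
    // Reject the stored-XSS vector in the email field instead of storing it;
    // the username rule is an assumption for this example.
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $user)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // user_id is left to AUTO_INCREMENT (assumed) instead of the '' seen above.
    $stmt = $pdo->prepare(
        'INSERT INTO blue_user (user_name, pwd, email, reg_time, last_login_time)
         VALUES (:user, :pwd, :email, :now, :now2)'
    );
    $now = time();
    // password_hash() replaces the unsalted md5() used in the captured queries.
    return $stmt->execute([
        ':user' => $user, ':pwd' => password_hash($pass, PASSWORD_DEFAULT),
        ':email' => $email, ':now' => $now, ':now2' => $now,
    ]);
}

function login(PDO $pdo, string $user, string $pass): ?int {
    // Only the username takes part in the lookup; the password is verified in PHP,
    // so no payload in either field can turn the WHERE clause into a tautology.
    $stmt = $pdo->prepare('SELECT user_id, pwd FROM blue_user WHERE user_name = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pwd'])) {
        return null;
    }
    return (int) $row['user_id'];
}
```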

Back end

1. We can run the backup function directly, then find the backup file locally and request it from outside: the backup file is directly accessible.


Front end

1. Magic quotes apply to GET, POST and COOKIE parameters, but $_SERVER is not affected. So we want to know whether this CMS has header injection, for example via X-Forwarded-For or the following:

$_SERVER['HTTP_REFERER']
$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']


We check again.

The audit system could not read the Chinese text, so we looked at the source file directly and found it is a comment page. Visiting it directly gives a blank page. After publishing a news item and revisiting, we find the comment system.

The first thing that comes to mind is XSS, so we insert a payload:


We right-click to inspect the page.

<> has been entity-encoded.

We check the source code and find an **htmlspecialchars()** call.

We try an event handler instead.

It seems there is no XSS here. That is fine; now we know.


Here the value is concatenated straight into the database query without any processing, so we test whether header injection is possible, for example via X-Forwarded-For:
we capture the request, modify it, and run it through sqlmap.

When building the injection, remember to complete the trailing value before passing the parameter.

Very happy: I got results.
The key is to raise the level to 3:

python sqlmap.py -r 1.txt --level 3
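Because $_SERVER is outside magic_quotes, the X-Forwarded-For value has to be validated and bound like any other input. The helper below is an added example, not BlueCMS code; the trusted-proxy list and the last_login_ip column are assumptions.

```php
<?php
// Added example (not BlueCMS code): taking the client address for logging.
// $_SERVER values are not touched by magic_quotes, so X-Forwarded-For must be
// validated like any other input. This helper trusts X-Forwarded-For only when
// the request came from a known proxy, keeps the hop that proxy appended, and
// falls back to REMOTE_ADDR otherwise. TRUSTED_PROXIES and the last_login_ip
// column are assumptions for this example.

const TRUSTED_PROXIES = ['10.0.0.5'];

function client_ip(array $server): string {
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote; // direct connection or untrusted source: header is ignored
    }
    // X-Forwarded-For: client, proxy1, proxy2 ...; with one trusted proxy in front
    // of us, the rightmost entry is the address that proxy actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($hops);
    // Anything that is not a literal IPv4/IPv6 address is rejected, which also
    // discards SQL fragments smuggled into the header.
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

function record_login(PDO $pdo, int $userId, array $server): void {
    // Bound parameters: even an unexpected value cannot change the query structure.
    $stmt = $pdo->prepare(
        'UPDATE blue_user SET last_login_ip = :ip, last_login_time = :t WHERE user_id = :id'
    );
    $stmt->execute([':ip' => client_ip($server), ':t' => time(), ':id' => $userId]);
}
```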

2. File inclusion vulnerability

We look at local file inclusion.

We output this value directly to see what it is, then capture the request to check: it is a path, the path that gets included, and the parameter in the middle of that path is under our control. By truncating the path we get arbitrary file inclusion.
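The inclusion above is exploitable because the request parameter is spliced into the path. An added example (not BlueCMS code) of resolving the template through an allow-list and realpath() so that truncation and traversal never reach include(); the directory, the template names and the page parameter are assumptions.

```php
<?php
// Added example (not BlueCMS code): include a template chosen by request parameter
// without letting the parameter reach include() as a path. The name is matched
// against an allow-list of known templates, resolved with realpath(), and checked
// to remain inside the template directory, so "../", null bytes and truncation
// tricks are rejected before any file is read. Directory and names are assumptions.

const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['index', 'news', 'comment', 'user'];

function resolve_template(string $name): ?string {
    // Allow-list first: anything not on the list is not a template name at all.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files and collapses ".." segments;
    // the prefix check also catches a symlink that points outside the directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$template = resolve_template((string) ($_GET['page'] ?? 'index'));
if ($template === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $template;
```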


Origin blog.csdn.net/weixin_43264067/article/details/106455783