1. My vulnerability-hunting approach
Because a real penetration test usually runs into a login page first, most of the targets I pick are also the login interface of some system.
My test logic is generally:
1. Weak passwords + brute forcing + searching for leaked passwords
2. XSS (relatively rare, and anything that isn't stored XSS is basically not accepted) + SQL injection (tested a little; relatively rare)
3. Find URLs in the JS or other response packets, splice them together and test again (basically: whatever I can piece together, I test)
2. Confirm the target
First, to find the corresponding system, I usually use fofa.
The query statement is "keyword" && org="China Education and Research Network Center"
For the keyword here, I usually go to edusrc to find a vendor whose fix rate is not particularly high, and then query with the fofa statement
body="Technical support: xxx (vendor name)", or search the vendor name directly (a direct search can turn up some vocational schools that you have to identify yourself)
like this:
body="Vendor Name" && org="China Education and Research Network Center"
Here we have identified the target. To avoid suspicion I have redacted everything (this vulnerability has been fixed by the vendor; this is only for technical research).
3. Vulnerability hunting
Weak passwords + brute forcing + leaked password search
1. Search for relevant manuals (a manual may contain sensitive information or administrator passwords, which helps with the next step)
In general you can search like this; if you want to be more precise, use search operators.
I've posted the more commonly used Google search operators:
site: finds URLs associated with the specified website.
filetype: searches for files of the specified type.
intext: searches for the specified string in the text content of the web page.
inurl: searches for URLs containing the specified string.
intitle: searches for web pages whose title contains the specified string.
I didn't find a leaked manual here, and weak passwords didn't get me in, so the second idea is XSS + SQL.
XSS + SQL
Initially there may be four injection points: student login + administrator login + forgot password + registration
Nothing came out of testing. At the forgot-password function I found a place where the query statement was exposed, with where=<controllable variable>, and I felt hope was coming. After testing, no matter how I closed the quotes, the injection failed; filtering must have been written in, so I gave up and moved on to the next idea.
Logic test + URL splicing
I first tested the logic of the student account, because a student account can be self-registered.
But after completing registration, I saw that I couldn't log in: it wasn't within the allowed time. What can you do?
I know you're in a hurry, but don't rush; grab the packet and take a look before you talk.
Here we see that the response packet returns a string of characters, so we can boldly guess that whether the login succeeds is decided by that return value.
Here comes the question: how to find the correct return value?
Here I recommend two methods: 1. F12 to look at the source code + JS; 2. look at the history packets in Burp.
Here the logic was successfully found through a response packet in Burp's history.
Here the JS defines a method validatelogintime(): if the value returned when the data is POSTed is "ok", it returns true.
So here we modified the packet in Burp and successfully entered the next interface.
But if you directly click Agree to enter here, there is no way in, so I went back through the response packets again.
I successfully found a URL, which we spliced in.
There is a file upload point here, and the button is a Flash file. I downloaded Flash Player here but still couldn't load this control. I don't know where the problem is; if any expert knows, leave a comment.
If the file upload can't be used, then directly test injection and XSS on each parameter (it's worth testing if it's stored).
After entering the student backend, XSS + SQL are both filtered, and there is no way to escalate to the administrator account, so go to the front end and try the administrator account.
There is a prompt saying whether the administrator account exists, so here you can use Burp brute forcing and look at the return value to determine what the administrator account is.
Got the administrator account: admin
Let's see if there is any usable information in the earlier response packets.
Well, there was actually a POST submission logic written in there. Although the response packet from logging in with the administrator account contained nothing, there was no other information at hand either.
Send a packet, change a packet, and go straight into the backend.
Summary
When digging into logic, you still have to be patient. The response packet after the student logs in actually contained the administrator's login logic.
Also, this hole has been fixed, and all information has been redacted; this is for technical research only.