From Password Reset to Getshell and Other Vulnerabilities Packed

Foreword

A few days ago I wanted to earn some EduSRC points, so I went back to an Nday I had not yet worked through, and that led to today's case:

Information gathering

While working on a certificate for a sports college earlier, I had found a flaw in the password-reset flow: the verification step could be skipped simply by changing the html file name in the URL.

So I planned to map this asset and see whether it could be scored again.

Pick one to open:

There is no background image, but it is still the same asset. When testing the sports academy I already had an account, so I could log in directly and go on to the next step; this asset has no account, so I planned to collect student IDs or something similar.


Nothing turned up for student numbers, and just as I was about to look for other entry points, I noticed

This field asks for the last 5 digits of the student number. Student numbers are usually sequential, so I generated a dictionary to FUZZ with.

The Python script that writes a dictionary of every value from 00000 to 99999, one per line:

# Write every 5-digit string from 00000 to 99999 into dict.txt, one per line,
# to use as the Intruder/FUZZ payload list.
with open('dict.txt', 'w') as file:
    for i in range(100000):
        file.write(str(i).zfill(5) + '\n')

After loading the dictionary, the request timing (delay between requests) also needs to be set

In the end a few accounts came back successfully

EduSRC does not accept brute-force findings, so enumerating student IDs does not count as a vulnerability on its own, but it did give me valid student IDs

Then enter one of the 5-digit student numbers found by FUZZ

https://1.test.edu.cn/passworf/find1_html

Change find1_html to find2_html in the URL

Enter the password we want to set, and after the change succeeds, log in to the backend:
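To make the root cause of this reset bypass concrete, here is an added example (not code from the original post or from the target system) modelling a two-step reset flow. The step names find1/find2 mirror the find1_html and find2_html pages above; the student record, the "security answer" and the class names are assumptions for illustration. The vulnerable version verifies in step 1 but never records that the verification happened, so step 2 can be requested directly; the hardened version only accepts a single-use, server-issued token that step 1 hands out after a successful check.

```python
import copy
import secrets

# Constructed sample data (assumption): student id -> security answer and password.
STUDENTS = {"12345": {"answer": "blue", "password": "old-pass"}}


def fresh_users():
    """Return an independent copy of the sample user table."""
    return copy.deepcopy(STUDENTS)


class VulnerableReset:
    """Step 2 trusts the client: any request naming a valid student id sets a
    new password, whether or not step 1 was ever passed."""

    def __init__(self, users):
        self.users = users

    def find1(self, student_id, answer):
        # Verification happens here, but nothing server-side records it.
        user = self.users.get(student_id)
        return user is not None and user["answer"] == answer

    def find2(self, student_id, new_password):
        # Reachable directly by editing find1_html -> find2_html in the URL.
        if student_id in self.users:
            self.users[student_id]["password"] = new_password
            return True
        return False


class HardenedReset:
    """Step 2 only accepts a single-use token that step 1 issued after a
    successful verification, so the page order cannot be skipped."""

    def __init__(self, users):
        self.users = users
        self._pending = {}  # token -> student_id

    def find1(self, student_id, answer):
        user = self.users.get(student_id)
        if user is None or not secrets.compare_digest(user["answer"], answer):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, server-generated
        self._pending[token] = student_id
        return token

    def find2(self, token, new_password):
        student_id = self._pending.pop(token, None)  # consumed on first use
        if student_id is None:
            return False
        self.users[student_id]["password"] = new_password
        return True


def demo():
    """Show the bypass against the vulnerable flow and its failure against the hardened one."""
    vuln = VulnerableReset(fresh_users())
    bypass_worked = vuln.find2("12345", "pwned")  # step 1 skipped entirely

    hard = HardenedReset(fresh_users())
    bypass_blocked = not hard.find2("12345", "pwned")  # no token, no reset
    token = hard.find1("12345", "blue")
    legit_worked = hard.find2(token, "new-pass")
    return bypass_worked, bypass_blocked, legit_worked


if __name__ == "__main__":
    print(demo())
```

The fix is not "check the referer" or "hide the URL of step 2": the server must own the state of the flow, and the only thing that advances it is something the client could not have produced without passing the previous step.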

Continue browsing the function points looking for a breakthrough:

Found an "add activity" function

There is no upload point, but there is a description field. Try a stored xss payload directly:

<Script>alert("1")</Script>

Stored XSS +1

The payload used here, <Script>alert("1")</Script>, gets past the filter by changing the case of the tag name.

Later, another information upload point turned up:

These points had been tested directly in the browser without opening BP (Burp Suite), so next I opened BP to see whether capturing the requests would reveal anything more

Click the first entry under the [Add Resume Information] heading in this section

It turned out to be an information editing interface, but it opens in a small pop-up window, which is why I had not noticed it when I first opened BP to capture requests:

After clicking Modify on the right and capturing the request:

There is an id parameter; close it with a single quote and look at the response:

Browser side:

The quote reached the SQL statement: the query was executed with our input and errored out

And it is a GET request:

So paste the path of this request into the browser and access it directly

This way there is no need to deal with anti-sqlmap form handling, and it is faster than saving the request packet to a file

sqlmap dumped the data successfully!

SQL injection +1

Then on to [Member Registration]

Close the search term with a single quote:

The quote reached the query statement here too

Press F12, open the Network tab: this is also a GET request, so copy the request URL and view the response directly

Run sqlmap on it directly

SQL injection +2
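Both injections above have the same shape: a GET parameter (the id of the resume record, the search term of the member list) concatenated into a query, so a single quote breaks the statement and the error shows in the response. The following is an added example (not code from the original post or from the target system) reproducing that behaviour against an in-memory SQLite table and showing the parameterised fix. The table, column names and rows are constructed for illustration; the error-on-quote and the OR-based and UNION-based payloads are the generic technique, not anything recovered from the real site.

```python
import sqlite3


def make_db():
    """Constructed sample table (assumption) standing in for the resume records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resume (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO resume VALUES (?, ?, ?)",
        [(1, "Alice", "111"), (2, "Bob", "222"), (3, "Carol", "333")],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """String concatenation: the GET parameter becomes part of the SQL text."""
    sql = f"SELECT id, name, phone FROM resume WHERE id = '{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, id_param):
    """Bound parameter: the value can only ever be compared, never parsed."""
    return conn.execute(
        "SELECT id, name, phone FROM resume WHERE id = ?", (id_param,)
    ).fetchall()


def probe_quote(conn, lookup):
    """The manual test from the article: does a trailing quote produce a database error?"""
    try:
        lookup(conn, "1'")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    return {
        "vuln_errors_on_quote": probe_quote(conn, lookup_vulnerable),
        "vuln_or_returns_all": len(lookup_vulnerable(conn, "1' OR '1'='1")),
        "vuln_union_reads_version": lookup_vulnerable(
            conn, "' UNION SELECT 1, sqlite_version(), 3 --"
        )[0][1],
        "hard_errors_on_quote": probe_quote(conn, lookup_hardened),
        "hard_or_returns_none": len(lookup_hardened(conn, "1' OR '1'='1")),
        "hard_normal": lookup_hardened(conn, "1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The quote test is a good first probe precisely because the error it produces is the symptom of the bug, not a coincidence: the parameter is being parsed as SQL. With a bound parameter the same input is just a string that matches nothing.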

Then click the three characters [Administrator] in the upper right corner

At first I had not noticed that these characters were clickable. After clicking, I found an information upload point:

This section allows file uploads, so try uploading a php file first

The prompt says only the listed file types may be uploaded. Just as I was about to look for a bypass, I noticed that pdf was among the allowed types, so I tried uploading a pdf with an embedded xss payload (pdf-xss) directly:

The upload succeeds, so try to open it in the browser:

But the browser reports that the file does not exist, so I looked more carefully at the upload response:

The path uploadfile/16893293978.pdf is followed by a ?value= parameter, and after that parameter comes another one:

? file=url=uploadfile/16893293978.pdf. Going back to the parameters in the request:

There is a &field=url parameter here; try changing it to 1

The browser echoes that "1" does not exist, which makes it clear: the value following &field= is the path of the file after upload. Because we entered 1, the file 1 does not exist, hence the NotFound echo. So let's try it with the uploaded file:

Capture the request:

XSS triggered successfully

Stored XSS +2

But the goal here is getshell, so keep working on the file upload

I modified the MIME type and tried a php5 extension bypass, but it still refuses the upload; an image uploads fine but is not parsed as PHP

This upload check appears to be hard-coded, so look for other breakthroughs. Checking the parameters reveals a "filename" parameter

A suspicious parameter, so quickly add a delay command to test it:

`sleep 7`

The response was delayed, as expected:

Command execution confirmed! Probe further:

Use curl to probe an ngrok.io listener (out-of-band confirmation)

Got the callback!

Command execution +1, and finally the corresponding command gives us the shell
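The `sleep 7` probe works because the filename ends up inside a shell command line, where backticks are command substitution. Below is an added example (not code from the original post or from the target system) showing the vulnerable pattern, the argv-based fix, and the timing probe the article used, with the sleep shortened to 1 second. The "convert" command is an assumption standing in for whatever the real upload handler ran; `echo` is used so the example runs offline and the effect is visible in the output.

```python
import re
import subprocess
import time


def convert_vulnerable(filename):
    """Builds a shell string from the parameter: backticks, $(), ';' and '|'
    are all interpreted by /bin/sh. 'echo' stands in for the real tool (assumption)."""
    cmd = f"echo converting {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def convert_hardened(filename):
    """argv list, no shell: the parameter is exactly one argument, never parsed."""
    return subprocess.run(
        ["echo", "converting", filename], capture_output=True, text=True
    ).stdout.strip()


def is_safe_filename(filename):
    """Allow-list on top of the argv fix: basename characters only, no paths."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,128}", filename) is not None and ".." not in filename


def probe_delay(convert, seconds=1):
    """The article's time-based test: inject `sleep N` and measure the response time.
    Returns the elapsed seconds, so a value >= N means the command ran."""
    start = time.perf_counter()
    convert(f"`sleep {seconds}`.pdf")
    return time.perf_counter() - start


def demo():
    payload = "`echo INJECTED`.pdf"  # constructed test payload (assumption)
    return {
        "vuln_output": convert_vulnerable(payload),     # "converting INJECTED.pdf"
        "hard_output": convert_hardened(payload),       # backticks stay literal
        "vuln_delayed": probe_delay(convert_vulnerable) >= 1.0,
        "hard_delayed": probe_delay(convert_hardened) >= 1.0,
        "payload_allowed": is_safe_filename(payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Out-of-band confirmation with curl, as done above, is the right next step when the time delay is the only signal: a DNS or HTTP callback proves execution without depending on response timing, which can be noisy behind load balancers.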

Summary

The overall difficulty was moderate, but this time the backend had a great many functions, which required careful observation and testing. Once reconnaissance of the backend was complete, getting a shell became much easier.


Source: blog.csdn.net/qq_38154820/article/details/131900703