A brief talk about a basic penetration process (no detailed description)

Note: This article is shared for reference only; I hope it can help you.


Foreword

If you find it helpful, give it a thumbs up.

1. Results

The server is overseas, 12 hours off from our time zone. It was 3:00 am on my side.
There is no specific process here, just some messy screenshots; you know what I mean, buddies.

2. About the process

At first, it was just a small app for satisfying physiological needs. Some of the members just have to put up with it, after all, they're poor. Then!!! Damn, they throttled my speed at night!!! I'm on 5G and you give me tens of KB/s, who are you looking down on? Damn, can you put up with that? I can't. So I thought about going in to take a look. You throttle me and you don't get paid!!! Then I got in.
Haha, it's a bit of a joke, but that's how it was.
Let me brag to you about it.
This one was actually not easy to crack; you could say the people behind it took protecting their shady business quite seriously, and I spent a huge amount of effort on it (the strength of nine oxen and two tigers, as we say). The beginning was very simple: you have to capture packets. Capture packets to find the backend management page.
While gathering information, I found that Google required the website to verify itself before it would reveal any information about it; they were really willing to spend money. Fofa was the same, no useful information.
1. Thought about capturing with Burp (BP) and finding the address. Then I found that the address was unclear, and the browser directly refused to access the given address.
2. Thought about brute-forcing the directory to see if the backend could be found. It didn't work. That's normal; this kind of thing depends heavily on luck.
3. Then found its source code through one of the URLs from the collected information. It was on GitHub.
4. Through auditing this source code, the backend management page was found.
5. Brute-forced the way in.
It sounds simple, but it was actually quite difficult and time-consuming, and took a bit of luck. I also went down a lot of wrong paths; for example, I also found the configuration file directory, but access was simply not allowed. There was also the URL where the API lived, which also required website verification, that is, proving you are the owner of the website. The protection was still fairly tight. There were many dead ends, so I won't list them one by one.
The general idea is to find the backend and get into the backend. The difficulty is how to find it and how to get in. There are too many possible real-world conditions, and it doesn't mean you can definitely find it and get in; it depends on the specific situation.

3. The next goal

The pants are already off, so what's left to hold back? See if I can get into the host.
This uses a framework I'm not familiar with, and it has vulnerabilities. If I finish it, I'll write a POC later. There is a related deserialization vulnerability in Laravel 8. I don't know whether it has been fixed.

Summary

There's no substantial content here, just sharing and giving you an idea. I'm too embarrassed to ask for likes this time. Like it depending on your mood; goodbye, buddies.

Source: blog.csdn.net/qq_57223070/article/details/127746645