Penetration testing based on a mall CMS

Table of contents

NiushopCMS Penetration Testing

Site Home

Information gathering

Weak password brute forcing

File Upload Vulnerability

File upload point in the user center profile

File upload point in the backend user profile

File upload point in backend article management

Business Logic Vulnerabilities

XSS

SQL injection


NiushopCMS Penetration Testing

Site Home

Information gathering

Look up the IP address and gather basic information about the site.

Port 22 (SSH) is found open and is flagged as high risk.

Port scan results from Yujian:

The ports above are discovered.

nmap scan results:

Scanned port information:

Directory scan:

Paths returning status code 200:

Additional directory information:

Weak password brute forcing

Information gathering showed port 22 open, which is a high-risk finding, so weak SSH passwords are tried first.

The connection fails, indicating the SSH password is probably not a weak one.

Next, the database is tried with weak passwords.

Nothing is found there either, so the database probably has no weak password.

Try logging in to the backend:

Enter an account and password, capture the login request, and brute force it.
Start with the account admin and use Intruder's Sniper mode to see whether the brute force succeeds.

Capture the request, send it to the Intruder module, and select Sniper mode:

Select the password dictionary and start the attack.

By comparing the response lengths, the successful attempt stands out.

The password is: admin123456

Successfully logged in to the backend.
Account: admin
Password: admin123456

New admin users can now be added:

File Upload Vulnerability

File upload point in the user center profile

Locate the file upload point.

Try an upload, capture the request, and once the upload succeeds check the path of the uploaded file.

Find the path where the image was stored.

The upload succeeded; check it.

Visit the uploaded file: the PHP statement is parsed. Confirm the Trojan file was created, then visit it and try executing a PHP statement.

Connect with Godzilla and obtain control of the server.

File upload point in the backend user profile

Upload a picture, capture the request, modify it by inserting a PHP statement into the picture, then forward the request and confirm the upload succeeded.

Visit the corresponding upload path to see whether it is parsed.

It is parsed successfully. Replace the PHP statement with a one-sentence Trojan, or with a PHP statement that creates a file and writes a Trojan into it.
Here a PHP statement that creates a file and writes a Trojan into it is used as the example; a plain one-sentence Trojan works on the same principle.

Modify the suffix of the uploaded file, insert the PHP Trojan statement into the picture, and forward the request.

Uploaded successfully; verify whether it is parsed.

Visit the corresponding upload link.

Verify that the statement just inserted has created the Trojan file and that it is parsed.

Connect with AntSword or Godzilla.

The connection succeeds once it is added.

File upload point in backend article management

The testing process is the same as above: the statement can be a one-sentence Trojan or a statement that creates a file and writes a Trojan into it; capture the request and insert it into the picture.
The upload method is roughly the same as above.

After accessing the file, the PHP statement entered is parsed.

Connect with the third-party tool AntSword.

Connection succeeded.

Server control obtained successfully:

There are more file upload points elsewhere; each can be tested in turn with the same idea and method.
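The three upload points above all accept a renamed or PHP-laden "picture". The following is an added hardening example for an image-upload handler, written for this page and not taken from NiushopCMS: the file is judged by its magic bytes, the extension is allowlisted and matched against the content, polyglots carrying PHP tags are refused, and the stored name is random. The allowlist and marker set are assumptions.

```python
import os
import secrets

# Added hardening example for an image-upload handler (not NiushopCMS code).
# The page's upload points accept a renamed or PHP-laden "picture", so here the
# file is judged by its bytes, the extension is allowlisted and matched to the
# content, and the stored name is random. Pair this with a web-server rule that
# never executes PHP from the upload directory.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png", b"GIF89a": "gif", b"GIF87a": "gif"}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")  # polyglot check, see below

def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_upload(client_name: str, data: bytes) -> str:
    """Return a safe server-side filename or raise ValueError with the reason."""
    base = os.path.basename(client_name).lower()
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    if ext not in ALLOWED_EXT:                 # rejects shell.php, shell.phtml, ...
        raise ValueError("extension not allowed")
    kind = sniff_image_type(data)
    if kind is None:                           # rejects a PHP file renamed to .jpg
        raise ValueError("content is not a recognised image")
    if ("jpg" if ext == "jpeg" else ext) != kind:
        raise ValueError("extension does not match content")
    if any(m in data for m in SCRIPT_MARKERS):  # rejects image+PHP polyglots
        raise ValueError("script markers embedded in image")
    return f"{secrets.token_hex(16)}.{kind}"   # client never controls stored name

def upload_allowed(client_name: str, data: bytes) -> bool:
    """Boolean wrapper: True if validate_upload accepts the file."""
    try:
        validate_upload(client_name, data)
        return True
    except ValueError:
        return False

# Constructed samples: a minimal PNG header, and the same header with PHP appended.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT = GOOD_PNG + b"<?php echo 'x'; ?>"
```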

Business Logic Vulnerabilities

Purchase any item, capture the request, and modify the num (quantity) field in the packet.

Capture the packets:

Forward the first packet; the next packet is handled the same way: change num to -1.

Modify two consecutive packets, changing num to -1, then forward them (any number works for num; just put a minus sign in front of it).

Continue forwarding, and the amount to pay becomes 0 yuan.

When this method is executed, an "insufficient stock" prompt pops up, so the quantity is modified again, this time to 0.000001.

Choose a product at random:

Click Buy:

Capture the request and modify the data:

Modify the purchase quantity.

Forward the packet and look at the second packet:

Modify it again.

Forward it.

The payment page appears:

The order is paid successfully:

Go to the member center to view my orders:

0-yuan shopping is achieved.

There is also a business logic flaw in coupon reuse. After the order is submitted on the payment page, capture the request and resend it several times; each time the response reports success. Then check the orders in the personal center to confirm whether the coupon was used repeatedly.
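Both flaws in this section (a client-supplied num of -1 or 0.000001, and a replayed coupon request) come from trusting the request body. The following is an added server-side validation example written for this page, not NiushopCMS code: the quantity must be a positive integer, the total is recomputed from the server's own catalog, and a coupon can be claimed exactly once per user. The catalog, stock and coupon values are constructed assumptions.

```python
from decimal import Decimal
import threading

# Added server-side order validation example (not NiushopCMS code). The page shows
# num=-1 and num=0.000001 being accepted and a coupon request replayed; here the
# quantity must be a positive integer, the price is recomputed from the server's
# catalog, and a coupon can be claimed exactly once. Catalog, stock and coupon
# values are constructed assumptions.
CATALOG = {"sku-1": Decimal("99.00")}
STOCK = {"sku-1": 5}
COUPONS = {"SAVE10": Decimal("10.00")}
_used_coupons = set()          # in production: a unique DB constraint in a transaction
_lock = threading.Lock()

def parse_quantity(raw):
    """Accept only a positive integer string in a sane range; -1, 0, 0.000001, '1e3' fail."""
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    qty = int(raw)
    return qty if 1 <= qty <= 999 else None

def claim_coupon(user_id: str, code: str) -> bool:
    """Single-use per user: the first claim wins, a replayed packet gets False."""
    if code not in COUPONS:
        return False
    with _lock:
        key = (user_id, code)
        if key in _used_coupons:
            return False
        _used_coupons.add(key)
        return True

def price_order(user_id: str, sku: str, raw_qty, coupon=None):
    """Return the amount to charge as a Decimal, or None if the request must be rejected."""
    qty = parse_quantity(raw_qty)
    if qty is None or sku not in CATALOG or qty > STOCK[sku]:
        return None
    total = CATALOG[sku] * qty               # never trust a client-sent price or total
    if coupon is not None:
        if not claim_coupon(user_id, coupon):
            return None
        total = max(Decimal("0.00"), total - COUPONS[coupon])
    return total
```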

XSS

Wherever there is user interaction, test for XSS in turn.

In the backend article management of the website:

After saving, no pop-up appears.

Previewing the article, the pop-up window appears.

A pop-up window appears in the middle of the article.

Cookie information is obtained the same way.

Cookie information obtained successfully.

An XSS platform can be used to collect the information and bypass login.

Insert the malicious statement:

Visit the created page.

The platform records the information.

Expand to view the information.

Expanded information:

Save the URL and cookie information above, and use HackBar to bypass the login.

Return to the frontend, use the URL and cookie just obtained, and try to bypass the login.

Bypassed successfully:

The bypass succeeds and the backend management interface is entered.

Further verification found:

In the basic settings there is also XSS.

Observe the pop-up window changes on the frontend.

Testing shows this is stored XSS.

Jumping to other pages also triggers the pop-up:

Other interactive locations have the same flaw; test them one by one.
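The stored XSS found above lives in article content and basic settings that are rendered back to every visitor. The following is an added allowlist sanitiser written for this page, not NiushopCMS code: it keeps a small set of formatting tags, drops script-bearing elements with their content, removes event-handler attributes and javascript:/data:/protocol-relative URLs, and escapes all other text. The tag and attribute allowlists are assumptions to be tuned per site.

```python
from html import escape
from html.parser import HTMLParser

# Added allowlist sanitiser for stored article content (not NiushopCMS code).
# Keeps a few formatting tags, drops <script>-like elements with their content,
# strips on* handlers and unsafe URL schemes, escapes everything else.
# The allowlists below are assumptions.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "h2", "h3", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID = {"br", "img"}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return
        safe = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):   # drops onerror, onload, style...
                continue
            v = (value or "").strip()
            if name in ("href", "src") and (v.startswith("//") or
                    not v.lower().startswith(("http://", "https://", "/"))):
                continue                                  # drops javascript:, data:, //evil
            safe.append(f' {name}="{escape(v, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    """Return article HTML reduced to the allowlist, safe to store and render."""
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)
```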

SQL injection

After verification, SQL injection was found in the frontend.

Injection point:

Capture the request and save it to a txt file in the sqlmap directory.

Run it with sqlmap:

After testing, sqlmap cannot enumerate the database.

At the same location, the price parameter and others are also injectable:

The injection point returns an error:

Try sqlmap again:

Boolean-based injection:

python sqlmap.py -r test.txt --technique=B --batch

Ran successfully:

sqlmap reports the injection technique and payloads that work.

Injection type and payload:

Dump the databases:
 python sqlmap.py -r test.txt --technique=B --batch --dbs

Find the database belonging to the website, then enumerate its tables.

Next, enumerate the tables.

Dump the tables:
 python sqlmap.py -r test.txt --technique=B --batch -D niushop_b2c --tables

After waiting, the table information appears:

The tables in the database are listed below; enumeration succeeded.

There are a large number of tables.

By inspection, find the table we want, the one holding the important data.
The guess is sys_user.
Enumerate the fields of the table to get the column information.

Try enumerating the columns:
 python sqlmap.py -r test.txt --technique=B --batch -D niushop_b2c -T sys_user_admin --columns

sys_user_admin table:

The columns in the table were enumerated successfully.

By inspection, it does not contain the information we want, so continue with other tables.

sys_user table:

Get the column information of the table:
 python sqlmap.py -r test.txt --technique=B --batch -D niushop_b2c -T sys_user --columns

Results as shown below:

Sensitive fields are present: username and password.

With the above information, continue to dump the field data:

Enumerate the columns and dump the fields to obtain the important information, username and password:
 python sqlmap.py -r test.txt --technique=B --batch -D niushop_b2c -T sys_user -C user_name,user_password --dump

Part of the data:

The passwords appear to be MD5 hashes; pick one at random and try to crack it with an MD5 lookup:

Continue waiting for the dumped data.

View more user and password information.

Look at the admin record and crack it.

The admin username and password are obtained.

The dump succeeded, and the user and password information was obtained.

The database dump was successful!

After verification, there is also a SQL injection point in the backend:

The query interface under database management in Settings.

An error message appears.

Capture the request, put it in the sqlmap directory, and run sqlmap.

sqlmap run:

Dump the databases:
 python sqlmap.py -r test.txt --batch --dbs

After waiting:

sqlmap cannot enumerate it. SQL injection exists nonetheless, so other injection methods can be tried.

There is also a SQL injection point at the user page in the backend:

Try to inject.

After injection, an error is reported:

Capture the request and save it to a text file in the sqlmap directory.

Run sqlmap:

The injection statement and the database were enumerated.

Dump the databases:
 python sqlmap.py -r test.txt --batch --dbs

Determine the current database:
 python sqlmap.py -r test.txt --batch --dbs --current-db

Enumerate the tables in the database:
 python sqlmap.py -r test.txt --batch --dbs -D niushop_b2c --tables

Find the most important tables we need and get the information in them.

The preliminary judgment is this table.
Next, enumerate the columns in the table:
 python sqlmap.py -r test.txt --batch --dbs -D niushop_b2c -T sys_user --columns

Find the columns we most want: username and password.

Dump username and password:
 python sqlmap.py -r test.txt --batch --dbs -D niushop_b2c -T sys_user -C user_name,user_password --dump

Some user information:

Analysis shows the passwords are MD5 hashes; pick one at random and crack it.

Cracking succeeded.

It was observed that sqlmap already cracked some of the passwords while dumping the data: the value in brackets after the hash is the cracked password.
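The boolean-based (--technique=B) runs above leave a distinctive trace: many requests to one path where a single parameter carries tautology and contradiction comparisons, plus sqlmap's default User-Agent unless it is changed. The following is an added detection example written for this page, not part of the original post: it parses combined-format access-log lines and flags both signals. The log lines, IPs, paths and threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, quote_plus, urlsplit

# Added detection example (not from the page): flag boolean-based blind SQL
# injection probing like sqlmap --technique=B, over constructed combined-format log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
BOOL_RE = re.compile(r"(?i)\b(?:and|or)\s+\(?\s*\d+\s*(?:=|<>|!=|>|<)\s*\d+")  # AND 1=1, OR 7>3

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)  # already URL-decoded
    return rec

def analyse(lines, threshold=5):
    """Return (kind, ip, detail) findings: sqlmap UA, or >= threshold boolean probes on one param."""
    findings, probes = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "sqlmap" in rec["ua"].lower():
            findings.append(("sqlmap-ua", rec["ip"], rec["path"]))
        for name, value in rec["params"]:
            if BOOL_RE.search(value):
                probes[(rec["ip"], rec["path"], name)] += 1
    for (ip, path, name), n in probes.items():
        if n >= threshold:
            findings.append(("boolean-probe", ip, f"{path}?{name} x{n}"))
    return findings

# Constructed sample: six boolean probes from one client, one sqlmap UA hit, one benign request.
PROBES = ["1 AND 1=1", "1 AND 1=2", "1 AND 7>3", "1 OR 2=2", "1 AND 5=5", "1 AND 5=6"]
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Jun/2023:10:00:{i:02d} +0800] "GET /goods/detail?goods_id={quote_plus(p)} '
    f'HTTP/1.1" 200 812 "-" "Mozilla/5.0"' for i, p in enumerate(PROBES)
] + [
    '10.0.0.9 - - [10/Jun/2023:10:01:00 +0800] "GET /goods/detail?goods_id=3 HTTP/1.1" 200 812 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '10.0.0.7 - - [10/Jun/2023:10:01:05 +0800] "GET /goods/detail?goods_id=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

def run_demo():
    return analyse(SAMPLE_LOG)
```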

The content is for reference and study only.

If there is anything inappropriate in the article, criticism and corrections are welcome!


Origin blog.csdn.net/rumil/article/details/131170454