Remember a penetration test in a dream

Disclaimer: Any direct or indirect consequences and losses caused by the dissemination and use of the information provided in this article are the responsibility of the user. I and the author do not assume any responsibility for this. Please bear the consequences yourself! If there is any infringement, please inform us and we will delete it immediately and apologize. Thanks!

Source of article: This article is provided by Master Makabaka of Dragon7 Team
Public account: Dragon7 SEC, thank you for your attention

Vulnerability details:

For the record, I discovered an interesting vulnerability today.

First, we were given an IP address.

[Figure 1]
In the usual workflow, after getting an IP, go straight to an asset mapping (surveying) platform.

[Figure 2]
Two web services were found there, and I tested them one by one. When I opened the first one, the page was blank. I was stunned!!

[Figure 3]

But I wouldn't give up that easily. Not believing it was really blank, I went straight to dirsearch.

Sure enough, it turned up a lot of good things right away.

A Swagger API documentation leak came up directly.

[Figure 4]

Although many endpoints were exposed, basically they either failed authentication or the endpoint returned an error! Alas, I fell into deep thought.

I could only look for other openings, damn it!!

Luckily, two directories had directory listing enabled, leaking a lot of information!

[Figure 5]

[Figure 6]

[Figure 7]
Although some information was indeed leaked, it was only a trickle, like water! But my goal was more than that; I wasn't willing to give in.

If you are not willing to give in, then keep working hard! !

Carefully, carefully, and carefully again, I took another look at what I had obtained earlier.

And just when all seemed lost, a new path opened up (柳暗花明又一村).

[Figure 8]

Here I found the admin backend address directly, and my confidence returned. Straight into Burp to run a weak-password check.

However, it failed; no weak password worked!!! Lost in thought again.

Let's capture a login request and test for injection or the like, hey!

[Figure 9]

wc wc wc? What's going on? I only wanted to test for injection. What's going on? Did it just hand it to me directly??

For this wave of operations, I can only say 666.

So why hesitate? Just go ahead!!

[Figure 10]

Ah!! This, this, this? That's it!!

Haha, we succeeded here too. In the end we found that the backend uses the layuiadmin framework, and as long as the username exists, the login endpoint returns the password, mobile phone number, and so on.

However, after testing, there was no point in the backend where you could get a shell. That's a pity. It may be because the framework is niche; I haven't found any articles documenting it. Alas! But at least we got something out of it!
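The login behaviour described above, modelled as an added example (not code from the original post or from layuiadmin): a handler that returns the whole user record whenever the username exists, beside a hardened one that gives the same reply for unknown user and wrong password, plus the response check a reviewer would run against such an endpoint. The user data and field list are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example, not anything from the original post.
# The vulnerable backend keeps the password and phone number in the record it
# hands back; the hardened one stores only a password hash.
_VULN_USERS = {"admin": {"username": "admin", "password": "P@ssw0rd!", "phone": "13800000000"}}
_SAFE_USERS = {"admin": {"pw_hash": hashlib.sha256(b"P@ssw0rd!").hexdigest()}}

# Field names that must never appear in a login response, whatever the outcome.
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "phone", "mobile", "email", "idcard"}


def vulnerable_login(username: str, password: str) -> dict:
    """Models the behaviour described in the post: when the username exists,
    the whole user record comes back, whether or not the password matched."""
    user = _VULN_USERS.get(username)
    if user is None:
        return {"code": 1, "msg": "user not found"}  # also enumerates usernames
    return {"code": 0, "data": user}


def hardened_login(username: str, password: str) -> dict:
    """Identical reply for unknown user and wrong password, and on success only
    an opaque session token. (Use bcrypt/argon2 instead of sha256 in production.)"""
    user = _SAFE_USERS.get(username)
    # Hash and compare even for a missing user so both paths take similar time.
    expected = user["pw_hash"] if user else hashlib.sha256(b"dummy").hexdigest()
    given = hashlib.sha256(password.encode()).hexdigest()
    if user is None or not hmac.compare_digest(expected, given):
        return {"code": 1, "msg": "invalid username or password"}
    return {"code": 0, "data": {"token": secrets.token_hex(16)}}


def leaked_fields(response: dict) -> set:
    """Walk a JSON-style response and collect the sensitive field names it
    exposes; the check to run against a login API or a Swagger-listed endpoint."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_FIELDS:
                    found.add(key.lower())
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(response)
    return found
```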

This is a complete article too, just a bit short; please don't criticize me!!! Please!!

Original: blog.csdn.net/m0_55994898/article/details/134243422