Hidden penetration series: arbitrary file download via a send-to-email feature

Learning point:

Arbitrary file download tips

 

I: Test record

This is another record of testing a small application. The application has a form-filling function, which works as follows:

 

1. Start by filling out the form normally.

 

2. After submission, the completed form is sent to the e-mail address we entered as a PDF.

 

3. Capturing the request in Burp Suite shows that the parameter controlling which PDF file is sent is user-controlled, so any file can be downloaded.

4. Modifying the filepath parameter to ../../../../../etc/passwd and sending it to my e-mail address: the file is received successfully.

 

 

5. Modifying the filepath parameter to ../../../../root/.bash_history: the bash_history file is read successfully.
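The root cause of steps 3 to 5 is that the filepath value is joined onto a base directory without validation. The following is an added example, not code from the article or from the application tested; it shows the flawed resolution next to a hardened version. The base directory PDF_ROOT and the file-name pattern are assumptions for illustration.

```python
import os
import re

# Constructed example: the directory the "send PDF" feature is allowed to read from.
PDF_ROOT = "/srv/forms/generated"

# Only generated form PDFs may be mailed: an allowlist pattern with no path
# separators and no dot segments is far stricter than a denylist of "..".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.pdf$")


def resolve_vulnerable(filepath: str) -> str:
    """Mirrors the flaw in the article: the user-supplied filepath is joined
    onto the base directory with no validation, so "../../../../../etc/passwd"
    escapes PDF_ROOT (and an absolute path replaces PDF_ROOT entirely)."""
    return os.path.normpath(os.path.join(PDF_ROOT, filepath))


def resolve_hardened(filepath: str) -> str:
    """Return an absolute path inside PDF_ROOT, or raise ValueError."""
    # 1. Allowlist the name: plain file name, .pdf only.
    if not SAFE_NAME.fullmatch(filepath):
        raise ValueError(f"rejected file name: {filepath!r}")
    # 2. Defence in depth: canonicalise (follows symlinks) and confirm the
    #    result is still contained in the base directory.
    root = os.path.realpath(PDF_ROOT)
    candidate = os.path.realpath(os.path.join(root, filepath))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes PDF_ROOT: {candidate}")
    return candidate


def attempt(filepath: str) -> dict:
    """Run both resolvers on one input so the difference is visible."""
    result = {"input": filepath, "vulnerable": resolve_vulnerable(filepath)}
    try:
        result["hardened"] = resolve_hardened(filepath)
    except ValueError as exc:
        result["hardened"] = None
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # The legitimate case, then the two inputs used in the article.
    for p in ("form-1024.pdf",
              "../../../../../etc/passwd",
              "../../../../root/.bash_history",
              "/etc/passwd"):
        print(attempt(p))
```

The allowlist alone already blocks every traversal input; the containment check after realpath() is kept so that a later change to the pattern, or a symlink placed inside PDF_ROOT, still cannot point the feature outside the intended directory.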

 

 

II: Further penetration

Using the arbitrary-download parameter, read the server's command history and use it to locate the database configuration file. (The history should be read together with the directory layout; the point of analysing these historical commands is to find the configuration file path rather than /etc/shadow, because the hashes there most likely cannot be cracked and are of little use.)

bash_history example (figure):

By analysing the bash_history file, we eventually found the following configuration files:

/home/apache-tomcat-7.0.63/webapps/xxxx/WEB-INF/classes/config/properties/jdbc.properties, which directly yields the database account, the ultimate goal.

/home/apache-tomcat-7.0.63/webapps/xss/WEB-INF/classes/mapper/yssRxPersonBaseDataMapper.xml, which directly yields the web-side account.
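Every read described in sections I and II (passwd, bash_history, the Tomcat configuration files) went through the same filepath parameter, so the web server's access log records them. The following is an added example, not code from the article; it scans constructed access-log lines in common log format and flags filepath values that contain a ".." segment or an absolute path. The endpoint name /form/sendpdf, the parameter list and the log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (common log format); not from the tested server.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Feb/2020:10:01:12 +0800] "GET /form/sendpdf?filepath=form-1024.pdf&mail=a%40example.com HTTP/1.1" 200 512
10.0.0.9 - - [22/Feb/2020:10:03:41 +0800] "GET /form/sendpdf?filepath=../../../../../etc/passwd&mail=a%40example.com HTTP/1.1" 200 2048
10.0.0.9 - - [22/Feb/2020:10:04:02 +0800] "GET /form/sendpdf?filepath=..%2F..%2F..%2F..%2Froot%2F.bash_history&mail=a%40example.com HTTP/1.1" 200 4096
10.0.0.9 - - [22/Feb/2020:10:06:10 +0800] "GET /form/sendpdf?filepath=/home/apache-tomcat-7.0.63/webapps/xxxx/WEB-INF/classes/config/properties/jdbc.properties HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Parameters known to name a server-side file (assumed for this example).
WATCHED_PARAMS = ("filepath",)


def is_traversal(value: str) -> bool:
    """True if a file-name parameter tries to leave its directory.
    parse_qs has already URL-decoded the value once, so %2F is a slash here."""
    normalised = value.replace("\\", "/")
    if normalised.startswith("/"):
        return True          # absolute path: replaces the base directory outright
    return any(segment == ".." for segment in normalised.split("/"))


def scan_log(text: str) -> list:
    """Return one finding per suspicious file parameter value."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        query = urlsplit(match["target"]).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in WATCHED_PARAMS:
                continue
            for decoded in values:
                if is_traversal(decoded):
                    findings.append({
                        "ip": match["ip"],
                        "time": match["time"],
                        "param": name,
                        "value": decoded,
                        # A 200 means the server most likely served the file.
                        "succeeded": match["status"] == "200",
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Matching on decoded path segments rather than on the literal string ".." is what lets the third line (URL-encoded slashes) be caught; pairing the hit with the response status separates attempts from successful reads, which is the set that needs credential rotation.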

 

III: Extending the idea

Once the database account and the web-side account have been obtained, collect their passwords and then try them (as guesses) against SSH, without making too much noise; there is a high probability that the password is the same or a variation of the business name (xxx@2018, xxx@2019, where xxx is the business name, which can be seen from the web directory). Then use those accounts to scan the C-class subnet; that is basically it (only for the account test surface). Of course, if the account has only ordinary privileges, privilege escalation and other operations can be performed to penetrate further.


Source: blog.csdn.net/weixin_39997829/article/details/104457947