
Example Analysis of Linking a File Read Vulnerability to a Shell in Web Security

2025-01-20 Update From: SLTechnology News&Howtos (shulou), Network Security

Shulou (Shulou.com) 05/31 report

This article introduces an example analysis of chaining a file read vulnerability into a shell in web security. It has some reference value; interested readers can follow along, and I hope you learn a lot from it. Below, Xiaobian takes you through it.

For reference, study and use only

Process

While sorting out a report, I found that Daqiang's vulnerability report contained an XXE vulnerability, and that its output was echoed back in the response. On closer study, this interface turned out to be the unified parameter entry point of the whole system after login: the system parses the method name out of the XML, then executes the response logic for the corresponding method. Unable to resist our restlessness, Daqiang and I began to fuzz for all kinds of sensitive files.
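The endpoint described above is the classic place for an XXE file read to land: a post-login handler that parses a method name out of attacker-supplied XML and dispatches on it. The following is an added example of how such a dispatcher can be written so that the document never reaches an entity-resolving code path; it is not the target system's code, and the element names (request, method, param) and the handler names are assumptions for the example.

```python
"""Hardened XML "method dispatch" endpoint (added example, not the target system's code).
Element names and handler names below are assumed for illustration."""
import xml.etree.ElementTree as ET

MAX_BODY_BYTES = 64 * 1024


# Assumed handler table for this example; a real system registers many more.
def _get_profile(params):
    return {"status": "ok", "user": params.get("user", "")}


def _list_orders(params):
    return {"status": "ok", "orders": []}


HANDLERS = {"getProfile": _get_profile, "listOrders": _list_orders}


def parse_request(body: bytes):
    """Parse a request body into (method, params), refusing anything that could
    drive entity expansion.

    Defence in depth: the stdlib expat-based parser does not fetch external
    entities (it raises ParseError on an unresolved entity reference), but
    rejecting any DOCTYPE up front also blocks internal-entity blowup payloads
    and keeps the policy independent of whichever parser is used later."""
    if not body or len(body) > MAX_BODY_BYTES:
        raise ValueError("request body missing or too large")
    try:
        text = body.decode("utf-8")  # strict decode: no alternate encodings past the scan
    except UnicodeDecodeError:
        raise ValueError("request body must be UTF-8")
    upper = text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(body)
    if root.tag != "request":
        raise ValueError("unexpected root element")
    method = (root.findtext("method") or "").strip()
    params = {p.get("name", ""): (p.text or "") for p in root.findall("param")}
    return method, params


def dispatch(body: bytes) -> dict:
    """Look the method up in an explicit allowlist; never derive a code path
    from the raw string (no getattr/reflection on user input)."""
    method, params = parse_request(body)
    handler = HANDLERS.get(method)
    if handler is None:
        raise ValueError(f"unknown method: {method!r}")
    return handler(params)


if __name__ == "__main__":
    # Constructed sample request.
    ok = b'<request><method>getProfile</method><param name="user">alice</param></request>'
    print(dispatch(ok))
```

The DOCTYPE scan is deliberately done on the raw text before parsing, so the rule holds even if the parser is later swapped for one (such as lxml with default settings) that does resolve external entities; the allowlisted handler table is what keeps the "method" string from ever selecting code the developer did not intend.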

After various attempts we had read a large amount of sensitive system information, but it was of little help in getting a shell, and Daqiang had almost given up. At that point I stared at Daqiang's screen and noticed files like 1.txt and 2.txt on his desktop. Coincidentally, my own desktop also holds some important temporary files with simple names. On a whim: don't many people keep sensitive information that is awkward to remember on the desktop for convenience? So next we fuzzed the administrator's desktop files directly. That attempt turned up the temporary files 111.txt, 123.txt and pwd.txt. The pwd.txt file held several web addresses with their corresponding account passwords, plus some scattered strings that looked like passwords. Daqiang and I burst out laughing, and he clamored to teach the administrator how to behave.

Daqiang and I immediately ran a full-port service scan of the target host and found ports 21, 80, 443, 3389, 6379, 8080, 8085 and 8086 open. We planned to log in directly to 3389 with one of the six account/password pairs we had read. Excited, I tried again and again. But it went like this:

Failed to enter 3389.

Failed to enter ftp.

Failed to enter redis.

Because the link addresses we read belonged to intranet systems, there was no way to reach them either.

After the various services failed, we tried brute-forcing 3389, ftp and the other services, still with no result. Accessing ports 8085 and 8086 of the target address directly showed no service at all, but it was clear that the 8085 and 8086 services were closely related.

Searching Baidu, we tried to find which services might use 8085 and 8086 as default ports, but still found nothing.

By now the roar about teaching the administrator to be human had faded too.

Wait, this isn't the end; it would be too hasty to stop here. I closed my eyes and vaguely felt I had seen these two ports as the default ports of some service somewhere. After some hard thinking and a few leftover memories, I recalled the treeNMS and treeDMS management systems I had encountered years ago, whose default ports are 8086 and 8085. Verification did not disappoint Daqiang and me: it was indeed this pair of sister systems. Using the admin account/password combinations read through the XXE arbitrary file read vulnerability, we first successfully logged in to the treeNMS system.

Log in to treeNMS

Looking at the system data: nothing at all, the management side is empty, and Redis holds no information either. Don't panic, there is still the DMS system. With some apprehension, we moved on to try logging in to the next one.

Log in to treeDMS

Our mood was extremely excited at this point, and Daqiang's roar had returned. The administrative side had a total of three accounts, with passwords stored as MD5 hashes. A reverse lookup recovered the passwords of two of the accounts. Log in directly and see what we can get.
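The reverse lookup above works because an unsalted MD5 digest of a password is identical for every user and every site, so a precomputed table maps it straight back to the plaintext. The following added example (not treeDMS code; the small lookup table is constructed for the example) contrasts that weak scheme with per-user salted PBKDF2, which gives every stored record a unique value that has to be attacked individually.

```python
"""Unsalted MD5 storage versus salted PBKDF2 (added example, not the application's code)."""
import hashlib
import hmac
import secrets

# Example iteration count; use the current OWASP recommendation in production.
_ITERATIONS = 100_000


def md5_store(password: str) -> str:
    """The weak scheme the write-up found: same input, same digest, everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_table(candidates):
    """Constructed reverse-lookup table: digest -> plaintext for a list of guesses."""
    return {md5_store(p): p for p in candidates}


def reverse_lookup(digest: str, table: dict):
    """Return the plaintext for a digest if it is in the table, else None."""
    return table.get(digest.lower())


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt is random per record, so two users with
    the same password get different stored values and no shared table applies."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return f"pbkdf2_sha256${_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_table(["123456", "password"])  # constructed guesses
    print(reverse_lookup(md5_store("password"), table))  # found instantly
    rec = hash_password("password")
    print(rec, verify_password("password", rec))
```

The stored string carries its own parameters, so the iteration count can be raised later and old records re-hashed on next successful login without a format change.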

Log in to the backstage

Just as I expected: this commodity management back end is still relatively fragile. There is no restriction on the type of file that can be uploaded, so we used the icon setting module to upload a file and got a shell directly. The regret in my heart was finally made up for.
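The missing control in that icon module is server-side upload validation. The following is an added example of what it could look like; it is not the application's code, and the allowed image types and size limit are assumptions for an icon field. It applies three independent checks: an extension allowlist, leading magic bytes that must match the declared type, and a server-generated storage name so the client never controls the path or the final extension.

```python
"""Server-side icon upload validation (added example, not the application's code).
Allowed types and the size limit are assumptions for an icon field."""
import os
import secrets

# Icon field: raster images only, each keyed to its leading magic bytes.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_ICON_BYTES = 256 * 1024


def validate_icon(client_filename: str, data: bytes) -> str:
    """Return the server-side filename to store under, or raise ValueError."""
    if not data or len(data) > MAX_ICON_BYTES:
        raise ValueError("empty or oversized upload")
    # Drop any path the client sent, whether it used Windows or POSIX separators.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise ValueError("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise ValueError("content does not match declared type")
    # Random name plus the canonical extension: double extensions and path tricks
    # in the client name never reach disk. The upload directory must additionally
    # be served as static content only (a deployment setting, not shown here).
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable_icon(client_filename: str, data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_icon(client_filename, data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a minimal PNG header followed by filler bytes.
    sample_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    print(validate_icon("logo.png", sample_png))
    print(is_acceptable_icon("logo.png", b"not an image"))
```

Magic-byte checks do not rule out a polyglot file that is a valid image and also something else, which is why the storage name and the no-execute static directory matter as much as the content check.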

Thank you for reading this article carefully. I hope the article "Example Analysis of File Read Vulnerabilities and Shells in Web Security" shared by the editor is helpful to everyone. Please also support us and follow the industry information channel; more related knowledge is waiting for you.
