
Analyze the security performance of penetration testing website from multiple angles

2025-04-07 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Not long ago a friend asked me for help (with authorization in place; this was not a random penetration test): there was a site he could not get into, and he wanted me to take a look. I had just finished an emergency response and was still going through system logs, feeling a bit low, so I took the job, and it cheered me up.

Information gathering: the target was an IP address plus a port. Opening it in a browser redirected to a login page. While analyzing the login interface I found that the image captcha could be reused, and after replaying several POST requests with Burp I learned that the same account could be tried with an unlimited number of passwords. Because of this weakness in login authentication, an account password could in principle be brute-forced and, with some luck, give access to the backend management. Brute force is noisy, however: it generates a lot of system logs that are very easy to spot, and cracking the admin panel would also take time. At this stage we were still collecting assets, so after a number of weak passwords failed I went looking for other useful information.
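The two login weaknesses just described (a captcha that can be replayed and no limit on failed attempts) are what the following server-side gate closes. This is an added example, not code from the tested site; the class, its limits and the sample credentials are constructed for illustration.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Hypothetical login gate: the captcha token is single-use, so a captured POST cannot
# be replayed with a new guess, and consecutive failures per account lock the account.
MAX_FAILURES = 5      # consecutive failures allowed before the account is locked
LOCK_SECONDS = 900    # how long a locked account stays locked

def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash so the user store never holds plaintext passwords."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGate:
    def __init__(self, users: Dict[str, Tuple[bytes, bytes]]):
        self.users = users                        # username -> (salt, hash); constructed sample data
        self.captchas: Dict[str, str] = {}        # token -> expected answer, deleted on first use
        self.failures: Dict[str, int] = {}        # username -> consecutive failed attempts
        self.locked_until: Dict[str, float] = {}  # username -> unix time the lock expires

    def issue_captcha(self, answer: str) -> str:
        """Bind a fresh random token to the captcha answer rendered for the user."""
        token = secrets.token_urlsafe(16)
        self.captchas[token] = answer
        return token

    def login(self, user: str, password: str, token: str, answer: str, now: float) -> str:
        # The captcha is consumed on first use whether or not the attempt succeeds,
        # so replaying the same POST with a different password is rejected here.
        expected = self.captchas.pop(token, None)
        if expected is None or not secrets.compare_digest(expected, answer):
            return "bad_captcha"
        if self.locked_until.get(user, 0) > now:
            return "locked"
        record = self.users.get(user)
        if record is not None:
            salt, stored = record
            if secrets.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
                self.failures[user] = 0
                return "ok"
        # Count failures for unknown users too, so probing usernames does not bypass the limit.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
            return "locked"
        return "bad_password"
```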

A quick port scan showed that this IP exposed many ports to the public, such as 3306, 27017, 6379 and 22. In short, the reachable services were MySQL, Redis, MongoDB and SSH, plus some HTTPS business services. The MySQL version was 8.0.17, in which the known vulnerabilities have largely been patched. I then tried the MongoDB unauthorized-access vulnerability; as expected, it had been fixed. Weak-password attempts against the services turned up nothing either. Through other information-gathering techniques I gained a rough understanding of the target's business, then returned to the HTTPS service and started from the web application.

System vulnerability detection

Earlier, while testing this kind of site, I had noticed that the operator of this project liked to build passwords from the website name plus a variable part. Based on that, I generated a small password dictionary combining the historical account passwords collected before with information about the target site, then fed it to Burp for brute-forcing. Sure enough, an account password came out. I recorded and checked it, but on logging in again the backend management showed the situation below: my first reaction was, does the site have a WAF, has my IP been banned? I switched to the mobile network on my phone, then contacted the business side to understand the situation, and learned that the admin account cannot be used to log in; doing so throws an exception.

Comprehensive testing then turned up many more vulnerabilities, including file inclusion vulnerabilities that could be exploited to upload a script and take control of the server. That is as far as this write-up goes. If you need a comprehensive security test of your own website or APP, consider a website security company; the more professional domestic ones include SINESAFE, Eagle Shield Security, Qiming Star and so on.
