True unfreedom is building a cage inside your own heart.

A Diary of Foolishness Triggered by a Scam Phone Call

💡 The Source of All Evil

All of this started with a scam phone call. One day during my lunch break I got a call from someone claiming to walk me through using "Jiebei" (a loan service), and the caller had detailed personal information about me. After some back and forth it became clear it was all nonsense; before hanging up, the person on the other end told me to take the fake money and go spend it on prostitutes.


💡 Starting the Operation

Unable to sleep, I got angry and decided to do something about it.
I started by looking up the caller's phone number, but found nothing useful apart from a platform that sells phone numbers.
I thought about calling their customer service and tricking them, but all the contact information on their website turned out to be fake. (It probably wasn't a reputable platform.)

After a brief look at the website's homepage, I found that it specialised in selling "black cards" to others, so it would have order records. If I could get into the backend, I might be able to find information about the scammers.


I collected some basic information:

Website software: shopnc, which had a known SQL injection vulnerability

Registrant information: Feng X, 186xxx

KindEditor 4.1.7: directory traversal vulnerability; the attempt to disclose the web path failed, so files could not be read through the injection

Website backend: /admin

Following this expert's write-up, I started on the injection:

http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2015-0143429

The payload's echo point was the delivery address field, so the injection had to be done by hand. I checked the database's installation path and realised the server was running "Guardian", which didn't seem to be intercepting my injection.

Then things got frustrating: the passwords in the 33hao_admin table were salted and I couldn't crack them.

I thought about going after the database directly: port 3306 was open for MySQL, and MySQL's default user table holds the database password (hashed)... Could I inject and pull the password out? But even after trying various methods, I couldn't crack it.
Out of frustration, I tried cracking the passwords in the other databases as well, and eventually found a few passwords that could be recovered, along with some QQ numbers, a 163 email address and another phone number.
I fed the information I had collected into a social-engineering database lookup bot on Telegram, then used a social-engineering password generator to build wordlists and try them.


I tried brute-forcing the backend and found that the captcha was not actually enforced, but there was a limit on the number of login attempts. Following "Yu Shen's" example, I added an x-forwarded-for header to the HTTP request and bypassed the attempt limit. See the "fakeip" plugin for Burp Suite: https://www.jmwww.net/file/web/8617.html
I still couldn't get into the main website's backend and was about to give up, but then I remembered there were other sub-sites I hadn't checked. I tried brute-forcing those too, and actually got into one.
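The login-limit bypass above worked because the limiter keyed on a header the client controls. As an added example (not code from the original post or from the site's software), here is a limiter that keys on the socket address and honours X-Forwarded-For only when the TCP peer is an assumed trusted reverse proxy at 10.0.0.2; the limits and sample requests are constructed for illustration.

```python
# Added example (not from the original post): login limiter that keys on the
# address the server actually saw; X-Forwarded-For is trusted only when the
# peer is one of our own proxies (10.0.0.2 is an assumed proxy address).
import ipaddress
import time

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # assumed proxy address
MAX_ATTEMPTS = 5        # failed logins allowed per window
WINDOW_SECONDS = 600    # sliding window length


def client_ip(remote_addr, headers):
    """Return the key to rate-limit on; a spoofed header from an untrusted
    peer is ignored, so it cannot reset the counter."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("X-Forwarded-For", "")
    if peer in TRUSTED_PROXIES and xff:
        # Our proxy appends the address it saw, so take the right-most entry,
        # not the left-most one (which the client may have prepended).
        try:
            return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
        except ValueError:
            pass  # malformed header: fall back to the socket address
    return str(peer)


class LoginLimiter:
    def __init__(self, now=time.time):
        self._now = now
        self._failures = {}  # key -> timestamps of recent failures

    def record_failure(self, key):
        self._failures.setdefault(key, []).append(self._now())

    def is_blocked(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        self._failures[key] = recent
        return len(recent) >= MAX_ATTEMPTS


def spoofed_header_still_blocked():
    """Six failed logins from one untrusted peer, each with a different
    X-Forwarded-For value; True if the limiter still blocks the sixth."""
    limiter = LoginLimiter()
    for i in range(6):
        key = client_ip("198.51.100.7", {"X-Forwarded-For": f"203.0.113.{i}"})
        if limiter.is_blocked(key):
            return True
        limiter.record_failure(key)
    return False
```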

In the "Friendship Links" section I found that I could upload images, but uploads were restricted by a whitelist. After searching around, I found a function that allowed changing the permitted upload types. A moment of joy~

But then I hit another obstacle: when I uploaded a script file, the site automatically inserted an underscore into the file extension, giving something like xxx._php. Damn!


Since the server had both a PHP and a .NET environment, I tried a lot of unusual extensions... cer, asa, pht... and finally found that ashx was parsed without an underscore being added.

I uploaded an ashx file that executed commands... It worked like a charm. But all I could get was an ashx backdoor that generated files; if I wanted to write a proper backdoor, it had to be undetectable, otherwise I couldn't connect to it.

I could have used the ashx file to write a backdoor with a different extension, but the double quotes had to be escaped, and after escaping I couldn't connect...
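The upload bypass above succeeded because the check trusted the filename and a user-changeable type setting. As an added example (not code from the original post or from the site's software), here is a server-side validator for an image-only upload feature that rejects unexpected extensions, double extensions and content that does not match the declared type; the extension list, magic bytes and sample files are constructed assumptions.

```python
# Added example (not from the original post): image-upload validation that
# does not trust the user's filename or a configurable "allowed type" list,
# so renaming a script to .ashx, .cer, .pht or a double extension gains
# nothing. Extension lists and magic bytes below are constructed.
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Leading bytes expected for each allowed image type.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename, data):
    """Return (ok, info): ok is True only when the name has exactly one
    extension, that extension is an allowed image type and the content
    starts with that type's magic bytes. info is the extension or reason."""
    name = filename.strip().rstrip(". ")   # defeats "shell.php. " style names
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False, "missing or empty extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    # "x.php.jpg" may still be handed to a script handler on some servers,
    # so double extensions are rejected outright.
    if len(parts) > 2:
        return False, "multiple extensions not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match declared image type"
    return True, ext


def stored_name(filename, data):
    """Server-chosen name: random stem plus the validated extension, so the
    stored path never contains user-supplied characters."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(info)
    return f"{secrets.token_hex(8)}.{info}"
```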

So I changed approach: using PHP file inclusion, I uploaded a text-based backdoor and then included it.

But when I connected using the "Bingdu" tool, I couldn't execute commands.


I checked phpinfo and found that several functions were disabled. Damn!

I realised I had been too fixated on getting control of the Windows server, when all I actually needed was access to the backend. There were more than ten site source trees on the server, and the main "shopnc" site didn't have a matching database configuration file with the password. I searched for a long time...

Finally I found the database password and realised I could also log in to the main website's backend... Then it was time to look at the orders.

I looked at the time: 1:39 am. I needed to get some sleep; if I kept going I'd go bald.
