True lack of freedom is the cage one builds in one's own heart.

A Diary of Foolishness Triggered by a Scam Phone Call

💡 The Source of All Evil

All of this starts with a fraudulent phone call: it was during my lunch break, and I was sleeping soundly when I suddenly received a call claiming to guide me on how to use "Jiebei" (a loan service), and the caller had detailed information about me. After a brief conversation, I realized it was all nonsense, and they directly told me to take the fake money and go to a brothel before hanging up.


💡 Starting the Operation

Since I couldn't sleep, I was angry and decided to take action.
I started by investigating the phone number of the caller, but I couldn't find any useful information. I only found a platform for selling phone numbers.
I thought about calling their customer service to trick them, but I realized that all the information on their website was fake. (It probably wasn't a reputable platform)

After briefly looking at the website homepage, I discovered that it specialized in selling black cards to others, and there would be order records. So, wouldn't I be able to find information about the scammers by accessing the backend?


I collected some basic information:

Website middleware: shopnc has a historical injection vulnerability

Registrant information: Feng X, 186xxx

KindEditor 4.1.7: directory traversal vulnerability, but the path-disclosure attempt failed and I could not read files through the injection

Website backend: /admin

Following the instructions of this master, I started the injection:

http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2015-0143429

The echo shows up in the delivery address field, so I had to do it manually. When I looked up the database installation path, it turned out the server was running Huweishen (护卫神), a server security suite, but it didn't seem to be intercepting my injection.

Then things got frustrating because the passwords in the 33hao_admin table were salted and I couldn't decrypt them.

I thought about hacking into the database, and port 3306 was open for MySQL. The default user table in MySQL contains the database password... Could I inject and retrieve the password? After many attempts, I still couldn't figure it out.
I was so frustrated that I decrypted all the other database passwords and finally found several passwords, QQ numbers, a 163 email, and another phone number.
I ran all the collected information through a Telegram social-engineering database bot. Then I used a social-engineering password generator to build a password dictionary and started brute-forcing.


I tried to brute-force the backend and found that the CAPTCHA was ineffective, but there was a limit on the number of login attempts. Following the example of the "Fish God," I added an X-Forwarded-For header to the HTTP request and bypassed the login limit; see Burp's FakeIP plugin for details: https://www.jmwww.net/file/web/8617.html
I couldn't crack the main website's backend, and I was about to give up. Then I remembered that there were other sub-sites that I hadn't explored, so I decided to try brute-forcing them.
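The login limit mentioned above was bypassed because the limiter trusted a client-supplied X-Forwarded-For header. The following is an added example, not code from the original post or from the site it describes: a small rate limiter in its weak form next to a hardened form that only honours the header when the TCP peer is a trusted reverse proxy. TRUSTED_PROXIES, client_ip, LoginLimiter and every address in it are assumptions constructed for the example.

```python
# Added example (not from the original post): why a login limiter keyed on
# X-Forwarded-For is bypassable, and how to key on a proxy-vouched address.
# TRUSTED_PROXIES, client_ip, LoginLimiter and all addresses are constructed.
import ipaddress
from collections import defaultdict

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # constructed reverse proxy
MAX_ATTEMPTS = 5


def client_ip(peer_addr: str, headers: dict, trust_xff: bool) -> str:
    """Address the limiter keys on.
    trust_xff=True is the weak setting: any X-Forwarded-For value is believed,
    so each request can claim a fresh address. The hardened path reads the
    header only when the TCP peer is a trusted proxy, and then takes the last
    hop, which is the one that proxy appended after seeing the real peer."""
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if trust_xff:
        return hops[0] if hops else peer_addr
    if ipaddress.ip_address(peer_addr) in TRUSTED_PROXIES and hops:
        return hops[-1]
    return peer_addr


class LoginLimiter:
    def __init__(self, trust_xff: bool):
        self.trust_xff = trust_xff
        self.failures = defaultdict(int)

    def allow(self, peer_addr: str, headers: dict) -> bool:
        """False once the key has used up MAX_ATTEMPTS failed logins."""
        key = client_ip(peer_addr, headers, self.trust_xff)
        if self.failures[key] >= MAX_ATTEMPTS:
            return False
        self.failures[key] += 1  # every attempt in this demo counts as a failure
        return True


def simulate(trust_xff: bool, attempts: int = 20) -> int:
    """How many logins from one peer get through when each request carries
    a different spoofed X-Forwarded-For value."""
    limiter = LoginLimiter(trust_xff)
    allowed = 0
    for i in range(attempts):
        spoofed = {"X-Forwarded-For": f"203.0.113.{i}"}  # constructed values
        if limiter.allow("198.51.100.7", spoofed):
            allowed += 1
    return allowed
```

With the weak setting all 20 attempts from the same peer get through; with the hardened setting only the first 5 do, because the spoofed header is ignored unless a trusted proxy sent it.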

In the "Set Friendly Links" section, I found that I could upload images, but there was a whitelist. After searching around, I found a function that allowed me to change the file upload type. How delightful!

Then I encountered another obstacle: when I uploaded a script file, an underscore was automatically added to the file extension, such as xxx._php. Damn it!


Since there was a PHP environment and a .NET environment, I tried many abnormal file extensions... cer, asa, pht... Finally, I discovered that ashx could be parsed without adding an underscore.

I uploaded an ashx file that executed commands... It worked like a charm. But I could only upload an ashx backdoor that generated files; if I wrote a shell, it had to be undetectable, otherwise, I couldn't connect.

I could have directly used ashx to write a shell with a different file extension, but I had to escape the double quotes, and after escaping, I couldn't connect...
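The upload filter described above is a denylist: known script extensions get an underscore inserted, and anything it does not know about, such as .ashx, is stored as-is. The block below is an added example, not code from the original post or from the site: it reproduces that denylist behaviour next to an allowlist check that also discards the user's filename. DENYLIST, IMAGE_ALLOWLIST and the function names are assumptions constructed for the example.

```python
# Added example (not from the original post): the upload check the post
# describes, which only mangles a denylist of extensions and so lets .ashx
# through, next to an allowlist check that discards the user's filename.
# DENYLIST, IMAGE_ALLOWLIST and the function names are constructed here.
from typing import Optional

DENYLIST = {"php", "php3", "phtml", "asp", "aspx", "jsp"}  # constructed
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}  # what a link-logo upload needs


def denylist_rename(filename: str) -> str:
    """Weak behaviour seen on the site: xxx.php becomes xxx._php, but any
    extension missing from the list (ashx here) is stored unchanged."""
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in DENYLIST:
        return f"{stem}._{ext}"
    return filename


def allowlist_accept(filename: str) -> bool:
    """Accept only a plain name with exactly one dot and an allowed final
    extension; anything unknown is rejected instead of being mangled."""
    if not filename or any(c in filename for c in "/\\\x00"):
        return False
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:  # rejects a.php.jpg style names
        return False
    return parts[1] in IMAGE_ALLOWLIST


def safe_storage_name(filename: str, token: str) -> Optional[str]:
    """Hardened handling: validate, then store under a server-generated token
    (passed in here so the result is deterministic) plus the checked extension."""
    if not allowlist_accept(filename):
        return None
    return f"{token}.{filename.rsplit('.', 1)[1].lower()}"
```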

Afterwards, I tried using file inclusion by uploading a txt shell and then including it.


After connecting with the shell, I couldn't execute commands.


I checked disable_functions in phpinfo... Damn it!


After another round of foolish attempts, I realized that it was a Windows server, and I couldn't handle it. Then it hit me that I only needed to access the backend; I didn't need to escalate privileges. There were more than ten website source codes, and the main website, shopnc, didn't have the corresponding database configuration file with the password. I searched for a long time...


Finally, I found the database password and also discovered that I could log in to the main website's backend... Then it was time to check the orders.


I looked at the time: it was 1:39 in the morning. I needed to get some sleep; I couldn't keep pushing myself, or I would go bald.
