
A Silly Diary Sparked by a Scam Phone Call

💡 The source of all evil

It all started with a scam phone call. One day during my lunch break I got a call claiming to walk me through activating "Jiebei" (an Alipay consumer-loan service), and the caller already had detailed personal information about me. After a short exchange I realized it was a scam; the caller told me to take the fake money and go spend it on prostitutes, then hung up.

image

💡 Start operating

Unable to sleep and getting angrier, I decided to do something about it.
I started by looking into the caller's phone number but found nothing useful, only a platform that sells phone numbers.
I thought about calling their customer service to gather more information, but the contact details on the website turned out to be fake. (It probably wasn't a reputable platform.)

image
After a quick look at the homepage I found that the site's business was selling "black cards" (phone cards registered to someone else's identity) to others, and that it kept order records. In other words, if I got into the backend I might find information about the scammers.

image

I collected some basic information:

Web application: ShopNC, which has a known historical SQL injection vulnerability

Registrant information: Feng X, 186xxx

Kineditor 4.1.7: has a known directory-traversal vulnerability, but brute-forcing paths through it failed, and the injection could not be used to read files

Website backend: /admin

Following the instructions in the published advisory, I started working on the injection:

http://wooyun.2xss.cc/bug_detail.php?wybug_id=wooyun-2015-0143429

The injection result is echoed in the delivery-address field, so I had to extract data by hand rather than with a tool. From the database installation path I could tell the host was running a "Guardian" host-security product, but it did not seem to be blocking the injection attempts.

image
Then things got frustrating. The passwords in the 33hao_admin table were salted hashes, which made them hard to crack.

image
I turned my attention to the database itself. Port 3306 (MySQL) was open, and MySQL's own user table holds the account password hashes. Could I pull one out through the injection and crack it? I tried, but I could not crack it.

Frustrated, I tried cracking the other users' password hashes instead. In the end I recovered several passwords, some QQ numbers, a 163 email address and another phone number.
I fed these into a Telegram social-engineering-database bot to look up more information, then used a social-engineering password generator to build a wordlist for brute forcing.

[email protected]
YGPYSFNTSFAIHAGE
axxxxx5555
xxs19226
xxxxx5555
fengrui
15145xxxx46@
15145xxxx46
mingduyuan
25 years old, 28 December

image
While brute forcing the backend I found that the verification code was not actually enforced, but there was a limit on the number of login attempts. Following a master's example, I added an X-Forwarded-For header to the HTTP request to bypass the lockout, since the limit was tracked against the client IP the application read from that header. See the "fakeip" plugin for Burp Suite: https://www.jmwww.net/file/web/8617.html
I still could not get into the main site's backend and was about to give up when I remembered I had not checked the subdomains, so I brute forced those.
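The lockout bypass above works because the limiter trusts a client-supplied header. The following is an added example, not code from the original post or from ShopNC: it models a login rate limiter that keys attempt counts on the client IP, and contrasts a naive IP lookup (believes any X-Forwarded-For, so every request with a fresh spoofed value is a "new" client) with a hardened one that only honours the header when the TCP peer is a configured reverse proxy. The request objects, the attempt threshold and the proxy address are all constructed here for illustration.

```python
"""Why a spoofable X-Forwarded-For defeats a per-IP login lockout.

Added example, not the site's own code. MAX_ATTEMPTS, the Request model and
all addresses below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5  # assumed lockout threshold


@dataclass
class Request:
    remote_addr: str                 # TCP peer address as seen by the server
    headers: dict = field(default_factory=dict)


def client_ip_naive(req: Request) -> str:
    """Vulnerable: believes whatever X-Forwarded-For the client sent."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.remote_addr


def client_ip_hardened(req: Request, trusted_proxies=frozenset()) -> str:
    """Only trust X-Forwarded-For when the TCP peer is a known reverse proxy.

    A proxy appends the address it received the request from, so the last
    entry is the one our proxy wrote; earlier entries are attacker-controlled.
    """
    xff = req.headers.get("X-Forwarded-For")
    if req.remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return req.remote_addr


class LoginLimiter:
    """Counts failed logins per client IP and locks the IP at MAX_ATTEMPTS."""

    def __init__(self, ip_func):
        self.ip_func = ip_func
        self.failures = defaultdict(int)

    def attempt(self, req: Request, password_ok: bool) -> str:
        ip = self.ip_func(req)
        if self.failures[ip] >= MAX_ATTEMPTS:
            return "locked"
        if password_ok:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "denied"


def simulate(ip_func, tries=20) -> int:
    """Attacker at one real IP sends `tries` wrong passwords, each with a fresh
    spoofed X-Forwarded-For. Returns how many were processed before lockout."""
    limiter = LoginLimiter(ip_func)
    processed = 0
    for i in range(tries):
        # constructed request: same TCP peer every time, new header value each time
        req = Request("203.0.113.7", {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"})
        if limiter.attempt(req, password_ok=False) == "denied":
            processed += 1
    return processed


if __name__ == "__main__":
    print("naive limiter processed:", simulate(client_ip_naive))        # 20, never locks
    print("hardened limiter processed:", simulate(client_ip_hardened))  # 5, then locked
```

With the naive lookup all 20 guesses are evaluated; with the hardened lookup the attacker's real address is locked after the fifth. The same reasoning applies to any per-IP control (CAPTCHA triggers, WAF bans) that reads the client address from a header instead of the connection.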

image
In the "Friendly Links" settings I found an image upload, but it enforced a whitelist. After poking around I found a function that let me change the permitted upload types. How delightful!

Then the next obstacle: when I uploaded a script file, the application rewrote the extension with an underscore, e.g. xxx.php became xxx._php. How frustrating!

image

Since the host ran both PHP and .NET, I tried a range of unusual extensions (cer, asa, pht, and so on) and finally found that .ashx was stored without the underscore and was still executed by the .NET handler.

I uploaded an .ashx file that ran commands, and it worked like a charm. However, a webshell that a client could connect to was blocked by the host-security software.

I could have used the .ashx command execution to write out a shell under a different extension, but the double quotes had to be escaped and I could not get the connection to work.
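The underscore rename is a denylist, and a denylist is only as good as its last entry; on a host that runs more than one runtime it will always miss something. The following is an added example, not the site's upload code: it models the behaviour observed above (listed script extensions are rewritten to ._ext, everything else is stored as-is) beside an allowlist version that rejects anything not an image and collapses double extensions. The contents of the denylist, the allowlist and the per-runtime executable map are assumptions made for illustration.

```python
"""Denylist-by-rename upload filter versus an allowlist filter.

Added example, not the site's own code. SCRIPT_EXTENSIONS, IMAGE_ALLOWLIST
and EXECUTABLE_BY_RUNTIME are illustrative assumptions.
"""
import os
from typing import Optional

# Assumed denylist behind the vulnerable filter (illustrative only).
SCRIPT_EXTENSIONS = {"php", "php3", "php5", "phtml", "pht",
                     "asp", "aspx", "asa", "cer", "jsp"}

# Extensions a "friendly link" logo upload actually needs.
IMAGE_ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

# Assumed handler mappings: which extensions each runtime on the host executes.
EXECUTABLE_BY_RUNTIME = {
    "php": {"php", "php3", "php5", "phtml", "pht"},
    "dotnet": {"asp", "aspx", "ashx", "asmx", "ascx"},
}


def split_ext(filename: str):
    stem, ext = os.path.splitext(filename)
    return stem, ext.lstrip(".").lower()


def safe_name_denylist(filename: str) -> str:
    """Vulnerable: prefixes an underscore to listed extensions, passes the rest.

    Anything not in SCRIPT_EXTENSIONS (here .ashx) is stored verbatim.
    """
    stem, ext = split_ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        return f"{stem}._{ext}"
    return filename


def safe_name_allowlist(filename: str) -> Optional[str]:
    """Hardened: accept only image extensions, never rely on renaming.

    Returns None for a rejected upload. Dots in the stem are replaced so that
    names like shell.php.jpg cannot be turned back into a script by a later
    rename or a permissive handler.
    """
    stem, ext = split_ext(filename)
    if ext not in IMAGE_ALLOWLIST:
        return None
    return f"{stem.replace('.', '_')}.{ext}"


def is_executable(stored_name: str) -> bool:
    """Would either runtime on the host execute a file stored under this name?"""
    _, ext = split_ext(stored_name)
    return any(ext in exts for exts in EXECUTABLE_BY_RUNTIME.values())


def audit(filenames):
    """Return the uploads the denylist filter lets through as executable files."""
    return [n for n in filenames if is_executable(safe_name_denylist(n))]


if __name__ == "__main__":
    # constructed sample uploads
    samples = ["logo.png", "cmd.php", "cmd.pht", "cmd.cer", "cmd.ashx"]
    for name in samples:
        print(f"{name:10} denylist -> {safe_name_denylist(name):11} "
              f"executable={is_executable(safe_name_denylist(name))} "
              f"allowlist -> {safe_name_allowlist(name)}")
    print("slipped through denylist:", audit(samples))
```

Run against the sample names, the denylist neutralizes .php, .pht and .cer but stores cmd.ashx untouched, which the .NET handler executes; the allowlist rejects every one of them except logo.png. The fix the post's target needed is the allowlist plus storing uploads outside any handler-mapped directory, not a longer denylist.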

Reference:

image

So I fell back on PHP file inclusion: I uploaded the shell as a .txt file and executed it through an include.

image

image

However, when I tried to run commands through the Bisheng webshell client, nothing executed.

image

I checked phpinfo and found that a number of functions were disabled. How frustrating!

image

The server was Windows, and I wasn't skilled enough to get around the disabled functions. Then it hit me: I only needed to get into the backend, not to escalate privileges. I had already pulled the source code of more than ten sites from the host, yet the main ShopNC site's configuration file with the database password was not where I expected it. It took me a long time to find it...

image

Finally I found the database password, and with it I could also log in to the main site's backend. Time to check the orders.

image

It was 1:39 AM, so I called it a night. Any more of this and I'd go bald.
