XX net protection drill

After receiving the notice of the net protection drill, I started information collection on a certain bureau. A weak spot was found in one of its systems: an arbitrary user login combined with an arbitrary user password reset. It lets anyone enter the backend management interface, and from there carry out unauthorised operations or possibly upload a webshell. This time I did get into the backend management interface, but I did not find a place to get a shell. Below I explain how I got into the management backend. The rookie is about to perform.

The pain of a rookie

Information collection is the first step of penetration testing: subdomains, side sites and C-segment scanning. The search engines I usually use are Google, Shodan and FOFA, and some tools can also be used for collection. Routinely working through the collected assets matters; collecting information about the target website early on is very important. I found one of the backend login platforms and tried enumeration and brute force, checked the login for injection and found nothing, then tried version and middleware vulnerability detection and still found nothing. I was ready to give up and move on to the next target.

Light at the end of the tunnel

Then it suddenly occurred to me that I had not looked at the source code yet. I had never run into this myself; I had only read about it in other people's articles, such as the arbitrary user login vulnerability. Here is the concrete exploitation process.

The source code contains the path that the page redirects to after a successful login. Changing the platform's path to that path from the source code returns the post-login page directly.

After the login succeeded, it turned out to be the super administrator account, but in the end I did not get the server.
Through the source code I found a password-change address.
After opening it, enter the username admin and any password, capture the packet with Burp Suite and look at the returned information.
The response says the username or password is incorrect. Next, modify the response packet: change false to true.
Forward the packet and the original-password check is passed; any mobile phone number can be entered.
The verification code is also entered arbitrarily; capture the packet and modify the returned value.
After forwarding the packet, a new password can be set.
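Both weaknesses above have the same root cause: the server answered each step with a true/false flag and left the enforcement to the browser, so a post-login path could be requested directly and a tampered response let the reset flow continue. The following is an added example, not code from the original post or from the affected system: a framework-free Python model of a post-login page and a three-step password reset, each in its flawed form beside a hardened form that authorises on the server and keeps the reset state behind an opaque token. The user store, passwords, phone number and request dictionaries are constructed sample data.

```python
"""Added example: client-trusting vs server-side-enforced login page and password reset.
All identities, passwords and phone numbers below are constructed for illustration."""
import hmac
import secrets

# Constructed sample user store (hypothetical data, not from the post).
USERS = {"admin": {"password": "correct-horse", "phone": "13800000000"}}

# ---- 1. The post-login path ------------------------------------------------

def insecure_dashboard(request):
    """Flawed: the admin page is served to anyone who knows its path. The only
    'gate' is the redirect the front-end performs after login, which is skippable."""
    return 200, "admin dashboard"

SESSIONS = {}  # session id -> username; populated only by a successful login

def login(username, password):
    """Server-side credential check; issues a random session id on success."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = username
    return sid

def secure_dashboard(request):
    """Hardened: a valid admin session is required no matter how the client
    arrived at the URL, so the redirect target carries no authority by itself."""
    if SESSIONS.get(request.get("cookie")) != "admin":
        return 302, "/login"
    return 200, "admin dashboard"

# ---- 2. The password reset -------------------------------------------------

def insecure_set_password(request):
    """Flawed final step: the client reports that the old-password and SMS-code
    checks passed. Nothing on the server links this request to those checks, so
    a browser that was told 'true' (or whose responses were edited) gets through."""
    if request.get("old_password_ok") and request.get("sms_ok"):
        USERS[request["username"]]["password"] = request["new_password"]
        return 200, "password changed"
    return 403, "checks failed"

RESET_STATE = {}  # reset token -> {"username", "code", "code_verified"}

def reset_step1(username, old_password):
    """Hardened step 1: verify the old password on the server and open a reset
    record keyed by an opaque token. The response contains no flag to flip."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], old_password):
        return None
    token = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10**6):06d}"  # would go out by SMS; returned here for the demo
    RESET_STATE[token] = {"username": username, "code": code, "code_verified": False}
    return token, code

def reset_step2(token, code):
    """Hardened step 2: the SMS code is compared against the server's record;
    the outcome is stored server-side, not trusted from the client."""
    state = RESET_STATE.get(token)
    if state is None or not hmac.compare_digest(state["code"], code):
        return False
    state["code_verified"] = True
    return True

def secure_set_password(token, new_password):
    """Hardened step 3: the token is consumed (single use) and the change only
    happens if the server itself recorded that the code was verified."""
    state = RESET_STATE.pop(token, None)
    if state is None or not state["code_verified"]:
        return 403, "reset not verified"
    USERS[state["username"]]["password"] = new_password
    return 200, "password changed"
```

The design point is that the flawed handlers take the client's word for earlier steps, while the hardened ones look only at state the server wrote itself. Editing the response body in a proxy therefore changes what the browser displays but not what `RESET_STATE` or `SESSIONS` contain. On the detection side, a reset request that reaches the final step without a matching step-1 and step-2 record for the same token is exactly the anomaly a server-side log of this flow would surface.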

In short: early information collection is very important, it helps a great deal later when taking the server and penetrating the intranet, and it also takes patience and a spirit of continuous learning.
