<> An XX net-protection (HW) drill

After the notice for the net-protection drill arrived, I started information collection against a certain bureau and found a logic flaw in one of its systems: arbitrary user login and arbitrary user password reset. A flaw of this kind lets anyone walk into the back-end management console and, from there, perform unauthorized operations or look for a way to get a webshell. This time I did reach the management console, but never found a place to get a shell. What follows is how the console was reached; a rookie is about to perform.

<> A rookie's pain

Information collection is the first step of any penetration test: subdomains, sibling sites on the same host, and scans of the surrounding C-class segment. The search engines I use most are Google, Shodan and FOFA; there are also tools that automate the collection. Working through the collected assets is daily routine, and collecting information about the target site early on matters a great deal. I found one of the back-end login portals and tried enumeration and brute force, checked the login form for injection and found nothing, then tried version and middleware vulnerability detection and still came up empty. I was ready to give up and move on to the next target.

<> A turn for the better

Then it occurred to me that I had not yet looked at the page source. Reading it turned up an arbitrary-user-login flaw of the kind I had only ever read about in other people's write-ups and never met in practice. The concrete exploitation process follows.

The front-end source contains the path the page redirects to after a successful login. Replacing the platform's path in the address bar with that post-login path loaded the page without logging in at all.

Once in, the account turned out to carry super-administrator privileges, although in the end I did not get the server.
The source also revealed the address of the password-change page.
I opened it, entered the user name admin with an arbitrary password, captured the exchange with Burp Suite and looked at the response.
The response said the user name and password were incorrect, so I changed `false` in the response body to `true`.
After forwarding the modified response, the page treated the original-password check as passed, and the next step accepted any mobile phone number.
The verification code can likewise be entered arbitrarily: capture the response and modify the return value in the same way.
After forwarding that, a new password can be set. The root cause is that the server never re-checks, at the final step, that the earlier steps actually passed; the flag in each response only drives the browser, and the browser is under the attacker's control.
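The flow above, as an added example that is not code from the original post or from the target system: a small Python model of a three-step password reset (old-password check, SMS code, set new password) with a front-end that advances on the `ok` flag in each reply, an attacker proxy rule that rewrites `false` to `true` the way Burp's match-and-replace does, and a hardened server that records progress on its own side. The class and function names, the endpoints, the JSON shape and the sample account are all assumptions made for the example. The login-path bypass at the start of this section is the same defect (the admin page was served without checking for a server-side session) and is not modelled separately.

```python
import json, secrets

# Constructed sample account; "phone" is the number on record.
USERS = {"admin": {"password": "S3cret!Pass", "phone": "13800000000"}}

class VulnerableResetServer:
    """Each step answers honestly, but nothing ties the steps together:
    set_password trusts that the client only calls it after the checks passed."""

    def __init__(self):
        self.users = {u: dict(rec) for u, rec in USERS.items()}
        self.last_code = None

    def check_old_password(self, user, password, token=None):
        rec = self.users.get(user)
        return json.dumps({"ok": rec is not None and rec["password"] == password})

    def send_code(self, user, phone, token=None):
        self.last_code = "%06d" % secrets.randbelow(10 ** 6)
        return json.dumps({"ok": True, "sent_to": phone})  # client picks the phone

    def check_code(self, user, code, token=None):
        return json.dumps({"ok": code == self.last_code})

    def set_password(self, user, new_password, token=None):
        self.users[user]["password"] = new_password  # no server-side gate
        return json.dumps({"ok": True})

class HardenedResetServer(VulnerableResetServer):
    """Same endpoints, but progress is recorded server-side under an unguessable
    token, and set_password refuses unless every step passed for that token."""

    def __init__(self):
        super().__init__()
        self.flows = {}  # token -> {"user": name, "code_ok": bool}

    def _flow(self, user, token):
        flow = self.flows.get(token)
        return flow if flow and flow["user"] == user else None

    def check_old_password(self, user, password, token=None):
        rec = self.users.get(user)
        if rec is None or rec["password"] != password:
            return json.dumps({"ok": False})
        token = secrets.token_hex(16)
        self.flows[token] = {"user": user, "code_ok": False}
        return json.dumps({"ok": True, "token": token})

    def send_code(self, user, phone, token=None):
        if self._flow(user, token) is None:
            return json.dumps({"ok": False})
        self.last_code = "%06d" % secrets.randbelow(10 ** 6)
        # Deliver to the number on record; the client-supplied one is ignored.
        return json.dumps({"ok": True, "sent_to": self.users[user]["phone"]})

    def check_code(self, user, code, token=None):
        flow = self._flow(user, token)
        if flow is None or code != self.last_code:
            return json.dumps({"ok": False})
        flow["code_ok"] = True
        return json.dumps({"ok": True})

    def set_password(self, user, new_password, token=None):
        flow = self._flow(user, token)
        if flow is None or not flow["code_ok"]:
            return json.dumps({"ok": False})
        del self.flows[token]  # one reset per verified flow
        self.users[user]["password"] = new_password
        return json.dumps({"ok": True})

def burp_match_replace(raw_reply):
    """The attacker's proxy rule: flip the flag the front-end keys on."""
    return raw_reply.replace('"ok": false', '"ok": true')

def client_reset_flow(server, proxy, user, old_guess, phone, code, new_password):
    """The front-end's logic: advance only while the (proxied) reply says ok.
    Returns the steps the UI believed it passed."""
    passed = []
    reply = json.loads(proxy(server.check_old_password(user, old_guess)))
    if not reply["ok"]:
        return passed
    token = reply.get("token")
    passed.append("old_password")
    for name, call in (("send_code", lambda: server.send_code(user, phone, token)),
                       ("check_code", lambda: server.check_code(user, code, token)),
                       ("set_password", lambda: server.set_password(user, new_password, token))):
        if not json.loads(proxy(call()))["ok"]:
            break
        passed.append(name)
    return passed

def run_attack(server_cls):
    """Attacker knows only the user name; every reply passes through the proxy rule.
    Returns (steps the UI showed as passed, password actually on record)."""
    srv = server_cls()
    passed = client_reset_flow(srv, burp_match_replace, "admin", "wrong-guess",
                               "13900000000", "000000", "pwned")
    return passed, srv.users["admin"]["password"]
```

Calling `run_attack(VulnerableResetServer)` and `run_attack(HardenedResetServer)` shows the distinction that matters when testing: in both cases the UI walks through all four steps, because the proxy rewrites every reply, but only the vulnerable server's stored password changes. Before reporting a response-tampering bypass, confirm that server state actually changed (log in with the new password) rather than that the page moved on.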

A brief summary: early information collection is very important, and it helps a great deal later when trying to get the server and move into the intranet. Patience and a habit of continual learning are needed too.

