I once thought that mining CNVD was a very distant thing: registered assets of 50 million and 10 black-box cases (I can't do code audit yet, I'll study hard later!). That threshold alone already stumped me (a script kid speaking for himself).
This article involves a related experiment: using SQLMAP to assist manual injection (this experiment mainly introduces using SQLMAP to assist manual injection; by studying it you can understand SQLMAP, master common SQLMAP commands, and learn to use SQLMAP to assist manual injection).
The turning point came while digging EDU. The holes are very small and newbie-level, with no technical content at all; it's fine for the masters to watch the fun, a student just wants to earn some living expenses. Woo woo woo
A wave of routine vulnerability tests on the home page, such as weak passwords and login box injection, was fruitless, but I found that there was a password retrieval function.
Password retrieval interface.
Add a single quote (') to each of the parameters as the simplest injection test. This is only for lazy players like me; for int injection points you can't detect errors this way.
Luck really matters, abba abba: a direct hit, and the target has no WAF, so straight onto sqlmap.
DBA permissions on a SQL Server database, direct takeoff; rarely, I found the absolute path and wrote a shell directly, and os-shell successfully obtained permissions with output echoed.
Through a company-information lookup I checked the developing unit and found registered assets of more than 50 million. Then, as long as I could meet the 10 cases, FOFA searched the relevant keywords and I collected a wave of sites.
Not bad, abba abba, time to grind; a good start with this hole.
So I thought of writing a script to batch-test the admin account for weak passwords: with so many sites I didn't believe there wasn't a single weak password. Looking at a few sites, I found they were the same system, so I just pressed F12 on one site to look at its login request, then wrote a script to batch run it.
I also tried another way. Thanks to Fengxsone for telling me about the Selenium automated testing module, abba abba, which I could practice with. Here is a brief introduction.
You can install it with pip install selenium or by searching for the module in PyCharm's package installer.
This module is very, very simple. After installation you need to download the driver matching your browser and its version, then you can play happily. Interested masters, remember to read the development manual; I'm afraid I sound too low-level or am disturbing you.
After a run, it's a slow waiting process.
After about 20 sites I successfully entered the backend with admin-123456. My script also died (gg): I hadn't written the redirect handling, my fault, abba abba.
After entering the backend, a pass of operations, I found an upload point, but the uploads went to a file server's path; although I could get a shell on the file server, I estimated that other sites also uploaded to that server, so I slipped away.
Continued fuzzing: log out and log in again while capturing packets with Burp, pull out the packets separately, please call me the redaction little prince.
No session or token parameter was found. Then straight to another site, type a random account and password, and replace the response packet. Straight into the admin account.
Then fuzz, test, test; in the password reset there was a little something: as long as the ID card number exists for an account, you can enter your own mobile number and the verification code is sent to your own phone.
So here we only need to get the ID card number of a login account, and we can use our own phone number to receive the verification code, log in, go to the backend, and capture packets on the user management interface. Then comes the slow process of deleting cookies one by one. Here I recommend this Burp function, it's really handy.
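The reset weakness described in the two paragraphs above (the code goes to whatever phone number the client supplies), as an added Python example that is not from the original post: a vulnerable handler next to a hardened one that only sends to the number on file, hides whether the ID exists, and stores the pending code hashed with an expiry and an attempt limit. The user record, phone numbers and SMS gateway are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample user store: national ID number -> record on file.
USERS = {"110101199001011234": {"phone": "13800000001"}}
SENT_SMS = []    # constructed stand-in for the SMS gateway: (phone, code)
PENDING = {}     # id_card -> (sha256 of code, expiry, failed attempts)

def send_sms(phone, code):
    SENT_SMS.append((phone, code))

# Vulnerable: the code is sent to whichever number the client puts in the
# request, so knowing a valid ID number is enough to receive the code.
def request_reset_vulnerable(id_card, phone_from_request):
    if id_card not in USERS:
        return "account not found"          # also leaks which IDs exist
    send_sms(phone_from_request, f"{secrets.randbelow(10**6):06d}")
    return "code sent"

# Hardened: the destination is always the number on file; the client-supplied
# number is ignored, the response does not reveal whether the ID exists, and
# the pending code is stored hashed with an expiry and an attempt counter.
def request_reset_hardened(id_card, phone_from_request=None):
    record = USERS.get(id_card)
    if record is not None:
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        PENDING[id_card] = (digest, time.time() + 300, 0)
        send_sms(record["phone"], code)
    return "if the account exists, a code has been sent"

def verify_code(id_card, code, max_attempts=5):
    entry = PENDING.get(id_card)
    if entry is None:
        return False
    digest, expiry, attempts = entry
    if time.time() > expiry or attempts >= max_attempts:
        PENDING.pop(id_card, None)          # expired or locked: start over
        return False
    submitted = hashlib.sha256(code.encode()).hexdigest()
    if hmac.compare_digest(digest, submitted):
        PENDING.pop(id_card, None)          # single use
        return True
    PENDING[id_card] = (digest, expiry, attempts + 1)
    return False
```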
In this function module, it's really comfortable to fuzz cookies quickly; finally I found that only the schoolcon parameter is needed, which is unauthorized access, and the schoolcon parameter is already present when the page loads.
Wrap it up, abba abba.
After pretending for a while ~~~~~~ the certificate came down, ho ho, take off.
Abba abba, no technical content at all, you masters forgive me, there's just too much to learn. Anyone who wants to study together and supervise each other? My QQ is 807483402. Also, welcome to follow the WeChat public account F12sec; we are a group of network security enthusiasts with a dream yo, abba abba.