Notes from a practical security exercise
One sunny day, a certain security guy suddenly received an assignment from above: collect vulnerabilities across the entire region, and the quantity required was not small. This left him scratching his head; he had been planning to take it easy this week (the comments section will no doubt say "I guess you don't have a girlfriend"), and instead got hit with a bolt from the blue.
All right, let's get back to business. Start with a round of information gathering, without forcing anything. On Fofa:
title="region" && body="platform" && country="CN" && region!="HK" && region!="MO"
This search also filters out a good number of gambling and adult sites, which is handy. Naturally you pick the soft persimmons: anything with "backend", "management" or "platform" in it.
Good! Next comes the familiar login page.
What's the thinking at this point? Look for interfaces, unauthorized access, brute forcing and directories; each of these can be a hole, and no detail should be missed. Don't rush into brute forcing; first use the F12 big method (a trick learned from Little 12).
An interface is exposed, so try accessing it.
.NET sites have an interface manager. If you find one interface and go back up to its parent directory, you can see all of the interfaces, and for some ASPX interfaces you can even see the parameter values.
Here comes a hole, right? Directory traversal, a sure thing. Without saying more, look at the second-to-last entry, "Uploader": my heart skipped a beat.
Very good, keep digging. The guess at this point: where there is one directory traversal there are thousands, so scan the directories without hesitation.
After a full circle, no unauthorized interface turned up. Now the thinking turns to finding unauthorized pages: while going through the source code earlier I had seen these post-login pages, so access them directly without logging in.
Very good, an unauthorized access. But there is not much that can be done with it, a real chicken rib; it counts as medium-to-low risk at most, just something to look at. Front-end testing done; now go deeper.
admin:123456, try the weak password.
That brings it to two more holes: verification code bypass and username enumeration. I also tried SQL injection and the universal password at the login window without result, so gave up on those. Bring out the cannons, brute force it!
No surprise, we're in. Weak password vulnerability +1.
Let's start going through the function points. In fact, the ASPX interfaces on these .NET sites are very easy to SQL inject: capture a request at a function point and throw it straight into SQLMap. Seven holes by hand, ten more from the scanner, and the assignment is not far off.
Got it, but this is too slow. Put it aside for now and keep scrolling through the function points; there is an upload point for uploading templates.
Upload a normal XLSX table, change the filename value while keeping the PK header prefix to avoid detection, then change the content to "girl".
Don't worry. Look at the site's functions: there is a button to download the template. Now we know the uploaded template and the downloaded template must come out of the same mold.
Here you can see the upload address. A small trick: right-click the download-template button and copy the link to get it directly. I took the screenshot right after it flashed past.
Visit it to see if she's still there.
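From the defender's side, the check that stops the trick above (a file that merely keeps the PK magic bytes under a chosen filename) is one that parses the container and verifies the spreadsheet package structure instead of trusting the first bytes or the client-supplied name. The following is an added example in Python, not code from the original post or from the target site; the function names validate_upload and storage_name, the required-entry list and the sample inputs are assumptions.

```python
import io
import posixpath
import secrets
import zipfile

ALLOWED_EXTENSIONS = {".xlsx"}
# Entries every real XLSX (OOXML) package carries; a bare "PK" prefix has neither.
REQUIRED_ENTRIES = {"[Content_Types].xml", "xl/workbook.xml"}


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Checks the name, the extension and the real
    container structure, so starting with 'PK' is not enough to pass."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base != filename or "\x00" in filename:
        return False, "filename contains a path or control characters"
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(b"PK\x03\x04"):
        return False, "not a ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return False, "corrupt ZIP member"
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False, "ZIP header present but archive is not parseable"
    missing = REQUIRED_ENTRIES - names
    if missing:
        return False, f"not an XLSX package, missing {sorted(missing)}"
    for name in names:  # reject members that would escape an extraction dir
        if name.startswith("/") or ".." in name.split("/"):
            return False, f"unsafe member path {name!r}"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Server-chosen name: the client's filename never reaches the filesystem."""
    ext = posixpath.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def build_minimal_xlsx() -> bytes:
    """Constructed sample: the smallest package layout the checker accepts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()
```

A "PK" prefix followed by arbitrary text, as in the writeup, fails the archive parse, and a renamed script fails the extension check before its bytes are even looked at.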
A perfect finish, and off I slide.
I wish every master the good luck of running into systems this easy every day.