Introduction: Since the start of last month, after those projects wrapped up, I have been in bug-hunting mode. My day-to-day work is hunting for vulnerabilities, interrupted only when a short-term project comes in. Recently, while sorting through reports, I came across this site, which is quite interesting.

Information gathering

Fofa identifies this site as FastAdmin, an admin backend framework built on ThinkPHP5 and Bootstrap. From experience, the admin panel of PHP sites like this is usually found by appending admin to the root path.

getshell

The conventional first step: try a round of weak passwords. Without even trying SQL injection, the weak credentials admin/123456 got me into the backend.

Since it is built on the TP5 framework, I thought I might be able to use the TP5 RCE directly and then write a shell with file_put_contents, so I tried it right away.

It didn’t work…

Probably because this is not a pure secondary development on the TP5 framework, the payload did not connect; and with TP5 RCE analysis articles everywhere, the developers have most likely patched it as well. So I had to find another way in.

There are many file upload points. I tried one of them: Category Management allows adding brands, and there are two upload fields there.

I tried uploading a one-line shell with a .php extension; the upload failed. With the usual bypass, changing the Content-Type to image/png, the upload succeeded.
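The Content-Type trick works because the server decides from a header the client controls. As an added example (not code from the write-up or from FastAdmin), here is that weak check next to a hardened PHP check that decides from the file name and the bytes on disk. The function names, the return shape and the constructed sample files are mine; it relies on the fileinfo extension, which PHP enables by default.

```php
<?php
declare(strict_types=1);
// Added example (not FastAdmin's or the write-up's code): upload validation.
// Requires the fileinfo extension, which PHP enables by default.

// Weak: trusts the Content-Type the browser sends, so a .php payload with the
// header rewritten to image/png walks straight through.
function weak_upload_check(string $claimedType): bool
{
    return in_array($claimedType, ['image/png', 'image/jpeg', 'image/gif'], true);
}

// Hardened: judge the file by its name and its bytes, never by the header.
// Returns [accepted, reason, storedName|null].
function hardened_upload_check(string $tmpPath, string $originalName, string $claimedType): array
{
    // extension => MIME type the bytes must really have
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    // 1. Allowlist on the LAST extension, lower-cased ("shell.PHP" must not slip past).
    $parts = explode('.', basename($originalName));
    if (count($parts) < 2) {
        return [false, 'missing extension', null];
    }
    $ext = strtolower(end($parts));
    if (!isset($allowed[$ext])) {
        return [false, "extension .$ext not allowed", null];
    }

    // 2. No script extension anywhere in the name: misconfigured servers
    //    (Apache AddHandler/multiviews) can still execute "x.php.png".
    foreach (array_slice($parts, 1, -1) as $inner) {
        if (preg_match('/^ph(p\d?|tml|ar|ps)$/i', $inner)) {
            return [false, 'script extension embedded in filename', null];
        }
    }

    // 3. Sniff the real type from the bytes with libmagic.
    $realType = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($realType !== $allowed[$ext]) {
        return [false, "content is $realType, not {$allowed[$ext]}", null];
    }

    // 4. The client header is informational only: record a mismatch, never act on it.
    $reason = $claimedType === $realType ? 'ok' : 'accepted; client Content-Type disagreed with bytes';

    // 5. Discard the user's filename; store under a random name with the verified
    //    extension, in a directory where the web server does not execute PHP.
    return [true, $reason, bin2hex(random_bytes(16)) . '.' . $ext];
}

// Self-test with constructed inputs: a minimal PNG signature + IHDR chunk, and a
// harmless PHP marker standing in for the uploaded one-liner.
function run_self_test(): bool
{
    $pngBytes = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90\x77\x53\xde";
    $phpBytes = "<?php echo 'marker'; ?>";
    $png = tempnam(sys_get_temp_dir(), 'up');
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png, $pngBytes);
    file_put_contents($php, $phpBytes);
    try {
        $cases = [
            // [description, should the check accept it?, what the check actually returned]
            ['weak check: .php payload, Content-Type rewritten to image/png', true,  weak_upload_check('image/png')],
            ['hardened: shell.php',                                           false, hardened_upload_check($php, 'shell.php', 'image/png')[0]],
            ['hardened: shell.php.png',                                       false, hardened_upload_check($php, 'shell.php.png', 'image/png')[0]],
            ['hardened: PHP bytes named shell.png',                           false, hardened_upload_check($php, 'shell.png', 'image/png')[0]],
            ['hardened: real PNG sent with a wrong Content-Type',             true,  hardened_upload_check($png, 'logo.png', 'application/octet-stream')[0]],
        ];
        foreach ($cases as [$desc, $expected, $actual]) {
            if ($actual !== $expected) {
                throw new RuntimeException("unexpected result for: $desc");
            }
            echo ($actual ? 'ACCEPTED ' : 'REJECTED ') . $desc . PHP_EOL;
        }
    } finally {
        unlink($png);
        unlink($php);
    }
    return true;
}

run_self_test();
```

The first case shows the weak check accepting the very upload described above; the hardened check rejects a .php name, a double extension and PHP bytes under an image name, and still accepts a genuine PNG whose client header is wrong, because the header never enters the decision.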

The shell uploaded easily, but running a command to list the directory failed, which was no surprise: the command execution functions must be disabled.

A look at phpinfo shows that FPM/FastCGI is present, and this can be used to bypass disable_functions for command execution.

In the disable_functions list, a quick glance shows that the functions I usually rely on are all in there. Without looking too closely, time to think of a way around it.

PHP is version 7.2, and there are several PHP versions on this server.

FPM listens on a Unix socket rather than a specific port, so attacking php-fpm remotely in TCP mode to execute commands is out, and so is using SSRF with gopher to attack the local php-fpm. Both of those attacks rely on TCP mode, which leaves only one option.

Reading the socket path: /run/php/php7.3-fpm.sock

I used the AntSword plugin directly, located the absolute path of the sock file, and the upload succeeded.

The antproxy.php file was uploaded to the shell directory and I changed the shell's connection address. The default password was ant.

It did not succeed, and I don't know why. The PHP-FPM route failed.
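What makes the socket route possible at all is that a script in one pool can reach another pool's socket: shared worker users, a permissive listen.mode, and no open_basedir to keep scripts out of /run/php. As an added example (not from the write-up or from php-fpm), here is a PHP audit that reads pool configuration and reports those conditions. The directive names (listen, listen.owner, listen.group, listen.mode, user, group, php_admin_value[open_basedir]) are real php-fpm pool keys; the function names and the two sample pool files are constructed, with paths that mirror the layout described above.

```php
<?php
declare(strict_types=1);
// Added example, not from the write-up or from php-fpm itself: audit php-fpm pool
// configs for the conditions that let a script in one pool connect to another pool's
// Unix socket. Directive names are real pool keys; the sample pool files are constructed.

function audit_pools(string $iniText): array
{
    // INI_SCANNER_RAW keeps socket paths and octal modes as literal strings.
    $pools = parse_ini_string($iniText, true, INI_SCANNER_RAW);
    if ($pools === false) {
        throw new InvalidArgumentException('unparseable pool config');
    }
    $findings = [];
    foreach ($pools as $name => $cfg) {
        $listen = $cfg['listen'] ?? '';
        $isSocket = $listen !== '' && $listen[0] === '/';

        if ($isSocket) {
            // php-fpm defaults listen.mode to 0660; 0666 or 0777 opens the socket to
            // every local user, including the workers of every other pool.
            $modeText = $cfg['listen.mode'] ?? '0660';
            if ((intval($modeText, 8) & 0006) !== 0) {
                $findings[] = "[$name] socket $listen is world-accessible (listen.mode = $modeText)";
            }
            // Without an explicit owner/group you cannot reason about who may connect.
            if (!isset($cfg['listen.owner'], $cfg['listen.group'])) {
                $findings[] = "[$name] socket $listen has no listen.owner/listen.group";
            }
        }
        // open_basedir confines this pool's scripts to their own tree, so they cannot
        // walk /run/php or other pools' document roots.
        if (!isset($cfg['php_admin_value']['open_basedir'])) {
            $findings[] = "[$name] no php_admin_value[open_basedir]";
        }
        // Cross-pool reachability: this pool's worker user or group matching another
        // pool's socket owner/group means its scripts can open that socket.
        foreach ($pools as $other => $ocfg) {
            $olisten = $ocfg['listen'] ?? '';
            if ($other === $name || $olisten === '' || $olisten[0] !== '/') {
                continue;
            }
            $viaUser  = isset($ocfg['listen.owner']) && ($cfg['user'] ?? null) === $ocfg['listen.owner'];
            $viaGroup = isset($ocfg['listen.group']) && ($cfg['group'] ?? null) === $ocfg['listen.group'];
            if ($viaUser || $viaGroup) {
                $findings[] = "[$name] worker identity " . ($cfg['user'] ?? '?') . ':' . ($cfg['group'] ?? '?')
                    . " can reach [$other] socket $olisten";
            }
        }
    }
    return $findings;
}

// Constructed samples. Weak: every pool runs as the web server user, one socket is
// 0666, no open_basedir. Hardened: one user per pool, 0660 sockets owned by the web
// server user, open_basedir per site.
function sample_configs(): array
{
    $weak = <<<'INI'
[www]
user = www-data
group = www-data
listen = /run/php/php7.2-fpm.sock
listen.owner = www-data
listen.group = www-data

[legacy]
user = www-data
group = www-data
listen = /run/php/php7.3-fpm.sock
listen.mode = 0666
INI;
    $hardened = <<<'INI'
[site1]
user = site1
group = site1
listen = /run/php/site1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/site1:/tmp

[site2]
user = site2
group = site2
listen = /run/php/site2.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
php_admin_value[open_basedir] = /var/www/site2:/tmp
INI;
    return [$weak, $hardened];
}

function run_self_test(): array
{
    [$weak, $hardened] = sample_configs();
    $weakFindings = audit_pools($weak);
    $hardenedFindings = audit_pools($hardened);
    if ($weakFindings === [] || $hardenedFindings !== []) {
        throw new RuntimeException('audit did not separate the weak and hardened configs');
    }
    return [$weakFindings, $hardenedFindings];
}

foreach (run_self_test()[0] as $finding) {
    echo $finding, PHP_EOL;
}
```

Run with `php audit_pools.php`: the weak layout produces findings for the 0666 socket, the unowned socket, the missing open_basedir in both pools and the legacy pool's ability to reach the www socket, while the hardened layout produces none. In the hardened layout the web server user still reaches every socket, which is what it is for; what disappears is any pool whose scripts run as that same user.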

Then I remembered the UAF scripts used in a previous contest to bypass disable_functions. You can download the script from the corresponding GitHub address and upload it manually, or bypass directly with the AntSword plugin. This time I chose Backtrace UAF, which exploits a bug in the debug_backtrace() function that went unfixed for two years: it can be tricked into returning a reference to a destroyed variable, leading to a use-after-free.

Since this gets into PWN territory, as a web guy I won't dig into it further; using the plugin directly, command execution succeeded.

That is about it for this site. It was not particularly difficult; just match each point with the right technique and it falls.

Afterword


The web admin interface directly exposes a file management function that can upload any file, so anyone who gets into the backend can get a shell. Browsing the directories, there are several other sites on this server too. Really bold…