I. Preface
I am a computer enthusiast. I think this experiment is a fairly complete web attack, so I want to share it with everyone; it also serves as my own notes. If anything is unclear, please leave a message.
II. Platform and tools
Experimental platform: the zkaq target range, https://hack.zkaq.cn/battle/target?Id=3eb7bec4a7e95297
Experimental environment: win2003 (another OS also works; be sure to turn off security software such as 360)
Experimental tools: China Chopper (Chinese kitchen knife)
churrasco (Brazilian barbecue)
Download link: https://pan.baidu.com/s/1uWrlqAKmZDXZPW7GP5j-ng
Extraction code: DFLP
III. Brief overview of the approach
1. First use the cookie value stolen in question one; import it into the browser to log in successfully
2. Because the title says system privileges are required, we first get into the website back end and then look for a way to escalate privileges
3. Find an upload vulnerability, upload a one-line trojan, and connect to the back end with China Chopper
4. Start escalating privileges on the site after uploading a system cmd
5. The privileges are still not high enough, so continue by uploading Brazilian barbecue (churrasco) to obtain the highest privileges
6. Create an administrator account
7. Log in remotely
8. Get the flag
IV. Experiment steps
1. Open the web page; it shows the following (the earlier steps are the same as before):
We use the cookie obtained in question four to log in to the admin page: ADMINSESSIONIDCSTRCSDQ=LBMLMBCCNPFINOANFGLPCFBC
I am using Firefox: press F12, find the stored cookies, and add the cookie above (the part after "=" is the value, the part in front of it is the name). After adding it, press F5 to refresh:
After a successful login the following interface is shown:
2. Look for upload vulnerabilities. I found two places where files can be uploaded:
3. Try uploading a one-line trojan; the upload fails with this pop-up:
4. Try uploading the trojan in image format (exploiting the parsing vulnerability; the .cer vulnerability can also be used by changing the suffix to .cer). Rename ma.txt to ma.jsp;ma.jpg. Note that a file that is too small cannot be uploaded: a picture must be at least 1 KB, while the txt is only a few bytes, so paste the one-line trojan several times to reach the required image size:
5. Build the URL for China Chopper. After a successful upload the page shows the image's relative path; prepend the site URL to get the location where the picture is saved: http://59.63.200.79:8005/UploadFiles/20204138204292.jpg
6. Connect with China Chopper; the connection succeeds.
7. Try to open the flag; it says access is insufficient, so we start escalating privileges.
8. Right-click the added URL and open China Chopper's virtual terminal:
Try to create a user with "net user hacks 123 /add"; it says the permission is insufficient. This is because the terminal has no permissions (it generally runs under the system disk), so we upload our own terminal.
9. Upload the terminal. Because we have no rights, it is hard to find a writable upload location, but one place is writable by almost everyone: the recycle bin, the directory named RECYCLER. Upload our cmd there.
10. Then open the virtual terminal using the uploaded cmd and run some commands. Functions that require administrator privileges, such as creating a new user, still cannot run, so we keep looking for a way to elevate privileges.
11. Upload Brazilian barbecue (churrasco) or the pr tool:
12. In the terminal, switch to the root directory where churrasco is located:
13. Start creating the user: churrasco "net user aaa 123 /add" (the content inside the double quotes is the command to be executed):
14. Add the created user to the Administrators group: churrasco "net localgroup Administrators aaa /add"
15. Check whether the user we created is in the Administrators group: net localgroup Administrators
16. Check whether remote desktop is enabled (whether port 3389 is open): netstat -an
You can see that remote desktop is open. If it were not, we would continue by uploading a tool that forces port 3389 open.
17. Remote desktop: go back to the desktop and run mstsc:
Enter the website's address
Enter the account and password we created:
Connection successful
This concludes a complete web penetration!
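The upload in step 4 only worked because the server judged the file by its size and by a loosely parsed name (ma.jsp;ma.jpg, or a .cer suffix) rather than by its content. As an added example that is not part of the original post or the target platform, the following Python validator shows the server-side check that would have rejected it: it refuses parsing metacharacters in the name, allows only image extensions, requires matching magic bytes, and scans the body for script markers (the allow-list and marker set are constructed for this example).

```python
import os
import re

# Allow-list of image extensions and the magic bytes each must start with.
# Constructed for this example; extend as needed for the application.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Server-side script markers that have no business inside an image body.
SCRIPT_MARKERS = (b"<%", b"<?php", b"<script")

# Characters that let the web server and the filesystem disagree about the
# name, e.g. IIS 6 treating "ma.jsp;ma.jpg" as ma.jsp. Also block traversal.
BAD_NAME = re.compile(r"[;\x00/\\]|\.\.")


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for one uploaded file.

    Decisions come from the final extension and the file content, never
    from the client-supplied Content-Type or from the file's size: padding
    a one-line shell up to 1 KB, as in the post, changes nothing here.
    """
    if BAD_NAME.search(filename):
        return False, "filename contains path or parsing metacharacters"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension %s not allowed" % (ext or "(none)")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match the claimed image type"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script markers found inside image data"
    return True, "ok"


def safe_storage_name(filename: str) -> str:
    """Discard the client's name entirely; keep only the validated extension."""
    ext = os.path.splitext(filename)[1].lower()
    return os.urandom(16).hex() + ext
```

Storing the file under a random name in a directory where script execution is disabled removes the second half of the attack even if a check is bypassed.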
CodePudding user response:
What is going on here?

CodePudding user response:
NICE

CodePudding user response:
Pictures?