Notes on the thinking behind analysing a Taobao client's software and getting at its database
2022-07-28 06:14:00 【cainsoftware】
A previous customer threw a program at me and told me to study how it works, i.e. how it collects Taobao data. Collecting the data itself is no longer a problem: whether you scrape with Python or go through a websocket, I think it can be done, since the User-Agent checks are not as strict as they used to be.
I threw it straight into OD (OllyDbg) and first checked whether it was packed.

So far so good, no errors. Then I set breakpoints and so on, and found that the exe's anti-cracking is honestly a bit beyond me. Sure enough, the web route is the one left to me.
The first idea is always to see how it passes values.
Since there is no packing, there is no need to worry about the trouble of unpacking.

From the packet capture, the login module passes its values through app.AneTaoApi.login. Without wasting time, I went straight to manual injection.

I think the input is filtered here, and got stuck. I ran nmap again to see what ports are open. Anyway, I feel there are many possible holes; I didn't use sqlmap, because after looking at the ports via censys.io I found he has many different websites.
The idea above turned out not to be the key. Now it gets interesting.

Going through the ports, I found that there are many websites on the server. From port 888 being open you can tell directly that there is a BT (Pagoda) panel (this part is useful later; in the early stage it is all about assets, so saving them is still worthwhile).
After going through them I found a dedecms system, and a backend I didn't know the purpose of.
Not much nagging: the first starting point is definitely dedecms (after all, privilege escalation is the most convenient there).

If you ask how I knew it was dedecms: just look at robots.txt and you can tell; no fingerprinting needed.
Don't ask, just go ahead and inject. For the version, directly access /data/admin/ver.txt; it turned out to be 20180109.
But injecting through the public vulnerabilities failed. I studied this one for a long time... I didn't find the backend either. Then I looked at the files under /data/; the SQL error log doesn't exist there either.
Then let's look at the other backend.

As a beginner I didn't know what this thing does, so I just tried weak passwords, and found I could get in!!! Heaven never shuts one door but opens another.
Here I found a place.
Seeing Dcat Admin, I found through the official site that this is a backend template.
I saw there is one above this place.

I tried privilege escalation from the backend: no luck. Here I should say I tried image upload with %00 and all kinds of messy tricks, studied it for 2 days. Maybe I'm just too bad at this.
Not much to say: my idea was to check the application market to see if I could find something like a backend file manager...
I found it and installed it directly.

Happy, I thought I was about to win.

Uploaded the webshell and went to execute it. I figured splicing in the absolute path was no problem, but it kept reporting errors.

I think it may have been intercepted.
Then I found the most interesting thing: this backend management tool has a cross-directory download, directly:
/admin/media/download?file=../../../../../../etc/passwd

But what use is this? Of course, through the dedecms absolute-path vulnerability I had already downloaded his dedecms database configuration file, but it isn't root, and remote database access isn't enabled. Probably dedecms was set up directly through the Pagoda panel's web interface.
Then it suddenly occurred to me that I could download his my.cnf:
/admin/media/download?file=../../../../../../../etc/my.cnf
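The download endpoint above is the classic path-traversal pattern: the `file` parameter is joined onto a storage directory without being confined to it. As an added example, not code from the original post and not Dcat Admin's own (PHP) code, here is how a defender handles this class of bug in Python: a handler that canonicalises the requested name and refuses anything outside an assumed media root (`/var/www/app/storage/media` is a placeholder), plus a detector run over constructed access-log lines that flags traversal and NUL-byte sequences like the ones in this post.

```python
# Added example (not from the original post): hardened file-download
# resolution for a "/admin/media/download?file=..." style endpoint, and a
# detector that flags traversal attempts in constructed access-log lines.
import os
import re
from urllib.parse import unquote

# Hypothetical media root; the real application's storage path is unknown.
MEDIA_ROOT = os.path.realpath("/var/www/app/storage/media")


class DownloadError(Exception):
    """Raised when the requested file must not be served."""


def resolve_download_path(requested, media_root=MEDIA_ROOT):
    """Map an untrusted `file` parameter onto a path inside media_root.

    Defence: decode once, reject NUL bytes and absolute paths, then resolve
    the joined path with realpath() and check it still lies under media_root.
    """
    name = unquote(requested)
    if "\x00" in name:
        raise DownloadError("NUL byte in file name")
    if os.path.isabs(name):
        raise DownloadError("absolute path not allowed")
    candidate = os.path.realpath(os.path.join(media_root, name))
    # commonpath() rather than startswith(): "/srv/media2/x" is not under
    # "/srv/media" even though the string prefix matches.
    if os.path.commonpath([media_root, candidate]) != media_root:
        raise DownloadError("path escapes media root")
    return candidate


def download_is_allowed(requested, media_root=MEDIA_ROOT):
    """Boolean wrapper around resolve_download_path() for policy checks."""
    try:
        resolve_download_path(requested, media_root)
        return True
    except DownloadError:
        return False


# Sequences worth alerting on in a download parameter: dot-dot slashes in
# raw and URL-encoded form, and the %00 truncation trick.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|\.\.%2f|%2e%2e/|%2e%2e%2f|%00)", re.IGNORECASE)

# Common/combined log format: client, ident, user, [time], "METHOD path HTTP/x"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def find_traversal_attempts(log_lines):
    """Return (client_ip, request_path) for requests carrying traversal or
    NUL-byte sequences, checking both the raw and the decoded path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(unquote(path)):
            hits.append((ip, path))
    return hits


# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jul/2022:06:14:00 +0800] "GET /admin/media/download?file=report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jul/2022:06:14:07 +0800] "GET /admin/media/download?file=../../../../../../etc/passwd HTTP/1.1" 200 1804',
    '203.0.113.5 - - [28/Jul/2022:06:14:09 +0800] "GET /admin/media/download?file=..%2F..%2F..%2Fetc%2Fmy.cnf HTTP/1.1" 200 1337',
    '198.51.100.9 - - [28/Jul/2022:06:15:01 +0800] "GET /index.php HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for req in ("report.pdf", "../../../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "a.pdf%00.jpg"):
        print(f"{req!r:45} allowed={download_is_allowed(req)}")
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", path)
```

The resolver only fixes the download handler; the my.cnf download in the post worked because the web worker could read it at all, so the file-permission side (config files not world-readable, web user confined to its document root) matters just as much as the path check.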

How happy: tested it directly with Navicat.

Found the user table. The end...
Of course, I also tried writing files through MySQL, which was a mess; for anyone wanting to escalate privileges further, that is still unsuccessful.
Overall, the security of the whole server is not very good, but I haven't found any particularly good way further in. Writing files with root privileges by writing to the logs: no way, no execute permission. Writing output directly from a statement: also not possible, MySQL's file-write permission is null.
But just getting the data is enough. Finally, I hope PTE passes, haha.