A system with a large user base has multiple common SQL injection vulnerabilities, high-risk weak passwords, and a backend getshell method # this vulnerability can lead to batch getshells.

Source: Internet
Author: User


#1. Introduction to the common system. information_schema does not exist on this system, so the schema can only be guessed.

#2. Injection points, collected:

1. topic.php?channelID=**&topicID=** (injection parameters: channelID, topicID)
2. topic.php?action=news&channelID=***&topicID=***&newsTime=***&newsID=*** (injection parameters: newsID, channelID, topicID)
3. index.php?hostID=** (injection parameter: hostID)
4. search.php?hostID= (injection parameter: hostID)
5. channel.php?channelID= (injection parameter: channelID)
6. /schemdes/js_info_list.php?channelID=**&topicID=***&num=*** (all parameters injectable), etc.
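A defender running this system can look in the web access logs for probing of the parameters listed above. The following is an added example, not part of the original write-up: it assumes combined-format access logs and that legitimate values for these parameters are digits or comma-separated digit lists; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Script -> parameters the write-up lists as injectable (None = every parameter).
INJECTABLE = {
    "topic.php": {"channelid", "topicid", "newsid"},
    "index.php": {"hostid"},
    "search.php": {"hostid"},
    "channel.php": {"channelid"},
    "js_info_list.php": None,
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate values are digits or comma-separated digit lists (or empty).
NUMERIC = re.compile(r"[0-9,]*")

def suspicious_params(log_line):
    """Return [(name, decoded_value)] for listed parameters whose value is not numeric."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in INJECTABLE:
        return []
    watched = INJECTABLE[script]
    hits = []
    # parse_qsl percent-decodes, so encoded quotes and spaces are compared in clear.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if (watched is None or name.lower() in watched) and not NUMERIC.fullmatch(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_index, hits)] for every log line with at least one hit."""
    return [(i, hits) for i, line in enumerate(lines) if (hits := suspicious_params(line))]

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /topic.php?channelID=13&topicID=45 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /topic.php?channelID=13&topicID=45%27 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?hostID=1+and+1%3D1 HTTP/1.1" 200 4800',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /includes/js_info_list.php?channelID=2&topicID=,56,44&num=15 HTTP/1.1" 200 900',
    '198.51.100.7 - - [01/Jan/2024:10:01:30 +0000] "GET /includes/js_info_list.php?topicID=129&css=4%27&num=7 HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(index, hits)
```

The same digits-only rule, enforced in the application before the value reaches a query, is what closes these injection points; the log scan only shows who has been testing them.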

[Statement: the following cases are only for CNVD and CNcert Security Testing. Other users shall not exploit them or maliciously destroy them. Otherwise, they will be responsible for the consequences]




#3. Injection proof: <administrator table name: cms_user; administrator fields: username, password, etc.>

The error message is like this:
 



1. Proof of Injection Point 1:
 

Http://www.deko-cn.com/topic.php? ChannelID = 13 & topicID = 45 http://www.wincom.net.cn/topic.php? ChannelID = 19 & topicID = 2 http://www.gztianba.com/topic.php? ChannelID = 4 & topicID = 481, etc.


 


 


 





2. Proof of Injection Point 2:
 

Http://www.key163.com/topic.php? Action = news & channelID = 1 & topicID = 25 & newsID = 76 http://www.jiayuchina.com.cn/topic.php? Action = news & channelID = 40 & topicID = 228 & newsID = 526 http://www.wh-dg.com/topic.php? Action = news & channelID = 30 & topicID = 150 & newsID = 107, etc.


 


 


 





3. Proof of Injection Point 3:
 

Http://www.yhachina.com/index.php? HostID = 1 http://www.qiaoxingda.com/index.php? HostID = 3 http://www.sanhegz.com/index.php? HostID = 2 and so on


 


 


 





4. Proof of Injection Point 4:
 

Http://www.hkstc.com.cn/search.php? HostID = 1 http://www.hk-si.com/search.php? HostID = 2 and so on


 


 





5. Proof of Injection Point 5:
 

Http://www.wincom.cn/channel.php? ChannelID = 9 http://www.zhanhong.com.cn/EN/channel.php? ChannelID = 8 & topicID = 16 http://bk.gzarts.edu.cn/channel.php? ChannelID = and so on


 


 





6. Proof of Injection Point 6:
 

Http://www.investhuadu.gov.cn/includes/js_info_list.php? TopicID = 129 & css = 4 & length = 30 & num = 7 http://www.yhachina.com/includes/js_info_list.php? ChannelID = 2 & topicID =, 56, 44 & num = 15, etc.


 


 


 





#4. Backend getshell method:

The default backend address is /manager/. In the backend, upload a shell at the place where products are added, capture the request, and change the type to "Content-Type: image/jpeg" to get the shell.
 


 



Right-click the image on the front end to get the shell address:
 





#5. High-Risk weak passwords:

An eWebEditor 3.8 (PHP version) is present under the system's backend directory. This editor has a serious weak password, which allows the configuration to be modified to obtain a webshell.

Location: manager/ewebeditor/admin/default.php
Weak password: admin \ admin or teamtop \ teamtop



Weak Password proof:
 

http://www.83373822.com/manager/ewebeditor/admin/default.php


 


 


 




 

http://www.sylvania.cn/manager/ewebeditor/admin/default.php


 




 

http://www.bags4u.com.cn/manager/ewebeditor/admin/default.php


 


 

 

Solution:

How can this problem be solved?
