A widely deployed system has multiple common SQL injection vulnerabilities, high-risk weak passwords, and a getshell method in the admin backend. These vulnerabilities can lead to batch getshell.
#1. About this common system: information_schema does not exist on it, so names can only be guessed.
#2. Collected injection points:
1. topic.php?channelID=**&topicID=** injection parameters: channelID, topicID
2. topic.php?action=news&channelID=***&topicID=***&newsTime=***&newsID=*** injection parameters: newsID, channelID, topicID
3. index.php?hostID=** injection parameter: hostID
4. search.php?hostID= injection parameter: hostID
5. channel.php?channelID= injection parameter: channelID
6. /schemdes/js_info_list.php?channelID=**&topicID=***&num=*** all parameters are injectable, etc.
[Statement: the following cases are provided only for CNVD and CNCERT security testing. Other users must not exploit them or cause malicious damage; otherwise they bear responsibility for the consequences.]
#3. Injection proof (administrator table name: cms_user; administrator fields: username, password, etc.):
The error message is like this:
1. Proof of injection point 1:
http://www.deko-cn.com/topic.php?channelID=13&topicID=45
http://www.wincom.net.cn/topic.php?channelID=19&topicID=2
http://www.gztianba.com/topic.php?channelID=4&topicID=481
etc.
2. Proof of injection point 2:
http://www.key163.com/topic.php?action=news&channelID=1&topicID=25&newsID=76
http://www.jiayuchina.com.cn/topic.php?action=news&channelID=40&topicID=228&newsID=526
http://www.wh-dg.com/topic.php?action=news&channelID=30&topicID=150&newsID=107
etc.
3. Proof of injection point 3:
http://www.yhachina.com/index.php?hostID=1
http://www.qiaoxingda.com/index.php?hostID=3
http://www.sanhegz.com/index.php?hostID=2
and so on
4. Proof of injection point 4:
http://www.hkstc.com.cn/search.php?hostID=1
http://www.hk-si.com/search.php?hostID=2
and so on
5. Proof of injection point 5:
http://www.wincom.cn/channel.php?channelID=9
http://www.zhanhong.com.cn/EN/channel.php?channelID=8&topicID=16
http://bk.gzarts.edu.cn/channel.php?channelID=
and so on
6. Proof of injection point 6:
http://www.investhuadu.gov.cn/includes/js_info_list.php?topicID=129&css=4&length=30&num=7
http://www.yhachina.com/includes/js_info_list.php?channelID=2&topicID=,56,44&num=15
etc.
#4. Backend getshell method:
The default backend address is /manager/. In the backend, upload a shell at the place where products are added, capture the request, and change the type to "Content-Type: image/jpeg" to get the shell.
Right-click the image on the front end to get the shell address:
#5. High-risk weak passwords:
An eWebEditor 3.8 (PHP version) is present under the system's backend directory. This editor has a serious weak-password problem, which allows its configuration to be modified to obtain a webshell.
Location: manager/ewebeditor/admin/default.php
Weak passwords: admin\admin or teamtop\teamtop
Weak password proof:
http://www.83373822.com/manager/ewebeditor/admin/default.php
http://www.sylvania.cn/manager/ewebeditor/admin/default.php
http://www.bags4u.com.cn/manager/ewebeditor/admin/default.php
Solution:
How can this problem be solved?
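For the injection points collected in #2, one way to close them, shown as an added example that is not the vendor's code and not part of the original report: validate each ID parameter as an integer (or a comma-separated integer list, as topicID is used with js_info_list.php) and bind every value through a prepared statement. The table cms_news, its columns, and the functions parse_id_list and list_news are hypothetical names; an in-memory SQLite database with constructed rows stands in for the system's real database.

```php
<?php
// Added example, not the vendor's code. cms_news and its columns are assumed names.
declare(strict_types=1);

/** Parse "56,44"-style input into a list of ints; reject anything else. */
function parse_id_list(string $raw, int $max = 20): array
{
    if (!preg_match('/^\d{1,9}(,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('invalid id list');
    }
    $ids = array_map('intval', explode(',', $raw));
    if (count($ids) > $max) {
        throw new InvalidArgumentException('too many ids');
    }
    return $ids;
}

/** js_info_list.php-style lookup: request values are bound, never concatenated. */
function list_news(PDO $db, string $channelID, string $topicID, string $num): array
{
    $channel = parse_id_list($channelID, 1)[0];
    $topics  = parse_id_list($topicID);
    $limit   = min(parse_id_list($num, 1)[0], 50);
    // $marks contains only "?" and commas, so interpolating it is safe.
    $marks = implode(',', array_fill(0, count($topics), '?'));
    $stmt  = $db->prepare(
        "SELECT id, title FROM cms_news
         WHERE channel_id = ? AND topic_id IN ($marks)
         ORDER BY id DESC LIMIT ?"
    );
    $i = 1;
    $stmt->bindValue($i++, $channel, PDO::PARAM_INT);
    foreach ($topics as $t) {
        $stmt->bindValue($i++, $t, PDO::PARAM_INT);
    }
    $stmt->bindValue($i, $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE cms_news (id INTEGER PRIMARY KEY, channel_id INT, topic_id INT, title TEXT)');
$db->exec("INSERT INTO cms_news VALUES (1,2,56,'a'),(2,2,44,'b'),(3,2,99,'c')");
print_r(list_news($db, '2', '56,44', '15'));
try {
    list_news($db, '2', '44 OR 1=1', '15');
} catch (InvalidArgumentException $e) { echo "rejected: {$e->getMessage()}\n"; }
```

The same pattern applies to hostID, newsID and the other numeric parameters listed in #2; the LIMIT value is bound with PDO::PARAM_INT so it is sent as an integer rather than a quoted string.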