Open google to search for Nanjing University. Http://www.xxx.xx/click open link automatically jump to the http://www.bkjia.com/cps/site/newweb/foreground/ here,
I have a basic understanding of the website twice. If I change the case and the case does not exist, it is very likely that the website is linux or unix. I clicked two connections and found that there were variables passed in. This is rare, some of the better master sites I have seen are static pages and links to sub-sites.
Next, open a news article and view the image url. No trace of the typical editor is found. But wearing a virgins does not mean that they are virgins. The website cannot be retained, and the website cannot be retained.
Open wvs (how long it takes to stop you ~~) Start to take a bath.
After I take a bath, I can see that wvs has not been completed, but I don't think it is necessary to continue scanning.
Because I scanned the injection ..
Open havij and start the injection. Some basic information is obtained smoothly, and the user is still root,
I'm not in a hurry to decrypt it. I went to phpmyadmin first. Unfortunately, I didn't find it. I had nothing to do if I used dirbuster to scan it again. Later, I discovered that the original root password could not be obtained...
Here seems to be stuck, so I went to note the table segment, at the same time open wscan ON THE http://www.nju.edu.cn/cps/site/newweb/ to scan the directory, hoping to scan to the background.
Unfortunately, I still haven't scanned it ..
So I went back to root again. Since phpmyadmin cannot be found, it does not mean that I cannot write it. select into outfile can also write one sentence, but what about the absolute path?
Http://www.nju.edu.cn/cps/site/newweb/foreground/show1.php? Id = 1 '. It's that simple.
Now let's start writing shell. The process is not detailed. As we all know, the result is unsuccessful .. GPC must be disabled .. Is a directory not writable? (Windows is rare, but linux has strict permission allocation, which is prone to write failures)
So I started to change directories and switch to the image directory...
Here I got stuck again, so I flipped through the wvs scan report and turned to something suspicious.
Some of my sisters used to get webshell .. Www.2cto.com is so depressed ..
If you are depressed, you can directly read the file in loadfile, and then get the password and go in ..
I found several horses .. But it was in 755, And then I carefully flipped through the Directory and found that the permission settings were really tight. The directory was, and webshell had no permission to write data (not root, execute whoami echo nobody ), all files are 644 and cannot be changed. If you try the chmod command without ECHO, the File Permission remains unchanged. Find the database connection file and phpmyadmin directory (originally phpMadmin ..) Root logon still fails to select into outfile. After visiting the website directory, I went away ..
That's all?
It's done...
Solution:
How to fix vulnerabilities