By: Qingtian Xiaozhu
Looking at the side sites (the other sites on the same server): they are all subdomains of the main site.
The main site's source is Fengxun 4.0, which has no 0day, so only the side sites can be looked at ~!
It looks like the main site hasn't been built yet, so I thought: if nothing has been set up, are all its settings still the original defaults? Well, let's look at the source.
Oh, it's 08cms. From what I've studied, 08cms has several default admin accounts: 08cms/08cms and admin08cms/admin08cms (it looks like something left behind by a webshell on the official site -.-|)
Two tries, and luck was on my side!
There are several breakthrough points for getting a shell from the backend:
1. The attachment types can be set by yourself (expecting a PHP upload)
2. SQL export is available (expecting the path to be known)
I thought the shell would go through, but it happened again ~
The suffix got changed to 23143316a7c1c87ef78724._php
This is depressing. I tried asp, asa, aspx and all of them failed. It seems the source code restricts this?
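The renaming seen above (the client's ".php" suffix turned into "._php" behind a random name) is the defensive pattern worth copying. The following is an added example of that server-side neutralisation in Python; it is not 08cms code, and the extension lists, the `stored_name`/`is_dangerous` names and the hypothetical `token_hex` parameter (used only so the output is deterministic) are assumptions of this example.

```python
import os
import re
import secrets
from typing import Optional

# Extensions a typical web server would hand to an interpreter. Treated as
# dangerous wherever they appear in the name (constructed list, not from 08cms).
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "asp", "asa", "aspx", "cer", "cdx", "ashx", "asmx",
    "jsp", "jspx", "cgi", "pl", "sh",
}

# What an attachment upload is actually expected to carry (assumed allow-list).
ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "zip", "txt"}


def split_name(original: str):
    """Return (stem, lowercase extension segments) for a client-supplied filename.
    Directory components and anything after a NUL byte are discarded first."""
    name = original.split("\x00", 1)[0]
    name = os.path.basename(name.replace("\\", "/"))
    parts = name.split(".")
    return parts[0], [p.lower() for p in parts[1:]]


def is_dangerous(original: str) -> bool:
    """True if any extension segment is executable, so 'shell.php.jpg' is caught."""
    _, exts = split_name(original)
    return any(e in EXECUTABLE_EXTS for e in exts)


def stored_name(original: str, token_hex: Optional[str] = None) -> str:
    """Map a client filename to the name written on disk.

    The stem is replaced by a random token so the client never chooses a path.
    A single allow-listed extension is kept; everything else is neutralised by
    turning the dot into an underscore ('._php' style), so the web server has
    no executable extension to dispatch on."""
    _, exts = split_name(original)
    token = token_hex or secrets.token_hex(11)
    if len(exts) == 1 and exts[0] in ALLOWED_EXTS:
        return f"{token}.{exts[0]}"
    tail = "_".join(exts) if exts else "bin"
    tail = re.sub(r"[^a-z0-9_]", "", tail) or "bin"
    return f"{token}._{tail}"


if __name__ == "__main__":
    for name in ["photo.JPG", "shell.php", "shell.php.jpg", "../../x.asp\x00.jpg"]:
        print(f"{name!r:28} -> {stored_name(name, 'deadbeef')}  dangerous={is_dangerous(name)}")
```

The allow-list check comes first, so a double extension such as `shell.php.jpg` never qualifies (it has two segments) and is stored as `<token>._php_jpg`; renaming alone is not enough if the upload directory also allows script execution, so pairing this with a no-execute rule on that directory is the usual second layer.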
So the only thing left to test is SQL export. The next task is to find the path.
The path can be exposed where the database is imported:
when you import a random file as the database, the path pops up.
Now that the path is known, export a one-liner with MySQL right away;
just export a single one-line connector.
If the permissions are large enough, going across directories directly is also fine.
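What made this step work is that the database account could write files on the server. Restricting that (`secure_file_priv`, no `FILE` privilege for the application user) is the fix; the following is an added detection example, not part of the original post, that scans MySQL general-log lines for server-side file writes and script tags. The log lines, the `scan_general_log` name, the severity scheme and the directory names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One MySQL general_log line: "YYMMDD HH:MM:SS" or ISO timestamp, thread id,
# command type and the statement text.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{6} \d\d:\d\d:\d\d|\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)
# Server-side file-write primitives.
FILE_WRITE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\s*'(?P<path>[^']*)'", re.I)
# Script tags carried inside a statement's string literals.
SCRIPT_TAG = re.compile(r"<\?(?:php|=)|<%", re.I)
# Destinations a web server would execute or serve (assumed names).
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar|asp|aspx|asa|jsp)$", re.I)
WEBROOT = re.compile(r"/(?:www|htdocs|wwwroot|public_html)/", re.I)

# Constructed sample log; the script body is a harmless placeholder.
LOG_SAMPLE = """\
140315 10:22:01\t   12 Connect\troot@localhost on cms_db
140315 10:22:03\t   12 Query\tSELECT id, title FROM cms_article WHERE id = 42
140315 10:22:09\t   12 Query\tSELECT '<?php /* constructed placeholder */ ?>' INTO OUTFILE '/var/www/html/upload/x.php'
140315 10:22:15\t   12 Query\tSELECT * FROM cms_user INTO OUTFILE '/tmp/users.txt'
140315 10:22:20\t   12 Quit\t
"""


@dataclass
class Finding:
    ts: str
    tid: str
    severity: str          # "high" or "medium"
    reason: str
    path: Optional[str]    # destination of the file write, if any


def scan_general_log(text: str) -> List[Finding]:
    """Flag Query entries that write files from the database server.
    A write into a web-served directory or to an executable extension, or any
    statement carrying a script tag, is rated high; other writes are medium."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        stmt = m.group("arg")
        write = FILE_WRITE.search(stmt)
        has_tag = SCRIPT_TAG.search(stmt) is not None
        if not write and not has_tag:
            continue
        path = write.group("path") if write else None
        reasons = []
        if write:
            reasons.append("file write via INTO OUTFILE/DUMPFILE")
        if has_tag:
            reasons.append("script tag in statement")
        high = has_tag or (
            path is not None and bool(EXEC_EXT.search(path) or WEBROOT.search(path))
        )
        findings.append(Finding(m.group("ts"), m.group("tid"),
                                "high" if high else "medium", "; ".join(reasons), path))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(LOG_SAMPLE):
        print(f"{f.ts} thread={f.tid} [{f.severity}] {f.reason} -> {f.path}")
```

The general log is expensive in production; the same rules apply unchanged to audit-plugin output or to a proxy's query log. A medium finding for a plain `INTO OUTFILE` into `/tmp` is still worth a look, since the page's own path-disclosure step shows how quickly "unknown path" becomes "known path".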
Privilege escalation was easier still: found SA and ROOT, direct KO!
That's all for this article. The important thing is to find a way around whatever technical problem you hit ~!!!
The website administrator has fixed the vulnerability.