An old system in Qijia, GETSHELL, to the Intranet

An old system in Qijia, GETSHELL, to the Intranet

No highlights

Access:

Http://chajian.jia.com/kaoshi/

I don't know what the system is.

Then open

Http://chajian.jia.com/kaoshi/admin/

Admin-> admin

Fruitless.

Later I looked at Qijia's vulnerability and found that no attempt was made for weak passwords of 123456. Then I tried it.

The logon is successful.

Because at first I didn't know that this system was something of QIBoCMS, and its function was very simple.
 

An injection vulnerability was found in the background and the QIbo CMS was found only after the file was read.

During this period, the upload vulnerability was attempted because it could not be put into single quotes and all would not be able to get WEBSHELL through MYSQL.

Obtain the Database user table information:
 

After you build the same system, you can find that the function file is hidden and not deleted. You can directly call the URL for direct access.

GETSHELL method:

Http://chajian.jia.com/kaoshi/admin/index.php? Lfj = alonepage & job = list

Use assert () when writing Shell, because eval will be replaced with eva l, resulting in failure.
 

Proof of vulnerability:

SHELL address:

Http://chajian.jia.com/kaoshi/cache/xx.php


 

 

 

 

 

Solution:

Security is a whole. to ensure security, it is not how powerful a powerful place is, but where a really weak place is.

Update version and modify Weak Password

MYSQL permissions need to be downgraded

Relatively biased applications should focus on taking care

Go offline if not required