An old Qijia system: GETSHELL, reaching the intranet
No highlights
Access:
http://chajian.jia.com/kaoshi/
I don't know what the system is.
Then open
http://chajian.jia.com/kaoshi/admin/
admin -> admin
Fruitless.
Later I looked at Qijia's vulnerabilities and found that no one had tried the weak password 123456, so I tried it.
The login succeeded.
At first I didn't know that this system was QiboCMS, and its functionality was very simple.
I found an injection vulnerability in the admin backend, and only after reading files did I find out that it was Qibo CMS.
During this period I also tried for an upload vulnerability, because single quotes could not be used and so a webshell could not be obtained through MySQL.
Obtained the database user table information:
After you build the same system, you can see that the function's file is only hidden, not deleted, so it can be reached directly by URL.
GETSHELL method:
http://chajian.jia.com/kaoshi/admin/index.php?lfj=alonepage&job=list
Use assert() when writing the shell, because eval is replaced with eva l, which causes failure.
Proof of vulnerability:
SHELL address:
http://chajian.jia.com/kaoshi/cache/xx.php
Solution:
Security is a whole. What determines security is not how strong the strongest point is, but where the truly weak point is.
Update the version and change the weak password
MySQL permissions need to be reduced
Pay particular attention to obscure, out-of-the-way applications
Take it offline if it is not required
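
For the cleanup side of the fixes above, here is an added example (not part of the original report) that sweeps a web root for PHP files which both read request input and call a code-execution function, the pattern of the shell left in cache/. The sink list, function names and sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Functions that run a string as code or as a command. A filter that rewrites
# only "eval" (as the report describes) leaves every other sink usable.
SINKS = re.compile(r"\b(eval|assert|create_function|system|passthru|shell_exec)\s*\(", re.I)
# Request-controlled input read by the script.
INPUTS = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_EXT = {".php", ".phtml", ".php5"}


def scan_file(path):
    """Return sorted sink names if the file has a sink and reads request input."""
    text = Path(path).read_text(errors="replace")
    sinks = sorted({m.group(1).lower() for m in SINKS.finditer(text)})
    return sinks if sinks and INPUTS.search(text) else []


def scan_tree(root):
    """Map relative path -> sinks for every suspicious PHP file under root."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in PHP_EXT:
            hits = scan_file(p)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings


def build_sample(root):
    """Constructed sample tree (hypothetical files, not taken from the report)."""
    root = Path(root)
    (root / "cache").mkdir()
    (root / "cache" / "config.php").write_text("<?php $cfg = array('title' => 'exam'); ?>")
    (root / "cache" / "xx.php").write_text("<?php assert($_POST['k']); ?>")
    (root / "cache" / "page.html").write_text("<p>eval( $_GET )</p>")  # not PHP: ignored
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, sinks in scan_tree(build_sample(d)).items():
            print(name, sinks)
```

Run it against directories the application writes to (cache, upload); a hit there deserves review, since those directories should hold data rather than request-handling code.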