Analysis of Security ideas in a background

This article hides all actual addresses. Then, I didn't get Webshell. This article only provides some analysis and ideas to provide some ideas for children's shoes who learn and detect website security.
There are a lot of kids shoes who only know how to find the editor, upload, download, inject, and others... This article is written to the children who want to break through the bottleneck.
Because it was late in the middle of the night, it was only half done. I got up in the morning because I had a date with my Japanese girlfriend, so I didn't continue. Later, my website administrator asked me, and I reported the problem to them.

The background uses a universal password. I did not really think of this. The main site uses wordpress and has a substation on the same server. This is the background of this substation.
Several uploads cannot upload php at all. This is definitely the case and I have thought of countless ways.


In addition, there are no editors or the like in the background, and there is nothing to edit but to review and so on.

Then let's analyze it slowly. What caught my attention was the download part of a thesis.



Here I think it is strange that I chose a date and click "Download". The system response is very slow and a compressed package of hundreds of MB is provided for download.
I think if I am the programmer and there is no universal password in the background, the level should not be very high, so the system cannot be too complicated, I think the batch download of this paper that I can write is as follows:
Submit a POST data packet from the client to the SERVER. This data packet is a date, and the system filters the data packet from the database or directory. All documents meeting this date are compressed and packaged, then download the package. The name of the package is in the data of the previous POST.

If the filter is performed from the directory, is it possible to POST the name of a folder and then let the system package the file in this directory for provision? In other words, what about downloading other files without downloading the compressed package by submitting POST data in a directory?
This is just a conjecture.
Let's try to construct html locally for POST data, first POST a single quotation mark:

1. <Form name = "downloadclass" action = "http: // www.2cto.com/admin/downloadclass. php" method = "post">
2. <Select name = "class">
3. <Option value = "'">' </option>
4. <Option value = "404.php% 00"> 404.php</option>
5. </Select>
6. <Input name = "Submit" type = "submit" class = "button" id = "Submit" value = "downlink"/>
7. </Form>

Let's take a look at the information returned by the server:



The server does not perform any authentication filters on postinformation, and directly adds .zip as the file name of the compressed package, and then looks at the function I circled.
First, we need to solve the problem of adding .zip. This is actually a good solution. In IE, if it is GET, we only need to add % 00, which is url encoding.
This is not the case in POST. % 00 is \ 0 is the truncation character. Then we try:



The blank space of the two byte selected in the editor is not a space, it is 0x0000 edited in hexadecimal mode.
Although I do not know whether this can achieve my goal, that is, a truncation character of POST. But it seems that I can't use IE. Should I use other tools?

Wordpress, you should understand it later