Code execution of a sub-station of Hangzhou youqu Network (ACFUN) leads to shell access.

Hangzhou youqu network wiki substation Region.

Insert the PHP code that generates a PHP sentence trojan in the image to get the shell. Connect
After looking at the files on the server, I obtained the password of the root user of MySQL and successfully logged on to phpmyadmin. I found that the user information of another sub-station may be http://dts.acfun. TV.

In addition, two interesting files are found in the website directory.

Dare not try to raise the right.


Visit http://wiki.acfun. TV /images/2/28/acgirl-1122.png/1.php to find the hidden holes. Uploaded And inserted <? Php phpinfo ();?> The image file tu1.jpg of the code can be found at http://wiki.acfun. TV /images/0/0b/tu1.jpg/1.php.
The inserted php code is executed. 1.

Insert the PHP code that generates a PHP Trojan file in the current directory into the image file, and access
Connect the client to the ingress.

The root User Password of MySQL is found in the backup-LocalSettings.php file under the root directory of the website, the website has phpmyadmin
(Http://wiki.acfun. TV /phpmyadmin/), directly log in, found another substation may be http://dts.acfun. TV /user information, 3.

 

Solution:

The website administrator understands.