This article mainly introduces the implementation of PHP to save the website user password to the CSS file (universal type), the instance code, very good, with reference value, the need for friends can refer to, hope to help everyone.
Many times, after we get a shell, occasionally encounter a password can not solve the situation, using XSS to collect cookies, feel inconvenient; Use the XSS platform to hijack the form bar, feel trouble, also worry about the password they want others also copy a copy of the situation, This time we need to find a way to collect the desired pwd ...
The simplest, look at other people's Landing interface as follows:
I spring and autumn landing interface, we can see the user and password of the name attribute is: "Username and password", of course, for I spring and autumn such a CMS, if you coincidentally have such a similar site shell,
And then we'll find another one. thinkphp Login Interface:
In fact, also look at the account and password of the Name property: "User also has password", in fact, the name of the login is similar, then we can directly in the shell to find the landing file, and then modify the relevant content.
Then the question comes, many people will feel the log file is very cumbersome or is not good for what, then the best way is that we write a crawl landing time post data script, and then use the relevant files to include it, so that the completion of both the safe operation of the site, It also guarantees that you can get the password you want. The surprise is not surprise, the accident is not unexpected.
Look at my website backstage, very simple, direct admin directory, nothing to say, directly find my admin directory, include our script, get the administrator's password
Do I say more how to pull Duzi to the administrator password, I, ah, sin sin, I was deliberately, you did not listen to the wrong, I was deliberately, this is bypass, the is a gold key,when u wonna be get someone else ' s p Assword.
Haha, are you happy, boys?
In fact, for the kind of site that you start landing, you can from its index.php file to do the rules, see its require or include and other call files, as long as the landing has a relationship, Or directly can be said to be in the process of landing will be called to the file directly to the file we study included in it can get the password.
Wordy for so long, above this sentence is the focus, let you disappointed, younger brother's language organization ability needs to contact, then summed up a word:
LU's process has the call to the file, we do that can include in, and then get the password!!
Last one of the pictures I used, don't be excited!
PS: below to see the snippet example code PHP using gzip compression transfer JS and CSS file method
<?php/** * Full Invocation Example: * 1, combine.php?t=j&b=public&fs=jslib.jquery,function * * This example calls the PUBLIC/JSLIB/JQ in the root directory of the Web site Uery.js and Public/function.js * 2, combine.php?t=j&fs=jslib.jquery,function * * This example calls the root directory of the site jslib/ Jquery.js and Function.js * 3, Combine.php?t=c&b=public.css&fs=common,index * * This example calls the root directory of the site Public/css/common . CSS and Public/css/index.css * 4, Combine.php?t=c&fs=css.common * This example calls the site root directory of the CSS/COMMON.CSS * Note: Multiple file names are used, separated; A file name at the end do not have, * with, separate multiple files will be compressed into a document, one-time pass to the browser **/$is _bad_request=false; $cache = true; $doc _root_uri=$_server[' document_root ']. ' /'; $cachedir = $doc _root_uri. ' Public/cache '; File type, j is js,c for CSS $type =isset ($_get[' t ')? ($_get[' t ']== ' J ' | | $_get[' t ']== ' C '? $_get[' t ']: '): '; The base directory where JS and CSS files are stored, for example: B=public.js represents the/public/js folder, the starting point is that the site root//base directory parameter is not required, and if there is a base directory then the base directory will be appended to the file name $base =isset ($_ Get[' B '])? ($doc _root_uri.str_replace ('. ', '/', $_get[' B ')]): $doc _root_uri; List of file names with no suffix. For example, the base directory is//file name format is: Base directory (if any) + package name + file name//For example: type is J,//file name PUblic.js.jquery//If there is a base path and is public,//then the converted file name is/public/public/js/jquery.js//if there is no base path//Then the converted file name is/public/js/jquer Y.js//Multiple file names, separating $fs =isset ($_get[' FS '))? Str_replace ('. ', '/', $_get[' FS ']): '; $fs =str_replace (', ', '. '). ($type = = ' j '? ') JS, ': ' CSS, '), $FS); $fs = $fs. ($type = = ' j '? '. JS ': '. css '); if ($type = = "| | $fs = = ") {$is _bad_request=true;}//die ($base); if ($is _bad_request) {header ("http/1.0 503 Not Implemented"), $file _type= $type = = ' j '? ' JavaScript ': ' CSS '; $elements = Explode (', ', Preg_replace ('/([^?] *). */', ' \1 ', $fs)); Determine last modification date of the files $lastmodified = 0; while (list (, $element) = each ($elements)) {$path = $base. '/' . $element; if ($type = = ' J ' && substr ($path,-3)! = '. js ') | | ($type = = ' C ' && substr ($path,-4)! = '. css ') {Header ("http/1.0 403 Forbidden"); Exit } if (substr ($path, 0, strlen ($base))! = $base | |!file_exists ($path)) {header ("http/1.0 404 Not Found"); Exit } $lastmodified = max ($lastmodifIED, Filemtime ($path)); }//Send Etag Hash $hash = $lastmodified. '-' . MD5 ($FS); Header ("Etag: \" ". $hash. "\""); if (Isset ($_server[' Http_if_none_match ')) && stripslashes ($_server[' http_if_none_match ']) = = ' ". $hash. ' "') {//Return visit and no modifications, so does not send anything headers (" http/1.0 304 not Modified "); Header ("content-type:text/". $file _type); Header (' content-length:0 '); } else {//first time visit or files were modified if ($cache) {//Determine supported compression method $gzip = strstr ($_server[' http_accept_encoding '), ' gzip '); $deflate = strstr ($_server[' http_accept_encoding '), ' deflate '); Determine used compression method $encoding = $gzip? ' gzip ': ($deflate? ' Deflate ': ' None '); Check for buggy versions of Internet Explorer if (!strstr ($_server[' http_user_agent '), ' Opera ') && PR Eg_match ('/^mozilla\/4\.0 \ (compatible; MSIE ([0-9]\.[ 0-9])/I ', $_server[' http_user_agent '], $matches) {$version = Floatval ($matches [1]); if ($version < 6) $encoding = ' None '; if ($version = = 6 &&!strstr ($_server[' http_user_agent '), ' EV1 ') $encoding = ' None '; }//Try the cache first to see if the combined files were already generated $cachefile = ' cache-'. $hash. '.' . $file _type. ($encoding! = ' None '? '.' . $encoding: "); if (File_exists ($cachedir. '/' . $cachefile) {if ($fp = fopen ($cachedir. '/' . $cachefile, ' RB ') {if ($encoding! = ' None ') {Header ("content-encoding:"). $encoding); } header ("content-type:text/". $file _type); Header ("Content-length:".) FileSize ($cachedir. '/' . $cachefile)); Fpassthru ($FP); Fclose ($FP); Exit }}}//Get contents of the files $contents = '; Reset ($elements); while (list (, $element) = each ($elements)) {$path = $base. '/' . $element; $contents. = "\ n".File_get_contents ($path); }//Send Content-type header ("content-type:text/". $file _type); if (Isset ($encoding) && $encoding! = ' None ') {//Send compressed contents $contents = Gzencode ($content S, 9, $gzip? Force_gzip:force_deflate); Header ("content-encoding:".) $encoding); Header (' Content-length: '. strlen ($contents)); Echo $contents; } else {//Send regular contents header (' Content-length: '. strlen ($contents)); Echo $contents; }//Store cache if ($cache) {if ($fp = fopen ($cachedir. '/' . $cachefile, ' WB ') {fwrite ($fp, $contents); Fclose ($FP); } } }