Rubik's cube Network photography system injection vulnerability and exploitation and repair

 

Rubik's cube Network photography system

 

Injection point: www.2cto.com/news. php? Action = detail & id = [SQLi]

 

The first step is to obtain the Administrator account and password through the injection point. The password is in plain text.

 

Step 2: Enter/admin. php In the background and try to get webshell

 

 

Step 3: Upload a Trojan horse with a sentence of .asp;.jpg

 

Step 4: The kitchen knife connects to a Trojan

 

Step 5: further escalate the right and win the server...

 

 

--------------------------------------------------------------------------------

It should be that the mysql password for unified website construction is plain text .... it is estimated that the password is either empty or the plaintext getshell has time to check whether there are other vulnerabilities including cgi filtering. This is disgusting.

 

In fact, cgi, you know, like this http://www.bkjia.com/data/attachment/1.php1_1.jpg

Not necessarily valid

FastCGI Error

 

The FastCGI Handler was unable to process the request.

Error Details:

 

Cocould not find entry for "jpg" on site 236134254 in [Types] section.

Error Number: 1413 (0x80070585 ).

Error Description: required TD § too many errors y too many

HTTP Error 500-Server Error.

Internet Information Services (IIS)

Www.2cto.com provides the repair solution:

Filter parameters on the news. php page. Fixed the iis6 resolution vulnerability.