Getshell on a Sina Server

Source: Internet
Author: User


The target is a server belonging to Sina. The forum information presents it as a plug-in forum for Sina SHOW, but the host sits in Sina's C segment.
 



http://123.103.108.50/uc_server

The corresponding domain name is http://bbs.uctools.net/uc_server

The password is 123456789.



Reset the administrator password and log in to the admin back end.

The forum is DZ3.1, but it seems to have been fixed: HTM files cannot be generated.



I wanted to quit, but on a whim I ran the file verification tool that comes with DZ and found shells left behind, listed as unknown files.

0.php

1.php

2.php

All three are in the root directory and the password is.
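
The same kind of check can be run independently of the forum software. The following is an added example, not code from the original post or from Discuz!: it compares a deployed web root against a clean copy of the same release and reports unknown, modified and missing files. The `data/` writable prefix, the file names and the sample trees are constructed assumptions.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def audit(release_root, deployed_root, writable=("data/",)):
    """Compare a deployed web root against a clean release tree.

    Files under the writable prefixes (assumed cache/upload directories) are
    expected to differ, so they are reported only when they are PHP scripts.
    """
    good, live = build_manifest(release_root), build_manifest(deployed_root)
    unknown = [r for r in live if r not in good and
               (not r.startswith(tuple(writable)) or r.lower().endswith(".php"))]
    modified = [r for r in live if r in good and live[r] != good[r]]
    missing = [r for r in good if r not in live]
    return {"unknown": sorted(unknown), "modified": sorted(modified),
            "missing": sorted(missing)}

def demo():
    """Run the audit on two constructed trees (placeholder file contents)."""
    clean = {"index.php": b"entry", "config/config_global.php": b"cfg"}
    stray = {"0.php": b"?", "1.php": b"?", "2.php": b"?",
             "data/cache/a.txt": b"cache", "data/cache/up.php": b"?"}
    with tempfile.TemporaryDirectory() as tmp:
        trees = {"release": clean, "deployed": {**clean, **stray}}
        for tree, files in trees.items():
            for rel, body in files.items():
                path = os.path.join(tmp, tree, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(body)
        # Simulate a core file edited after deployment.
        with open(os.path.join(tmp, "deployed", "index.php"), "ab") as fh:
            fh.write(b" changed")
        return audit(os.path.join(tmp, "release"), os.path.join(tmp, "deployed"))

if __name__ == "__main__":
    print(demo())
```

Run on a schedule from outside the web server account, a report like this surfaces stray scripts in the document root and PHP files dropped into cache or upload directories.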
 



Connect with the kitchen knife (the China Chopper webshell client).
 



Wasn't this supposed to be a plug-in website? Why is Sina's own business hosted on it?

/data0/web_root/vroom.show.sina.com.cn/www/inc/SSOCookie.class.php

<?php
/**
 * set & get cookie for sina.com.cn
 * cookie format: [uniqueid:userid:appgroup:displayname:gender:paysign]
 */
class SSOCookie {
    const COOKIE_SUE = 'sue'; // sina user encrypt info
    const COOKIE_SUP = 'sup'; // sina user plain info
    const COOKIE_KEY_FILE = '/data0/web_root/keys $_arrConf; // the information in cookie.conf

    public function __construct($config = self::COOKIE_KEY_FILE) {
        if (!$this->_parseConfigFile($config)) {
            throw new Exception("parse config file failed");
        } else {
            echo 14314;
        }
    }

    public function getCookie(&$arrUserInfo) {
        // ciphertext cookie or plaintext cookie does not exist.
        if (!isset($_COOKIE[self::COOKIE_SUE]) || !isset($_COOKIE[self::COOKIE_SUP])) {
            return false;
        }

    /**
     * SSO login interface call function
     *
     * @param $ip     client IP address
     * @param $pin    SSO interface call PIN code
     * @param $entry  project code
     * @param $ag     user type
     * @param $userId user ID
     * @param $pwd    user password
     * @param $url    SSO interface call address
     * @param $succ   SSO interface call result set
     * @return $resultArr return result (array type)
     */
    public static function ssoLogin($userId, $pwd) {
        $ip = $_SERVER['REMOTE_ADDR']; // client IP address
        $pin = '70269226506e773f52a5ed9471f1691c'; // PIN code
        $entry = 'desktop'; // project code
        $ag = ''; // user type
        $mchk = md5($userId . $ag . $pwd . $ip . $pin); // encrypted string
        $userId = rawurlencode($userId);
        $pwd = rawurlencode($pwd); // convert to uniform character encoding
        $url = ("http://ilogin.sina.com.cn/api/chksso.php?entry={$entry}&user={$userId}&ag={$ag}&pw={$pwd}&ip={$ip}&m={$mchk}"); // interface call address
        // Zend_Debug::dump($url);
        $succ = file_get_contents($url); // interface call result
        // var_dump($succ);
        // echo "succ = {$succ} <br>";
        $result = '';
        parse_str($succ, $result);
        foreach ($result as $key => $value) {
            $result[$key] = urldecode($value);
        }
        // Zend_Debug::dump($succ);
        // print_r($result);
        return $result;
    }

    /**
     * inject COOKIE
     *
     * @param $str      SSO interface return value
     * @param $strOne   split string 1
     * @param $strTwo   split string 2
     * @param $strThree split string 3
     * @param $delArray delete the first element in the array
     */
    public static function setCookieStr($str) {
        $strOne = explode('set-Cookie: ', $str['cookies']);
        $delArray = array_shift($strOne);
        $cookie = array();
        foreach ($strOne as $key => $value) {
            $strTwo = explode('=', $value, 2);
            $strThree = explode(';', $strTwo['1']);
            // echo $strTwo['1'], "<br>";
            $cookieName = trim($strTwo['0']);
            $cookieValue = trim($strThree['0']);
            $cookie[$cookieName] = $cookieValue;
            if (stripos($strTwo['1'], 'httpponly')) {
                $httponly = 1;
                // echo $strTwo['0'];
                // print_r($strThree);
                // echo "<br>";
            } else {
                $httponly = 0;
            }
            // echo "cookieName = $cookieName, cookieValue = $cookieValue, $httponly <br>";
            setcookie($cookieName, $cookieValue, 0, "/", "sina.com.cn", 0, $httponly);
        }
        // print_r($cookie);
        return $cookie;
    }
}

<?php
define("AG", 1);
define("AG_PIN", 'e22760687e1ad7132a84ebf21fc18490');
define("AG_ENTRY", 'sinashow');
define("AG_DOMAIN", '.show.sina.com.cn');
$cookie_key = array(
    'v0' => 'v030f6b787dd6f37157e6a2493e83714a63f1438fc30217955ca3f8f952cdef4',
    'v1' => 'v130f6b787dd6f37157e6a2493e83714a63f1438fc30217955ca3f8f952cdef4'
);

class ShowSSO {
    public $_url = "";
    public $_host = "http://login.show.sina.com.cn/";
    public $_format = 'json';
    public $_Encrypt;
    public $_uid;
    public $_pwd;
    public $_ip;
    public $_ag;
    public $_ag_pin;
    public $_ag_entry;
    public $_request = 'cURL';
    public $_method = 'POST';
    public $_result = '';

    function __construct($ag, $ag_pin, $entry, $uid, $pwd) {
        //echo $pwd;
        if (!empty($ag)) $this->_ag = $ag;
        if (!empty($ag_pin)) $this->_ag_pin = $ag_pin;
        if (!empty($entry)) $this->_ag_entry = $entry;
        if (!empty($uid)) $this->_uid = $uid;
        if (!empty($pwd)) $this->_pwd = $pwd;

 

Solution:

Enhanced Filtering
