Guangxi Education and Training Network: arbitrary file upload, from getshell to intranet compromise
Detailed description:
http://**.**.**.**/
First, search Google:
site:**.** admin
Result: http://**.**/bbs/toplist.jsp?Page=1&orders=7
It contains all user names
New users are added every day.
site:**.** filetype:doc Password
Result: **.**/resource/news/images/CMS12201/46019.doc
The initial password is 8888.
At http://**.**/jsp/portal/
Logged in successfully with Lu Yan 19761107/8888
The survey feature accepts any file for upload, and the path of the stored file is returned in the page source.
Clicking "OK" here does not change the page; view the source code directly:
Shell address: http://**.**/resource/news/images/CMS14801/77411.jsp
Password 023
Proof of vulnerability:
The username and password of an intranet machine were found in /root/.bash_history.
One intranet machine also yielded some unexpected finds:
Solution:
Filter.
In addition, you cannot open the domain names you entered directly on this site... Do not tell me that I have not maintained the domain name =.
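One way to implement the "Filter" fix for the survey upload, as an added example that is not code from the site or the original report. The class name `UploadFilter`, the method `storedName` and the allowed file types are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

public class UploadFilter {
    // Assumed allow-list for survey attachments: extension -> leading file signature.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "pdf", new byte[] {'%', 'P', 'D', 'F'},
        "doc", new byte[] {(byte) 0xD0, (byte) 0xCF, 0x11, (byte) 0xE0});

    /** Returns a server-chosen file name, or throws if the upload is not allowed. */
    static String storedName(String clientName, byte[] content) {
        if (clientName == null || clientName.indexOf('\0') >= 0
                || clientName.contains("/") || clientName.contains("\\")) {
            throw new IllegalArgumentException("bad file name");
        }
        int dot = clientName.lastIndexOf('.');
        if (dot < 0) throw new IllegalArgumentException("no extension");
        // Only the final extension counts, compared case-insensitively.
        String ext = clientName.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] magic = ALLOWED.get(ext); // .jsp, .jspx, .war are simply absent
        if (magic == null) throw new IllegalArgumentException("extension not allowed: " + ext);
        // The content must start with the signature of the claimed type.
        if (content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            throw new IllegalArgumentException("content does not match ." + ext);
        }
        // Never reuse the client's name; keep only the validated extension.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A}; // constructed sample
        byte[] jsp = "<%@ page import=\"java.io.*\" %>".getBytes();        // constructed sample
        System.out.println("accepted as " + storedName("chart.PNG", png));
        for (String name : new String[] {"upload.jsp", "report.jsp.png", "../x.png"}) {
            try {
                storedName(name, jsp);
            } catch (IllegalArgumentException e) {
                System.out.println(name + " rejected: " + e.getMessage());
            }
        }
    }
}
```

The check has to run on the server, and uploads are best stored in a directory the servlet container does not execute JSP from, so that a file which slips past the filter is served as data rather than run.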