Injection and simple social engineering won a sub-station of phoenixnet

Hello everyone, I am Admin 17951. Today I am going to give you a tutorial. I am a newbie. I hope you will not be surprised at what you have done badly.

Injection and simple social engineering won a sub-station of phoenixnet

Just a few days ago, the holiday was boring. I went to the internet cafe to access the Internet. I went around the Internet with a cool experience. I visited a sub-station of Phoenix. I found that this sub-station can traverse directories.

Continue to flip the Directory and find that the sub-station uses a CMS program.

I remember that this CMS seems to have an injection vulnerability. I don't know if this substation has been completed. No matter what, try again first, but I forgot the injection code, so I had to go to Baidu

After finding the injection code, I took the code to the substation and tried it. As a result, this injection vulnerability exists in the substation, and the Administrator account and password are successfully reported.

There are more than a dozen administrators. First, I will break the MD5 of the admin account's password. This account is generally the highest permission among administrators, but the cup shows that this MD5 cannot be broken.

Then I broke the Second Account and the second one. Then I went to the default background of the CMS program and successfully logged on to the background. However, I found that this account is a common administrator account, the permission is low, and many functions are unavailable.

After my research, I found that this ordinary administrator account could not take the SHELL in the background, but instead broke the MD5 of the password of the third administrator account. This time, I was lucky, this account is a super Administrator Account, which has many more functions than the ordinary administrator.

Then start to get SEHLL, there are uploads and templates, I will first try to upload here

Add the upload suffix first

Then upload the file

As a result, the cup is ready, and the suffix just added is filtered out, so it cannot be broken through. Create a new 1. asp Directory, and the result is filtered into 1asp.

No way. It seems that I cannot break through the upload here. Let's take a look at the template here.

Create a template

No. I first created a template with the suffix HTML, pasted the trojan code, and renamed the template.

I still can't. The cup is dead. I couldn't get the SHELL for both the upload and the template. I found the method of using the SHELL in the CMS background on the Internet. I tried several methods and the results won't work, SHELL cannot be obtained. What should I do if my thinking is interrupted?

When I rummaged around in the background, I found some footprints of the predecessors. I think, since some predecessors have been there, maybe they have already won the SHELL. If they can find the SHELL of their predecessors, maybe something can be used. There is an online Trojan Detection Function in the background.

The result is truly a trojan of several predecessors.

Among them, there is a daoye. asp and a daoye. aspx big horse from the file name seems to be uploaded by the same person, just start with the two big horses.

First, I will try admin 123 123456 hack daoye and so on. These SHEL common weak passwords can be used to log on to these two Trojans. The results will not work and the password will be incorrect. I scanned my predecessor's trojan horse, but I didn't know the password. What should I do? The idea was interrupted again.

I found that when I used a weak password to log on to the ASP Trojan, an error message was prompted every time the password was incorrect:

HACK:

I found a Baidu blog, which seems to be the predecessor of this uncle. In his blog's personal information, I found a group number:

Use QQ to search for this group number:

The QQ: XXXXX772 of the group owner is obtained. Search for the group owner using QQ again:

Network Name of the group owner: longli Taojin. This person may be the inverted master. I don't know. No matter what, first use his QQ number: XXXXX772 to log on to the two horses and try again, log on to the ASP Trojan first. No, the password is incorrect, and the hack by hacker is prompted. log on to the ASPX Trojan again. This RP outbreak, and log on to the SHELL directly:

Don't dare to mess up, just click something to pop up!

Okay, the tutorial is here. I am the first time a newbie is doing a tutorial. If there is something wrong with it, please read the official documents and do not joke about it. It may be a bit cool, mosaic is also playing a lot, and there may be some typos, statements are not fluent, and I am too lazy to change it. After all, I graduated from elementary school.