Maybe it is because I have been doing too many tests lately. A friend asked me to check the security of his website a few days ago. Wow, it runs both Safedog and 360 Website Guard. How do you get past that?

The first step was to find a place that accepts input, such as a feedback form. With XSS I could get the admin cookies for the back end. There is an FCK in the back end, but 360 Website Guard does not let PHP files through. That was a real pain. To take this site, we first need to break the problem into parts.

First, we need to break through 360 Website Guard. I found that it intercepts all PHP files, and even a normal picture will not go through if its extension is changed to PHP. Now it was a pain again... After several tests, I finally uploaded the file (the method is relatively simple and you can test it on your own; if I publish it here, I won't be able to use it tomorrow).

After uploading the PHP file, next we bypass the protection of 360 Website Guard. To bypass it, first obtain the real IP address. I uploaded a PHP online ping test file and used it to ping, for example, my own server. Then I ran arp -a on my server (Webmaster comment: the original article is wrong here, it should be: netstat -an) to get the real IP address of the website. Once you have the real IP address, you can bypass the CDN. (Webmaster comment: This method is very creative. It comes from the idea of bypassing a CDN to find the real IP address. It is a novel and alternative method.) Then I added an entry resolving the target website, WWW.XXX, in the hosts file of my server. In this way, the CDN of 360 Website Guard was successfully bypassed.

Next there is Safedog, which also needs to be bypassed. Everyone has their own methods for this; attackers can bypass Safedog's detection by encrypting the data.

I uploaded an encrypted trojan (without 360 Website Guard in the way, anything gets through, which was nice) and saw that the C drive has Serv-U, but he had changed the default password and port. No matter: I cracked a simple user through the Serv-U configuration file. I don't know whether you remember, but Serv-U versions earlier than 10.5 have a 0day that reads arbitrary files on the server's C drive, for example through port 21. Then directly replace shift; the method of logging in to the server remotely is relatively simple. The ideas should be clear, and discussion is welcome. (by Metasploit)
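
For the defender, the hosts-file step above works only because the origin server answers clients that are not the CDN. The following added example (not part of the original post; the CDN ranges, log lines and function name are constructed assumptions) scans an origin access log for requests that arrived without passing through the CDN/WAF.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder ranges; use the egress ranges your CDN/WAF publishes.
CDN_RANGES = [ipaddress.ip_network(n)
              for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Common/combined log format: the TCP peer address is the first field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} ')

# Constructed sample lines from the origin server's own access log.
SAMPLE_LOG = """\
198.51.100.17 - - [12/Mar/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
2001:db8:100::9 - - [12/Mar/2024:10:01:09 +0000] "GET /news.php HTTP/1.1" 200 801
203.0.113.45 - - [12/Mar/2024:10:03:40 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.45 - - [12/Mar/2024:10:03:41 +0000] "POST /feedback.php HTTP/1.1" 200 312
localhost - - [12/Mar/2024:10:04:00 +0000] "GET /status HTTP/1.1" 200 10
-- log rotated --
"""


def direct_origin_hits(log_text):
    """Map each non-CDN client address to the requests it sent to the origin."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field is a hostname, not an address
        # Membership is False across IP versions, so mixed lists are safe.
        if not any(ip in net for net in CDN_RANGES):
            hits[str(ip)].append(m["req"])
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in direct_origin_hits(SAMPLE_LOG).items():
        print(f"{ip}: {len(reqs)} request(s) reached the origin without the WAF")
```

Any address it reports reached the site without passing through the WAF; restricting ports 80/443 on the origin to the CDN's ranges closes that path.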