Let's first talk about how the reviewer account's details were obtained. After logging in to the official email mailbox, the following content can be seen in an email:

Then we continue with the vulnerability itself. Testing this account, you can log on to the admin backend successfully, and its permission level is "reviewer":

Then, as long as you can log on to the backend, you can directly add a super administrator account, and you can log on with that account directly ............

Next, the getshell part of the vulnerability proof.

Proof of vulnerability: I added an account named "Royal test". After logging on with it, I will skip the various odd prompts and such and go straight to the point, getshell. Go to file management. This is the prepared zip package, which contains a folder CMS_UFile and an aspx file. A prompt appears saying that the upload and decompression succeeded!! Go to the CMS_UFile directory and you can see that the aspx file has been written into the folder. Connecting to it directly, the server's directories and files can be browsed. asp.net runs with the permissions of Network Service. More damaging operations are not demonstrated here.

Solution:
1. Account permission restrictions: the example above shows the "add super administrator" problem. Reasonably, reviewers should not have permission to add users at all.
2. For the upload, the question is whether zip upload is necessary at all.
3. Editing all of the above was very hard ...... Please pass the review!
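As an added example (not the vendor's code and not part of the original report), here is a Python model of the two fixes the solution list calls for: an account-creation check so that a reviewer cannot create users, let alone a super administrator, and an allowlist-based validation of an uploaded zip archive before anything is extracted, which rejects server-executable extensions such as .aspx, path traversal in entry names, and oversized archives. The role names, extension lists, size limit and sample archives are constructed assumptions for the demonstration.

```python
import io
import posixpath
import zipfile

# Hypothetical role model (constructed names, not the CMS's own).
ROLE_REVIEWER = "reviewer"
ROLE_ADMIN = "admin"
ROLE_SUPERADMIN = "superadmin"
RANK = {ROLE_REVIEWER: 1, ROLE_ADMIN: 2, ROLE_SUPERADMIN: 3}


def can_create_account(actor_role, target_role):
    """Only administrators may create accounts, and never one ranked above themselves.

    A reviewer therefore cannot add users, and an admin cannot mint a super admin."""
    actor_rank = RANK.get(actor_role, 0)
    if actor_rank < RANK[ROLE_ADMIN]:
        return False
    return RANK.get(target_role, RANK[ROLE_SUPERADMIN] + 1) <= actor_rank


# Allowlist of content the upload feature is meant to carry (assumed); anything the
# web server could execute or that changes its configuration is simply not on it.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}
MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed cap on the uncompressed size


def check_zip_entries(data):
    """Return the reasons an archive must be rejected; an empty list means it may be extracted."""
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    total = 0
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            total += info.file_size
            # Normalise separators, then refuse anything that escapes the extraction root.
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            first = norm.split("/")[0]
            if posixpath.isabs(norm) or norm == ".." or norm.startswith("../") or ":" in first:
                problems.append(f"path traversal: {info.filename}")
            ext = posixpath.splitext(norm)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                problems.append(f"disallowed extension: {info.filename}")
    if total > MAX_TOTAL_BYTES:
        problems.append(f"uncompressed size {total} exceeds limit")
    return problems


def handle_zip_upload(actor_role, data):
    """Simulated upload endpoint: the archive is validated before any extraction happens."""
    problems = check_zip_entries(data)
    return ("rejected" if problems else "accepted", problems)


def build_sample_zip(entries):
    """Build an in-memory zip from (name, bytes) pairs; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives mirroring the report: a folder plus an aspx file, and a benign image upload.
MALICIOUS_ZIP = build_sample_zip([("CMS_UFile/", b""), ("CMS_UFile/test.aspx", b"<%-- placeholder --%>")])
BENIGN_ZIP = build_sample_zip([("CMS_UFile/photo.jpg", b"\xff\xd8\xff")])
TRAVERSAL_ZIP = build_sample_zip([("../web.config", b"<configuration/>")])

if __name__ == "__main__":
    print(can_create_account(ROLE_REVIEWER, ROLE_SUPERADMIN))  # False
    print(handle_zip_upload(ROLE_REVIEWER, MALICIOUS_ZIP))      # rejected
    print(handle_zip_upload(ROLE_REVIEWER, BENIGN_ZIP))         # accepted
```

Note that the upload check is an allowlist rather than a blocklist of extensions: a blocklist has to anticipate every handler mapping the server knows about, whereas an allowlist only has to name what the feature legitimately needs, and the traversal check runs on the normalised name so an entry cannot land outside the intended folder.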