I took on a website some time ago. Because of my limited skills as a rookie (cainiao), I was stuck for a long time and couldn't get into the admin backend.
Now I have finally gotten in, so I am sharing my experience with you. If you think it is too simple, don't flame me.
I scanned for injection points with safe3, and then used the "radish head" tool to do the injection.
I cracked the admin's MD5 hash and got it! Ff2013
I entered the account and password on the admin login page and got an error. Why? I asked a few experts, but they probably couldn't be bothered with me.
I thought it might be a fake admin page, so I searched again and found that there were no other management pages, so I went back to the login page to look for a way through.
After filling in the information, the system displays an error.
I also searched online for an exploit for this CMS, but it did not work against this site.
Right-click and view the source code
I looked at the login page again!? Where is the verification code?
So let's look further down.
The IP address is a local variable. The IP address is always 1 and the return is restricted. Verification fails no matter how it is done.
However, after the verification is successful, the system will jump to the m directory.
Later, a friend gave me some advice and found that
Here is a get request. The request page is
So I accessed
I found that the value -1 in the V tag indicates that verification failed; on success the value should be 1.
So I added the account and password to the url.
I found that this verification was successful, so after the check I changed the URL to the m directory.
I found that it still did not work. I found a showVCode() function in the source code. It should be what controls the verification code. So I entered `javascript:showVCode()` in the address bar of the login page.
The verification code was displayed successfully. I noted the verification code and tried again.
`http://www.xxxx.com.cn/m/manager/login.xml.php?username=admin&password=!Ff2013&vcode=54713` The value at the end is the verification code. After logging in this way the tag was 1, so I switched to the m directory and successfully got into the admin backend.
Next I wanted a shell, so I looked around and found that the upload component was FCKeditor.
Website configuration is also available here
The suffix gets changed, so none of the variations I tried would upload!! It seems a filter is in place.
The parsing vulnerability did not work, and then I remembered seeing that some symbols can be replaced by their encoded forms.
So I used xiaokui's conversion tool to convert it into %3B. After uploading, I found that the file was parsed successfully.
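The %3B upload above is consistent with a filter that inspects the filename before it has been percent-decoded. As an added example (not code from the original post or from FCKeditor), this is a server-side check that canonicalizes first; `safe_upload_name`, the image-only allowlist and the sample filenames are assumptions constructed for illustration.

```python
import posixpath
import secrets
from urllib.parse import unquote

# Assumed policy for an image-upload field (hypothetical, not from the post).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Characters that change how a server or filesystem splits a name.
FORBIDDEN = set(";:%/\\\x00")


def canonicalize(name: str, max_rounds: int = 5) -> str:
    """Percent-decode until the name stops changing.

    Both '%3B' and the double-encoded '%253B' end up as ';', so the
    checks below see the same string the web server will eventually see.
    """
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("filename is encoded too deeply")


def safe_upload_name(client_name: str) -> str:
    """Validate a client-supplied filename; return a server-generated one.

    Raises ValueError when the name is rejected.
    """
    name = canonicalize(client_name).strip()
    if not name or any(ch in FORBIDDEN or ord(ch) < 0x20 for ch in name):
        raise ValueError("forbidden character in filename")
    stem, ext = posixpath.splitext(name)
    if ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    if "." in stem:
        # e.g. constructed sample 'avatar.php.jpg': more than one extension
        raise ValueError("multiple extensions")
    # The client's name is never written to disk; only the vetted
    # extension survives, attached to a random storage name.
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("holiday.JPG", "avatar.php%3B.jpg", "avatar.php%253B.jpg"):
        try:
            print(sample, "->", safe_upload_name(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Storing uploads under a random name in a directory where script execution is disabled removes the dependence on the filter being perfect.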
So I opened the "kitchen knife" (Chopper) client and connected to the one-sentence webshell...
The permissions are quite high. If there were other sites on the same server, they could be used as well. However, this site stands alone on its server, and privilege escalation produced no result.