Main site of Shi nun's milk powder: getshell, involving millions of member users (a large increase in baby data after the establishment of the second child)
Detailed description:
After reading this brother's report (WooYun: Shi en milk powder, a website SQL injection involves 1.03 million member information),
In my heart, only the grass-mud horse ran through !!!!!!!!!!!!!!
http://www.scient.com.cn/user.php
Register a user and modify the avatar to upload a file.
Intercept the upload request directly in Burp Suite and change jpg to php.
Proof of vulnerability:
/home/wwwscient/domains/wwwscient.ts12.ompchina.net/public_html/wap/database.php
$db['default']['hostname'] = 'localhost';
$db['default']['username'] = 'rootroot';
$db['default']['password'] = '7EbRerZKPWeszMV4';
$db['default']['database'] = 'wapscient';
$db['default']['dbdriver'] = 'mysql';
$db['default']['dbprefix'] = '';
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = '';
$db['default']['char_set'] = 'utf8';
$db['default']['dbcollat'] = 'utf8_general_ci';
$db['default']['swap_pre'] = '';
$db['default']['autoinit'] = TRUE;
$db['default']['stricton'] = FALSE;

/home/wwwscient/domains/wwwscient.ts12.ompchina.net/public_html/wap/zip_comm/config.php
$db_main=array("db_host" => 'localhost', "db_port" => '3306', "db_user" => 'root', "db_pw" => '', "db_name" => 'mysns');
/* $db_back=array("db_host" => 'localhost', "db_port" => '3306', "db_user" => 'bak', "db_pw" => '1', "db_name" => 'fly_bak');*/
$g_offstroot.="";
break;
default:
$db_main=array("db_host" => 'localhost',"db_port" => '3306', "db_user" => 'limi', "db_pw" => '1okmaP7l5Y3wMu', "db_name" => 'limi');
$g_offstroot.="";
break;
Solution:
Restrict uploads. Also, your SQL injection has not been fixed yet...
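
One way to implement the "restrict upload" fix for the avatar upload described above. This is an added example, not the site's code: store_avatar(), the 'avatar' form field and the destination directory are hypothetical names, and the fileinfo and GD extensions are assumed to be loaded. The sample inputs are constructed.

```php
<?php
// Added example; store_avatar(), the 'avatar' field and $destDir are hypothetical names.
// Assumes the fileinfo and GD extensions are loaded.
const AVATAR_MIME_ALLOW = ['image/jpeg', 'image/png', 'image/gif'];
const AVATAR_MAX_BYTES = 2 * 1024 * 1024;

function store_avatar(string $tmpPath, string $destDir): string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > AVATAR_MAX_BYTES) {
        throw new RuntimeException('missing or oversized upload');
    }
    // Take the type from the file content. The request's filename and
    // Content-Type are client-controlled and can be edited in a proxy.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, AVATAR_MIME_ALLOW, true)) {
        throw new RuntimeException("rejected content type: $mime");
    }
    // Decode and re-encode: only pixel data reaches disk, so script text
    // appended to a valid image or hidden in its metadata is dropped.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // The server chooses both the file name and the extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write avatar');
    }
    return $dest;
}

// In a web handler: check is_uploaded_file($_FILES['avatar']['tmp_name'])
// and pass that path. Below, constructed inputs stand in for uploads.
$dir = sys_get_temp_dir();
$script = '<?php echo "x"; ?>';
$polyglot = tempnam($dir, 'up');            // valid 1x1 PNG + appended script
imagepng(imagecreatetruecolor(1, 1), $polyglot);
file_put_contents($polyglot, $script, FILE_APPEND);
$bare = tempnam($dir, 'up');                // script only, as if renamed .jpg
file_put_contents($bare, $script);

$saved = store_avatar($polyglot, $dir);
echo 'script survived re-encoding: ';
var_dump(strpos(file_get_contents($saved), '<?php') !== false);
try {
    store_avatar($bare, $dir);
} catch (RuntimeException $e) {
    echo 'bare script: ', $e->getMessage(), "\n";
}
```

Keep the destination directory outside the web root, or configure the server not to execute PHP there, so a file that slips through is still served as data.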