Using DNS to look up the C segment of Speed 8, I found an important entry point and management system: http://myportal.super8.com.cn. This seems to be the login entry. Isn't it a big deal?

Testing it at random, I entered adminkkkk with a password, and it prompted "no user is found." That's great, haha: it helps us find the administrator account. Entering admin, it said the password is wrong, so that account already exists. Then I tried random passwords on the admin account, captured the packet, brute-forced it with Burp, and obtained a weak password: 1234567. The logon permission is escalated step by step from one small weak password, so weak passwords cannot be ignored!!!

Here we can see a link, which is a wonderful thing. Note: (while looking around, we found a lot of internal employee email accounts, which could further cause greater harm through social engineering.) It led to another system; however, that system is useless. Going back to the links, I saw another one: the download link for a certain instruction manual, and it was a jackpot. The address is: http://myportal.super8.com.cn/hr_admin/Upfile/1e1f1ef1-bd64-443c-846a-6a60b45fd3ff.pdf

hr_admin: seeing this, I smiled. I accessed it, and it is indeed the backend. Then, there is no verification code on the management backend. The password was poor again, and Burp went on to crack the admin account. The admin password, admin123, is a weak password.

After login it looks like a new world. Getting a shell was no problem. Backdoor address: http://myportal.super8.com.cn/hr_Admin/Upfile/image/77.asp;(1).jpg (deleted). Then I connected the kitchen knife and looked around. Wow, the permissions are still huge. 1B. There are a lot of data backups. Is the membership information ruined just like that!!!
Okay, the process is complete.
Solution:
0x1: People are the key. Weak passwords must be changed.
0x2: I found that the upload folders of the other systems have their permissions set well, with no execution permission. Why is this one not set in the same way?
0x3: Do not put all the eggs in one basket, and do not keep any backup information on the server.
0x4: Delete the shell and fix the vulnerability.
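
To go with 0x2 and 0x4, here is an added defensive example (not part of the original write-up, and not the site's code) that audits an upload directory listing for names shaped like the one above and shows server-side renaming on upload. The allowlist, the script-extension list and the function names are assumptions, and the check complements removing execute permission from the upload folder rather than replacing it.

```python
import os
import re
import uuid

# Assumption: the only file types this upload feature needs to accept.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Extensions a classic ASP / IIS host may hand to a script engine.
SCRIPT_EXT = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "php", "jsp"}

def suspicious_reasons(filename):
    """Return the reasons an uploaded file name should be rejected ([] if none)."""
    reasons = []
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename:
        reasons.append("path separator in name")
    if re.search(r"[;:%\x00-\x1f]", name):
        reasons.append("parser-confusing character")
    # Check every token after the first, not just the final extension.
    tokens = re.split(r"[.;:\s()]+", name.lower())
    if any(t in SCRIPT_EXT for t in tokens[1:]):
        reasons.append("script extension inside name")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        reasons.append("final extension not allowlisted")
    return reasons

def storage_name(filename):
    """Server-chosen name: random UUID plus the allowlisted extension only."""
    if suspicious_reasons(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()

def audit(listing):
    """Map each flagged name in an upload-directory listing to its reasons."""
    return {n: r for n in listing if (r := suspicious_reasons(n))}

# Constructed listing, modelled on the file names quoted in the write-up.
SAMPLE_LISTING = [
    "1e1f1ef1-bd64-443c-846a-6a60b45fd3ff.pdf",
    "77.asp;(1).jpg",
    "logo.PNG",
    "report.asa.jpg",
]

if __name__ == "__main__":
    for name, why in audit(SAMPLE_LISTING).items():
        print(name, "->", ", ".join(why))
```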