Wandering the entire business line of VeryCD

Source: Internet
Author: User

In this test, we use VeryCD's own business logic and big data published on the Internet to perform a white hat test on VeryCD.

# This is only a test. It is meant to show the public how severe big-data hacking is; no VeryCD data was exported.

#1 Introduction

First, the foothold of this article. While studying WordPress, we found that this popular overseas application has a high level of security in its core code but obvious deficiencies in its logic design.

Traversing user names: http://www.verycd.com/blog/?author=1

With the link above, you only need to keep changing the author id to traverse the user names of the entire WordPress database. In this test, the user names of the official VeryCD blog are as follows:

bill zw.zouxiaoman daiyi VeryCD admin

Login design: http://www.verycd.com/blog/wp-login.php

WordPress has no verification code (CAPTCHA) and no limit on the number of logon attempts with wrong passwords. What's more, if you enter a user name, the login page also tells you whether it exists, which is far too helpful.

#2 Start the test

Now that the user names are known and the logon interface is unrestricted, run an HTTP fuzz against it. Start Acunetix Web Vulnerability Scanner 8, click Authentication Tester, set the user name file and the password file collected from big data, and then mix in the weak password dictionary.

#3 What are the results?

The fuzz found daiyi's password, which finally got us into the WordPress backend!

#4 Proof I was here

Under the primary domain: http://www.verycd.com/blog/about/

#5 Crueler results

daiyi's email password is consistent with the one used in other places. More cruelly, daiyi was originally the WebMaster of VeryCD.

# Proof of the vulnerability. "You didn't get a SHELL, so what are you talking about?"

    <?php
    /**
     * WordPress basic configuration file.
     *
     * This file contains the following configuration options: MySQL settings,
     * database table name prefix, keys, WordPress language settings, and ABSPATH.
     * For more information, visit the
     * {@link http://codex.wordpress.org/zh-cn:%E7%BC%96%E8%BE%91_wp-config.php
     * Editing wp-config.php} Codex page. For the MySQL settings, consult your hosting provider.
     *
     * This file is used by the installer to generate wp-config.php automatically.
     * You can also copy this file manually, rename it to wp-config.php, and fill in the values.
     *
     * @package WordPress
     */

    // ** MySQL settings - this information comes from the host you are using ** //
    /** WordPress database name */
    define('DB_NAME', 'teamblog');

    /** MySQL database username */
    define('DB_USER', 'teamblog');

    /** MySQL database password */
    define('DB_PASSWORD', 'ta6tdvn********l7');

    /** MySQL host */
    define('DB_HOST', '2017. 168. *. ** 6');

# What you get above is the main site SHELL.
Solution:

# Add IP address restrictions to the backend management entry points.
# Add restrictions to the logon interface.
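One way to spot the two behaviours this write-up relies on (walking `?author=N` and repeated `wp-login.php` attempts) in web server logs, as an added example that is not part of the original report. The combined log format, the thresholds, the function name `detect` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed input: combined log format (client IP, method, path, status).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')

def detect(lines, author_threshold=3, login_threshold=5):
    """Return {ip: set of findings}; thresholds are illustrative assumptions."""
    author_ids = defaultdict(set)   # ip -> distinct ?author=N values requested
    login_posts = defaultdict(int)  # ip -> POSTs to wp-login.php answered 200
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip, method, path, status = m.groups()
        a = AUTHOR_RE.search(path)
        if a:
            author_ids[ip].add(int(a.group(1)))
        # WordPress re-renders the form (200) on a failed login and redirects
        # (302) on success, so 200 responses approximate failed attempts.
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            login_posts[ip] += 1
    findings = defaultdict(set)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add("author-enumeration")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add("login-bruteforce")
    return dict(findings)

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE = (
    [f'203.0.113.7 - - [01/Jan/2013:10:00:0{i} +0800] "GET /blog/?author={i} HTTP/1.1" 301 0 "-" "-"'
     for i in range(1, 6)]
    + [f'203.0.113.7 - - [01/Jan/2013:10:01:0{i} +0800] "POST /blog/wp-login.php HTTP/1.1" 200 2900 "-" "-"'
       for i in range(6)]
    + ['198.51.100.4 - - [01/Jan/2013:10:02:00 +0800] "GET /blog/?author=1 HTTP/1.1" 301 0 "-" "-"',
       '198.51.100.4 - - [01/Jan/2013:10:02:05 +0800] "POST /blog/wp-login.php HTTP/1.1" 302 0 "-" "-"',
       'not a log line']
)

if __name__ == "__main__":
    for ip, kinds in sorted(detect(SAMPLE).items()):
        print(ip, sorted(kinds))
```

Addresses flagged this way are candidates for the login restrictions listed in the solution; a single author-page view or one successful login stays below the thresholds.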
