Preliminary preparation
phpstudy, Seay, Burp Suite
Scanning directly with Seay is fast, but it misses many of the more interesting vulnerabilities.
File inclusion
The first finding is file inclusion. I set up Xionghai CMS with PHP + Apache + MySQL; this CMS cannot run under PHP 7, so an older PHP version is used.
Once the installation is finished, the next thing to check is whether a reinstallation vulnerability exists (whether the installer can be triggered again).
It clearly does not, so back to the file inclusion. The parameter r is passed through addslashes(), and action is set to file, which is set to the value of r. When file is empty, the script includes index.php, the home page; when it is not empty, the value is concatenated with ".php" and included, which is the file inclusion.
Several of my test files returned 404 here, so I placed a 1.php in the web root to prove that a file there can be included.
Execution succeeds. Payload: http://127.0.0.1/index.php?r=../1
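The include pattern described above, beside a hardened version that treats r only as a key into a fixed allowlist of route names, so no user-supplied path component ever reaches include(). This is an added example, not Xionghai CMS's own code; the variable names $file and $action and the route names in ROUTES are assumed for illustration.

```php
<?php
// Added example, not code from Xionghai CMS. $file / $action and the
// route names below are assumptions made for this illustration.

// Pattern as the write-up describes it: addslashes() only escapes quotes,
// backslashes and NUL, so a value such as "../1" passes through unchanged
// and "../1.php" is what ends up being included.
function routeVulnerable(string $r): string
{
    $action = addslashes($r);
    $file   = $action;
    if ($file === '') {
        return 'index.php';          // empty r -> home page
    }
    return $file . '.php';           // request value becomes the path
}

// Hardened version: the request value is a lookup key only. The filesystem
// path comes from the allowlist, never from the request.
const ROUTES = [
    ''        => 'index.php',        // constructed route table (assumed names)
    'content' => 'content.php',
    'list'    => 'list.php',
];

function routeSafe(string $r): ?string
{
    // Reject anything that is not a short identifier before the lookup,
    // so "/", ".", "%" and friends never reach the route table.
    if (!preg_match('/\A[a-z0-9_]{0,32}\z/', $r)) {
        return null;                 // caller should answer 404
    }
    return ROUTES[$r] ?? null;       // unknown key -> null -> 404
}

// Run both routers over a normal route and the page's payload.
foreach (['', 'content', '../1'] as $r) {
    printf("r=%-8s vulnerable=%-10s safe=%s\n",
        var_export($r, true),
        routeVulnerable($r),
        routeSafe($r) ?? 'reject (404)');
}
```

When dispatching, the safe router's return value is joined to a fixed base directory (for example `include __DIR__ . '/' . routeSafe($r)`) and a null result is turned into a 404 rather than a fallback include.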
Authorization bypass
checklogin.php allows the login check to be bypassed.
It only tests whether the user value in the cookie is empty: if it is empty, the user is redirected to the login page; if it is not empty, the user is treated as logged in.
Brute-forcing account passwords
There are no restrictions on login attempts.
Capture the login request, load a top-100 weak-password list, and run it.
Summary
Xionghai CMS also has vulnerabilities such as SQL injection, XSS and CSRF, which are not reproduced here.