Preface
I suddenly noticed that this article had only been published on my personal blog and I had forgotten to publish it on CSDN, so I am adding it here.
Previous article: A travel website SQL injection led to the disclosure of information on more than 20,000 people. The SQL injection point had been found and the database had been found, but I still could not get a shell. After exploring, I found an upload point on a sub-site.
Uploaded successfully and got the server.
But!!!
Because I was inexperienced, I uploaded a Trojan to the server, but the Trojan was deleted the next day and the Trojan upload page was also blocked, so the finding was lost.
Keke, for learning purposes I wrote this article (a high-risk finding just slipped away, crying.jpg).
Vulnerability description
Sub-site http://cs.xxxxxx.cn: a customer service management system lets anyone register a customer service user, the chat page can be used to upload a shell, and the server was taken.
Vulnerability details
The registration page is found in the source code of the http://cs.xxxxx.cn page. After user 1 registers successfully, it hands out a dedicated chat link http://cs.xxxxx.cn/index.php/Index/admin?kf=149806532
The link opens a chat page. There is no option to upload files, but pictures can be uploaded.
Upload a picture on the chat interface, change image/jpeg to php, and the base64-encoded one-sentence Trojan uploads successfully.
Connected to the shell successfully.
Files can be downloaded and modified at will, and mysql commands executed.
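The upload described above went through because the server trusted what the client sent: the declared image/jpeg type and the file name. The following is an added example of the server-side gate that closes that hole; it is not the site's code and is not from the original post. Everything in it is constructed for illustration (the Upload type, the sample uploads, the storage naming) and it assumes nothing about the site beyond what the post states: a picture upload that accepted a PHP file.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed example, not the site's code: a server-side gate for a chat
# page's picture upload. The client-declared MIME type is recorded but never
# consulted; the decision rests on the file name's final extension and on
# the bytes themselves.

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes that genuine files of each allowed type start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# A PHP open tag anywhere in the body (covers "<?php" and the short "<?=" form).
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


@dataclass
class Upload:
    filename: str       # name supplied by the client
    declared_type: str  # Content-Type supplied by the client, e.g. "image/jpeg"
    data: bytes


def extension_of(filename: str) -> str:
    """Return the lowercased final extension of the client-supplied name.

    Only the last suffix counts, so "photo.jpg.php" yields "php" (rejected)
    and "photo.php.jpg" yields "jpg" (which then has to pass the byte checks).
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def check_upload(upload: Upload) -> tuple[bool, str]:
    """Decide whether an upload may be stored; returns (accepted, reason)."""
    ext = extension_of(upload.filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' is not an allowed image type"
    if not upload.data.startswith(MAGIC[ext]):
        return False, "content does not begin with the signature of the named image type"
    if PHP_TAG.search(upload.data):
        return False, "PHP open tag found inside image data"
    return True, "ok"


def storage_name(upload: Upload) -> str:
    """Server-generated name for an accepted upload; the client's name never reaches disk."""
    accepted, reason = check_upload(upload)
    if not accepted:
        raise ValueError(reason)
    return f"{secrets.token_hex(16)}.{extension_of(upload.filename)}"


# Constructed sample uploads (tiny stand-ins, not real images or real payloads).
SAMPLES = {
    "genuine_jpeg": Upload("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "php_ext_image_type": Upload("avatar.php", "image/jpeg", b"<?php echo 'hi'; ?>"),
    "double_ext": Upload("avatar.jpg.php", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    "jpg_name_php_body": Upload("avatar.jpg", "image/jpeg", b"<?php echo 'hi'; ?>"),
    "jpeg_with_php_appended": Upload(
        "avatar.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"<?php echo 'hi'; ?>"
    ),
}


def verdicts() -> dict[str, bool]:
    """Accept/reject verdict for each constructed sample."""
    return {name: check_upload(u)[0] for name, u in SAMPLES.items()}


if __name__ == "__main__":
    for name, upload in SAMPLES.items():
        accepted, reason = check_upload(upload)
        print(f"{name:24s} -> {'accepted' if accepted else 'rejected'}: {reason}")
```

The second sample is the case from the post: a .php name sent with an image/jpeg type. It is rejected on the extension alone, and the declared type plays no part. The magic-byte check on its own is not enough, since a genuine image with code appended still starts with the right bytes, which is why the PHP-tag scan follows it; the remaining backstop, outside this code, is to store uploads in a directory the web server does not execute scripts from.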
Final words
If you happen to read this article, I recommend that if you upload a Trojan and then test it, you delete the Trojan immediately afterwards and clean up all traces (advice from some experienced people in a group).
After the traces are cleaned up, it is not so easy for them to find the Trojan, and the patching audit is really slow (two weeks). After they receive your vulnerability report, they will test it again; if the test fails, the audit will not pass, so it is safer to keep the Trojan hidden.
Fortunately, an arbitrary user login vulnerability was included with it, and that one was still rated as a risk.
Clean up the traces: a lesson learned the hard way!!!