(This article is only a personal learning record. If there are any mistakes, please point them out. If this article helps you, I'll be very happy.)
This reproduction is based on articles found online. The vulnerability is for learning and communication only. Illegal use is strictly prohibited!!!
1、 Event background
CMS: content management system
2、 Vulnerability analysis
1. After downloading maccms10 from the fake "Apple official website", open the source code and find maccms10.zip\extend\qcloud\SMS\sms.php and maccms10.zip\extend\upyun\SRC\upyun\API\format.php
- The backdoor trojans in sms.php and format.php are the same, so pick one to analyze
- Execute the following code to see the malicious code written in PHP + HTML
2. Move the website source code to the web root directory of phpstudy, open phpstudy, start the Apache service, and access the page with the password
- Here I moved the backdoored file directly to the web root directory, and the access address is 127.0.0.1/format.php
- Click login to enter the following interface
3. As can be seen from the figure above, this is a webshell ("horse") with many functions, such as executing SQL, executing commands, and bouncing a port (reverse shell). Test several of them
4. Test the port bounce function, using a Kali virtual machine as the attacker and the local machine as the target
- After filling in the bounce address and port, do not click bounce yet. The bounce address is Kali's IP address
5. Open Kali, use nc to listen on the port, and then click bounce
- After clicking bounce, you get a shell on the target machine. Enter a system command to test it: the reproduction is successful!!!
- Reverse (rebound) shell: the terminal, interpreter, or shell on the target machine connects back to the attacker's computer, which requires the attacker to listen on the port in advance
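For defenders triaging a downloaded maccms10 archive before deploying it, the following added example (not from the original article or the maccms project) checks the two files named in step 1 for traits an SMS or upyun library file should not have: HTML login markup, command-execution calls, and outbound socket calls. The indicator patterns and the inert sample archive are assumptions constructed for illustration, not signatures of the real backdoor.

```python
import io
import re
import zipfile

# The two paths named in the article, lower-cased with forward slashes
# (the letter case printed in the article is not reliable).
SUSPECT_PATHS = ("extend/qcloud/sms/sms.php",
                 "extend/upyun/src/upyun/api/format.php")

# Heuristic indicators (assumptions): things a backend SDK file has no reason to contain.
INDICATORS = {
    "html_form": re.compile(rb"<\s*(form|input)\b", re.I),
    "password_field": re.compile(rb"type\s*=\s*['\"]?password", re.I),
    "dynamic_exec": re.compile(
        rb"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),
    "raw_socket": re.compile(
        rb"\b(fsockopen|pfsockopen|socket_create|stream_socket_client)\s*\(", re.I),
}

def triage_archive(zip_bytes):
    """Return {entry name: sorted indicator names} for the article's two paths,
    reading the archive in memory so nothing is extracted into a web root."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            norm = info.filename.replace("\\", "/").lower()
            if not norm.endswith(SUSPECT_PATHS):
                continue
            data = zf.read(info)
            findings[info.filename] = sorted(
                name for name, rx in INDICATORS.items() if rx.search(data))
    return findings

def build_sample_archive():
    """Constructed, inert sample: one plain library file, one with webshell traits."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("maccms10/extend/qcloud/SMS/sms.php",
                    "<?php\nclass Sms { public function send($to) { return true; } }\n")
        zf.writestr("maccms10/extend/upyun/SRC/upyun/API/format.php",
                    "<?php // inert stand-in: system(...) fsockopen(...)\n?>"
                    "<form method=post><input type=password name=p></form>\n")
        zf.writestr("maccms10/index.php", "<?php echo 'home';\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, hits in triage_archive(build_sample_archive()).items():
        print("SUSPICIOUS" if hits else "ok", name, hits)
```

A hit is a reason to compare the file against a copy from a trusted source, not proof of a backdoor; an empty result does not clear an archive either, since an obfuscated payload can evade these patterns.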